EU Data Protection Compliance Guide Now Available

World Council is pleased to make available our new Compliance Guide for the EU General Data Protection Regulation/EU-US Privacy Shield to World Council’s member associations and their member institutions.

This recently adopted European Union (EU) data protection legal framework is intended to establish privacy rules applicable to businesses located anywhere in the world that have customers living in the EU. This EU regulation claims jurisdiction over non-European companies, including financial cooperatives with at least one member living in the EU, even though the EU is asserting universal jurisdiction primarily to regulate non-European technology companies such as Google.

The EU’s framework requires institutions to appoint a data protection officer, to have in place data protection policies that include recordkeeping and data breach notification requirements, to obtain consumers’ consent to collect data, and to observe other EU consumer data protection rules. EU authorities can impose fines for non-compliance of EUR 20 million or more per violation.

The United States of America’s Commerce Department and Federal Trade Commission (the latter of which has jurisdiction over US-based privately insured credit unions) have also agreed to help require most US-based businesses to follow this framework, based in part on the Commission’s authority to prohibit unfair and deceptive acts and practices. The US Consumer Financial Protection Bureau may issue similar guidance in the future that would apply to other US-based credit unions and banks, and EU residents may also have a private right of action to sue non-compliant companies under the US’s Computer Fraud and Abuse Act.

For further information and to review the Compliance Guide, please click here (Login Required).