The worldwide recession of 2008 turned financial markets on their heads. Regulators around the world started to recognize that financial firms were suffering from the results of a dangerous lack of transparency. Many financial service providers operated with little-to-no accountability, and to remedy this issue the European Union and the United States passed major financial reforms requiring more robust monitoring and disclosure of communications and other information exchanged between employees. While these far-reaching financial reforms have helped curb the likelihood of fraud or market manipulation by ensuring that financial firms operate transparently, they have also raised privacy concerns among employees of regulated firms.
The cost of noncompliance with privacy protection laws can be very high. To ensure the law effectively deters the improper release of private employee data, the ePrivacy Regulation imposes steep penalties on firms that release private employee data. Violating the confidentiality, erasure, and other privacy protections found in the ePrivacy Directive could result in fines that reach €20 million or up to 4% of worldwide annual turnover (whichever is higher).
While the employee privacy issues detailed in this article have been mitigated to some degree by the laws and policies discussed above, MiFID II and the GDPR are designed to work in tandem and properly balance transparency and privacy.
The EU privacy protection laws in place before the financial crisis formed the basis for electronic privacy law on the continent, but MiFID II and the GDPR are shaping the development of employee data privacy across the financial sector. These laws demand transparency in financial markets, but they also impose strict requirements on the protection of employee data. Together, they form the bookends of EU data disclosure and privacy requirements for financial firms active on the continent.
Under MiFID II, financial firms must track and monitor every customer contact and transaction. Every phone call, email, and electronic communication coming from or going to a trader’s desk must be monitored. MiFID II casts a wide net, and the GDPR functions to rein in some of the compliance-related monitoring processes that could reasonably infringe on personal privacy.
GDPR protects customer privacy as well as the privacy rights of employees by limiting the legal basis upon which financial firms can use and process personal information. For example, under the GDPR, personal data can only be included as part of a compliance-related monitoring system to the degree that it is required for the performance of an employee’s work-related duties, necessary to comply with some applicable legal obligation, or vital to the interest of another employee, the employer, or a third party.
Together, the data collection and privacy protection policies established by MiFID II and the GDPR strike a careful balance, and compliance officers at today’s financial firms stuck at the fulcrum. In addition to implementing and monitoring the extensive compliance-related data collection and tracking systems required by new regulations, they must also take special care to avoid overstepping privacy barriers.
After all, if every written and verbal communication from a trader’s desk is monitored, it’s only a matter of time until the compliance systems pick up a piece of private information.
Well, that’s one hell of a conundrum…