Two years ago, details were given about how the bank ING fraudulently obtained personal data. The minister of the Economy requested an adjustment afterward, while the French banking supervisor sent me misinformation to cover up the case.
Boursorama, PSA Banque and RCI Banque have meanwhile obtained data in the same way (1). They took full advantage of the legal framework of the fight against money laundering and terrorist financing (LCB-FT), demanding data that cannot legitimately be required, such as the number of customers’ children.
Although these data are used for commercial purposes, the French data protection authority (Cnil) has remained particularly silent.
But in July 2018, a social housing office was fined 30,000 euros for using a list of tenants to send a letter criticising a decrease in housing benefits. The Cnil argued that data were “used outside the purposes they had been collected for” (2).
Three months later, five insurance companies, including Malakoff Médéric, Mutuelle Humanis Nationale and Humanis Assurances, were compelled to stop commercial prospecting based on a list of pensioners receiving a private pension; in doing so they had committed a "serious breach" (3).
A hotel in Paris had also been required to stop collecting certain data from customers, which were used for purposes not provided for in the Code for Entry and Residence of Foreigners and the Right of Asylum (4).
More than 60 penalties and warnings were issued from 2014 to 2018 for breaking data protection rules.
When it came to banks and their business, it seems that a deal was preferred...
Let’s first have a look at Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005.
It required banks to collect some new data from customers within the framework of LCB-FT and to carefully check bank transfers, especially unusual and significant ones.
As a result, the European Union countries had to review their regulations. The French Monetary and Financial Code was changed thereafter.
Alex Türk headed the Cnil over that period and issued, on 18th December 2008, a deliberation (5) about a forthcoming ordinance related to LCB-FT.
This deliberation was not sent to the database of legal texts (Legifrance) and was not available for public consultation.
I failed to get it when asking the Cnil to send it to me in 2018 but eventually got it in May 2019 through the Commission for Access to Administrative Documents (6).
This deliberation is basically a set of comments on a draft ordinance that requires banks to be vigilant and to report suspicious activities to the Tracfin unit. Customers are not to know whether they are under investigation, even through a specific Cnil procedure (droit d’accès indirect).
Banks were required to collect customer details about the business relationship and other "pieces of information". A ministerial decree was subsequently published and listed job, wage and estate data as being among them (7).
The Cnil pointed out that these data should only be used for LCB-FT: the draft texts "should in particular recall that the data thus collected are exclusively for the LCB-FT purpose" (in the original French: ces projets de textes "devraient rappeler notamment le caractère exclusif de la finalité de la LCB-FT des données ainsi collectées").
The deliberation we are talking about was published in December 2008. Interestingly, another one was published a few months later (2009-465, 9th July 2009 (8)).
The Cnil made new comments based on Act n°78-17 of 6th January 1978 on Information Technology, Data Files and Civil Liberties. Data collection should serve legitimate purposes and should not systematically cover every customer. More specific measures are required for persons connected to politics.
However, a few words among more than 2,500 stand out and change everything: customers should be informed of, "if need be, the other uses for which these data may be processed".
In other words, commercial use of these data would henceforth be allowed.
The Cnil authorised banks to do so in June 2011 in another deliberation (Autorisation Unique AU-003): "These data can be processed for other uses within the framework of the banking relationship as long as customers have been informed in accordance with Article 32(I) of Act n°78-17 of 6th January 1978".
Banks thus became immune from Article 226-21 of the Penal Code, which prohibits anyone from using data for purposes other than those they were collected for, unless an authorisation has been given.
Remarkably, this entitlement was created and inserted in a text dealing with the "fight against money laundering and terrorist financing", although it has nothing to do with that issue.
The only way for customers to prevent commercial processing of their data was to exercise their "right to object", since they were deemed to have agreed to it if banks stipulated it in their terms and conditions. Banks were not even required to obtain customers' specific consent.
Fortunately, the European Parliament did not accept that deal. What the Cnil had arranged was contradicted by a new directive issued on 20th May 2015 (9).
"Personal data shall be processed by obliged entities on the basis of this Directive only for the purposes of the prevention of money laundering and terrorist financing as referred to in Article 1 and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Directive for any other purposes, such as commercial purposes, shall be prohibited."
But what came next? Is there anything else that should be said?