GDPR is here
Whatever might eventually happen with Brexit, most informed observers will have recently had cause to reflect upon the differential between data protection law in the European Union and that in other advanced jurisdictions such as the US. The recent publicity involving Facebook has emphasised the fact that European Union law is light-years ahead of other mature jurisdictions in this respect.
As far as the UK is concerned the story begins in 1984, when the first Data Protection Act introduced into UK law, for the first time, key concepts relating to the protection of personal information on which EU data protection law would later build.
As information technology advanced into more areas of business, invoice financiers devoted considerable resources to dealing with the next piece of legislation, the Data Protection Act 1998. There were various transitional provisions in this legislation, so it was not until 2000 that the invoice finance industry felt the full force of compliance with its provisions.
It is fair to say that, for an industry which has never been regulated, this came as something of a culture shock to some of its members. The Factors and Discounters’ Association (“FDA”) issued detailed guidance after liaising with the Information Commissioner’s Office (“ICO”), in particular on the key issue of the invoice financier’s notification obligations in the case of confidential financing (as we shall see below).
Of course in the two decades since 1998 the use of information technology and the consequential implications for personal data have expanded massively into all sorts of areas that may not have been foreseen 20 years ago.
EU GDPR
The EU has attempted both to meet the current situation and to anticipate future developments by means of the General Data Protection Regulation, which was finalised in April 2016. A two-year period was allowed for implementation. Being an EU Regulation rather than a Directive, the GDPR has direct effect in UK law from 25 May 2018 without needing to be transposed by a domestic statute, as the 1995 Directive was by the 1998 Act.
Data Protection Bill 2018
However, even without the added complications of Brexit there was much to be done by legislators in conjunction with the GDPR, and the result has been a highly complex and lengthy Data Protection Bill which is currently progressing through Parliament and which complements the GDPR.
EU Regulations are drafted very differently from UK statutes, so before we get to the operative provisions of the GDPR there are 173 Recitals to consider, setting out the broad aims, objectives and general principles which have been laid down. For example, when we come to consider the issue of an invoice financier’s obligations in relation to notification in a confidential facility we need to consider in particular recital 39, which provides: –
“It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. … That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed”.
The GDPR then sets out its specific requirements in 99 Articles, which are broadly equivalent to sections in a UK statute.
What is personal data?
“Personal data” is defined as “any information relating to an identified or identifiable natural person”, and
“an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4(1)).
Ever since the introduction of data protection law into the UK there seems to have been some confusion among financiers as to what is meant by “processing.” For example, there seems to have been a view that merely viewing information from a credit reference agency, without taking a copy, would not be covered.
This is not the case, as is made clear by the very wide definition in Article 4 (2): –
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Invoice financiers and clients
Therefore any processing of information within the above definition relating to individuals will be covered, which in relation to an invoice financier’s clients would normally include credit checks on a sole trader, a member of a partnership, any director or person with significant control of a limited company or limited liability partnership, and any guarantor or indemnifier who is an individual.
Invoice financiers and Debtors
As far as debtors are concerned, clearly sole traders would be covered, but there is a real issue as to the extent to which members of a partnership would be covered. Take the situation where an invoice identifies a debtor as “Smith and Jones” with a certain trading address. Copies are sent to the invoice financier in a disclosed facility, who then sends a statement of account, so information about the partnership is clearly being processed, but does this involve “personal data”? Are members of the partnership identifiable “directly or indirectly” by reference to the name of the partnership and their address?
When the ICO was asked by the FDA to give guidance on the 1998 Act, the ICO expressed the view that, to err on the side of caution, members of partnerships should be treated in the same way as individuals. Some may feel that this was an unduly restrictive interpretation, and that unless in a particular case individuals are readily identifiable simply from the name of the partnership, invoice financiers need not treat information about them as falling within the definition of “personal data.”
Who is a data controller?
The GDPR distinguishes between a data controller and a data processor. A controller is defined as the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4(7)).
Some commentators have sought to argue that in certain circumstances invoice financiers do not meet this test, but our view is that an invoice financier processing information will almost always fall within the definition of a data controller.
Principles relating to processing of personal data
The central principle of the GDPR is set out in Article 5.1 which provides that personal data shall be: –
“processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”.
This Article then proceeds to provide that data must be collected only for specified, explicit and legitimate purposes; must be adequate, relevant and limited to what is necessary; must be accurate and, where necessary, kept up-to-date; must be kept in a form which permits identification of data subjects for no longer than is necessary; and must be processed in a manner that ensures appropriate security (the “integrity and confidentiality” principle).
Article 5.2 provides that the data controller shall be responsible for and be able to demonstrate compliance with these key principles.
Bases of lawful processing
Personal data may only be processed under one of the conditions set out in Article 6, only two of which are likely to be directly relevant to invoice financiers.
The condition in Article 6.1 (a) is that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”
Article 6.1 (f) provides: –
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
When the 1998 Act came into force most commentators and those who drafted most of the relevant documentation assumed that consent of the individual would be the lawful condition for processing relied on almost exclusively by invoice financiers. This is why there are repeated references to consent throughout the documentation used by most invoice financiers in relation to both individuals concerned with clients and sole trader and partnership debtors (at least in disclosed facilities).
However, over the years the EU Commission, the ICO and others have come to the view that the consent given by individuals has too often been taken for granted, so in strengthening data protection law the EU has made it clear that, going forward, in order to rely on consent as a condition of processing the consent must be unambiguous and signified by a clear affirmative action (the higher standard of “explicit” consent is reserved for particular cases, such as the special categories of data under Article 9): –
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11)).
Article 7 of the GDPR therefore requires the data controller to be able to demonstrate that the data subject has consented, and Article 7.3 gives the data subject an explicit right to withdraw consent at any time.
Lawyers have therefore been turning to the “legitimate interests” condition as more appropriate in some areas of financial services, and our view is that invoice financiers would be well advised to use the legitimate interests condition as the main justification for processing personal data in most circumstances.
The ICO’s recent Guidance supports this shift of emphasis in certain areas of financial services, and certainly where the financier is not interfacing with consumers on a regular basis.
The ICO advises that as part of a controller’s regular compliance procedures it should undertake an analysis of the lawful basis for processing (what the ICO’s guidance calls a legitimate interests assessment where that basis is relied upon), which means that invoice financiers would be well advised to consider and document the fact that the basis for most of their lawful processing of personal data is their own legitimate interests, and the steps they are taking to ensure that such processing does not override the rights and interests of data subjects.
Special categories of personal data
The 1998 Act introduced the concept of “sensitive personal data”, which included, amongst other things, data relating to health and to criminal convictions.
The GDPR takes a different approach –
(1) data concerning health is included within the new definition of “special categories of personal data” in Article 9, which is unlikely to be relevant to invoice financiers save in relation to their employees;
(2) data relating to criminal convictions and offences is dealt with in Article 10, which permits processing of such data only in accordance with national law, which in the case of the UK means the Data Protection Bill 2018. There are some complex provisions in the Bill (which has yet to be finalised) which amongst other things may require invoice financiers who process such information to do so in accordance with a written policy complying with certain strict obligations.
Rights of the data subject: notification
The heart of the GDPR is the rights given to the data subject relating to the processing of personal information. For invoice financiers the key issue is the information to be provided to the data subject.
A distinction is drawn between the position where personal data is collected from the data subject, which is dealt with in Article 13, and where the controller comes into possession of personal data which has not been obtained directly from the data subject, which is dealt with in Article 14. Invoice financiers will normally be concerned with the former in dealings with clients and the latter in dealings with debtors.
Article 14.1 provides: –
“1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country …reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available”.
It should be noted that this is much the same as existing notification requirements under the 1998 Act. However, Article 14.2 goes further than existing legislation in requiring the following: –
“2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject”.
These obligations do not apply “where and in so far as the data subject already has the information” (Article 14.5(a)). So, for example, in disclosed invoice financing it would normally be permissible for this information to be provided to a sole trader debtor by the client rather than the financier. However, whatever is provided for in warranties in the invoice finance agreement or otherwise, it is important that financiers understand that the obligation to comply with the GDPR lies on them as controller, and cannot be delegated to the client or anybody else.
Therefore the better course in relation to sole trader debtors in a disclosed facility is for a comprehensive Fair Processing Notice to be supplied by the financier to all sole trader debtors known at take on and subsequently to those who come on board during a facility.
It seems that the requirement to give notice to sole trader debtors under existing legislation has rather fallen by the wayside in the operational processes of some invoice financiers. Even those who are currently in compliance with existing legislation must enhance their procedures to comply with the various additional requirements of the GDPR, for example in relation to the policy on data retention and the rights of rectification and erasure set out in Article 14.2.
When the 1998 Act came into force confidential invoice finance constituted a much smaller proportion of the invoice finance industry than it does today. There were however notification provisions in the 1998 legislation which required that: –
“the data controller ensures so far as practicable that …the data subject has, is provided with, or has made readily available to him” information about the identity of the data controller and the purposes of the data processing (see paragraph 2 of Part II of Schedule 1 to the 1998 Act).
Obviously this raised a serious issue for confidential facilities, so the FDA entered into discussions with the ICO which resulted in what effectively amounted to a concession being granted by the ICO, that it would be permissible for individual (and where relevant partnership) debtors to be told by the client that information would be processed by “our financiers,” provided that the identity of the financier would be revealed if the debtor asked for it.
The GDPR goes much further: there is no reference to the obligation to notify being limited to what is “so far as practicable”, nor to the information being “made readily available” as an alternative to actually providing it to the individual.
However, Article 14.5(b) provides that the notification requirements shall not apply where and insofar as: –
“the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”
How does this apply to confidential invoice finance? Assuming that a financier has information enabling it to identify a sole trader debtor, such as a name and address on a copy invoice or in a list of debtors provided by the client, how does each limb of this exemption apply?
(a) Impossibility
It is not impossible for the information to be provided.
(b) Disproportionate effort
Providing the information may be inconvenient but would not involve a disproportionate effort – this was the view of the ICO expressed to the FDA in relation to the 1998 Act, and is also the view of the EU Article 29 Working Party set up to offer guidance on the GDPR (see WP260 rev.01 Guidelines on transparency under Regulation 2016/679EU at paragraphs 61 – 64).
(c) Serious impairment of the achievement of the objectives of that processing
Different lawyers have come to different conclusions as to whether this limb of the exemption can properly be applied to confidential invoice financing.
At the UK Finance invoice finance conference in Leeds on 3 May 2018 the view was expressed that this part of the exemption does apply to confidential invoice finance, but some lawyers are more cautious and are doubtful that on its proper construction processing by a confidential invoice financier can be brought within this exemption.
It is one thing to say that notification to a sole trader would seriously impair the achievement of the underlying commercial objectives of a confidential invoice finance facility, but the precise wording of the exemption refers back to “that processing,” ie. “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.
To the layperson (and particularly to seasoned invoice financiers) the distinction may seem to be dancing on the head of a pin, but it is important to recognise that the GDPR has to be interpreted as a whole in the light of its stated objectives.
This is where the recitals on the overall purpose of the Regulation need to be considered. Reference has already been made to recital 39 above which sets out the starting point that an individual is entitled to know who is processing information about him and the reasons why. In addition: –
(1) recital 60 states:-
“The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes;”
(2) recital 61 states: –
“The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case”.
The concept of “transparency” is a major difference between the 1998 Act and the enhanced protection for individuals contained in the GDPR. We have already seen that the starting point for the GDPR in Article 5.1 requires data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject”, so when read against these provisions there must be at least a doubt as to whether a confidential financier is entitled to rely on the exemption in Article 14.5 (b).
The view of the EU working party in WP260 rev.01 at paragraph 65 is that: –
“To rely on this exception, data controllers must demonstrate that the provision of the information set out in Article 14.1 alone would nullify the objectives of the processing.
Notably, reliance on this aspect of Article 14.5(b) presupposes that the data processing satisfies all of the principles set out in Article 5 and that most importantly, in all of the circumstances, the processing of the personal data is fair and that it has a legal basis”.
The working party then gives an example of a bank giving a suspicious activity report under the anti-money laundering legislation: in such a case providing the data subject with notification would seriously impair the objectives of the legislation; however, even in this case the paper expresses the view that to comply with the exemption:-
“..general information should be provided to all account holders with [the Bank] when an account is opened that their personal data may be processed for anti-money laundering purposes”.
This interpretation and the wording of Article 14.5(b) itself do suggest that the exemption may well not have been intended to apply to confidential invoice finance. However, there are many other situations where the same issue arises, for example in block discounting and other areas of asset finance and securitisation in general, and our considered view is that it is worth exploring options to adapt existing operational procedures to minimise the chances of a successful challenge under the GDPR.
Consequences of Breaching the GDPR
There has been much publicity about the potentially devastating consequences of enforcement action by the ICO against breaches of the GDPR, with potential fines of up to €20 million or 4% of worldwide annual turnover if higher.
At the UK Finance conference in Leeds on 3 May it was reported that the ICO has indicated that, provided invoice financiers can demonstrate serious attempts to comply with the GDPR, the technical issue of whether notification is required to individual debtors in the case of confidential facilities is unlikely to attract enforcement action, the ICO having many other more deserving areas of potential non-compliance to focus upon.
However, the GDPR also gives individuals a right to compensation for damage suffered as a result of breaches (Article 82). Independent invoice financiers may have little to fear in this respect, but it is easy to foresee bank-owned financiers attracting the attention of the claims industry, or of individual claimants aggrieved at credit decisions taken in other areas of the bank’s business, wherever there is an arguable breach of the GDPR by an invoice financier owned or operated by the bank.
In addition to the operational considerations already discussed, from a drafting perspective all references to the data protection legislation in invoice finance agreements will need to be updated.
Fair Processing Notices, take-on letters to individual debtors and references in application forms and other preliminary client-facing documentation will also need to be updated.
In addition to the requirements referred to above, further points worth considering by invoice financiers are: –
(1) where personal data is obtained in an operation such as payroll finance, a Fair Processing Notice should be given to the individuals concerned, i.e. individual workers and self-employed contractors; it may be possible for this to be done by the client on behalf of the financier, but the obligation cannot be delegated, so it would be sensible for the financier to provide the client with its own Fair Processing Notice;
(2) invoice financiers should carefully consider the position in relation to their employees and others involved in the business. Again, a Fair Processing Notice should be provided to individuals explaining the use of personal data, and where health information or other information within the special categories in Article 9 is involved an Article 9.2 condition must be satisfied. Explicit consent (Article 9.2(a)) is one such condition, but because of the imbalance of power between employer and employee it will not always be freely given, so the condition for processing necessary to comply with obligations under employment law (Article 9.2(b)) will often be the more appropriate one.
If you require any advice on drafting or implementation of the GDPR please get in touch.