What Is Bank Privacy?
The right to financial privacy is the right of an individual to keep their financial information free from being illegally intruded upon, learned, collected, used or disclosed by others. To understand its connotation correctly, we first need to clarify the scope of "financial information". Generally speaking, financial information refers to all information and materials known to and held by financial institutions in their business activities, including the identity of individuals and the status of their various financial assets and transactions.
Financial privacy
- Identity Information
- Generally includes name, gender, date of birth, name and number of identity document, social security number, telephone number, mailing address, education level, occupation, etc. When applying for bank cards such as Visa and Mastercard, the applicant is also required to provide the status of family property, such as deposit account number, checking account number, housing ownership, car brand and age, financing channels, current debt, and creditor name and account number. Generally speaking, personally identifiable information covers many aspects and is easy to obtain through multiple channels, so it might seem that it should not be included in the scope of protection. The author believes that this information, because it is linked with dynamic information such as financial transactions, has consequences for the individual financial consumer and should fall within the scope of privacy protection.
- Trading Information
- It mainly refers to accounting information (such as bank account number, password, deposit and loan amount, etc.), credit information (such as number of card holders, overdraft records, etc.), investment information (such as the composition of securities account assets), and insurance information. This information comprehensively reflects the status of personal financial assets and credit status, and is more sensitive information for individuals.
- Subjective information
- Mainly refers to
- In legal theory, the subject of the right to privacy is understood to be limited to natural persons; that is, only natural persons have the right to privacy, and legal persons or other organizations cannot enjoy this right. The subject of financial privacy is a broad category of civil subjects. The subject of financial privacy has the right to exclude illegal infringement by persons other than the subject (including natural and legal persons). The subject of the financial privacy right of bank customers in China is of course the bank customer, but the concept of "customer" has no legal definition, so defining it rigorously is important. Bank customers include formal bank customers and substantial bank customers. A formal bank customer is a customer who holds a valid bank account, which is the normal state of a bank customer; a substantial bank customer is a customer who does not hold a valid bank account but has substantial financial information activities with the bank. Bank customers in the abnormal state are protected mainly for the following reasons: First, in
- The objects of the financial privacy right include: the credit status of the information holder, the transaction information of the information holder, and other relevant information from which the status and flow of the information holder's property can be judged, such as property status, operating liabilities, income and liabilities, personal files, tax records, and economic lawsuits that have a greater impact on the parties. At present, the legal and financial circles in the United States generally believe that the protection of customers' financial privacy rights by banks should cover the following three aspects: information about accounts; information about customer transactions; and any customer-related information obtained by banks through the customer relationship. The object of the financial privacy right mainly includes three aspects. First, the basic information of the account. This mainly refers to the identity information of the customer, for example the customer's name, gender, age and ID number. Bank customers must provide relevant personal information to the bank when opening an account, and the level of detail of customer information recorded differs between types of accounts. Ordinary savings accounts generally involve only basic identity information, while credit card accounts involve more personal information, including education, employer, residential address, contact phone number, and income level. In addition to the customer's identity information, it also includes information such as the time the account was opened, the account number, and the expiration date. Second, account transaction information. Account transaction information is the most important customer information, including: transaction time, type, nature, content, price, counterparty, account balance, and source of funds. Third, account derived information. Derived information of the account refers to other information generated by the customer on the basis of the account, for example the customer's business contacts.
- The right of financial privacy is not mainly manifested as a personality attribute that attaches to the civil subject itself as a passive interest; rather, it becomes a specific form of right of the civil subject. The right of financial privacy is different from the general right of privacy, which has spiritual interests as its object. It is a mixed right that has the nature of both personality rights and property rights. Unlike the traditional right of privacy, it is closely connected with the economic or property rights of the information holder. It is the organic unification of personal rights and property rights; as it transforms from personal interests to property interests, it has both personality and property attributes, and the property attribute is increasingly prominent. Within the framework of intangible property rights, the right to financial privacy has gradually transformed from personal interests to property interests, and is a new type of civil right separated from general personal rights. The purpose of the property rights rule is that those who want property rights must negotiate before obtaining them. Therefore, the property right nature of financial privacy rights gives individuals who were originally in a weak bargaining position the ability to negotiate over their information privacy rights. In the information age, such a property right model treats personal information as a resource that can be allocated either to the individual the information concerns or to a business operator other than that individual. Therefore, positioning these rights relatively independently and giving them independent property forms is conducive to maintaining the credit information benefits of market entities.
- Financial privacy has the following capabilities:
- Conceal power
- Information holders have the right to conceal their credit information so that it does not become known to others;
- Dominance
- Information holders can freely control their credit information, and decide for themselves whether to allow or disallow third parties to know and use their credit information;
- Remedy power
- When credit information is improperly leaked or violated, the information holder has the right to seek judicial relief. The core of financial privacy power is the domination of credit information and its benefits, that is, the information holders have control over their credit information.
- The rationale is that the information holder is not only the original source of its credit information, but also the final verifier of its completeness and correctness, and a participant in determining the scope of application of its credit information. Therefore, information holders must be given the right to actively control their credit information. The powers of financial privacy form a whole whose parts interact and influence each other. As the subject and object change and develop, old powers may disappear and new powers may arise.
- 1. The importance of the protection of financial privacy is drawn from a well-known British case.
- The first well-known case to establish a bank's obligation to protect financial privacy is the 1924 "Tournier" case. The plaintiff, Tournier, opened an account with the defendant bank; the account was subsequently overdrawn, and he failed to repay on time according to the installment agreement. The defendant bank informed the plaintiff's employer of the overdraft. This notification resulted in the employer's firm refusal to extend the plaintiff's expiring labor contract. The plaintiff therefore sued the bank on the ground that it had violated its obligation to protect financial privacy. The UK Court of Appeal found that the bank had breached its financial privacy protection obligations to customers and should be liable for compensation.
- The British courts invoked the "implicit clause" theory as the theoretical basis for determining that banks bear financial privacy protection obligations, holding that the bank had breached its financial privacy protection obligations to the customer and should be held liable. The court held that although there is no explicit clause on financial privacy protection obligations between the bank and the customer, there is an implied clause that the bank must not disclose information about the customer's account or transactions except in certain specific circumstances. It further pointed out that the scope of the bank's protection of customers' financial privacy is not limited to the customer's account itself, but includes any information obtained by the bank by virtue of its relationship with the customer. This obligation to protect financial privacy does not end when the customer closes the account or stops using it.
- 2. The connotation of "implicit clause"
- In the above-mentioned case, the court relied on the "implicit clause" theory as the theoretical basis for determining that banks should assume the obligation to protect financial privacy. The so-called "implied terms" are terms that should be included in the contract; although they are not stipulated in the contract itself, they are confirmed by the court when a dispute occurs. Generally speaking, implied terms can be divided into three categories according to different judgment standards: one is the de facto implied term, which refers to a term that is not explicitly stipulated in the contract but is necessarily included according to the parties' intentions; another is the implied term in law, which refers to a term that the parties may not have intended but that should be included in accordance with the law; the third is the customary implied term, which should be included in the contract according to custom and practice. The court recognized that there are implied terms between the bank and the client, mainly based on (1)
Bilateral coordination mechanism for financial privacy
- Background
- The bilateral coordination mechanism is a mechanism for coordination between two countries whose laws on the protection of financial privacy conflict, mainly through bilateral agreements under which they negotiate or hold dialogue on the protection of financial privacy rights and resolve conflicts. The Safe Harbor Agreement between the EU and the United States on privacy protection provides good material for studying the bilateral coordination mechanism for the protection of financial privacy.
- In the 1970s, the huge differences in privacy protection between the United States and the European Union became the focus of trade disputes. The United States adheres to a flexible protection strategy and uses a self-regulatory mechanism, backed by government law enforcement, to protect the right to privacy. The EU, however, tends to protect cross-border flows of personal data through strict legislation. Article 25 of the EU Directive on the Protection of Individual Rights in the Processing of Personal Data and Free Flows (hereinafter referred to as the Personal Data Protection Directive or the Directive) provides that personal data may be transferred to a third country only when that country ensures an adequate level of protection for personal data, a provision known as the European Union's "full protection" standard. The "full protection" standard sets a restrictive threshold for US companies to conduct business in the EU. To address this, the European Union and the United States reached the Safe Harbor Agreement in 2000. The goal of the "safe harbor" is to maintain the self-regulatory mechanism that the United States has long adopted while ensuring that American companies meet the higher EU protection standards.
- Safe harbor
- "Safe Harbor" refers to a public directory established by the US Department of Commerce. Any organization under the jurisdiction of the Federal Trade Commission and the United States Department of Transportation can voluntarily adhere to the rules of the "safe harbor", join this public directory and become a "safe harbor" member. To meet the requirements of the "safe harbor" and obtain its protection, organizations must take one of the following measures: (1) participate in a self-regulatory privacy protection project that complies with the "safe harbor" principle; (2) develop a self-discipline policy based on the "safe harbor" principle; (3) comply with laws and regulations on protecting the privacy of individuals. Institutions that take one of these three measures, engage in e-commerce as members of the "safe harbor" and voluntarily commit to abide by the seven privacy protection principles of the "safe harbor" are assumed to have met the "full protection" requirements and can continue to receive and transmit personal data from the European Union. Institutions joining the "safe harbor" must also assume certain obligations; that is, they must ensure compliance with the seven principles of the "safe harbor": (1) the notification principle; (2) the selection principle; (3) the outward transfer principle; (4) the safety principle; (5) the data integrity principle; (6) the acquisition principle; (7) the implementation principle.
- The "safe harbor" reflects the compromise between Europe and the United States in terms of privacy protection standards. First, in terms of data sharing among affiliates, the EU Directive provides clear selection procedures, and data sharing between affiliates can only take place with the explicit consent of the data subject. The "safe harbor" stipulates that consumers have the right to "opt out" when information is shared between affiliates; that is, when non-public personal information is shared between affiliates, consumers are given the option to terminate the sharing of this information, but the "opt-out" must abide by the "safe harbor" principle. Second, in terms of information transmission to non-affiliated third parties, the Directive also adopts the "selection" standard, which requires the explicit consent of consumers, whereas the "safe harbor" uses the "selection and withdrawal" method. It can be said that the "safe harbor" agreement requires US institutions to provide sufficient privacy protection for individuals in the EU, but it does not fully adopt the standards of the Directive; it is a compromise between the EU and US privacy protection standards.
- For historical reasons, the protection of financial privacy was not included in the Safe Harbor Agreement. However, the author believes that it is feasible to solve the problem of financial privacy protection between the EU and the United States in a "safe harbor" manner. First, the existing mechanism of the "safe harbor" agreement can shorten the negotiation time. The United States and the European Union negotiated the "safe harbor" agreement for nearly two years. If other coordination channels are sought, they too will require a lengthy negotiation process. Incorporating the information transmission of financial institutions into the "safe harbor" can make use of the existing negotiation results, so that the point of contention between the two sides is limited to financial privacy protection standards, thereby greatly reducing the negotiation time. Second, inclusion in the "safe harbor" can save costs and solve the problem in one go. Some scholars have proposed the "standard contract" method, in which financial institutions in the United States individually apply to the EU data protection authorities and the two parties sign a contract to obtain individual approval for data transmission. However, this proposal is not feasible, because individual negotiation means thousands of contracts and very high implementation costs. Inclusion in the "safe harbor" can greatly reduce costs. Third, incorporating financial information into the "safe harbor" has certain resource advantages. The "safe harbor" mechanism has been in operation for more than six years. After several years of practice and improvement, the "safe harbor" has become an effective mechanism for bilateral data privacy protection. Incorporating financial information into the "safe harbor" can take advantage of the existing mechanism to solve the problem of protecting financial privacy information as soon as possible.
- The "safe harbor" model can also be implemented between the EU and other countries that do not meet the EU's "full protection" standards. If a country with a weak level of data protection blindly raises its level of protection to meet high-standard countries, it will inevitably lead to a disconnect between legislation and practice, cause a heavy burden on domestic financial institutions, and affect the financial order of a country. The method of compromise can effectively bridge the gap in privacy protection between countries, and it is a method worthy of reference.
Multilateral coordination mechanism for financial privacy
- Introduction
- The multilateral coordination mechanism protects the right to financial privacy through the establishment of international organizations or the signing of international treaties. Coordination committees or similar institutions can be set up to specifically coordinate and operate. Multilateral coordination mechanisms include regional multilateral coordination mechanisms and global multilateral coordination mechanisms.
Regional multilateral coordination mechanism for financial privacy
- In the mid-1980s, both developed and developing countries scrambled to invest in regional economic integration, setting off a wave of regional economic integration. The scope of regional cooperation has covered trade, investment, taxation, finance and other fields, and is still expanding. The cross-border movement of people and economic exchanges have put forward new requirements for the protection of financial privacy. Some regional organizations are keenly aware of these needs and have started to focus on international cooperation in the protection of financial privacy. The establishment of regional cooperation organizations and the signing of regional treaties are the main forms of regional multilateral coordination mechanisms. The Organization for Economic Cooperation and Development (OECD) has done a lot of work on the protection of personal data privacy, issuing the "Guide to Protecting Personal Privacy and Cross-Border Personal Data Flow" in 1980, the "Declaration on Cross-Border Data Flows" in 1985, and the "Declaration on the Protection of Personal Privacy on the Global Network". The "Guide" of 1980 was the first achievement of international cooperation in the protection of personal privacy and personal data. "Personal data" in the Guide refers to information about identified and identifiable individuals; its scope is very broad, and personal financial information is also included. This definition is widely adopted in the field of data privacy protection and is basically adopted by EU countries. The purpose of the Guide is to achieve minimum standards for privacy protection among member states, reduce the differences in national legislation, and reduce the risk of infringing on the privacy of individuals due to data flow. The Guide provides eight principles for the processing of personal data: the principle of collection restrictions, the principle of data quality, the principle of purpose specification, the principle of use restriction, the principle of security protection, the principle of openness, the principle of individual participation, and the principle of responsibility.
- The European Union is an effective organization in regional cooperation and coordination in the protection of financial privacy. As early as 1980, the European Parliament completed the Convention for the Protection of Automated Personal Data concerning the protection of personal data. As the European Union has developed, more attention has been paid to the protection of personal information and privacy: in 1995, the European Union passed the Personal Data Protection Directive, and in 1997 the Telecommunications Personal Information Processing and Privacy Protection Directive; in October 1998, the "Private Measures for the Protection of Personal Data on the Internet" formulated by the European Union came into effect. The Directive is the core norm of the EU personal data protection legal system, with a total of 34 articles. "Personal data" in the Directive refers to any information related to an identified or identifiable natural person (data subject), including physical, physiological, economic, cultural, social and other aspects. The protection of financial information is also reflected in the Directive. The Directive covers almost all issues concerning the processing of personal data, including the form of personal data processing and the collection, recording, organization, storage, modification, repair, consultation, use, disclosure, dissemination, deletion, destruction and retrieval of personal data. The objectives of the Directive are: (1) to ensure the rights of individuals and their privacy in the information society; (2) to establish a coordinated protection mechanism that promotes the free circulation of personal data within the EU by establishing uniform personal data protection rules among EU member states; (3) to prevent misuse of personal data due to insufficient protection in third countries. Countries have implemented data protection legislation in accordance with the Directive, and EU member states have now basically formed uniform financial privacy protection standards.
- APEC also reached the APEC Privacy Protection Framework at the 17th Annual Ministerial Conference in Busan, South Korea. The Framework aims to promote trade development in the Asia-Pacific region by integrating and promoting efficient information privacy protection and ensuring the free flow of information in the region. "Personal information" in the Framework refers to any information that is identifiable or sufficient to identify an individual. However, publicly available materials such as legally disclosed government archives, news reports or legally disclosed personal data are not protected. The Framework applies to individuals or institutions that collect, hold, process and use personal data. The Framework stipulates the following principles: the principle of prevention of damage, the principle of notification, the principle of collection limitation, the principle of use of personal data, the principle of party autonomy, the principle of integrity of personal data, and the principle of security management.
Global multilateral coordination mechanism for financial privacy
- The global multilateral coordination mechanism mainly consists of establishing specialized international organizations and developing industry guidelines, principles, memorandums of understanding and similar instruments that provide reference standards for the protection of financial privacy in various countries. The Data Protection and Privacy Commissioner's Meeting, which began in the early 1980s, is an important organization in the field of personal data privacy protection. Its predecessor was the Western European Data Protection and Privacy Commissioner's Meeting. The conference is held once a year and has now developed into a worldwide data privacy protection conference. In 2005, the 27th Session of the Commissioner for Data Protection and Privacy was held in Montreux, Switzerland, and adopted the Montreux Declaration. The "Declaration" emphasizes the protection of data privacy on a global basis while respecting differences. The "Declaration" clarifies the details of the right to data privacy, treats data privacy protection as part of the protection of human rights, stresses the enforcement of privacy protection legislation, and calls on countries to actively cooperate in data privacy protection.
- With the increasing role of data transmission in international trade, the link between the World Trade Organization (WTO) and personal data protection has become increasingly close. There are four types of trade in services stipulated in the General Agreement on Trade in Services (GATS): cross-border payments, cross-border consumption, commercial presence and natural person mobility. The first and second types involve the cross-border transfer of data. In the third case, human resources information will also be taken abroad by multinational companies. The provisions related to privacy protection in the WTO are the "executive exceptions" in Article 14 "General Exceptions" of GATS. Provided that they do not constitute arbitrary or unreasonable discrimination or a disguised restriction on trade in services, measures necessary to ensure compliance with laws or regulations not inconsistent with this provision include, among others, the protection of personal privacy related to the processing and dissemination of personal information and the confidentiality of personal records and accounts. GATS allows countries to adopt and implement privacy protection measures, provided that these measures do not discriminate unfairly against other countries or create trade restrictions. Such a rule not only reflects the WTO's respect for the sovereignty of countries, but also shows the WTO's attitude towards privacy protection, namely that privacy protection must not become a non-tariff barrier.
- Some scholars have proposed establishing a "General Agreement on Information Privacy" (GAIP) under the WTO framework to promote the protection of the cross-border flow of citizen information. Professor Joel R. Reidenberg believes that GAIP should be committed to establishing a system in which various regimes coexist in the short term, and that its long-term goal is to promote the unification of information privacy management standards. Professor Reidenberg proposed that the core content of data protection can be specified at the WTO level, basic data protection standards can be established, and these can be incorporated into multilateral trade agreements. Because of the large number of WTO member states, incorporating GAIP into the WTO framework can form a unified standard for information privacy protection among member states, greatly promoting the unification of global information privacy protection.
- However, due to the significant social, historical, and cultural differences in the protection of information privacy, there are many difficulties in incorporating it into the WTO system: (1) The WTO is based on free trade and a market economy, and is an organization that implements multilateral trade rules. Some principles for dealing with trade issues are not necessarily suitable for non-trade issues. If non-trade issues are included in the WTO system, it will distort the function of the multilateral trading system and even threaten its stability, thereby damaging the WTO. (2) The remedy for violations of WTO principles is trade sanctions, whereas violations of private privacy are mostly remedied through private compensation and compulsory injunctions to safeguard individual rights, and the differences in punishment mechanisms are difficult to reconcile. (3) The right to privacy appears as a human right in many countries and involves human rights issues, and it is very difficult to coordinate the differences among countries. (4) The inclusion of information privacy issues in the WTO system may detract from the protection of private privacy rights. The WTO aims to promote trade liberalization, while information privacy protection focuses on private rights. If information privacy is negotiated in a trade organization such as the WTO, it is very likely that, in order to promote trade development, the free flow of information will be favored and the protection of the right to privacy will be impaired.