In light of the recent judgement by the European Court of Justice regarding the validity of the "safe harbour" concept, the topics of data sovereignty and data confidentiality have been brought into focus. This is particularly relevant for MIFID II because of the additional data attributes required on traders, beneficial owners, etc. and the confidentiality associated with these.
Data sovereignty describes the concept that data stored in a digital form falls within the legal jurisdiction of the country in which it is stored. With increased global connectedness and use of cloud computing, this can be difficult to manage and ensure. The challenge is increased by different nations' stances on data privacy.
Safe Harbour is a policy agreed between the US and EU regarding the way that US companies handle private data about EU citizens. It is effectively a special process allowing data on EU citizens to be exported to US companies without them having to apply to each EU member state for permission and comply with the stringent guidelines of the European Commission Directive on Data Protection.
Based on revelations of mass internet surveillance by the US National Security Agency (NSA), as leaked by Edward Snowden in 2013, challenges have now been raised that companies are not meeting the requirements stipulated by the Safe Harbour policy and that the export of personal data would therefore be illegal.
Firms need to be very careful in identifying the data sovereignty issues they may face when dealing with companies, and their parent companies, that provide them with infrastructure and services related to their regulatory reporting. Since the data must leave the firm at some point in order to be reported to the NCAs, this data is susceptible to transfer across networks and to servers which may reside in different jurisdictions to that of the reporting firm. Additionally, firms need to consider legal oversight pressure that may be applied to their suppliers; examples of US firms having data that resided within the EU subpoenaed by the Department of Justice come to mind.
In summary, firms need to carefully evaluate all of their data responsibilities, not just those in the regulatory text, when conducting their selection process for vendors.