Law of financial services

The rapid expansion in trade and electronic communication over the last several years has raised much concern in the global market. The public, government, policy makers and the media have expressed the need to develop policies and laws aimed at protecting personal information and business transactions (Bygrave, 1997). In the last decade a number of countries have adopted laws and policies to guarantee privacy as the world is integrated into a village by trade and ICT.

The right to privacy has been acknowledged and ratified in several international conventions. An example is Article 12 of the United Nations International Covenant on Civil and Political Rights, which states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence nor attacks upon his honor and reputation. Everyone has the right to the protection of the law against interference of attacks” (Ibid, 1997).

The aim of the Data Protection Act, which was amended in 1998, is to provide for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of information (Bygrave, 1997).

The principles of the U.S Data Protection Act, according to the Act, include: that the information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully; personal data shall be held only for one or more specified and lawful purposes; personal data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that purpose or those purposes; personal data held for any purpose or purposes shall be adequate, relevant and not excessive in relation to that purpose or those purposes; personal data shall be accurate and, where necessary, kept up to date; personal data held for any purpose(s) shall not be kept for longer than (Bennett, 1992).

This helps banks and customers to ensure that customer information is held responsibly and that the risks that relate to financial data are minimized.

Besides, different countries have developed policies directed at protecting specific information. In the US, the National Education Statistics Act of 1994 was enacted to tighten access to personal data collected in the education field (Bennett, 1992). There is no single law that provides a comprehensive treatment of data protection in the US. The Privacy Act of 1994 and the Computer Matching and Privacy Act deal only with how personal information held by the Federal government should be handled (Ibid, 1992). Noticeably, the United States has largely avoided legislation to govern the treatment of personal information in records held by institutions other than the Federal government (Bennett, 1992).

However, the US has adopted laws to address the treatment of personal financial information in records systems held by private financial firms (Bygrave, 1997). An example is the Fair Credit Reporting Act, which regulates the treatment of personal financial information held by consumer credit reporting agencies (Bygrave, 1997).

Unlike the U.S, Europe adopted privacy protection laws through omnibus legislation that covers both the public and private sectors (Bennett, 1992). Europe developed two supra-national policies to deal with data protection: the Council of Europe’s Convention on Data Protection, and the EU Data Protection Directive (Ibid, 1992). The EU Data Protection Directive was adopted in October 1995. The directive sets standards for the treatment of personal data collected from individuals and for the individual right of access, notification and connection.

Whereas EU states have adopted a full approach to privacy legislation, the United States has taken a piecemeal approach to data protection and privacy. The EU recognizes the right to privacy as a fundamental right, and hence it has been serious in implementing its laws and policies on data protection and privacy. To ensure data protection for citizens in the member states, Article 25 of the EU data directive provides that EU member states may transfer personal data only after determining that the third country in question ensures an adequate level of data protection (Bennett, 1992).

In privacy and data protection regulation, the US has largely maintained its policy of not directly regulating the private sector. US privacy and data protection policy in the private sector has been self-regulatory. The Federal Trade Commission has been continuously working with the private sector to develop a voluntary code of conduct (Bygrave, 1997).

This self-regulatory approach is not sufficient to ensure adequate data protection and privacy. There have been cases that exhibit developments of data protection in Europe. In 2007, Germany increased the thresholds for the requirement for a data protection officer (Bennett, 1992). This was done to ensure there is more vigilance in checking on cases of private data invasion and intrusion. In France, the data protection and privacy regulator (CNIL) has sought to balance the restriction on collecting data relating to a person’s racial or ethnic origin in order to implement the prevention of racial and ethnic discrimination in the workplace (Ibid, 1992).

A very popular case in the UK is one where the body in charge of fighting security breaches (FSA) applied a fine of almost 1 million on Nationwide Building Society. The FSA found that Nationwide’s security system and controls were inadequate and that it had breached principle 3 of FSA’s. In that case it emerged that a laptop had been stolen from the home of an employee in Aug 2006 and that it contained customer information (Bennett, 1992).

Thereby, Nationwide Building Society management failed to adequately deal with the breach of security. In another case, the UK Information Commissioner’s Office (ICO) implicated eleven banks in a breach of their obligations as data controllers under the Data Protection Act of 1998 (Bygrave, 1997). These banks included The Royal Bank of Scotland, National Westminster Bank plc, Barclays Bank plc, and the Co-operative Bank plc. They were found to have disposed of documents containing personal data of their customers in waste receptacles.

As in the cases above, all EU member states have been implementing privacy and data protection policies that adequately address the needs of traders and consumers in the region.

In the US, the adequacy of policies and laws to address customers’ needs differs from state to state (Bennett, 1992). Some states have developed and adopted policies and legislation that guarantee adequate protection of consumers and traders in this digital age. In Minnesota, retailers will be fined for data compromises when they violate industry standards of data protection under the state’s law (Ibid, 1992).

The law adopts the Payment Card Industry Association (PCIA) data protection standards, which provide that firms are not to retain data from a card, including security codes, PINs, and magnetic strip data, for more than two days after the transaction is approved. However, the federal government does not have clear-cut protection for private data and privacy, especially in the private sector.

The federal government can also obtain the IP addresses of websites a person has surfed without a warrant (Bennett, 1992). In the case U.S vs. Forrester, it was held that, unlike the content of those communications, obtaining the header information does not violate a reasonable expectation of privacy under the Fourth Amendment of the Constitution (Bygrave, 1997). Also, a Sixth Circuit panel held that web users have a reasonable expectation of privacy in the content of their email, even where the ISP has a contractual right to look at the email.

It is implied that, unless the user policy provides for monitoring, inspecting or auditing of an account, there is a societal expectation that the ISP or the phone company will not read the contents as a matter of course. The court in the ruling likened it to an ISP scanning email for child pornography or spam, or the post office scanning for drugs or explosives. In contrast, in 2007, the European Court of Human Rights ruled that a U.K employer was wrong in law in monitoring the private mail, phone and internet use of one of its employees. In that case, Copland vs. United Kingdom, the court quoted articles of the European Convention on Human Rights.

In conclusion, data protection and privacy have been a great issue since the advent of the digital era. Governments are under an obligation to ensure that the privacy of consumers and traders is guaranteed. In Europe, there is adequate data protection and privacy. In the U.S, there is inadequate data protection and privacy for consumers and private institutions. The U.S government should consider regulating private institutions in relation to privacy and data protection through legislation.


Bennett, Colin J. (1992). Regulating Privacy: Data Protection and Public Policy in Europe and U.S. Ithaca: Cornell University Press.

Bygrave, Lee A. (1997). Data Protection Pursuant to the Right to Privacy. International Journal of Law and Information Technology, 6(3).