On 19 June 2018 the ECJ handed down a judgment (C-15/16) revealing some interesting views on the confidentiality of information a regulated entity provides to regulators.
Information relating to a supervised entity and communicated by it to the competent authority including all statements of that authority in its file and correspondence with other bodies do not constitute, unconditionally, confidential information and thus is not unconditionally protected by the obligation to maintain professional secrecy. The ECJ considers the need for protection of professional secrets to decrease over time meaning that after a period of five years information usually are not relevant for businesses and hence no longer confidential. Confidentiality has to be reassessed at the time of a disclosure request; the confidentiality at the time the entity provided the information is irrelevant. Therefore, it is likely that information only stays classified in the future if the disclosure would likely adversely affect
- the interests of the party who provided the information or of third parties, or
- the proper functioning of the system for monitoring the activities of investment firms that the EU legislature established in adopting Directive 2004/39.
So, if the information is at least five years old it must be considered historical and therefore as having lost its secret or confidential nature. The exception: the party relying on that nature shows that, despite the time gone by, information still constitutes an essential element of its commercial position or that of third parties respectively. As this is an exception from the rule, it is not the one claiming disclosure that has to prove reasons to declassify the information. The exception makes it a reverse burden of proof and the party who pleads for the need for protection has to explain that the sensible information is still an essential.
Background: an investor had requested information about of a now-defunct securities trading bank from the German Financial Supervisory Authority (BaFin). The bank had run a Ponzi Scheme with their customers’ money. The request for information aimed to back up claims the investor wanted to pursue to cover his losses. Based on Article 54 of Directive 2004/39/EC (MiFID), BaFin had rejected the demand because of the need for protection of confidential information. The rejection will now be reassessed by national courts based on the ECJ ruling.
Impact: For now, this ruling affects MiFID-entities. However it is likely to impact insurers in two ways. One is that they might be forced to proof the confidentiality of their information. The second is the increase of claims made against financial institutions or at least the increase of legal costs in related litigation given the access to documents, which both could have an adverse effect on claims payments under the (liability/fidelity/D&O) insurance cover for these institutions.