Introduction
In recent years, banks have increasingly reduced their in-branch services, pushing customers toward the use of automated teller machines (ATMs). This shift has made ATMs a critical component of daily financial transactions. However, frequent ATM outages pose significant challenges, prompting the question: should ATM unavailability be considered a breach of data protection obligations? We argue that under the Data Protection Act, 2020, such unavailability is a data breach, and consumers can use this law to hold banks accountable.
I. Forced Reliance on ATMs
The banking industry has undergone substantial changes, with many banks closing branches and reducing the range of services available in person. This has effectively forced customers to rely on ATMs for their banking needs. The convenience of ATMs is undeniable, but this forced reliance comes with its own set of problems, especially when banks who operate a monopoly on this service refuse to make them available.
Context Setting: In recent times, repeated attacks on security companies servicing ATMs have led banks to stop maintaining a number of ATMs across the island. This has left many communities without easy access to cash and holding the country to ransom.
II. Banks’ Commitments and Failures
Banks’ service agreements often include commitments to maintain the availability of ATMs. However, they are failing to live up to the promises made in the agreements with their customers. This failure to uphold their commitments raises serious questions about banks’ reliability and their obligation to provide continuous service.
Below are some of the promises, made in their Financial Services Agreement, by one of our local banks made to their clients in relation to ATMs made to customers found of one of our banks:
Self-Service Banking Options
Our Automated Banking Services , offer you the convenience of paying bills, checking your balance, and transferring funds to other bank Accounts and in some countries to accounts at other banks any time you choose.
Automated Teller Machines (ATMs): With your Card and PIN, you can access your local currency Accounts and, where available, foreign currency accounts through any ATM/ABM in the country where your Account is Domiciled.
“You can access your designated accounts through the following delivery channels (where available): designated automated teller machines (ATMs)
You may also, for a fee, access the funds in your Accounts (cash withdrawals) by using banking machines of other financial institutions in the country where your Account is Domiciled
III. Legal Framework: Data Protection Act, 2020
Under Section 30 of the Data Protection Act, 2020, data controllers are required to ensure the availability, integrity, and resilience of systems that process personal data. ATMs, which process sensitive financial information, fall under this category. Therefore, prolonged or frequent unavailability of ATMs could be interpreted as a breach of this legal obligation. In addition to their contractual obligations and duty of care owed by Banks to their customers, Banks are expected to implement measures that ensure their systems, including ATMs, remain operational and resilient against disruptions.
IV. Impact of ATM Unavailability on Data Subjects
The impact of ATM outages extends beyond mere inconvenience. For individuals, the inability to access cash has disrupted daily transactions such as purchasing groceries, paying bills, or commuting. Businesses, particularly those that rely on cash transactions, face significant operational challenges and financial losses. The 2011 ATM outage, for instance, highlighted these issues, causing widespread inconvenience and financial difficulties. Customers’ trust in the banking system can also be eroded, leading to long-term implications on their financial decisions.
Just yesterday, I had to go to Trelawny to make a data protection presentation and realized that I did not have money for the toll. I stopped at the last gas station before the toll that I knew had ATMs from two different banks. None of them worked. I ended up propositioning persons at the gas pump to pay for their gas with my card so I could get the cash. The same thing happened in Montego Bay; I went to at least three different ATMs, and none of them worked. This personal experience highlights the practical challenges and inconveniences that arise from ATM unavailability.
V. Holding Banks Accountable: What Consumers Can Do Under the Data Protection Act
The Data Protection Act, 2020, provides several avenues for consumers to take action against entities that fail to comply with data protection standards. When it comes to ATM availability, consumers may argue that unavailability impacts their access to personal data, thus constituting a breach under Section 30, which mandates data controllers to ensure the availability and resilience of processing systems and services.
Filing a Complaint Under the Act, consumers have the right to file a complaint with the Data Protection Commissioner if they believe their rights under the Act have been violated. This includes instances where ATMs are frequently unavailable, potentially impacting the availability of personal financial data. The Commissioner has the authority to investigate these complaints and issue enforcement notices to compel banks to rectify the situation.
Seeking Compensation Consumers can seek compensation for any damage or distress caused by a bank’s failure to ensure ATM availability. This includes situations where the lack of access to ATMs has caused financial hardship or other inconveniences. The Act provides for penalties against data controllers, including fines and other corrective measures, ensuring that banks take the necessary steps to prevent such breaches in the future.
Conclusion
ATM unavailability should be treated as a data protection breach under the Data Protection Act, 2020. Banks have a legal and ethical obligation to ensure the continuous availability of their ATM services. Consumers need to be aware of their rights and take action when these obligations are not met. By holding banks accountable, we can ensure better service, enhanced security, and greater trust in our financial institutions.
Chukwuemeka Cameron is an attorney-at-law, a privacy practitioner with a master’s in Information Technology and Management for Lawyers, and a certified lead implementer of ISO 27001. He is the founder of Design Privacy, a company that helps you comply with local and international privacy laws. He can be contacted at [email protected].