The European Data Protection Supervisor (EDPS) has urged EU law makers to adopt tighter restrictions on the type of ‘customer data’ that is proposed to come within new data sharing schemes for the financial services sector, as well as how such data can be
accessed. The EDPS is an independent European supervisory authority mandated to monitor and ensure that European institutions respect data protection requirements.
In June, the European Commission proposed a package of reforms to promote (and manage) data sharing in financial services. The reforms form part of the EU’s wider digital finance strategy, comprising a new framework for financial data access and new rules
specific to payment services and e-money services.
The proposed framework essentially enhances the data access rights that apply in the payment services market already under the second Payment Services Directive (PSD2). It does this by extending the associated rights and obligations to a wider range of financial
services firms, providing for industry-led financial data sharing schemes to govern access to customer data. The framework also contemplates scheme rules addressing the charges ‘data holders’ will be able to levy ‘data users’ for facilitating access to the
data, as well as other matters such as contractual liability and dispute resolution.
The category of businesses classed as data holders is broad, including insurers, investment firms, crowdfunding providers, credit rating agencies, and crypto asset service providers. Under the framework, these data holders will be obliged to make customer
data available for access under the proposed new regime. In tandem, those businesses would, as data users and subject to customer permission, also have rights of access to customer data held by other data holders.
Data is widely recognised as being vital to understanding customers and developing products and services that suit their needs. The proposed reforms aim to democratise data held by data holders by ensuring that more businesses have access to the data, thus
promoting data-led innovation and greater competition in financial services markets.
The EDPS, however, has published an opinion calling for the categories of personal data that could fall within the definition of ‘customer data’ under the proposals, to be “clearly circumscribed, taking into account the risks for individuals whose personal
data would be accessed and used”.
The types of ‘customer data’ that could be shared under the Commission’s proposals are reasonably extensive. The data includes customer data on mortgage credit agreements, loans and accounts – including data on balance, conditions, and transactions – as well as on savings and investments, crypto assets, real estate and other related financial assets, customer data on pension rights, some non-life insurance products, as well as data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating.
The EDPS, in its opinion, described the definition of ‘customer data’ in the proposals as “particularly broad” and said it could capture “personal data of a highly sensitive nature”. This could include, for example, health-related data and other data that
would constitute ‘special category data’ under the General Data Protection Regulation (GDPR). The GDPR mandates additional protections for special category data due to its potentially sensitive and privacy-intrusive nature.
“Allowing financial institutions to access highly sensitive personal data through the proposal’s data sharing, access and use provisions not only constitutes an interference with their fundamental rights to privacy and protection of personal data, but could
also entail significant risks to the rights and freedoms of individuals, such as risks of financial exclusion via price discrimination, or refusal to supply financial products,” the EDPS stated. “This outcome would run counter to one of the stated objectives
of the proposal…namely to ensure that the categories of personal [data] within scope of the proposal ‘allow for innovative products to the benefit of consumers to be developed, while being least intrusive for data subjects in terms of limiting fundamental
rights, notably the right to privacy and the protection of personal data’.”
The EDPS also called for data created as a result of profiling to be explicitly excluded from the definition of ‘customer data’ in the new framework.
The EDPS opinion urges EU law makers to require ‘data users’ under the proposed framework to “clearly outline … the specific types of customer data they seek access to” each time they file a request to access the data with ‘data holders’. This, it said,
would “ensure that customers are able to selectively allow access to certain types of customer data…but not all”.
“For instance, a customer may wish to share savings account information with a specific data user but not pensions- or investment-related data,” the EDPS said. “This requirement, in addition to the transparency requirements under the GDPR, would help to
avoid the risk of broadly-worded and generic requests for access to personal data, regardless of the eligible entities holding it or the sensitivity of specific datasets.”
The EDPS, in expressing these views, has highlighted some of the fundamental principles of data protection which it feels require further consideration as the proposed package of reforms is developed. Applying those principles and the protections they afford to individuals (and ensuring that the individuals remain empowered) with regard to the sharing and use of their financial and related personal data is at the core of its opinion. It is, on one level, something of a ‘reminder’ to stakeholders in the package of reforms of those principles and that these need to be respected.
The EDPS recognises the benefits to consumers arising from increased competition in financial services through innovation. It is, however, flagging that these drivers should not put data protection rights at risk or override the rules relating to legitimate use of personal data.
One means of seeking to secure this is reflected in the EDPS’ desire for the European Data Protection Board (EDPB) to have a more central role in the formation of new guidelines under the proposal.
The EDPB is an independent European Union body whose purpose is to ensure consistent application of the GDPR and to promote cooperation among the EU Member States’ data protection authorities. It can also play a significant role in the determination of findings of non-compliance with the GDPR, as well as fines levied in respect of non-compliance.
The function of the guidelines would be to help clarify, amongst other things, appropriate uses of personal data and protect vulnerable consumers. The responsibility for preparing the guidelines rests predominantly with EU supervisory authorities in financial
services, not the EDPB.
“To ensure that the guidelines are fully aligned with data protection law, the EDPS considers a formal consultation of the EDPB to be necessary,” it said.
“The EDPS also recommends extending the scope of the future guidelines to other relevant financial products and services, such as to mortgage credit agreements, payment services, other insurance products, investment products, and pension products. The guidelines
should also elaborate, where appropriate, on the limits for combining ‘customer data’ with other types of personal data, such as personal data obtained from third party sources (for example, social media networks or data brokers),” it added.
The publication and focus of the EDPS opinion is perhaps not unexpected, given the remit of the EDPS. It is also not the first time that we have seen a call on EU institutions to more deeply consider the potential impact and outcomes for individuals from
measures that, overall, are intended to be for their benefit.
The impact of the opinion, and any involvement of the EDPB in developing guidelines under the framework, may ultimately mean having enhanced controls on data sharing embedded within the framework in its final form. This might lead to additional administrative
burdens for financial services businesses seeking to utilise the framework, which in turn may potentially ‘chip away’ at some of the overall benefits that the Commission is seeking to achieve through its proposals.
The European Commission’s proposals for the framework are not a ‘done deal’. They are subject to scrutiny, amendment, and approval by the European Parliament and Council of Ministers, and this can be a lengthy process. The EDPS’ opinion is not binding on
the law makers, but is considered influential.