During a Dutch press meeting about the new Payment Service Directive 2 (PSD2), an initiative to launch a privacy quality label for payment services was announced. This quality label should encourage financial service providers and fintech companies to focus on the privacy of consumers.
If you struggle to make ends meet, sooner or later you will get physical complaints, two Utrecht physicians wrote in Dutch newspaper AD/Utrechts Nieuwsblad of 7 March 2018. Those who want to lead a healthy life, will first have to make sure they’re in a healthy financial position. Being in control of your own finances and all related data is a part of that. De Volksbank offers a helping hand in both these areas.
The new European Payment Service Directive 2 (PSD2) paves the way for payment apps of new parties. Banks no longer have the exclusive right to offer payment services. This appears to be good news for consumers. But there is a downside too. Customers who share their data with any such new service provider, should take into account that part of those data are privacy-sensitive. A bank cannot recover such data once in the hands of other financial service providers, so the consumer cannot resort to anyone but himself if he regrets his decisions.
The Dutch Consumers' Association (Consumentenbond) has recently warned that personal data are already being collected on a large scale for commercial reasons. With the introduction of PSD2, this will only increase. Ninety days of access to personal information is sufficient for service providers to create digital profiles that can be traded. De Volksbank does not want to create profiles and is of the opinion that client information should be secure in the hands of the bank: ‘‘That means that we don’t sell information of clients, neither on an individual nor on an aggregated level. We earn our money as a bank, not by selling the data of our clients.'’
De Volksbank considers it to be its role of helping clients deal with their data in a secure and deliberate way in an environment that has changed. By providing information (free is never really free), but also by encouraging clients to take additional measures:
- When it comes to taking deliberate decisions on sharing data, clients should increase their self-awareness by operating a Main Switch. The default setting of the Main Switch should be ‘off’. Before a client is able to authorize the bank to share his data with third parties, he should first flick the Main Switch. The client should then authorize the sharing of data for each party. In so doing, he can stop sharing his data with any party at any moment. Alternatively, he can flick the Main Switch, blocking the access to his data of all parties in a single instant.
- In cooperation with De Volksbank, several other banks, KPMG and fintech companies, Privacy First is developing a PSD2 quality label. This should answer the call of the Central Bank of the Netherlands (DNB), which ascertained that as of yet there is no such quality label, while there is the need to have one. As far as we know, the Netherlands is the first country to be working on this issue. Thanks to the PSD2 quality label, consumers should at once be able to tell which parties they can or cannot entrust their data to. De Volksbank is working hard on further developing the quality label in order for it to be ready as soon as the Payment Service Directive 2 has been transposed into Dutch legislation.
The Privacy First Foundation supports the PSD2 privacy quality label. Privacy First would like it to become an international label which is recognized and supported by banks, fintech companies, financial service providers, regulators and consumer organizations.
PSD2 offers advantages, but also puts people’s privacy at risk. People are more than just consumers. Privacy First doubts whether the measures laid down in PSD2 to protect the data and therewith the privacy of people, will be sufficient. For the protection of personal data, PSD2 relies heavily on the new General Data Protection Regulation (GDPR). This regulation has not yet come into force and we don’t know which effects PSD2 will have in practice and what the monitoring of it will look like. Many organizations are not yet ready to comply with all of the GDPR requirements. However, they will not hold off providing their services. In turn, regulators are not yet ready to enforce all aspects of the GDPR. Introducing PSD2 is like going out to fly without checking the parachute.
We hope that the quality label will encourage financial service providers and fintech companies to start considering consumers as human beings. We want the requirements of the label to be set higher each year. We also want service providers to consider the ‘information behind the information’:
- The disclosure of behavior and data by others
- Services with the underlying aim of collecting data (improper application)
- Deducting data, such as transaction data from which sensitive personal data can be deduced.
We call on fintech companies to continue to explore ways to limit the amounts of data they collect and store. Think of excluding transaction data that could indicate religion, political preference or health status. Limiting the retention period of transaction data is another measure to take into consideration.
This article has also been published on privacy-web.nl.