As an NGO that promotes civil rights and privacy protection, Privacy First has been concerned with financial privacy for years. Since 2017, we have been keeping close track of the developments surrounding the second European Payment Services Directive (PSD2), pointing out the dangers to the privacy of consumers. In particular, we focus on privacy issues related to ‘account information service providers’ (AISPs) and on the dangerous possibilities offered by PSD2 to process personal data in more extensive ways.
At the end of 2017, we assumed that providing more adequate information and more transparency to consumers would be sufficient to mitigate the risks associated with PSD2. However, these risks turned out to be greater and of a more fundamental nature. We therefore decided to launch a bilingual (Dutch & English) website called PSD2meniet.nl in order to outline both our concerns and our solutions with regard to PSD2.
Central to our project is the Don’t-PSD2-Me-Register, an idea we launched on 7 January 2019 in the Dutch television program Radar and in this press release. The aim of the Don’t-PSD2-Me-Register is to provide a real tool to consumers with which they can filter out and thus protect their personal data. In time, more options to filter out and restrict the use of data should become available. With this project, Privacy First aims to contribute to positive improvements to PSD2 and its implementation.
Protection of special personal data
In this project, which is supported by the SIDN Fund, Privacy First has focused particularly on ‘special personal data’, such as those generated through payments made to trade unions, political parties, religious organizations, LGBT advocacy groups or medical service providers. Payments made to the Dutch Central Judicial Collection Agency equally reveal parts of people’s lives that require extra protection. These special personal data directly touch upon the issue of fundamental human rights. When consumers use AISPs under PSD2, their data can be shared more widely among third parties. PSD2 indirectly allows data that are currently protected, to become widely known, for example by being included in consumer profiles or black lists.
The best form of protection is to prevent special personal data from getting processed in the first place. That is why we have built the Don’t-PSD2-Me-Register, with an Application Programming Interface (API) – essentially a privacy filter – wrapped around it. With this filter, AISPs can detect and filter out account numbers and thus prevent special personal data from being unnecessarily processed or provided to third parties. Moreover, the register informs consumers and gives them a genuine choice as to whether or not they wish to share their data.
We have outlined many of the results we have achieved in a Whitepaper, which has been sent to stakeholders such as the European Commission, the European Data Protection Board (EDPB) and the Dutch Data Protection Authority. And of course, to as many AISPs as possible, because if they decide to adopt the measures we propose, they would be protecting privacy by design. Our Whitepaper contains a number of examples and good practices on how to enhance privacy protection. Among other things, it lays out how to improve the transparency of account information services. We hope that AISPs will take the recommendations in our Whitepaper to heart.
Our Application Programming Interface (API) has already been adopted by a service provider called Gatekeeper for Open Banking. We support this start up’s continued development, and we make suggestions on how the privacy filter can be best incorporated into their design and services. When AISPs use Gatekeeper, consumers get the control over their data that they deserve.
Knowing that the European Commission will not be evaluating PSD2 until 2022, we are glad to have been able to convey our own thoughts through our Whitepaper. Along with the API we have developed and distributed, it is an important tool for any AISP that takes the privacy of its consumers seriously.
Privacy First will continue to monitor all developments related to the second Payment Services Directive. Our website PSD2meniet.nl will remain up and running and will continue to be the must-visit platform for any updates on this topic.
The Privacy Collective press release
Millions of Dutch internet users victim of unlawful collection and use of personal data
The Privacy Collective takes Oracle and Salesforce to Court
The Privacy Collective - a foundation that acts against violation of privacy rights - is taking Oracle and Salesforce to Court. The foundation accuses the technology concerns of unlawfully collecting and processing data of millions of Dutch internet users. The foundation has launched a class action, a legal procedure in which compensation is claimed for a large group of individuals. It is the first time that this legal instrument is used in the Netherlands in a case of infringement of the General Data Protection Regulation (GDPR).
Christiaan Alberdingk Thijm, lead lawyer in the case: “This is one of the largest cases of unlawful processing of personal data in the history of the internet. Almost every Dutch individual who reads or views information online is structurally affected by the practices of Oracle and Salesforce. Practices that merely serve a commercial purpose.”
Online shadow profile
Oracle and Salesforce collect data from website visitors at any time and on a large scale. By combining this with additional information, they create a personal profile of each individual internet user. The millions of profiles are used, among other things, to offer personalized online advertisements and unlawfully shared with numerous commercial parties, including ad-tech companies. The tech giants collect their information using - among other things - specially developed cookies. Alberdingk Thijm: “Most people do not know that they have such an online 'shadow profile'. They don't know what it looks like and have certainly not given legitimate consent.” For the collection and sharing of personal data, Oracle and Salesforce are obliged to ask for permission under the GDPR. “These parties violate internet users' right to privacy. The right to protection of personal data and the right to protection of privacy are recognized as fundamental rights", says Alberdingk Thijm.
The possibility to claim damages in a class action was recently created under Dutch law.“Claiming damages in a class action is an important tool to ensure the enforcement of the GDPR,” says Joris van Hoboken, a board member of the foundation and professor in Information Law. “It gives the GDPR teeth.” The Privacy Collective calls upon individual consumers to register with the foundation in order to show their support. Based on the number of victims, the total extent of the damage could exceed 10 billion euros. Several organizations support The Privacy Collective's campaign, including Privacy First, Bits of Freedom, Qiy Foundation and Freedom Internet. The claims are being fully funded by Innsworth, a litigation funder. The organization’s funding enables the benefits of scaling common claims in a collective action, without any individual claimants being exposed to litigation costs. Inssworth finances a similar class action in England and Wales, which is currently being prepared.
Source: The Privacy Collective press release, 14 August 2020.
More information: https://theprivacycollective.eu/en/.