Out-Law News (reading time: 5 min.)
24 Aug 2023, 1:07 pm
A data protection watchdog has called on EU law makers to place tighter restrictions on the type of ‘customer data’ earmarked for new data sharing schemes within the financial services sector.
In June, the European Commission proposed a package of reforms – specifically, a new framework for financial data access, and new rules specific to payment services and e-money services – that promotes data sharing in financial services, subject to certain conditions being met.
The proposed new framework for financial data access essentially enhances the data access rights that apply in the payment services market already, under the second Payment Services Directive (PSD2), and extends the associated rights and obligations to a wider range of financial services firms. It provides for industry-led financial data sharing schemes to govern access to customer data, with scope for scheme rules to address the charges ‘data holders’ will be able to levy ‘data users’ for facilitating access to the data, as well as other matters such as contractual liability and dispute resolution.
Insurers, investment firms, crowdfunding providers, credit rating agencies and cryptoasset service providers are among the businesses that would be classed as data holders – and therefore obliged to make customer data available for access – under the proposed new regime. Those businesses would, subject to customers’ permission, also have rights of access to customer data held by other data holders, as data users.
With data considered vital to understanding customers and developing products and services they need and want, the plans aim to ensure that more businesses have access to the data that ‘data holders’ gather, to promote data-led innovation and greater competition in financial services markets.
In a new opinion issued on the proposals (22-page / 396KB PDF), however, the European Data Protection Supervisor (EDPS) called for the categories of personal data that could fall within the definition of ‘customer data’ under the proposals to be “clearly circumscribed, taking into account the risks for individuals whose personal data would be accessed and used”.
Under the Commission’s proposals, the types of ‘customer data’ that could be shared would include customer data on mortgage credit agreements, loans and accounts – including data on balance, conditions and transactions – as well as on savings and investments, cryptoassets, real estate and other related financial assets, customer data on pension rights, some non-life insurance products, as well as data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating.
The EDPS described the definition of ‘customer data’ in the draft as “particularly broad” and said it could capture “personal data of a highly sensitive nature” – including, potentially, health-related data and other data that would constitute ‘special category data’ under the General Data Protection Regulation (GDPR). The GDPR places significant restrictions on the processing of special category data due to the potentially sensitive and privacy-intrusive nature of the information.
“Allowing financial institutions to access highly sensitive personal data through the proposal’s data sharing, access and use provisions not only constitutes an interference with their fundamental rights to privacy and protection of personal data, but could also entail significant risks to the rights and freedoms of individuals, such as risks of financial exclusion via price discrimination, or refusal to supply financial products,” the EDPS said. “This outcome would run counter to one of the stated objectives of the proposal …, namely to ensure that the categories of personal [data] within scope of the proposal ‘allow for innovative products to the benefit of consumers to be developed, while being least intrusive for data subjects in terms of limiting fundamental rights, notably the right to privacy and the protection of personal data’.”
The EDPS further called for data created as a result of profiling to be explicitly excluded from the definition of ‘customer data’ in the new framework.
The EDPS also urged EU law makers to require ‘data users’ under the proposed new framework to “clearly outline … the specific types of customer data they seek access to” each time they file a request to access the data with ‘data holders’. This, it said, would “ensure that customers are able to selectively allow access to certain types of customer data …, but not all”.
“For instance, a customer may wish to share savings account information with a specific data user but not pensions- or investment-related data,” the EDPS said. “This requirement, in addition to the transparency requirements under the GDPR, would help to avoid the risk of broadly-worded and generic requests for access to personal data, regardless of the eligible entities holding it or the sensitivity of specific datasets.”
There should also be a more central role for the European Data Protection Board (EDPB) in the formation of new guidelines under the proposed new regulation, according to the EDPS. The guidelines are expected to help clarify appropriate uses of personal data and protect vulnerable consumers, but responsibility for drawing them up rests predominantly with the three EU supervisory authorities in financial services, not the EDPB.
“To ensure that the guidelines are fully aligned with data protection law, the EDPS considers a formal consultation of the EDPB to be necessary,” it said.
“The EDPS also recommends extending the scope of the future guidelines to other relevant financial products and services, such as to mortgage credit agreements, payment services, other insurance products, investment products, and pension products. The guidelines should also elaborate, where appropriate, on the limits for combining ‘customer data’ with other types of personal data, such as personal data obtained from third party sources (e.g., social media networks or data brokers),” it added.
The European Commission’s proposals for a new framework for financial data access and in relation to payment and e-money services are subject to scrutiny, amendment, and approval by the European Parliament and Council of Ministers. The legislative process can take months if not years. The EDPS’ opinion is not binding on the law makers but is considered influential.
Andreas Carney, a data protection law expert at Pinsent Masons in Dublin, said: “The EDPS, in its opinion, has highlighted some of the fundamental principles of data protection which it feels require further consideration as the Commission’s proposed package of reforms is developed. Applying those principles and the protections they afford to individuals with regard to the sharing and use of their financial and related personal data is at the core of its opinion. It is, on one level, somewhat of a ‘reminder’ to stakeholders in the package of reforms of those principles and that these need to be respected.”
“The EDPS recognises the benefits to consumers arising from increased competition in financial services through innovation, but is flagging that these drivers should not potentially put data protection rights at risk or override the rules relating to legitimate use of data. This is perhaps not unexpected, given the remit of the EDPS, and is not the first time that we have seen a call to more deeply consider the potential impact and outcomes for individuals from measures that, overall, are intended to be for their benefit,” he said.