Privacy First demands PSD2-Me-Not register.
From the beginning of 2019, 'PSD2' (Payment Service Directive 2) will take effect in the Netherlands. This new European banking law will allow consumers to share their banking data with parties other than their own bank. This will put pressure on privacy.
Following an account holder's explicit consent, a bank will soon be obliged to share all the account holder's transaction data with an external party (financial services provider) for a period of 90 days, after which the consumer can renew his consent. Also, the account holder can withdraw his consent at any time.
This involves all transaction data. How far this data goes back varies by bank. The Consumers' Association made an overview: Majority keeps account statements for at least 5 years.
PSD2 worries Privacy First
Privacy First has major concerns around PSD2. The law is too focused on improving competition and innovation, and the privacy interests of account holders have been lost sight of. Privacy First's biggest concerns are:
- Account holders cannot limit the amount of bank data. Even if a financial service provider does not need this data, all data is still shared after giving consent.
- An account holder's bank details include the details of someone else's current account. This person does not know that his data is shared and cannot prevent it. Because transaction data will be analysed much more widely through big data and data analytics than before PSD2 came into force, major risks of privacy breaches arise.
- Bank details contain "special personal data" that should only be processed under strict conditions. A contribution payment to a trade union, political party or organisation that reveals sexual preferences should be seen as special (sensitive) personal data, according to Privacy First. Transactions with healthcare providers and pharmacies should also be seen as special personal data. Currently, there is no way to filter this data and it is provided to parties that are not allowed to process it.
The processing of special personal data is in pinciple prohibited unless there is an explicit basis for processing (such as consent) (Article 9 AVG and Article 22 UAVG).
During the broadcast of AVROTROS Radar of Monday evening, 7 January 2019, Privacy First specifically called attention to these issues.
PSD2 label for transparency
Privacy First wants consumers to be informed honestly and transparently about what happens to their data. Instead of lengthy privacy statements, Privacy First advocates independent information on one A4, offering information determined by consumers. After all, account holders themselves are best placed to determine what information they find valuable when making a choice. Throughout 2018, Privacy First worked on this initiative with Volksbank and other financial industry partners.
Privacy First is surprised that no attention has been paid to the role of "special personal data" in transaction data. This data should only be shared under strict conditions and should therefore be able to be filtered. Consumers who do not want their data shared by others with financial service providers should also be given the option to prevent this. That is why Privacy First wants an opt-out register for PSD2, similar to the don't-call-me register.
During Radar's broadcast, Privacy First announced that it would take the initiative on this proposal, where we aim to develop it further with the financial industry and politicians. The aim here is to make the use of an opt-out register mandatory. The European PSD2 directive will have to be adapted for this purpose.