Emerce interview with Privacy First on PSD2 label
“Some Dutch banks and fintechs are working together with the Privacy First Foundation on a PSD2 trustmark. With this, the companies want to make it clear to consumers who they can trust with their data. Volksbank is one of the first to join the initiative. What need are those involved responding to?
European payments directive PSD2 is raising privacy concerns as well as innovation. The directive, which came into force in January - the Netherlands is likely to follow with its own legislation this summer - allows consumers to give companies access to their bank account and (financial) data. However, the question is whether they realise they are sharing privacy-sensitive data. Moreover, once shared, banks cannot "retrieve" that data.
Apart from an advantage, PSD2 therefore also carries a real risk, Privacy First argues. Together with some Dutch banks and fintech companies, the interest group is therefore working on a trustmark. The parties are responding to a statement by the Dutch Central Bank, which is said to have determined earlier that there is a need for this. While the AVG (GDPR), the new European privacy law, should ensure better protection, PSD2 opens the back door, explains Martijn van der Veen of Privacy First.
How do you see PSD2 from a privacy perspective?
Van der Veen: "The subject of privacy has been underexposed within PSD2 for far too long. For a long time, PSD2 was mainly a party for fintechs and focused on innovating the payments system.
"Among other things, PSD2 allows parties to access your transaction data, for example to gain insight across multiple bank accounts. A bank may not just provide that transaction data; a consumer must give 'explicit consent' to do so. That's not just a check mark. The person must give 'free, specific and informed' consent. On paper, then, things are fine. But PSD2's impact on privacy may be far greater than whether a person's consent is recorded."
"Our biggest concern is what happens to the data once it is with a service provider. What do they do with it? Don't think that services are limited to showing transaction data; companies want to do something with that large amount of data that comes into their possession. Think about making offers, new services and comparisons. To do that, they want to link, relate and look for patterns in data. And of course there is a revenue model attached to that."
"One wrong framing is that it is 'just' transactional data. You can derive an awful lot about someone's life from it. At a bank, if you can look back three years, the provider also receives three years of transaction data directly. From account numbers, you can tell whether someone uses medical support often, where a person goes often and what their lifestyle is. From recurring transfers, you deduce whether someone is a member of a religious organisation or trade union. These are data that, for good reasons, should not be used."
"The crazy thing is, where everyone is doing their best to get their privacy protection in order because of the AVG, PSD2 puts the back door wide open."
But why is a hallmark needed?
"The PSD2 Privacy Hallmark should help consumers choose a provider. It provides information on whether the provider will handle personal data well and can be trusted. In doing so, we want to colour the open standards of the law. Now a provider decides what is a decent data retention period. And how quickly it responds to complaints. The question is whether the interests of consumers are then paramount. The quality mark informs consumers and encourages providers to raise the level of privacy protection. This is valuable for both parties because it increases trust in a service provider." (...)
Read more at Emerce.