No carte blanche for DNB and AFM for massive data processing
The Ministry of Finance has proposed in two internet consultations that the financial regulators, the Authority for the Financial Markets (AFM) and De Nederlandsche Bank (DNB), be allowed to start requesting customers' personal data from financial institutions such as banks on a large scale. Privacy First participated in both consultations[*] and has heavily criticised the proposals, as both regulators already process personal data on a large scale without public accountability.
Financial personal data at risk
Right now, citizens' privacy is widely threatened by big advertising companies like Facebook and Google. To some extent, however, you can remove yourself from these companies' attempts to know everything about you.
Financial personal data has so far remained fairly untouched by the data hunger of internet giants and governments. It is much harder for people to protect their financial personal data, because you simply cannot do without banks, insurers and other financial institutions. Those institutions provide essential products, such as third-party insurance or a checking account, without which citizens cannot fully participate in society. Citizens must be able to trust that their privacy at their bank is guaranteed and that the government does not systematically violate it by requesting their data from banks through the back door and then sharing that data with each other and with other national and international government agencies. This would make the fundamental legal right to data protection a dead letter.
On top of that, many government agencies already have access to bank account data of Dutch citizens, for example through the Banking Data Referral Portal.
Regulators seek data for 'machine learning'
Privacy First found that international financial partnerships such as the Bank for International Settlements (BIS) advocate that financial regulators use artificial intelligence (AI). That artificial intelligence must be trained on personal data and other detailed data of individuals and organisations ('granular data'). The consequence of this assumption is that regulators try to get hold of as much granular data as possible, which includes the financial personal data of every citizen.
Privacy First finds this undesirable and points to the May 2021 opinion of the Council for Public Administration (ROB), published via the news release 'Politics must act to protect citizens from expanding data hunger'. The ROB advocates a mature consideration of the need to provide personal data to the government, a consideration that is missing from the finance ministry's proposals.
Large-scale processing of personal data by AFM and DNB already takes place
On top of this, both AFM and DNB already process granular data on a large scale. An example is the personal data AFM processes under MiFID II: few investors are aware that, for every share purchase or sale, AFM receives the passport number and/or tax number and the date of birth of the investor concerned. Furthermore, AFM receives personal data of citizens from pension funds on a large scale. DNB receives personal data when implementing the deposit guarantee scheme, including addresses and telephone numbers, and widely processes personal data in the context of anti-money laundering supervision. Both regulators receive personal data on a large scale from the Central Bureau of Statistics (CBS).
Accountability and fundamental rights review desired
Privacy First suggests that accountability for the current processing of granular data by DNB and AFM should be established first, and that an adequate fundamental rights review should then determine whether there are grounds to require financial institutions to provide additional data.
Furthermore, we consider it undesirable that the type of personal data financial institutions have to provide is specified not in a law, but in an order in council. It is also not transparent how regulators will link the data obtained from financial institutions to other datasets at their disposal, and this should be clarified. In the opinion of Privacy First, granular data should not be provided to international organisations.
Finally, the creation of independent data processing supervision of AFM and DNB and other safeguards to prevent financial regulators from mishandling personal and other granular data are desirable.
[*] Consultation on DNB mortgage market reporting act and Consultation Law on supervisory reporting AFM. Read Privacy First's full comments to the DNB consultation HERE and our identical comments to the AFM consultation HERE.