Open Finance leads to more data turns and more data breaches
Europe's draft 'Open Finance' directive goes one step further than PSD2, which Privacy First was also unenthusiastic about. It now goes from bad to worse. We were able to voice our objections to the Ministry of Finance. Below is a report of that consultation, with text and an explanation of the issues.
The Ministry of Finance invited Privacy First Foundation to a consultation on the 'Open Finance' (Open Financial Markets) proposal, which is with the European Commission and will be announced to the ministry on 28 June.
What is it about?
The proposal deals with the expansion of data sharing by banks, in terms of exchanging customer data with other commercial parties, such as insurers and credit card companies. The main purpose of the consultation was to exchange views on the privacy safeguards in the proposal on Open Finance.
The 'Open Finance' proposal builds on PSD2 (Payment Services Directive 2), the European payment services directive. That already allowed data sharing by banks based on payment data, without the consent of the citizens involved. But 'Open Finance' goes much further.
Privacy First on PSD2
The European Commission is very positive about PSD2 in its 2023 work programme. Privacy First Foundation thinks very differently.
PSD2 has not had any positive effect for citizens. It has only made them more vulnerable. Indeed, it has only increased the data-twisting by commercial companies.
The new 'Open Finance' proposal also allows insurers and other commercial parties to very easily request financial data from citizens. Those companies usually do not do this with the best of intentions. Privacy First therefore finds the European Commission's enthusiasm premature and naive.
We are concerned about financial data sharing anyway. Not only because of the privacy aspects, but also because of the danger of opaque algorithms and the danger of profiling. Soon you will not only have a high risk profile with the bank, but also with your insurer, based on your bank payment behaviour.
In addition, any information from third parties - to whom you have paid or by whom you are paid - also comes into the open.
Besides all this, the question always remains: how is monitoring done, and is monitoring adequate?
The banks and the Personal Data Authority are already so busy! The outcomes of PSD2 have not convinced us that supervision is working well because it has not yet been carefully evaluated.
We were also asked to help think about how to proceed.
Of course, we are happy to think about this. But this should never be an excuse to easily waltz over privacy concerns. Legislators should also think about it themselves, even without consultation.
In the consultation, we argued for:
- payment by the data acquirer;
- keeping data linkage and data sets anonymous;
- tightening of supervision.
In practice, this may not be feasible, but that does not matter. What matters is the goals you ultimately want to achieve.
Further reading: What will the Netherlands do with 'open finance'? (Ellen Timmer, 9 June 2023).