Privacy First advocates restraint in disseminating personal financial data

Input to parliamentary consultation on European open finance regulation ('FIDA regulation')

On 5 October, Privacy First drew the attention of the Finance Committee of the House of Representatives to the risks associated with the proposal for a European regulation on a framework for sharing financial customer data, the 'FIDA regulation' [1]. The Dutch government is positive about the proposal [2], while according to Privacy First there is no reason to be, as the substantiation and purpose of the proposal are meagre compared to the risks to the privacy and legal position of citizens. All in all, Privacy First therefore finds it unfortunate that the choice is being made for even more sharing of citizens' financial data, without clear indications that the citizens whose data is affected have a need for this.

The proposal for the FIDA regulation builds on the possibilities, introduced by the regulation under the revised Payments Directive (PSD2), for bank customers to access their payment accounts. The Dutch evaluation of PSD2 [3] showed that the use of the new PSD2 services is low.

Privacy First sees clear risks to citizens' privacy and legal status under the proposal. Access to financial data has great value for both commercial parties and government agencies, so there may be pressure on citizens to actually enable this data sharing.

The arguments that large-scale data sharing would benefit citizens are not credible. Most financial parties already give customers online and real-time access to their data, and it is not difficult for customers to pass that data on to third parties themselves if desired. Citizens keep better control of their data this way than under the proposals.

Privacy First is concerned about the increasing and large-scale distribution of citizens' financial data, without data subjects being able to properly oversee where these data end up, what the data are used for and to which parties at home and abroad the data are further provided. In short, contrary to what the European Commission says, this proposal does not seem to contribute to better protection of financial data nor to more control by the owners of these data.

On 6 October, questions from members of the Finance Committee became public [4], which unfortunately did not show sufficient awareness of the risks associated with the proposed FIDA regulation. Only two parties bothered to ask questions.

Privacy First is now considering further action.