Project PSD2-me-not: looking back and looking forward
Since 2017, we have been closely monitoring developments around PSD2, highlighting the dangers to consumer privacy. In particular, we focus on privacy issues arising around 'account information service providers' (AISPs) and the possibilities PSD2 offers for further processing of personal data.
Our PSD2 project began in 2017. Back then, we thought providing more adequate information and more transparency to consumers would be sufficient. However, the risks of PSD2 turned out to be bigger and more fundamental. Therefore, Privacy First launched a bilingual (Dutch & English) website called PSD2menite.co.uk to outline both our concerns and our solutions regarding PSD2.
Central to our project is the filtering of special personal data by the PSD2-me-not register. We launched this idea on 7 January 2019 on the television programme Radar and in this press release. The PSD2-me-not register should effectively give users a tool with which to protect their own personal data. In time, further filtering and restriction should become possible. With this project, Privacy First is contributing to positive improvements to PSD2 and its implementation, in order to achieve better protection of personal data. In doing so, we have been supported by the SIDN Fund.
Protection of special personal data
In this project, Privacy First focused on 'special personal data': payments to trade unions, political parties, religious organisations or LGBT advocacy organisations, payments to medical service providers, and also payments to the CJIB. They reveal parts of our lives that need extra protection. This data is directly related to fundamental human rights. When a consumer uses an account information service, this data can be shared more widely. Because of PSD2, data that is now protected may still become widely known through a roundabout route, for example by being included in a profile or by being used as a blacklist.
The best protection is to avoid processing special personal data. We have therefore set up a PSD2-me-not register and, around it, an API: a privacy filter. With this filter, an AISP can detect and filter account numbers, preventing special personal data from being unnecessarily processed or provided. Moreover, a consumer is informed and given a real choice whether to share data or not.
We have set out many of our results in a Whitepaper. It was sent to stakeholders such as the European Commission, the European Data Protection Board (EDPB) and the Personal Data Authority, and of course to as many AISPs as possible, because if they adopt the measures they will protect privacy 'by design'. Our Whitepaper also contains a number of other examples of how to better protect privacy, such as the 'good practices' for better transparency on account information services. We hope AISPs will take the advice in our Whitepaper to heart.
Our API has been incorporated by a service provider, Gatekeeper for Open Banking. We support their continued development and help think through how the privacy filter can be incorporated into their design and services. When AISPs use Gatekeeper, consumers get the control over their data they deserve.
With the Whitepaper and API, we have developed and disseminated the tools that can be used by AISPs. The European Commission will only start evaluating PSD2 in 2022. Therefore, we are happy to have been able to convey our thoughts in this way.
Privacy First continues to monitor this case. Our website PSD2menite.co.uk remains online and will continue to serve as a basis for this issue.
Do you have any suggestions or want to know how things are progressing? Let us know.