Dvara Research Blog

The Need for Boundaries: Respecting Privacy in Financial Consumer Data Practices

March 9, 2018

Guest Post By Dr. Katharine Kemp

If we are serious about improving the lives of low-income customers, data privacy cannot be an afterthought. Financial consumer data privacy is not the icing on the cake for financial inclusion efforts, or an interesting philosophical question to be addressed at a later stage if time permits. Financial consumer data privacy must be central in the planning of financial services providers, and in the development of best practice principles, from the very beginning.

This blog post does two things. It explains why data privacy matters and why global developments – particularly changes in the law – are going to make it matter.

Misuses of financial consumer data

Modern data practices constantly penetrate the boundaries between our public and private lives. As we journey through various online transactions and interactions, often in a setting of apparent privacy, we are in fact being tracked and monitored. Our activities are recorded and shared with data aggregators who create individual files, recording name, address, age, gender, ethnicity, occupation, travel, purchasing preferences, sexual preferences, relationships, and diseases.

One of the undesirable uses of this information is the profiling and targeting of individuals for marketing purposes, based on their actual or suspected vulnerabilities. As Professor Frank Pasquale has pointed out, lists have been compiled – lists of real people who suffer from depression, impotence, sexually transmitted diseases, people who are facing financial difficulties, people who are victims of sexual assault. Such lists have been used to exploit people in their most vulnerable moments for financial gain.

Lenders in China have targeted students in financial hardship with exploitative loans, leading to a spate of suicides when the students defaulted. In Kenya, digital lenders published the names of defaulting customers on Facebook. In Australia, an insurer used genetic testing data to exclude a woman from certain insurance and increase her premium for another on the basis of a breast cancer gene, even after she had a preventative double mastectomy.

These uses are unfair to consumers but they may also mean that data itself becomes less useful. Recent surveys indicate that many consumers do not trust companies (or governments) with their personal information. If people withhold information or provide inaccurate answers because they don’t trust providers with their data, the data collected will be inaccurate and incomplete, undermining data analysis objectives.

Should we regulate data use alone and leave data collection unrestricted?

Numerous scholars argue that we should regulate against the misuse of data, but that, especially in the age of big data, it is no longer realistic to place boundaries on the collection of personal data. Some in this camp have argued that being concerned about the mere collection and digital storage of your personal data is like being worried that your dog has seen you naked. They say no harm actually flows from either of those events (although your dog may beg to differ).

However, as Bruce Schneier points out, your dog seeing you naked and a computer monitoring and storing your personal information are in fact quite different things. Your dog cannot understand or process the fact that you are naked. Nor can your dog store a description of you in that state for the rest of time, or pass that information on to a third party. But computers can do all these things.

The simple truth is that the more personal data we collect and the longer we store it, the more opportunities we create for that data to be illegally accessed, stolen and misused, and for anonymous data to be re-identified. We have seen this truth play out on a grand scale in recent times. Equifax is one of the largest credit reporting agencies in the US and provides a service which allows consumers to see whether they have been the victim of identity theft. Last year Equifax’s own systems were hacked and the sensitive financial information of 143 million people was stolen. Hundreds of thousands of sensitive health records have been exposed in the US and the UK.

Even researchers acting with the very best motives can inadvertently cause substantial harm through the collection and storage of data, as the Harvard Signal Program revealed.

The need for balance

Of course, this does not mean that we should stop collecting personal data. We can draw analogies with other risky activities. Consider surgery. Like surgery, collecting personal data is potentially very beneficial and potentially very harmful. Just as we would not avoid surgery altogether, we would not avoid collecting personal data altogether, but we should have a very good reason for doing it.

We should limit when we do it and put in place safeguards from the very beginning, according to the potential risks and benefits of the case in question. Privacy should not be an optional “bolt-on” at the end of a provider’s project planning. It must be the foundation of our data practices. Fortunately, financial consumer data privacy is not a zero-sum game. It is not a choice between privacy and efficiency. Both can be had when privacy is built into systems from the outset.

These are some of the principles of Privacy by Design, developed by Dr. Ann Cavoukian, a former information and privacy commissioner of Ontario, Canada. These principles can be summarised as follows:

  1. Proactive, not reactive – preventative, not remedial, protection of privacy.
  2. Privacy should be the default setting.
  3. Privacy should be embedded into the design – “baked in” from the beginning.
  4. Full functionality – positive-sum, not zero-sum.
  5. End-to-end security – full life-cycle protection of personal data.
  6. Visibility and transparency – keep it open.
  7. Respect for user privacy – keep it user-centric.

These principles have been endorsed and adapted by privacy regulators around the world.

Global developments in data protection regulation

There is currently a great deal of debate on what is the best regulatory response to the threats posed to consumer data privacy in the context of new data-driven analysis and innovations. The Office of the Privacy Commissioner of Canada has recognised the problems with supposedly obtaining informed consent from consumers in the age of big data, and made proposals for improving and replacing consent where appropriate. The UN Special Rapporteur on Privacy last year released a draft report on the right to privacy in the age of big data, including the concept that privacy is necessary as part of a right to the unhindered development of our personalities.

Australia is following the UK’s lead and putting in place an Open Banking regime. The idea is that a consumer will be able to go to her existing bank and instruct them to send her data – years of her transaction history, for example – to a new bank or lender or financial app with the aim of increasing competition in financial services and improving outcomes for consumers. A critical issue currently being considered is how the law should protect consumers and their data in this process.

In this post, I will focus on two particularly important global developments, namely the developments in India following the judgment of the Supreme Court of India in the Puttaswamy case, and the European Union General Data Protection Regulation, which will come into effect this May and change the world of data privacy.

India: The Puttaswamy Case

In August 2017, the Supreme Court of India delivered its ground-breaking judgment in Justice K S Puttaswamy v Union of India in which it decided for the first time that there is a fundamental right to privacy under the Indian Constitution.

The plurality opinion delivered by Justice Chandrachud in Puttaswamy provides a compelling answer for any who believe that privacy is a first-world issue or a luxury that should wait until more pressing economic needs have been met. As he stated:

The refrain that the poor have no need of civil or political rights but are concerned only with economic wellbeing has been used throughout history to wreak the most egregious violations of human rights. …

The pursuit of happiness is founded on autonomy and dignity. Both are essential attributes of privacy, which makes no distinction based on the birthmarks of individuals.

Another important consequence of the Puttaswamy judgment is that the Indian government plans to enact data protection legislation which is likely to create substantial data privacy obligations for financial services providers operating in India and possibly for those processing the personal data of residents of India. There is hope that this law will, in fact, set an example for data protection regulation globally.

EU General Data Protection Regulation

While the EU General Data Protection Regulation (GDPR) was passed by the European Parliament, its consequences will stretch far beyond the EU. The GDPR will apply directly to providers who are established in the EU but also to those outside the EU who monitor the behaviour of individuals in the EU or offer goods or services to individuals in the EU.

The GDPR comes into effect on 25 May 2018. By global standards, it creates some very high standards for data privacy and very onerous penalties for breaching those rights – up to €20 million or four percent of global annual turnover.

The GDPR is likely to affect the businesses of financial services providers around the world, even where it does not apply directly to those businesses. Already the majority of countries with privacy laws follow a more EU-style approach (as opposed to the more “hands-off” US approach) to data privacy regulation. This will continue to be the case, especially for countries that wish to do outsourced work for EU companies. The GDPR is also likely to lead to an increased focus on the design and production of Privacy Enhancing Technologies (PETs).

Here I will mention just one example of the increased obligations created by the GDPR, namely the increased requirements for “consent” as a justification for the use of personal data. Under the GDPR, a data subject’s consent must be explicit (it cannot be implied), active (no pre-ticked boxes) and unbundled (it cannot be tied to other purposes or types of information), among other requirements. Some IT companies have proposed examples of GDPR-compliant consent requests for the tracking of consumers’ online behaviours, for instance, which would include a list of hundreds of entities with whom that data would be shared and an extensive list of categories of personal and sensitive information to be collected.

Interestingly, according to the surveys of these companies, given a choice, the vast majority of consumers would refuse to provide such consent. This reinforces the view that the supposed “informed consent” that consumers are currently assumed to give is not consent at all. Consumers are effectively forced to accept corporations’ open-ended uses of their personal data.

If we want to prioritise the needs of low-income customers, customer privacy must be a first-order concern. We need to understand the threats to customer privacy and build appropriate protections into our systems from the beginning.

—

The post is based on Dr. Kemp’s keynote presentation at the “Customer Centricity: Enabling Financial Choices and Positive Outcomes for Low-Income Customers” Learning Event, Mamallapuram, India, 22 February 2018
