On February 24th announced the AP a survey of providers of new online account services. In its own opinion, the AP wants to find out whether those companies are aware of the privacy risks involved in the processing of account information and whether they comply with privacy regulations. In addition to the survey, the AP also sent a letter explaining the rules from the AVG that are most important to them.
A press release alone says little. To understand whether the letter and the research can have an effect, you want to know what the research looks like, what questions are asked and how deep they go. That is why we submitted a WOB request. Fortunately, the AP responded quickly to our request and posted the letter online. They also promised to publish the research as soon as possible after completion.
Providers are professional parties
Gradually we wondered more and more: why is the AP sending this letter? Account information service providers are not little boys. You don't just start an account information service. If you want to start offering account information services, you will need a license from DNB, or a similar license from another country. In order to meet the licensing requirements, you must have set up a professional service. You can expect such parties to have or be able to attract sufficient legal knowledge. So you can expect them to know about the hat and the edge of the AVG. The register of the European Banking Authority shows that almost all parties are already established financial service providers. Why then inform these parties with general information?
Limit yourself to supervision and enforcement
It would have been better to make it clear that the AP monitors compliance with the AVG and expects the parties to comply with the law. The emphasis could have been on compliance. But that is precisely the point that the AP leaves behind. Where the letter neatly refers to articles of law everywhere, it forgets a reference to the articles where these powers are described. And what about the press release in which the AP says about its investigation: "The purpose of the investigation is not to impose sanctions such as fines, but if the AP finds violations, the AP can proceed with enforcement. What does the AP say to this?
Data minimization sounds nice, but...
The AP informs parties about privacy by design, including the application of data minimization. A number of examples of applications had gone a long way. For a number of providers it will be possible to limit the amount of data they process. A mortgage lender can limit himself to the income of the past two years, and does not need more data. But (and this is a major risk) the majority of providers consist of parties that are involved in credit scores and risk analyses. These are parties that collect as much data as possible and preferably link it to numerous databases. You can easily comply with the AVG without restricting data collection.
The wax nose of inform
A point of attention should be to inform people. Although the AP seems to understand where the flaw lies in the PSD2 ('Sharp picture of private life'), they are missing an opportunity to point out important risks and conditions to the parties involved. Why say that 'a DPIA is mandatory for certain processing operations' and then not say: you can assume that this applies to you, and when we visit and this is not present, we will sanction you.
The AP monitors compliance with the law. It draws suppliers' attention to the obligation to provide information. Surely the AP will also know that this information does not help consumers to weigh up whether or not to go along with a provider? Providing information says nothing about whether consumers understand what they say 'yes' to, or what it means to share ten years of your financial trade and walk with a party. An investigation into the legal obligation to provide information and the duty of care of financial institutions is advisable.
The AP still points to the consent. The consent must be 'free', the consumer must not be put under pressure or suffer any disadvantage as a result of a possible refusal of consent. A number of providers use an easy way out for special personal data: if you do not want to share this data, do not use our service. Although parties are allowed to exclude users, there is friction here between the rights of users and practice.
AP can take a little more freedom
The PfA should be allowed to decide on the rights which should be the starting point for the position of consumers. Several providers try to position themselves as platforms from which you can purchase additional services. After revocation of consent, which is an explicit act, data is not immediately deleted. After a period determined by the organization, the data will be removed. If a person wants to have this done earlier, he or she will have to submit a request for data deletion. If through the platform other parties also possess data of the person, a person will have to submit a request for this himself/herself. Logically, a chain responsibility will arise in which the service provider will have to play a more active role in exercising someone's rights. The AP may be reluctant to provide an explanation that may be seen as too prescriptive, but now the AP is missing an opportunity to persuade organisations to explain the law in favour of consumers.
It is good that the AP actively looks up account information service providers and points out the AVG. But the AP seems to appeal to friendly start-ups, not professional parties who turn data into their business model. The AP could and should have taken much more room to explain the AVG to consumers. This could have been done perfectly well in many places, without going over the top. We continue to wonder why the AP actually sent the letter...