PSD2 makes privacy a paper reality

Some Dutch banks and fintechs are working together with the Privacy First Foundation on a PSD2 quality mark. By doing so, the companies want to make clear to consumers whom they can trust with their data. The Volksbank is one of the first to back the initiative. What need do those involved see?

In May 2019, Yoshi Tuk interviewed Privacy First spokesperson Martijn van der Veen for Emerce. Here's the interview:

In addition to innovation, the European Payment Directive PSD2 also raises privacy concerns. The directive that came into force in January - the Netherlands will probably follow this summer with its own legislation - ensures that consumers can give companies access to their bank account and (financial) data. The question, however, is whether they are aware that they are sharing privacy-sensitive data. Moreover, once shared, banks will no longer be able to 'retrieve' that data.

So there is also a real risk to PSD2, says Privacy First. Together with a number of Dutch banks and fintech companies, the interest group is working on a quality mark. In doing so, the parties respond to a ruling of the Dutch Central Bank. The latter had reportedly established earlier that there is a need for this. While the AVG (the GDPR), the new European privacy law, is meant to ensure better protection, PSD2 opens the back door, explains Martijn van der Veen of Privacy First.

How do you see PSD2 from a privacy point of view?

Van der Veen: "The subject of privacy has remained underexposed within PSD2 for far too long. For a long time, PSD2 was mainly a party for fintechs and aimed at innovating the payment system.

"With PSD2, parties can, among other things, get access to your transaction details, for example to provide insight across multiple bank accounts. A bank may not provide this transaction data just like that; for this the consumer must give 'explicit consent'. That is not just ticking a box. The person must give 'free, specific and informed' consent. On paper, it's fine then. But the impact of PSD2 on privacy can be much greater than whether someone's permission has been registered.

"Our greatest concern is what happens to the data as soon as it is with a service provider. What do they do with it? Don't think that services will stay limited to showing transaction details; companies want to do something with that large amount of data coming into their possession. Think of making offers, new services and comparisons. For this they want to link and relate data and search for patterns. And of course there is also a revenue model attached to it.

"A wrong framing is that it's 'only' transaction data. You can infer a lot about a person's life from it. If you can look back three years at a bank, then the provider also immediately receives three years of transaction data. From account numbers you can see whether someone often uses medical support, where a person often goes and what a person's life pattern is. From recurring wire transfers you can deduce whether someone is a member of a religious organization or trade union. These are data which, with good reason, may not be used.

"The crazy thing is that, while everyone is doing their best because of the AVG to get their privacy in order, PSD2 will open the back door wide."

But why is a hallmark necessary?

"The aim of the Privacy PSD2 label is to help consumers in their choice of supplier. It provides information as to whether the provider will handle the personal data properly and can be trusted. In doing so, we want to fill in the open standards of the law. Right now a provider determines what a decent storage period for data is, and how quickly it responds to complaints. It's debatable whether the interests of the consumer come first there. The label informs consumers and encourages providers to raise the level of privacy protection. This is valuable for both parties because it raises confidence in a service provider."

On which concrete areas should the quality mark be tested and supervised?

"Parties must already have a lot in order because of their PSD2 license and privacy laws. The quality mark will mainly concern the question of whether a provider deals accurately with the personal data. Without PSD2, banks were the primary party to do business with. They had a reputation, customer service and a duty of care. That must now all arise anew, and the label can help with that. Think, for example, of how a person is informed or what happens with the data. And how well the parties take their responsibilities when it comes to data minimization and protection.

"Compare it, from the provider's point of view, with driving on the road. The fact that someone has a driver's license doesn't make him a good driver. We want to fill in how you can be a good driver. The quality mark will have to be reviewed by independent parties. We are now thinking of an independent foundation that evaluates holders of the quality mark. But that is still work in progress."

PSD2 means nothing at all to a lot of people. Moreover, there is already a forest of (online) labels. To what extent do you think consumers have an eye for this?

"I'm glad that you're asking this question. Isn't that where the problem is? PSD2 leans very strongly on getting explicit permission. The quality mark offers information about the provider. But if a consumer has no eye for a simple indication of whether the party is handling the data properly, why are we then assuming that the same consumer is well informed about a service? Privacy threatens to become a paper reality. That's what we want to avoid with a hallmark.

"We don't yet know exactly what the hallmark will look like. The main thing is that it must be simple and clear."

What things, as far as you're concerned, should have been better regulated in the legislation?

"Precisely because PSD2 relies very much on the AVG, we would have liked consumers to be able to influence much more directly the history of the transaction data and the blocking of certain data from which special personal data can be derived. As soon as someone withdraws his consent, the data should be erased automatically at all the parties that hold it. This is not yet the case. But the tricky thing about privacy legislation is that certain terms must be filled in further. The law can't regulate everything.

"Protecting privacy would have been easier if banks had been able to play a role through their duty of care. However, this quickly leads to distortion of competition. And the idea of PSD2 is precisely to give new entrants a chance. Who knows, maybe there will be another fintech with a PSD2 dashboard that is going to take that step."

The Volksbank, among others, is cooperating. From which organisations do you expect even more involvement?

"We are assuming that all banks, fintechs and interest groups involved in PSD2 will join. A number of them have already joined the initiative and are closely involved in further development.

"What we are aiming for is that the lack of a hallmark works like a dissatisfier. This will therefore be detrimental to the image of such a company. We want more consumer organisations and interest groups to join in the coming period. They can help to implement the standards from their constituencies. The time of innovating and making money without having an eye for privacy is now really over."

Which concrete steps are being taken now?

"We want to come up with a self-assessment around the summer that banks and fintechs can use to assess themselves. We are now working hard on the underlying framework of standards so that it becomes clear what companies have to comply with in order to earn the label. In addition to a self-assessment, we want to quickly set up an organisation for processing the applications and placing the quality mark on the market. There is a lot to do, but the pace is right now."