As an NGO committed to civil rights and privacy protection, Privacy First has been concerned with financial privacy for many years. Since 2017, we have been closely following developments around PSD2, highlighting the dangers to consumer privacy as a data subject. In particular, we focus on privacy issues arising around 'account information service providers' (AISPs) and the opportunities PSD2 offers to further process personal data.
Our PSD2 project began in 2017. Back then, we thought that providing more adequate information and more transparency for consumers would be sufficient. However, the risks of PSD2 turned out to be bigger and more fundamental. Therefore we have launched a bilingual (Dutch & English) website called PSD2meniet.nl/en to outline both our concerns and our solutions regarding PSD2.
Central to our project is the filtering of special personal data through the PSD2 me-not register. The idea was launched on 7 January 2019 in the television show Radar and in this press release. The PSD2 me-not register should give users an effective tool to protect their own personal data. In time, more far-reaching filtering and restriction should become possible. With this project, we are contributing to positive improvements of PSD2 and its implementation, in order to achieve better protection of personal data. In this, we are supported by the SIDN foundation.
Protection of special personal data
We focused on 'special personal data': payments to trade unions, political parties, religious organisations or LGBT advocacy groups, payments to medical service providers, but also payments to the CJIB (the Dutch Central Judicial Collection Agency). Such payments reveal parts of our lives that require extra protection, and the data can be directly related to fundamental human rights. When a consumer uses an account information service, this data can be shared more widely. PSD2 means that data that is currently protected can become widely known via a detour, for example because it is included in a profile, or because it is used to build a blacklist.
The best protection is to prevent special personal data from being processed in the first place. We have built the PSD2 me-not register and, around it, an API that acts as a privacy filter. With this filter, an AISP can detect the account numbers of sensitive recipients and filter the corresponding transactions, so that special personal data is not processed or passed on unnecessarily. In addition, the consumer is informed and given a real choice about whether or not to share such data.
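To make the filtering step concrete, the following is an added illustration written for this page; it is not the code of the PSD2 me-not register or of its API. It assumes a register that simply maps a recipient's IBAN to a category of special personal data, and it checks IBANs with the ISO 13616 mod-97 rule so that a malformed account number cannot slip past the lookup. The register entries, the categories and the transactions below are constructed sample data.

```python
"""Illustrative AISP-side privacy filter (added example, not the project's own code).

A transaction whose counterparty IBAN appears in the register of 'special'
recipients is withheld unless the consumer has explicitly consented to share
that category. Register contents and transactions are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    counterparty_iban: str
    amount_cents: int
    description: str


def normalise_iban(iban: str) -> str:
    """Strip whitespace and upper-case, so 'nl91 abna ...' matches 'NL91ABNA...'."""
    return "".join(iban.split()).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must leave remainder 1."""
    s = normalise_iban(iban)
    if len(s) < 15 or len(s) > 34 or not s.isalnum():
        return False
    if not (s[:2].isalpha() and s[2:4].isdigit()):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def load_register(entries: dict) -> dict:
    """Normalise and validate every register entry; a bad IBAN in the register
    would silently disable the filter for that recipient, so fail loudly."""
    register = {}
    for iban, category in entries.items():
        norm = normalise_iban(iban)
        if not iban_is_valid(norm):
            raise ValueError(f"invalid IBAN in register: {iban!r}")
        register[norm] = category
    return register


# Constructed sample register (assumption: the real register's format differs).
SPECIAL_REGISTER = load_register({
    "NL91 ABNA 0417 1643 00": "religious",
    "DE89370400440532013000": "trade_union",
    "BE68 5390 0754 7034": "medical",
})

# Constructed sample transactions as an AISP might receive them from a bank.
SAMPLE_TRANSACTIONS = [
    Transaction("nl91 abna 0417 1643 00", 1500, "monthly contribution"),
    Transaction("GB82WEST12345698765432", 4999, "groceries"),
    Transaction("BE68539007547034", 2500, "consultation"),
    Transaction("DE89 3704 0044 0532 0130 00", 1200, "membership fee"),
]


def filter_transactions(transactions, register, consented_categories=frozenset()):
    """Split transactions into (shareable, withheld).

    withheld is a list of (transaction, category) so the AISP can tell the
    consumer *what kind* of data was held back without processing it further.
    """
    shareable, withheld = [], []
    for tx in transactions:
        category = register.get(normalise_iban(tx.counterparty_iban))
        if category is None or category in consented_categories:
            shareable.append(tx)
        else:
            withheld.append((tx, category))
    return shareable, withheld


def categories_needing_consent(withheld) -> list:
    """The categories to present to the consumer for an explicit opt-in choice."""
    return sorted({category for _, category in withheld})


if __name__ == "__main__":
    kept, held = filter_transactions(SAMPLE_TRANSACTIONS, SPECIAL_REGISTER)
    print(f"shareable: {len(kept)}, withheld: {len(held)}")
    print("ask consent for:", categories_needing_consent(held))
```

The filter runs before anything is stored or profiled, which is the point made in the paragraph above: data that is never processed cannot leak via a profile or a blacklist. One caveat for anyone building this for real: the register itself is sensitive, since a list of IBANs tagged 'medical' or 'religious' is exactly the kind of data the filter exists to protect, so access to it needs the same care as the transaction data.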
How to proceed?
With the white paper and the API, we have developed and distributed tools that AISPs can use. The European Commission is due to evaluate PSD2 from 2022 onwards, so we are glad to have been able to pass on our thinking in this form.
The API has been incorporated by a service provider, Gatekeeper for Open Banking. We support their further development and think along with them about how the privacy filter can be built into their design and services. When AISPs become Gatekeeper users, consumers get the control over their data that they deserve.
A large part of our results is contained in a white paper. It has been sent to stakeholders such as the regulators: the EC, the EDPB and the AP (the Dutch Data Protection Authority). And, of course, to as many AISPs as possible, because if they adopt the measures, they protect privacy 'by design'. The white paper also contains a number of other examples of how privacy can be better protected, for example the 'good practices' for achieving better transparency regarding account information services. We hope that AISPs will take the advice in the white paper to heart.
We continue to follow this dossier. The PSD2meniet.nl website will remain online and will continue to serve as the home for this topic.
Do you have any suggestions or want to know how things are going? Let us know via email@example.com.