New privacy and data sharing regulations
There are various drivers for improving privacy around personal data, some good business reasons (such as customer trust and loyalty) and some strong regulatory reasons such as fines, ability to operate etc. Forthcoming regulations will mean informing people much more explicitly about the data we collect, why we need it, what it is used for and then explicitly, clearly and unambiguously ask them whether they are willing to allow their data to be processed in the manners described in the consent request. The key data regulation in Europe is the General Data Protection Regulation (GDPR) but the European revised Payments Services Directive (PSD2) (and OpenBanking in the UK) will interact with GDPR. The data sharing aspects of PSD2 involving customers financial information and PSD2’s potential reach across other sectors for processing of financial information will mean consumer data privacy regulations will be key considerations of any PSD2 or OB solutions.
Mostly, customers interact directly with an organisation that stores and processes their data, current regulations only demand that terms and conditions (Ts&Cs) are available to the customer and that those terms can be accepted by the customer in some form (Tick box, scroll down and press agree etc.). Some organisations share the customer information with other entities, and as long as a statement that the company will share your data with third parties is in the Ts&Cs, then that is compliant with current rules and regulations. In reality those Ts&Cs are long and tedious documents (from the customers’ perspective) generally written in “legalese” and are often “taken as read” due to the opaque and repetitive nature. (iTunes Ts&Cs plus usage terms are longer than Macbeth and are growing over time, so are Barclays’ and Paypal’s. ref Which? for details.
Partly due to the nature of these documents and other trends there is a now a “new normal” of consumer apathy regarding privacy (i.e. share some data with me and get a free thing). At least this is only once per interface provider, subcontracted suppliers can inherit that right dependent on the Ts&Cs (and some legal constraints). The assumed right has however been fairly regularly abused by subcontractors, and limits the levels of trust some consumers have in companies.
When PSD2 and OpenBanking are running
By the end of 2018 at the latest, all UK banks will be providing APIs to customer financial data and services for third parties to use and European banks will be doing something similar in the same timeframe. This is not a natural evolution of a service driven by market forces, but as a response to lack of real competition in thparties having access to their financial services data if they wish. The banks will need to collect and store this consent from their customers each time the customer wishes to link a third party service to their financial services.
If we add GDPR requirements, which we shall be doing…
indication of the data subject's agreement” so the UX will need to be very carefully constructed so that a quick ‘click through’ is not the default user behavior and the ‘Shakespearean play scale’ of the Ts&Cs documents should be called into question. The third parties involved will also need to seek the same level of agreement to process the
The point is that in order to use a third party service a consumer will have to consent to sharing their data with TWO parties for every service they consume. First at the bank interface to enable the bank to meet GDPR, whilst supplying a PSD2 compliant service then AGAIN with the third party to gather consent to processing of that data. So due to the inherent data sharing in PSD2 and the obligations of GDPR, if solutions are not carefully implemented, trust and usability issues may well reduce adoption and consequently limit the success of PSD2 and OpenBanking.
What can be done for the customer?
Instruments like GDPR and PSD2 are intended to provide benefits to customers by improving privacy and increasing competition but the regulatory authorities need to look at the bigger picture. Are consumers going to be happy with some of the consequences of these regulations when taken together? There needs to be a balance as always between security & privacy concerns and the level of inconvenience that people are willing to put up with. Constant requests for consent, may ultimately lead to LESS security and control over personal data and services due to apathy and desire to consume services that are “easy” to sign-up to and use.
In the future there may be a way of communicating consent between processors of data (see theKantara Institute Consent Receipt Specification as a start of that effort). This may lead to a way to reduce the ‘consent burden’ on the consumer if the regulations allow for consumer consent to be communicated between third parties.
The terms documents should be built with more of an emphasis on building customer trust that their data is being looked after rather than just the intent of protecting the processor from litigation. There is limited research on this topic and the successful collection of consent, from customers in an unambiguous, clear and informed way is a challenge that needs to be taken up.
Dealing with these issues will increase security and privacy by helping the consumers understand what they are agreeing to and maybe even build trust in the ecosystem overall.