In evolving towards a Single Digital Market, the use of consumer data becomes more and more important for service providers. With regard to financial institutions, exploiting payment data is of particular interest, not only to reduce costs and improve product quality, but also to offer new and innovative financial services and, in general, an improved customer experience. Access to and control over such data is therefore crucial.
One of the ways by which the EU legislator wants to promote this is by mandating banks to “open up the bank account” to external parties. This is often referred to as the ‘access to account’ rule (‘XS2A’) which is for instance embodied in the revised Directive on payment services in the internal market (“PSD2”).
Also from a consumer’s perspective, Europe wants to further strengthen a person’s control over his personal data and support the free flow of such data. This is one of the goals of the new General Data Protection Regulation (“GDPR”), and in particular of the new “right to data portability”.
The GDPR applies from 25 May 2018. In order to bring further clarification for undertakings implementing it, the Working Party 29 (“WP 29”) recently published several guidelines. One concerned the right to data portability.
This article intends to give an overview of the most important points elaborated by WP 29 and, although the scope of this right concerns personal data in general, give particular attention to the portability of bank account information.
The main elements of data portability
Article 20.1 GDPR allows a data subject (e.g. a bank’s customer) “to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.
The goal is thus to give a data subject the capacity to obtain, reuse and transfer their personal data from one data controller (e.g. Bank A) to another (e.g. a third party payment service provider such as an AISP).
WP 29 specifies that, in order for a controller to fulfill its obligations towards data portability, technical measures should be implemented to enable such ‘transfer’. This could be done by providing the data subject with the possibility to download the data or, at the request of the data subject, by sending the data directly to the other provider.
As stated by the GDPR, the data should be provided “in a structured, commonly used and machine-readable format”. WP 29 does not give specific recommendations in this regard, except that, whatever format is chosen by the first controller, it should make the data interoperable and effectively usable by a second controller.
It is worth noting that exercising the right to data portability, and thus transferring personal data from one controller to another, does not mean that the ‘initial’ controller (e.g. Bank A) is obliged to delete the transferred data. Unless, for example, the data subject invokes the right of erasure (in accordance with article 17 GDPR), the controller is still allowed to retain the data for the initial retention period.
With regard to the receiving entity, it will of course, as a data controller, have to process the acquired data in accordance with the provisions of the GDPR as well.
When does data portability apply?
As article 20.2 GDPR states, this right only applies to two kinds of processing operations: on the one hand, when the processing of the data is based upon the data subject’s consent and, on the other hand, when it is based upon a contract.
Moreover, the right only applies when it concerns processing ‘carried out by automated means’, thus excluding paper files.
Which personal data is concerned?
WP 29 sets forth three conditions.
First, the guidelines clarify that it only concerns personal data related to the requesting data subject. Anonymous data or data related to a third party are excluded. However, WP 29 emphasizes that the latter should be interpreted pragmatically. For instance, the transaction history of a person’s bank account can in principle be transferred by its bank, although the history will contain details about third parties (i.e. the sender or receiver of a transaction).
Second, the right is limited to the data provided by the data subject itself. In this regard WP 29 points out that it should not be limited to data that is ‘actively and knowingly’ provided by the data subject, but should also include personal data that are generated by and collected from the activities of the users. How extensively the latter should be interpreted remains vague. What is certain is that ‘inferred’ or ‘derived’ data are excluded. This means, for example, that if a data subject wishes to transfer all of its personal data from Bank A to an AISP, this covers all data the data subject actively provided to Bank A (e.g. contact details, data about the transactions made via the account) as well as the data generated by using the bank’s services (e.g. an overview of all its bank transactions or location data). Other information the bank has derived from the usage of its services and the data provided thereby, for instance a profile containing information on the consumer’s solvency, the number of credit transfers executed to a certain person, etc., does not have to be provided by the bank.
Third, the rights and freedoms of third parties may not be adversely affected. This means the right should be exercised with respect for personal data concerning other data subjects. WP 29 gives as an example the transmission of a bank account history. If the concerned data is processed by the second controller for the same purpose (i.e. as ‘bank account history’), such processing does not give rise to any legal problems. This would however be the case if the data related to the third party were used for another purpose, such as marketing. The exercise of the right to data portability should also respect data covered by intellectual property and trade secrets.
Some other obligations for the data controller
The GDPR explicitly obliges data controllers to inform data subjects about their different rights under the Regulation. A data subject must thus be notified of the existence of the right to data portability and of how it differs from other rights under the Regulation. This should be done at the time when personal data are obtained, but WP 29 recommends including such information also before any account closure.
Furthermore, a controller is not allowed to charge the requesting data subject a fee, except in exceptional circumstances.
Finally, a data controller should implement an authentication procedure in order to confirm the identity of the data subject requesting to exercise its right to data portability. This can be done, for example, by using passwords or a digipass, which are already common practice in the banking sector.
To conclude, the right to data portability is one of the means by which the EU tries to give a person more control over his personal data. As the European Banking Association (EBA) recognized in its Discussion Paper on innovative uses of consumer data by financial institutions, allowing the portability of consumer data would significantly reduce the risk of a “lock-in” with one single service provider and, as a consequence, foster competition. What the effects will be in practice, in particular in combination with the XS2A rule under PSD2, will be seen as of 2018.
For further information, please contact Simont Braun’s Digital Finance Team: firstname.lastname@example.org – +32 (0)2 543 70 80