Following Data Privacy Day, we’ve compiled the key observations and opinions of experts across the fintech industry to take the pulse of the sector in our latest Fintech Sentiment Series article.
Data privacy and protection, a global effort
Data transfer continues to be a talking point within the European Union. Alongside this, organizations are still enduring the implications of the Schrems II judgment and grappling with the EU-US Data Privacy Framework.
Further afield, “there is a proliferation of new privacy laws and amendments to existing privacy laws to keep up with. These range from new laws (or amendments to existing laws) that have now come into force, laws or amendments that are expected to come into force this year, as well as discussions or proposals for future reforms.
“In particular, there are developments to be aware of in Australia, Japan, Taiwan, Vietnam, India, Qatar, UAE, Saudi Arabia, Türkiye, Canada, Argentina, Vietnam, Switzerland, several US states, and the UK. Almost half of these are G20 economies so we expect such changes will be important given the inextricable link between information-driven trade ecosystems,” a Baker McKenzie report reads.
Data privacy and protection trends
The report outlines the status of each data policy that could make an impact on the financial services industry in 2023.
UK Data Protection Reform
Although the Data Protection and Digital Information Bill, otherwise known as the DPDI Bill, was published in July 2022, it has not yet progressed through the legislative process. GDPR in the UK will not be replaced, but there will be a shift away from viewing regulation as a box-ticking exercise in 2023.
UK Addendum and International Data Transfer Agreement
Since 21 September 2022, new contracts involving transfers of personal data to jurisdictions outside the scope of UK GDPR must use either the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. Existing contracts approved under the Data Protection Directive (Directive SCCs) remain valid under UK GDPR until 21 March 2024, provided the processing operations and the contract remain unchanged and the data transfer is secure.
ICO Guidance and Transfer Risk Assessment Tool
The UK Information Commissioner’s Office (ICO) published new guidance on data transfers in November 2022, and provided a new transfer risk assessment (TRA) tool. Companies can also choose to follow the European Data Protection Board’s (EDPB) advice.
Future UK Adequacy Regulations
The UK Government will be issuing new post-Brexit adequacy regulations and will be conducting adequacy assessments with Australia, Colombia, the Dubai International Financial Centre, Singapore, the US, and South Korea. In the future, this group will include India, Brazil, Indonesia, and Kenya. In addition to this, the UK’s adequacy regulations will also cover credit information processed by controllers.
ICO25 and future regulatory approach
ICO25 will aim to regulate and review the impact of predatory marketing calls, the use of algorithms within the benefits system, the use of AI software in recruitment that was not designed or tested with neurodiverse or ethnic-minority candidates in mind, and the protection of children’s privacy.
Colum Lyons, CEO and founder of ID-Pal, shares his view on UK policy and regulation. “Data Protection Day is an important reminder of the role we all play in data privacy and protection as a global cause. In 2020, many industries were forced to move their processes fully online. For example, in the UK, temporary Covid-adjusted guidance on how to conduct Right to Work checks was introduced for employers, and now the ability to perform checks digitally is permanent.
“The digitalisation of manual processes improves the user experience and offers enhanced security when processing and storing personal documents and data. Individuals can assess that data is being handled in a compliant, secure way, something that is impossible to confirm with a manual method.
“It’s crucial businesses are aware of their duty to protect all customer and employee personal information. Organisations can reduce risk and vulnerability to fraud using digital identity verification to securely verify identity and address documents. They should also question vendors on what their approach is to data protection and privacy. How do they ensure the highest standards are in place across their framework, so that your business is not put at risk? By integrating these digital solutions that also have data protection at their core, companies can overcome their vulnerabilities and develop trust with customers from day one.”
France and sanctions
In 2022, the CNIL (Commission Nationale de l’Informatique et des Libertés) in France imposed 22 sanctions totaling 100,927,900 EUR on entities across various sectors for failing to respect the right of access, obtain valid consent, and define appropriate data retention periods. Among the largest was a fine of 60 million EUR for lack of valid consent and mismanagement of cookies. Another significant fine of 20 million EUR was imposed on a provider of facial recognition technology not established in France for collecting and using data without a legal basis.
The CNIL’s annual investigation plan in 2022 focused on commercial prospecting, cloud services, and remote working monitoring. Its strategic plan for 2022-2024 prioritized targeted regulatory actions on privacy-sensitive topics such as augmented cameras, cloud computing, and smartphone apps.
The CNIL’s Digital Innovation Lab has a research plan for 2022-2023 on the impact of data protection on the environment, new data economies, practices and perceptions of data subjects, and capturing data. In 2021, the CNIL’s priority was cybersecurity, inspecting 21 organizations’ websites and issuing formal notices for defects in data encryption and security management.
The CNIL has issued reminders and practical recommendations for individuals and companies on ransomware, encryption, and passwords. It may be working on guidelines for Transfer Impact Assessments but has only published a reminder on the use of new Standard Contractual Clauses in data transfer agreements.
Germany and five main topics
Germany is expected to see continued developments in the area of data protection and privacy in 2023. The following are the five main topics to be focused on:
International data transfers: There is a hot debate on the subject of international data transfers, particularly in light of the European Commission’s draft adequacy decision published in December 2022 and the US president’s Executive Order in October 2022 addressing points raised by the CJEU in the Schrems II decision. A German DPA has also pointed out unanswered questions and deficiencies with the Executive Order.
Appointment of data protection officers: The European Data Protection Board’s plan to focus on data protection officers will be a relevant topic in Germany since German local data protection law requires the appointment of a data protection officer in most cases, particularly for companies employing at least 20 persons dealing with automated processing of personal data.
Guidance from German data protection authorities: The German Data Protection Conference, consisting of all German DPAs, has updated its guidance and published new statements and guidance. For example, in February 2022, the Conference updated its guidance on the processing of personal data for direct marketing under the GDPR and in December 2022, it published updated guidance on the interpretation of the Telecommunications and Telemedia Data Protection Act.
Enforcement and data disputes: German DPAs have continued to impose fines, such as in July 2022 when the DPA of Lower Saxony imposed a fine of EUR 900,000 on a bank for insufficiently basing its profiling activities for advertising purposes on legitimate interests. In 2023, we can expect continued enforcement by DPAs in the form of fines and audits, as well as an increase in private actions and claims under the GDPR. This includes private actors who are collecting damages and legal fees and introducing privacy claims in proceedings between employers and employees, as well as an increase in claims by private associations.
Increase in claims by private associations: The risk of private enforcement is expected to increase once the Representative Actions Directive, which must be implemented into German law by June 2023, is applied. The Court of Justice has already ruled that the GDPR does not preclude national legislation allowing a consumer protection association to bring legal proceedings for infringements of laws protecting personal data.
Canadian Artificial Intelligence and Data Act (AIDA)
While there is no AI-specific legislation in Canada, AIDA “would require organisations that design, develop and use AI systems to identify, assess, manage, and mitigate risks and biases associated with high-impact AI systems.” With this regulation, there would be new criminal prohibitions and penalties for unlawfully obtained data being used for AI development, where careless deployment of AI systems poses serious harm, and where there is fraudulent intent to cause substantial financial loss through the deployment of the AI system.
A new survey published by Interac found that nearly eight in 10 Canadians (76%) are worried about protecting their online privacy, and seven in 10 (74%) want more control over their online information. Further to this, sign-in – the act of verifying your identity to access online services or activities – is what Interac views as a critical moment for organisations to build trust with their customers by giving them more control over their personal information.
53% believe organisations are responsible for protecting their personal information, and 69% would hold them accountable in the event of a data breach. Despite this, Canadians continue to sign in through services in which they report low levels of trust and confidence. For example, 58% say they use their social media accounts to log in to other online services, yet only 11% trust these accounts to store their personal information.
Colette Stewart, senior legal counsel and privacy lead at Interac, says that “when customers sign in to an online service, they are putting their trust in that provider to keep their data safe. As Canadians hold organizations accountable for the use and storage of data, entities of all sizes have an imperative to provide clear guidelines on how personal information will be used and to enable increased control for users when it comes to managing their privacy online.”
Hong Kong cybersecurity legislation
The Hong Kong Government aims to strengthen cybersecurity of critical information infrastructure (CII) by imposing network security obligations on operators of CII. Examples of CII include water, electricity, coal supply, communication networks, transport services and financial institutions.
India Digital Personal Data Protection Bill 2022
In November 2022, the Ministry of Electronics and Information Technology of India introduced a draft of the Digital Personal Data Protection Bill 2022 (DPDP Bill). This follows a similar regulation that was withdrawn after pushback from stakeholders.
Preekshit Gupta, vice president – APAC & MEA, Bureau.id believes that Data Privacy Day “is a reminder that data privacy is a fundamental right, and companies must take all necessary steps to ensure the safety of customers’ data. With the emergence and growing usage of new-age technologies like artificial intelligence and machine learning, organisations can use them to detect and prevent data breaches, identify fraudulent behavior and protect user privacy. Machine learning algorithms can process large volumes of data to identify potential threats and protect user data.”
On Indian policy, he adds that the “recent draft of the data protection laws released by the government also placed significant penalties for any company breaching the regulations. Data security is the cornerstone of online financial transactions, and the rise of cybercrime makes it a priority for companies across sectors, especially digital lending and e-commerce, to ensure that their customers’ personal information remains safe. The Reserve Bank of India has showcased concerns around the digital lending space and has also issued clarifications on digital lending, reiterating the need for lenders to protect borrowers’ data.
“While traditional data protection laws such as the Information Technology Act and the Personal Data Protection Bill provide a basic framework for data privacy, it is also essential that companies also invest heavily in data security and data privacy infrastructure to safeguard their customers.”
Mexican Data Protection Regulator
In 2022, the INAI published recommendations “to exercise extreme caution when making purchases online. These recommendations focus on the precautions individuals can take to avoid becoming a victim of cybercrime when carrying out an online transaction.”
Peruvian Data Protection Authority
The PDPA has conducted important actions aimed at ensuring the protection of personal data, including the issuance of 173 resolutions aimed at safeguarding data subjects and supervising 317 public and private entities, most of them acting in the financial and telecommunications sectors.
Qatar 2021 Regulations
The Qatar Financial Centre (QFC) has issued new data protection rules known as the 2021 Regulations which came into effect on 21 May 2022. The new regulations will establish a new Data Protection Office led by a Data Protection Commissioner, introducing purpose specification, data minimisation, new rights and additional transparency for controllers.
DIFC Data Protection Law
On 8 March 2022, the Dubai International Financial Centre (DIFC) Authority enacted the DIFC Laws Amendment Law, DIFC Law No. 2 of 2022, which includes amendments clarifying the process for individuals to seek judicial redress and increasing accountability for controllers and processors when handling requests for data access. It also grants more authority to the Commissioner of Data Protection (the data regulator) and introduces a $75,000 penalty.
Hamad Sayah Al Mazrouei, CEO of ADGM Registration Authority, posits that the “ADGM acknowledges the fundamental right of data privacy and protection and emphasises it not just through words but through mandates and policies for the local and global community based in the international financial centre.
“As an authority, we take our responsibility seriously and are continuously addressing the emerging challenges from the rapid acceleration of the digital ecosystem that we are all part of. ADGM’s Registration Authority is the sponsor of ADGM’s overall data protection frameworks, which have been part of ADGM’s legal frameworks since its establishment, a reflection of the importance we have placed on data protection and privacy since the beginning.”
Sweden Enforcement Action: Transparency
In 2022, the Swedish Authority for Privacy Protection issued a decision under which a fintech company would be fined approximately EUR 720,000 if it failed to adequately inform its customers about one of its financial services.