By Sarah Kenshall. Sarah leads Burges Salmon’s cross-departmental FinTech practice and is a director in the firm’s Technology and Communications team.
We talk of data streams, so let’s imagine a vast river of free flowing data.
How are we to control and harness this flow? A simple analogy would be that of a dam – think Hoover or the Grand Coulee, the huge hydro-electric dams built in the US in the 1930s, and so eloquently eulogised by Woody Guthrie. By damming the river, that energy can be harnessed to work more constructively for the community. Hydro-electric dams provide not only a stored source of fresh water, but also electricity. Water and electricity – two of the most basic building blocks on which modern society is founded.
Getting back to data. In our age where sector after sector is undergoing digital transformation in readiness for the ‘smart’ world powered by 5G, the Internet of Things and edge computing, data is itself a building block of modern living; an extremely valuable economic asset, if only we can control and harness its flow so that it can be used properly for the benefit of the community.
Enter the GDPR (as expressed in the UK through the Data Protection Act 2018). The GDPR is rarely seen as a building block towards a free flow of data, but rather as a sometimes cumbersome and often costly measure that only restricts that flow. What’s more, it is certainly the case that some companies use the GDPR as a shield to avoid sharing data within a wider ecosystem. Yet Recital 13 of the GDPR states that ‘the proper functioning of the internal market requires that the free movement of personal data is not restricted or prohibited for reasons connected with the protection of natural persons’.
The purpose of the GDPR is not just to empower individuals; rather, through that empowerment, it is there to create trust such that individuals can reliably devolve the management of the flow of their data to connected eco-systems of companies, in the knowledge that they can exercise rights to restrict the flow if needs be. These are companies they trust to store, use and share their personal data in a secure, reliable manner in conformance with their legal rights. GDPR provides both the dam and the turbines.
Why build the dam?
So there we have it. GDPR, as both dam and turbines, empowering individuals, and through such empowerment, facilitating data flow. We can see exactly how this empowerment is working in financial services.
Open Banking, a UK initiative mandated by the UK Competition and Markets Authority, required nine of the biggest UK banks to implement a common standard API to allow third parties to access customer bank accounts with the customer’s explicit consent. There is no limit on the number of third parties a customer may permit to access their accounts. Some of these third parties may in turn be empowered by the customer to share data onward directly with other permitted third parties. The hope is that the initiative will bring about innovation in the payments industry and break down any data-sharing barriers that may be hindering effective competition. A related EU initiative is instigated under the second Payment Services Directive (PSD2), which introduces a similar regime for certain financial service providers (including current and savings account providers, e-money and credit card providers – but this is just the start). There are over one million customers now using some form of Open Banking provider, from the newly launched Ordo, whose app aims to take the pain out of billing and payments, to established high-growth players such as Revolut, whose app allows you to see your accounts and transactions in one place.
The Information Commissioner considers PSD2 and Open Banking as key to unlocking individuals’ rights to data portability. Under Art 20 GDPR, the right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that ‘a controller transmits this data directly to another controller without hindrance where it is technically feasible to do so’.
These overlapping initiatives make it easier for us as consumers and businesses to hold multiple accounts and compare or switch financial products, perhaps ultimately managing our finances through one chosen digital platform, with a proliferation of apps to personalise the services (digital platforms acting as the sluice gates to the GDPR’s dam).
Of course, new frontiers come with their own challenges and risks, and the harnessed flow of data is no exception. The GDPR, powering the data turbines, is no more proof against cyberattack than the Hoover Dam is proof against explosives. It is, however, there to mitigate the risk of data misuse and of accidental or negligent leakage. There are real privacy and security challenges in a potentially complex and extended supply chain of providers sharing personal and financial data: every third party (and any fourth party it is permitted to share with onward) becomes another place where that data is stored and another place it can leak from. Before granting access, you can check whether a provider is authorised to participate in the Open Banking ecosystem. It is also worth noting that unauthorised payments remain your bank’s responsibility to sort out, even if the payment was initiated through a third-party provider (provided the payment did not arise as a result of fraud or your own negligence). In the case of fraud, the banks have put further initiatives in place to counter, for example, Authorised Push Payment fraud, which we have written about separately.
Finally, the digital world has a tendency towards concentrating power in the hands of a small number of platform providers (for example, Amazon for online marketplaces, Spotify for music). It is quite conceivable that tech giants such as Google, Facebook or Amazon could get in on the Open Banking act and manage every aspect of your financial life. Or maybe a dominant integrated financial services platform will come from a new name: perhaps a fledgling challenger bank, as yet unknown.
Where else does the river flow?
The FFD Regulation, an EU regulation for the free flow of non-personal data, has been applicable in the EU and the UK since May 2019.
The regulation is primarily aimed at cloud providers (of storage and other data processing services), establishing, amongst other things, self-regulatory codes of conduct to make it easier for businesses to switch data service providers (or to repatriate data to themselves). The aim is to avoid vendor lock-in practices, such as requirements for proprietary data formats or restrictive contractual arrangements.
Data from these B2B tributaries may also flow into our river. The FFD regulation stipulates that where non-personal data is ‘inextricably linked’ with personal data, the GDPR governs the whole dataset. The Commission’s guidance note on the regulation goes on to note: ‘Mixed datasets represent the majority of datasets used in the data economy and are common because of technological developments such as the Internet of Things (i.e. digitally connecting objects), artificial intelligence and technologies enabling big data analytics.’
Therefore, thanks to the right of portability under the GDPR, these mixed datasets may be shared at a user’s behest between competitors, further harnessing the river’s flow for the benefit of society. There are constraints; it is not a free-for-all. The data portability obligations apply only to data controllers that process personal data on the basis of the data subject’s consent or in order to perform a contract with the data subject, and only where the processing is carried out by ‘automated means’ (i.e. excluding paper files).
A river without banks is a flood. A river with a dam is a power source. This trend towards a harnessed flow of data within a trusted ecosystem is likely to transform the financial services sector as we know it today.