May 2018
Use of data: balancing added value for
customers and data protection
The digital transformation is one of the key challenges today – also for the financial industry. The Association of German Banks is meeting this challenge by, among other things, cooperating with start-ups from the financial sector, fintechs. The cooperation was institutionalised in the Digital Banking Project Committee, which is vigorously driving forward the cross-cutting issue of digitisation. The committee is a high-level body comprising bank Chief Digital Officers (CDOs) and leading figures from the German fintech scene. The present paper is the result of intensive cooperation between banks and fintechs.
Contacts at the Association of German Banks:
Wulf Hartmann | Legal Affairs | [email protected]
Stephan Mietke | Retail Banking, Banking Technology | [email protected]
Tobias Tenner | Digital Banking | [email protected]
The Association of German Banks and fintechs
Andreas Krautscheid, Chief Executive
bankenverband
Positions 3
Introduction

The financial services industry is undergoing a sweeping digital transformation that is affecting retail business in particular. In the meantime, a host of new providers with innovative services and a raft of new business models have entered the marketplace. These include – as before – companies creating and marketing individual products, but also platforms and entire ecosystems linking customers, product providers, processors or added-value service providers with each other.

The Association of German Banks is also facing up to the digital transformation: it supports cooperation between banks and fintechs and is instrumental in ensuring that common positions can be found. This position paper is based on the perception shared by both groups that the ever growing amount of data generated by digitisation needs to be used in the interests of customers without losing sight of the importance of data protection.

Banks and fintechs are keen to play a proactive role in shaping the digital transformation. Maintaining customers’ trust in protection of their data and at the same time offering state-of-the-art, user-friendly applications are a key success factor in this respect. This is why both groups feel it is essential that every customer be enabled to keep track of and retain control over their data and handle this data freely and independently.
Starting situation

Digitisation brings many benefits – not only for businesses but particularly also for customers: using data-based analyses, their user behaviour and thus also their wishes and needs can be better ‘understood’. This allows businesses to offer customised products at the right time and deliver individual added value for every customer.

Yet this potential can only be tapped if users actually see real added value for themselves and at the same time feel there is an adequate level of security and trustworthiness. The latter is essential, especially as data protection law also stipulates that individuals should be able to consciously and freely determine how their data is used, whether they receive explanatory information when concluding a contract or whether they sign a declaration of consent. Particularly in Germany, citizens are rather cautious and sceptical when it comes to the use or disclosure of data if they fail to see the context or benefit. When customers are asked if they agree to wider use of their data, most usually express reservations.

In practical life, the picture is often different, however: services that are known to be based on intensive use of customer data but (in this way) offer customers significant added value are popular with citizens; that goes for social networks or messenger services, but also for many other products from the digital world. This is why – particularly in view of the current allegations of data misuse by some players – we believe that informed, conscious and self-determined data handling by individuals should be the rule.

The new European General Data Protection Regulation (GDPR) now further harmonises the framework governing the use of customer data. To create a real level playing field for all market participants, it must be ensured that its provisions are implemented and interpreted consistently across the EU.
Yet, looking at its thrust, we take a critical view of the fact that the GDPR could lead to a further formalisation and expansion of data protection information for customers. Not least because of the high risk of penalties, we are concerned that customer information will be further ‘juridified’, which would be at odds with customer-friendly transparency. It should also be questioned whether, given the innovative momentum today and the broad knowledge potential of big data, the (narrow) ‘specific purpose’ rule in data protection law is really in keeping with the times or does not instead lead to opportunities for customers and providers being passed up. Data protection must also be judged by whether it does not pose any great obstacles to new business models in a global digital economy and consequently does not encourage any escape routes via offshore solutions. A fair balance between overall economic interests and individual protection needs must be continually sought and optimised anew.
Position I – Added value for customers through use of data

Customers can be offered significant added value through use of their data without restricting protection of their data or their privacy

Digitisation allows new added-value approaches from which customers can benefit in the form of better, i.e. higher-quality, quicker, simpler and lower-priced, products and services. Significant added value is created, for example, by
• identifying customer needs appropriately,
• customising products and services,
• individually protecting customers against financial losses and
• enabling banks to manage risks more accurately.

The associated ideas and approaches call for more intensive use of data – in terms of collecting, linking and enriching such data, as well as sharing it with third parties – than in the past, however.

If a financial services provider collects a customer’s data, it may, for example, be important and sensible to look beyond pure financial transactions and consider contracts of sale and other contract data, specific interests or location data as well. Such additional data would make it easier to realise cost savings potential, to obtain better financial terms and conditions or to detect account misuse earlier than in the past.

It would also be ideal if financial services providers could link their own financial data to third-party data instead of having to collect it anew in isolated data silos. After all, much of the data mentioned by way of example is already available at other service providers, some of which are outside the financial sector.

This expanded, collated and enriched data is more of a guarantee that consumers’ actual interests and needs will be catered to. According to a representative survey in January 2018¹, three-quarters of citizens believe that consumers are often unable to cope today when it comes to making decisions on purchases. More strongly data-based decision-making tools or recommendations could provide better guidance in this area.

¹ Representative GfK survey “Verbraucherschutz aus Bürgersicht” (“Consumer protection from a citizen’s perspective”) on behalf of the Association of German Banks, January 2018
Examples

• Proactive budget and liquidity monitoring
By analysing payment transaction data, banks can automatically offer help to customers whose financial situation has deteriorated or threatens to deteriorate as a result of drastic changes in their personal circumstances (e.g. change in their family environment or unemployment). For example, it is possible that in such a case customers would proactively receive updated budget and liquidity management planning. In this way, they would be advised as early as possible, drawing on the best possible database. This would also be in line with the objectives of current regulatory efforts.
Such a service is frequently thwarted today by the fact that automated personalised reading of the reason for a payment transaction is only allowed with the customer’s explicit consent (cf. Art. 94 (2) PSD2 and Art. 6 (1) (a) GDPR) and that, because of poor transparency and uncertainty about how data is used, customers are reluctant to actively agree to this.

• Opening accounts/custody accounts digitally in a seamless process
If a user wants to open an account online, they can complete the account-opening process within a few minutes. To retain the data already actively entered in the online form if the connection cuts off or if it is deliberately interrupted, the website used temporarily saves the customer data, e.g. for a period of seven days. If the user calls up the account-opening process again within this period, the data they have already entered will be automatically uploaded and they can continue entering data from where they left off, i.e. they don’t have to start all over again. There is the danger that these convenience aspects will be lost sight of in the European ePrivacy Regulation currently under discussion.

• Use of data from account information services
If a customer authorises their bank under the new PSD2 arrangements to aggregate other accounts with other banks on its online banking platform (through an account information service), the additional data acquired in this way can be used by the bank to create various kinds of added value for the customer.
However, in many cases it is not yet clear today exactly what services will be created as a result. As the customer has to deliberately opt for account aggregation, it is likely that new declarations of consent will be additionally required in the future and that the customer will thus face constantly amended or expanded general terms and conditions and data privacy statements.
Existing barriers

• ‘Data minimisation’ and ‘purpose limitation’ principles under data protection law: only the data required to achieve a specific purpose may be used. However, a feature of modern services – also triggered by PSD2 – is that they cater comprehensively to users’ needs, so that the purpose focus is becoming increasingly blurred.
• Lack of transparency or knowledge by the customer about how their data is used: controllers are required to provide the customer/data subject with detailed information on the processing of their data. However, comprehensive data privacy statements tend to quickly produce information ‘overkill’ among customers. The degree of detail introduced by the GDPR as well as the ‘juridification’ of its language to avoid the risk of penalties diminish clarity and comprehensibility for the customer, thus undermining the original purpose.
• The actually right ‘privacy by default’ rule leads in practice to providers not recognising their users in the digital world and being unable to proactively personalise their service. From the ‘analog’ world, e.g. bank branches, we know, however, that customers would in fact like to be recognised and personally looked after.

Petitions

Lawmakers and data protection supervisors are called upon to create a framework fostering the use of data while at the same time ensuring data protection:
1. Qualifying the ‘data minimisation’ principle, e.g. by generally allowing the use of publicly available data (with and without reference to persons).
2. Freeing the ‘purpose limitation’ principle from an overly tight framework:
 • enabling the customer to accept various processing purposes, possibly through one step in the basic settings or at the start of use of a comprehensive service (with scope for subsequent adjustment where required);
 • moving in the medium term away from the outdated, since non-operationalisable, ‘purpose limitation’ rule towards inclusion of (and user consent for) certain application classes, providers, regions or other specifically designated types of data use that the user can understand.
3. Accepting two-level information communication approaches, i.e. brief and concise information to provide an overview (level 1) and further detailed information upon request (level 2) – see also Position II below.

Accompanying measure(s) by banks/fintechs

• Encouraging customer acceptance by communicating more clearly the benefits of expanded and aggregated use of data for the customer. Obvious use cases are better customer advice drawing on a broader database, improving forward-looking financial scenarios, preventing fraud, and much more.
• Indicating means of standardisation to strengthen customer confidence. Such means are appropriate guidelines, a code of conduct or ‘bank secrecy 2.0’ adapted to the digital world.
Position II – User-friendly transparency on the use of data

Ensuring transparency on the use of data geared to the customer’s needs is the right approach to strengthen the customer’s data sovereignty and create trust in disclosing data for innovative products.

Any framework to foster the use of data in the customer’s interests must ensure the user’s data sovereignty and privacy. To this end, practical transparency approaches and control tools need to be developed and implemented.

At present, the risk of penalties under the GDPR means that the providers’ focus is on legal protection, which is why a data privacy statement is usually a lengthy document worded in turgid legalese. While this document provides maximum (legal) transparency, the actual purpose – comprehensibility for the user – frequently takes a back seat.

What is thus needed is a transparency approach that not only has legal precision in mind but also accommodates the customer by answering the following key questions briefly and concisely so that a legal layman can understand:
• Who uses the data (provider, third party)?
• What data is used (by category of data)?
• For what purposes is the data used?
• Is the data sold on?
• Where is the data stored/processed?

Examples

• ‘Traffic light’ food labelling system: the ‘traffic light’ food label shows the way: it is designed to protect consumers where they don’t have enough prior knowledge or information to be able to reliably assess what is in a food product. A simple, easy-to-understand label is intended to show at a glance whether the product exceeds certain nutrient levels and thus contributes to an unhealthy diet.
• As regards data privacy statements, it is often also the case that, without any specific basic – in this case, legal – knowledge, it is virtually impossible for the customer to gain an idea of how their personal data will be processed. This is where an easy-to-understand, uniform symbol code could help. The first page of a data privacy statement should contain an overview of the symbols along with a sentence explaining how data will be used in connection with the service the user is interested in.
Existing barriers

• Impracticality of the strongly formalised information requirements under data protection law in terms of both their length and the legal language used.
• Lack of transparency standards for data privacy statements: these are provider-specific and thus make it difficult for the customer to compare them across providers.

Petitions

We call for a number of measures with a view to simplifying data privacy statements while at the same time improving acceptance by users. These are:
4. Requiring lawmakers and data protection supervisors to foster and accept a modified transparency approach that comprises two levels:
 • stressing the comprehensibility aspect in consumer information on the use of data, e.g. by way of symbols or icons;
 • providing detailed, legally binding information and explanation of the symbols or icons upon request or centrally via a contact point or website.
5. Fostering a specific, uniform standard for simplified presentation of information and ‘messages’ (e.g. icons, keywords, one-pagers).
6. Requiring the competent data protection authorities to constructively accompany/support any additional sector-specific standards.

Accompanying measure(s) by banks/fintechs

• Developing a transparency approach as an aid to, or even best practice for, members/banks. This approach should be designed to show customers the scope and limits of use of their data in simple, easy-to-understand form so that they can grasp the implications of consent to use of their data (e.g. under a contract or by a separate declaration of consent). At the same time, the approach could set data protection and data security standards within the existing legal framework and in this way help to harmonise the application and interpretation of data protection rules.
• Compiling a sector-specific data protection glossary explaining to users in plain language the terms most frequently encountered in connection with financial services.
Position III – Easy-to-control data use via a data dashboard

Customers should be able to control and track use of their data by providers more easily and conveniently than in the past. They should in this way be empowered to exercise control over their data consciously and independently.

The condition for this is that customers have sufficient transparency about how the provider or, as the case may be, third parties intend to use their data (see, for example, Position II above).

Legal basis for data processing

Customers are in principle to be in a position to control use of their data – for example, under a contractual relationship or on a consensual basis – by means of a single declaration of intent. In some cases, however, data may be legitimately processed on the basis of statutory provisions (keywords: responsible lending, fraud prevention) or after a balancing of interests (keywords: dialogue with credit information agencies, use of data for advertising purposes). In such cases, notification to this effect must suffice – where a balancing of interests takes place, with an opt-out option. Separate customer consent to use of data under a contractual relationship is superfluous: if the contract cannot be performed without using/processing that data, a consensual approach would be misleading.

In the case of a contractual declaration relating to data processing or separate consent to data processing, a simple confirmation, e.g. by way of a mouse click, should be possible for the data subject. Particularly when it comes to online processes, checkboxes containing a variety of options are known to lead to high abort rates, as they are not only time-consuming for customers but call in some cases for decisions that may well overwhelm them. Instead of checkboxes, concise information on the use of data (see Position II) and, if required, a link to additional terms and conditions and guidance may be advisable to inform customers better about the terms on which they consent to use of their data.

Controllability through a data dashboard

The guiding data protection principle is that data subjects should generally be able to decide for themselves (on a consensual basis or by contractual agreement) who may process their data, what for and to what extent. This includes their right to information, rectification or erasure, to restriction of processing, or the right to object to processing, as well as the right to data portability. In practice, however, the large number of counterparties and different types of contract that individuals face often make it virtually impossible for them to keep track of and effectively exercise control over their data.

Better results could be achieved by a user-friendly data dashboard allowing users to recognise and – where possible – control at a glance what data is used by what providers for what purpose and to what extent. Users could also stipulate via the dashboard what online companies they disclose full personal data to and whom they would only like to deal with using a pseudonym. Authorisation to access data could also be subsequently altered or withdrawn; for this, there should be an access protocol. The dashboard should offer customers – in standardised form if necessary – a simple and clear overview.
A dashboard solution could be made available, on the one hand, by data-processing companies within the user profile but, on the other hand, also by trusted third-party providers that bring together data and identity management – like the personal finance management services aggregating bank accounts – in one place. Similar to the social login functionality we know from Facebook, Google, LinkedIn, Xing or Twitter, this data and identity management service would inform customers prior to any access to customer data by a provider what data needs to be accessed and will therefore be disclosed. This would put users behind the steering wheel.

Initial efforts by some US platform providers are aimed at giving users the right to determine their ‘privacy settings’. These efforts do not go far enough, however, in our view. Though users are allowed to edit and erase the data recorded and stored about their online behaviour, transparent individual scope for disclosing data prior to its use is missing.

Examples

• Data/identity management platform
The data dashboard could be put in place on a central data/identity management platform. This platform would offer its users a single sign-on key for various services. The disclosure of user data can be managed and controlled via a permission centre: users can set the data disclosure settings individually where a link to a new service is established. When doing so, they decide what data may be disclosed to whom and in what situations it may be used. The data can be adapted and erased at any time. Users can also set the desired degree of convenience to determine for the respective services whether contact data, bank data or dispatch data is automatically disclosed.

Existing barriers

• Lack of clarity on interpretation of data protection law and threat of consequences in the event of an infringement, particularly where cross-provider platform solutions are concerned. The obligation to produce proof of the required legal basis for processing personal data lies in cases of doubt/dispute with the provider, creating incentives to obtain explicit customer consent that, in turn, diminishes customer convenience.
• High complexity/considerable time and effort involved in designing and implementing such a data dashboard.
Petitions

7. Accepting a structured information and management platform, particularly from a data protection law/competition law perspective.
8. For cases where consent is required under data protection law:
 • adopting practical consent-based solutions that are easy to use and easy to understand for users. For this purpose, legislators need to specify such solutions and embed them in a suitable legal framework;
 • allowing simple – as far as possible, blanket – consent by the customer without the need for separate, explicit consent for individual aspects of use of data;
 • the principle of ‘freely given consent’ (in accordance with Art. 7 GDPR) should be satisfied if the data subject has an opt-out option in the event that use of their data goes beyond contract performance.

Accompanying measure(s) by banks/fintechs

• Identifying existing standards applicable to a data dashboard.
• Assessing potential implementation by the financial industry.
Annex: Overview of petitions

Position I – Added value for customers through use of data
1. Qualifying the ‘data minimisation’ principle, e.g. by generally allowing the use of publicly available data (with and without reference to persons).
2. Freeing the ‘purpose limitation’ principle from an overly tight framework:
 • enabling the customer to accept various processing purposes, possibly through one step in the basic settings or at the start of use of a comprehensive service (with scope for subsequent adjustment where required);
 • moving in the medium term away from the outdated, since non-operationalisable, ‘purpose limitation’ rule towards inclusion of (and user consent for) certain application classes, providers, regions or other specifically designated types of data use that the user can understand.
3. Accepting two-level information communication approaches, i.e. brief and concise information to provide an overview (level 1) and further detailed information upon request (level 2) – see also Position II below.

Position II – User-friendly transparency on the use of data
4. Requiring lawmakers and data protection supervisors to foster and accept a modified transparency approach that comprises two levels:
 • stressing the comprehensibility aspect in consumer information on the use of data, e.g. by way of symbols or icons;
 • providing detailed, legally binding information and explanation of the symbols or icons upon request or centrally via a contact point or website.
5. Fostering a specific, uniform standard for simplified presentation of information and ‘messages’ (e.g. icons, keywords, one-pagers).
6. Requiring the competent data protection authorities to constructively accompany/support any additional sector-specific standards.

Position III – Easy-to-control data use via a data dashboard
7. Accepting a structured information and management platform, particularly from a data protection law/competition law perspective.
8. For cases where consent is required under data protection law:
 • adopting practical consent-based solutions that are easy to use and easy to understand for users. For this purpose, legislators need to specify such solutions and embed them in a suitable legal framework;
 • allowing simple – as far as possible, blanket – consent by the customer without the need for separate, explicit consent in regard to individual aspects of use of data;
 • the principle of ‘freely given consent’ (in accordance with Art. 7 GDPR) should be satisfied if the data subject has an opt-out option in the event that use of their data goes beyond contract performance.
Publishing details | Publisher: Bundesverband deutscher Banken e. V., Postfach 040307, 10062 Berlin | Legally responsible: Oliver Santen bankenverband.de | Photo: fotolia kras99 | May 2018
The Association of German Banks can be contacted
by post:
Bundesverband deutscher Banken
P.O. Box 040307,
10062 Berlin
Germany
by email:
online:
bankenverband.de
by phone:
+49 30 1663-0