Fintech and Privacy

On 7th February 2018, the Norwegian Data Protection Authority ("DPA") published a report which examines the challenges that the revised Payment Services Directive (PSD2) pose for privacy.

The PSD2 enables new actors, including large technology companies, to enter the financial sector and provide payment initiation services and account information services. Banks have thus lost their monopoly over their customers' transaction details. Moreover, companies outside the banking sector may create new services on top of the bank's data and infrastructure. To retain their competitiveness in the market, traditional actors such as banks and insurance companies are responding by forming new alliances and partnerships.

The report states that traditional banks and insurance companies tend to enjoy a high level of trust among consumers in Norway. Consumers expect that financial services are secure and safeguard privacy. Norwegian consumers hold that their private financial data deserves a high level of protection. Thus, those actors in the financial sector who provide a good level of privacy protection will enjoy a competitive edge, according to the DPA.

In the report, the DPA makes a number of recommendations to providers of financial services to protect customer privacy in the best possible manner. These recommendations include the following:

  • Privacy should be at the heart of the business: An ethical council or committee where new business models are discussed before being implemented should be established.
  • Create solutions that provide openness and transparency to the customer.
  • Create user-friendly solutions where the customers, as much as possible, can choose which personal data they wish to share and for what purpose such data may be used.
  • Use privacy-enhancing technology: Active, good and innovative use of privacy by design solutions can give new bank and insurance services a competitive edge in the long run.
  • Certification mechanisms, privacy seals and marks should be developed to increase transparency and ensure compliance with the forthcoming General Data Protection Regulation. Insurance, banking and fintech companies ought to explore the feasibility of developing industry standards.
  • Necessary risk assessments should be carried out before the development of new APIs or before insurance firms enter into partnership with providers of Internet of Things products. Where processing results in a high risk to privacy, a data protection impact assessment must be carried out to comply with the requirements in the General Data Protection Regulation.