A proposal put forward by the EU Commission in June of this year provides for the exchange and use of personal financial data by various data users to be re-regulated. The Commission's declared aim is to simplify access to data and promote innovation and data-based business models in the EU financial sector. The Chamber of Labour takes a very critical view of the proposal.
Consumer data covered by the Commission proposal is varied: savings, loans, accounts, pension rights in occupational pension schemes, property or investments in financial instruments. The proposal aims to enable the transfer of data and to define clear rights and obligations for the exchange of consumer data. According to the Commission, this should provide consumers with better financial products, stimulate competition in the financial sector and make its products more innovative. The declared need for action has been justified, among other things, by the supposedly inadequate access of consumers to their data. This in itself should be critically questioned, as the Chamber of Labour's consumer advisory service has never received any complaints regarding poor access to data. There can be no doubt that the project is in conflict with the fundamental right to data protection and privacy.
Right to data protection and privacy is being undermined
Consumers must be free to decide whether they want to disclose their data to third parties in order to receive personalised offers. The aim of promoting competition and the introduction of new financial services products does not generally constitute an overriding legitimate interest within the meaning of the General Data Protection Regulation, behind which the confidentiality interests of consumers would have to take a back seat in a generalised and undifferentiated manner. As financial services are complex products and usually involve large sums of money, particular caution is required when legislating.
The Commission's Proposal reflects the image of rational and sovereign consumers, whereas vulnerability must be assumed in the digital age. Added to this is the great imbalance of power between the contracting parties, consumers on the one hand and financial service providers on the other. Hence, there are doubts as to whether consumers have a sufficient overview of the consequences of their decisions. On the other hand, better access to data would enable providers of financial products to organise their sales practices even more aggressively.
Ambiguous responsibilities and unnecessary legal uncertainty
The entire Commission Proposal is pervaded by the comparatively undefined concept of authorisation to transfer data, while the GDPR clearly defines the requirement of consent. The intention behind this is ambiguous. Obtaining consumers' consent is important if only because, according to the GDPR, a right of withdrawal exists only if consent has been given. Effective consent should therefore also have to be obtained in areas covered by the proposed regulation.
It should also be critically noted that the allocation of tasks between data protection and financial supervisory authorities is not clarified in the Proposal with legal certainty, as fragmentary extracts from the General Data Protection Regulation are repeated. In order to avoid this unnecessary legal uncertainty, it should first be expressly clarified that the data protection authorities must implement all data protection aspects arising from the Commission Proposal. In addition, it would be desirable to include precise sector-specific requirements that go beyond the general GDPR principles, for example on limiting the purposes of use, data security or advertising bans.
Data sharing systems should be stored on EU servers
The IT infrastructure for the exchange of financial data is one of the most sensitive areas of public services and is, in principle, an attractive target for cyber-attacks. Systems for sharing financial data should therefore ideally be obliged to store personal data on servers within the EU. In general, it is important to ensure as far as possible that consumers are not affected by data misuse or network outages. It must therefore be seen as a major shortcoming of the Proposal that no preventive measures against misuse are provided for or that network and data security are not taken into account at all.
The Commission's proposal was also discussed in detail at a recent event organised by the European consumer protection organisation BEUC. Patricia Suárez emphasised that the exchange of personal data must be made as transparent and comprehensible as possible for consumers. The representation of consumer interests in the legislative process is particularly important due to the great power of the industry in this area. In its position paper, BEUC also warns of the risk of data misuse by financially strong companies.
The Proposal is to be put to the vote in the EU Parliament's Committee on Economic and Monetary Affairs in March 2024. Due to the areas of tension outlined in the Chamber of Labour's position paper, a fundamental revision of the Commission Proposal is urgently required.
Further information:
AK EUROPA Position: Financial Data Access
EU Commission: Financial data access and payments packages
EU Commission: Proposal for a Regulation on a framework for Financial Data Access
BEUC Event: Back to the Future – the promises and perils of digital finance
BEUC: Position paper on the proposed Financial Data Access Regulation
BEUC: The price of bad advice
European Banking Authority: Discussion Paper on selected payment fraud