Out-Law News 5 min. read
24 Jun 2015, 4:40 pm
Financial services sector head John Salmon and the Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.
Two weeks ago I took part in a roundtable discussion in Brussels on big data organised by Eurofinas, the consumer credit provider association. The focus was on how financial services businesses can use credit data to improve customer experience, customer acquisition and retention and internal processes.
While many issues were discussed on the day, three stood out for me – anonymisation, automated decision making and the central importance of APIs.
Anonymising data
Anonymisation remains the key to unlocking an organisation's right to freely use data. As a technique it allows organisations to overcome a major legal hurdle – anonymise data and it no longer falls under data protection laws.
However, when someone says 'what we are doing is ok because we are only using anonymised data' they have just considered part of the story. If data is considered 'personal data' it will be subject to data protection laws.
'Personal data' includes all information that directly identifies a person, whether by reference to a physical, physiological, mental, economic, cultural, social fact or an identification number, factor or unit. It also includes information they indirectly makes a person 'identifiable'. This can happen where two or more pieces of information are matched together. EU countries differ in their views on the extent to which businesses need to be concerned about the risk of information being matched together and identifying a person as a result. But in principle, so long as information may identify a person it could be subject to data protection laws.
Data will be outside the scope of data protection laws if "rendered anonymous in such a way that the data subject is no longer identifiable" as the current Data Protection Directive states. Like many things in law however, these words should not always be read in absolute terms.
Anonymisation is defined by an ISO industry standard as the “Process by which personally identifiable information (PII) is irreversibly altered in such a way that a PII principal can no longer be identified directly or indirectly". While this may technically give the impression that absolute and permanent anonymity is required, laws across Europe for the most part take a softer approach. They generally do not require that it be impossible to ever identify a person again for data to be considered anonymised.
The UK's Information Commissioner's Office in its guidance on anonymisation says that data protection laws are "not framed in terms of the possibility of an individual being identified" and "the risk of identification must be greater than remote and reasonably likely for information to be classed as personal data." The focus in the UK therefore requires organisations to deal with 're-identification risk' in a manner that is reasonable and proportionate to the risk of harm that re-identifying an individual through data could present.
German, Italian and Slovenian laws similarly focus on the relevance of whether a “disproportionate effort” would be needed to re-identify individuals. But the French data protection law, on the other hand go further as the Article 29 Working Party has pointed out, and provide that data remains personal data "even if it is extremely hard and unlikely to re-identify the data subject – that is to say, there is no provision referring to the 'reasonableness' test."
Financial services organisations must be careful before relying on anonymisation as the basis of a decision to ignore data protection laws. They may also need to change their approach to dealing with data depending on where they process data.
Conducting privacy impact assessments can help organisations assess re-identification risk in a structured and auditable way. Senior management oversight, ongoing 're-identification testing' and clear procedures for identifying and dealing with instances where anonymisation may be difficult to achieve can all help an organisation maximise the extent to which relying on anonymisation as the basis for enabling greater maximisation of the value of data.
Automated decision making
Increasingly machine learning techniques are creating a situation where businesses rely on algorithms to not only process information, but also to determine the logic behind how decisions are made. While the broad algorithmic principles behind how a decision is made about an individual will always be determined by humans, the detail of the logic may not.
This is interesting as both current data protection laws and those proposed under the GDPR give individuals the right to request that the 'logic' behind any automated decisions made about them be shared with them. The more businesses depend on processes that are determined by algorithms that they cannot readily explain, the more they will find it difficult to comply with requests to provide the logic behind how those decisions are made.
Reliance on algorithms to provide the logic behind decision making may become an even greater concern if some of the changes to data protection laws supported by the European Parliament are agreed to in the final version of the GDPR. While under current law the right to request the logic behind decisions extends only to decisions made solely on the basis of automated processes that have legal effects concerning that individual, the European Parliament's version of the GDPR broadens this right to all decisions predominantly made on the basis of automated means. It also requires organisations to "…implement effective protection against possible discrimination resulting from profiling".
While up until now protected characteristics such as gender, race, sexual orientation and religion were the primary focus of anti-discrimination laws, there is growing concern that segmenting audiences on the basis of other less defined characteristics, such as geographic location, education and browsing habits, will also come within the scope of these laws. If the GDPR includes references to protection against discrimination, financial services businesses need to be prepared for what this could mean in practice.
Whether or not the European Parliament's version of these provisions is successful, it is likely that automated decision making will become a hot topic for regulators once the GDPR comes into force. Financial services businesses should determine whether they have effective processes in place to satisfy the demands of customers and regulators for information about their automated decision making processes. They should also determine whether they can overcome any perceived discriminatory implications of those processes.
APIs
A third related area that stood out at the Eurofinas roundtable was the acknowledgment of the fundamental importance of the API economy. APIs are changing the ways in which almost every sector conducts business. For financial services, it means among other things, an easier way for organisations to share data and innovate collaboratively.
The UK Government is well-aware of the central importance of APIs to financial services and has made clear its intention for the UK to be a global leader in financial technology and in the use of open banking data. It is promoting the benefits of creating a single common open API standard that can be used by organisations wanting to develop innovative products and services that exploit the value of customer data held by banks. It has committed to set out a detailed framework for the design of this standard by the end of 2015.
The Payment Services Directive II (PSD2) which is currently being negotiated at EU level provides its own framework regarding APIs. It will allow new providers including those that purely initiate payments and that provide information account aggregation services to directly access customer account data. The regime will also give bank the opportunity to share data and collaborate more freely with associated companies through the use of APIs.
Eurofinas is the European Federation of Finance House Associations for specialised consumer credit providers in Europe.