Introduction
Definition of Fintech, Fintech products and services
Fintech is the short form of financial technology and is part of the worldwide innovation boom. It has been defined as “technologically enabled financial innovation that could result in new business models, applications, processes, or products with an associated material effect on financial markets and institutions and the provision of financial services”.
The right to the protection of data
The right to protection of an individual’s private sphere against any form of intrusion by anyone, including the state, was first set out in an international legal instrument in article 12 of the 1948 UN Universal Declaration of Human Rights (UDHR), in relation to the private and family life of the individual. This led to the development of further instruments which safeguard human rights across the whole of Europe.
After the Second World War, the Council of Europe was formed to bring states together and to promote democracy, the rule of law, human rights and social development. This led to the adoption of the European Convention on Human Rights (ECHR) in 1950, which entered into force in 1953. Compliance with the ECHR is thus an international obligation of each member state.
To ensure adherence to the obligations under the ECHR, the members set up the European Court of Human Rights (ECtHR) in Strasbourg, France, in 1959. Its role is to ensure that all member states comply with those obligations by considering complaints brought by individuals, groups of individuals, NGOs or any legal person alleging that their convention rights have been violated.
One of the rights protected under this convention is the right to the protection of data. It is set out in article 8 of the ECHR, which gives individuals the right to respect for private and family life, home and correspondence, and which also lays down the conditions under which restrictions of these rights are permitted. The ECtHR has thus examined, throughout its jurisprudence, many matters relating to data protection, including forms of surveillance, interception of communications and protection against the storage of personal data by public authorities. Some of these cases are covered herein as case law. The court has further clarified that article 8 of the ECHR obliges the state both to refrain from any action that would violate the convention right and to actively secure effective respect for private and family life.
This paper aims to underscore the impact that Fintech has on data protection under domestic law. To achieve this objective, the development of Fintech is first described, from its conception to its current state. This is followed by the GDPR and its effect on Fintech. More importantly, and to a more significant extent, this paper demonstrates through case law the right to protection of personal data concerning private and family life, as well as the case law relating to the right to be forgotten.
Development of Fintech
From 2008 to 2013, global Fintech investment grew from $930 million to more than $2.97 billion, more than tripling. Although the United States still dominates Fintech investment, London and Ireland are the fastest growing regions; since 2008, London has been growing at an annualised rate of 74 percent. In Q3 2017, global investment in Fintech companies hit $8.2 billion. Several megadeals of $100 million or more drove global Fintech investment, many of them in the United States (e.g. Intacct, $850 million; CardConnect, $750 million; Xactly, $564 million, among others), while companies from China, Germany and Canada were also among the top 10 global deals.
In relation to Fintech, data protection law has been developed and designed to protect the right to privacy of data and information, including financial information, unless a court determines that such privacy is a threat to the state, in which case it may be revoked and access to the information granted. The Data Protection Directive draws on the possibility provided in article 11 of Convention 108, which adds to the protective instruments available to individuals. The introduction of independent supervision in particular, as a compliance instrument for data protection rules, was an essential contribution to the functioning of European data protection law.
Lawful processing of sensitive and non-sensitive data
The Data Protection Directive has two different sets of rules for lawful data processing. One set concerns non-sensitive data and is found in article 7, while the other concerns sensitive data and is found in article 8.
Lawful processing of non-sensitive data
The general rules on the lawfulness of processing in Directive 95/46 provide that, except where article 13 applies, all processing of personal data must comply with the principles relating to data quality set out in article 6 of the Data Protection Directive and must satisfy one of the criteria for legitimate processing spelt out in article 7. For processing to be permitted on this basis, consent has to be sought. Processing is also permitted in the context of a contractual relationship: for instance, where a party intends to enter into a contract but is not yet able to because the requirements are incomplete, processing needed for that contractual relationship is allowed.
Lawful processing of sensitive data
It is left to the discretion of domestic law to determine the appropriate protection to be given to sensitive data, while in EU law article 8 of the Data Protection Directive gives legal protection to categories of data which reveal racial or ethnic origin and political opinions. Other categories covered include religious or philosophical beliefs, sex life, health information and trade union membership. In principle, the processing of sensitive data is prohibited. This prohibition, however, has numerous exemptions, which are listed in article 8(2) and (3) of the directive. They include the vital interests of the data subject, the explicit consent of the data subject, the public interest and legitimate interests. The following case law relates to the processing of sensitive data.
The case of I. v. Finland, No. 20511/03, 17 July 2008
This case originated in application no. 20511/03 against the Republic of Finland, lodged with the court under article 34 of the convention for the protection of human rights on 20 June 2003 by the applicant, a Finnish national. It was a health case: after the applicant had been diagnosed with HIV in 1992, while working as hospital staff, she realised that her colleagues, who had free access to the hospital patient register, were aware of her illness. The applicant further complained that there was evidence that the district health authority had failed to provide a secure register in which patient information could be kept safely without disclosure. Article 8, paragraphs 1 and 2, reads as follows:
“1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
The Finnish government, however, contested the applicant’s argument. On admissibility, the court noted that the application was not ill-founded within the meaning of article 35(3) of the convention. The court further reiterated that the application was not inadmissible on any other ground and must therefore be declared admissible.
The parties then made their submissions. The applicant submitted that the domestic authorities had not put enough measures in place to safeguard her private life, given the requirements of the law on sensitive data such as health information. In her view, retrospective control would have been of vital importance: the data system in place at the time should have shown who had accessed her information, so that an investigation could have started into whether that person was lawfully authorised. The domestic court, however, rejected her claim because she could not identify the very person who had accessed her health information. The data controller, whose duty was to safeguard clients’ personal data, was obliged to ensure that no unauthorised person was able to see or process patients’ personal data. As a matter of strict liability, the controller had an obligation to compensate any damage caused by such a leak of information.
For the case at hand, the government admitted that control of the register in the early 1990s was carried out by storing the identifiers of the five most recent users of a given patient’s record. This system was later changed in 1998 so that each log-in to a patient record was stored. The government further stressed that recording and retrieval of patient information in the hospital could only be carried out under detailed instructions, and that the only other persons permitted to view records were health-institution personnel with high moral standards who were bound by a statutory secrecy obligation.
In the court’s assessment, the hospital was a public one, meaning that the convention applied directly to it. The processing of information concerning an individual’s private life falls within the scope of article 8(1), and personal information relating to a patient undoubtedly belongs to his or her private life. Thus the applicability of article 8 in this case was not contested by any of the parties.
The protection of personal data, and particularly of medical data, is of fundamental importance to a person’s enjoyment of the right to respect for private and family life under article 8 of the convention. Respecting the confidentiality of health data is thus vital in the legal systems of all contracting parties to the convention. This is required not only to protect the patient’s sense of privacy but also to preserve confidence in the medical profession and in health services in general. These considerations are especially valid for the protection of confidentiality of information about dreaded diseases such as HIV infection, given the sensitive issues surrounding the disease. Domestic law must therefore provide safeguards which prevent any such leak of information about a person’s health.
The applicant also complained that articles 6 and 13 had been violated, as she bore the burden of proving that her colleagues had accessed her patient records unlawfully. Having regard to its findings under article 8, the court considered that examination of these aspects of the application was not necessary. Article 41 of the convention provides that:
“If the Court finds that there has been a violation of the Convention or the Protocols to it, and if the internal law of the High Contracting Party concerned allows only partial reparation to be made, the Court shall, if necessary, afford just satisfaction to the injured party.”
Under the head of pecuniary damage, the applicant claimed EUR 38,115.53, which included EUR 20,000 for the loss incurred when the hospital refused to renew her work contract, as a result of which she was unemployed for about two years. The applicant further claimed EUR 5,988.06 for legal costs and EUR 446.79 for private detectives who had helped her uncover evidence for the compensation proceedings. The final amount claimed by the applicant was EUR 11,680.67 for the economic loss resulting from the sale of her home, as she had moved from her initial place of residence because of the rumours about her disease.
In its findings, the court established that the applicant had suffered non-pecuniary damage due to the state’s failure to secure her patient records against the risk of unauthorised access, and awarded her EUR 8,000 under this head. The court thus declared the application admissible and held that the respondent state had violated article 8 of the convention. The state was ordered to pay the applicant EUR 5,771.80 for pecuniary damage, EUR 8,000 for non-pecuniary damage and EUR 20,000 for costs and expenses.
The areas that GDPR will impact on Fintech
Customer Consent
To acquire personal data, companies must clearly describe the purpose of use and obtain separate consent if they want to share the data with a third party. The GDPR guarantees individuals’ rights over their data. Fintech companies should therefore carry out a comprehensive analysis of whether they comply with the GDPR. Companies should keep consent requests separate from other terms and conditions, make it easy for people to withdraw consent, and keep records evidencing consent.
The right of access to one’s own data is acknowledged explicitly in article 8 of Convention 108. The ECtHR has repeatedly held that there is a right of access to information relating to one’s own data. This right derives from the need to protect the private life of the individual. In the Leander case, however, the ECtHR concluded that the right of access to personal data held by public authorities may be limited in certain circumstances. National law may add to the information that the controller has to provide. For instance, the passage quoted below concerns the information to be given about the data processed:
“By accessing one’s data, one can determine whether or not the data are accurate. It is, therefore, indispensable that the data subject be informed about the categories of data processed as well as about the data content. It is thus insufficient for a controller to tell the data subject that it is processing his or her name, address, date of birth and sphere of interest. The controller must also disclose to the data subject that it is processing ‘the name: N.N.; an address: 1040 Vienna, Schwarzenbergplatz 11, Austria; the date of birth: 10.10.1974; and sphere of interest (according to the data subject’s declaration): classical music.’”
The following case law applies to the customer consent:
Fintech Case Law Based on 1995 Data Protection Directive
C-73/07, Tietosuojavaltuutettu v. Satakunnan Markkinapörssi Oy and Satamedia Oy, 16 December 2008
In this case, the court considered the relationship between the principle of press freedom and the protection of personal data. The company Markkinapörssi collected data on the assets and income of 1.2 million taxpayers from the Finnish tax authorities in order to publish extracts of that data. The data was organised by municipality and income bracket in alphabetical lists, published in editions of a regional newspaper. Satamedia, a company forming part of the same group of publishers, provided a service allowing the same information to be received by text message. The case arose from complaints made by individuals who alleged that their right to privacy had been infringed, and was taken up by the Finnish Data Protection Ombudsman, who requested that both Markkinapörssi and Satamedia be barred from continuing the processing of the personal data at issue.
The case having been referred to it at last instance, the Supreme Administrative Court of Finland submitted questions to the Court of Justice on the interpretation of Directive 95/46/EC of 1995 on the protection of personal data, inter alia in order to determine the circumstances under which the contested activities may be considered as processing of personal data carried out solely for journalistic purposes. Article 9 of the 1995 directive requires that exemptions or derogations from data protection rules be provided where personal data is processed solely for journalistic purposes.
The court pointed out, first of all, that the activities of Markkinapörssi and Satamedia constitute processing of personal data covered by Directive 95/46/EC, even though the public files used contained material that had already been published in the media, in an altered form.
The court next considered the interpretation of the exemption for data processing carried out for journalistic purposes, taking into account that the purpose of this derogation is to reconcile freedom of expression with the protection of privacy in relation to personal data. Given the importance of freedom of expression in every democratic society, the court held that the notion of journalism must be interpreted broadly, without allowing unnecessary encroachment on the fundamental right to privacy.
In this regard, the court defined the notion of journalistic activities referred to in article 9 of Directive 95/46/EC as encompassing all activities whose object is the disclosure to the public of information, opinions or ideas, irrespective of who carries out such activities, which need not necessarily be a media undertaking. The definition is also irrespective of the medium used to transmit the processed data, be it a traditional medium such as paper or radio waves or an electronic medium such as the internet. Finally, the court held that the definition applies regardless of whether the activities are carried out for profit or not.
In its final verdict, the court left it to the Supreme Administrative Court of Finland to decide whether, in the case at hand, the activities of the two companies, Markkinapörssi and Satamedia, fall within the notion of journalistic activities as defined above.
Biometric as identifiers for a financial transaction
Financial institutions adopt biometric information such as fingerprints, eye scans and face scans to identify customers. To comply with the GDPR, financial institutions need to prevent this data from being exposed in the first place. Identification can also be based on user behaviour, that is, the way users behave takes the place of data entry. Biometric identifiers are advantageous in that they do not require any additional technology at the user interface. They are thus seen as a potential replacement for single-factor password authentication.
All companies which want to comply with the GDPR will require controls for protecting the fundamental identity data of the individuals under their care. These controls ensure that responsible companies have the organisational and technical measures in place to prevent exposure of personally identifiable information through weaknesses in their data storage systems. The primary concern of these companies should be the possibility of meeting customer expectations and growing demand by properly protecting customers’ private data [5]. Clients may also require the deletion and correction of their data when necessary. To meet such requirements, processes, strategies and technologies, together with marketing aspects, must be built into the desired picture. The use of biometric data is thus a viable method which plays an important role in doing so, with the help of GDPR identification. The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data [7]”.
One useful tool for minimising the collection of personal data is Digital Identification Access Management (DIAM). With this tool, data is verified during registration against other sources and is not retained afterwards. When access is needed, the information required does not have to be exceptionally specific: for example, when only an individual’s region of residence is required rather than the exact address, DIAM can supply just that. In the long run, the data of the individual should be owned solely and fully by that individual, so that third parties can access specific details from the individual’s data only with his or her consent. This is where DIAM plays a major role, with the help of blockchain in combination with the data storage layer [10].
Right to be forgotten
The GDPR guarantees the right of a person to request that financial institutions delete his or her personal data. Financial institutions may retain data where other obligations have to be complied with; however, the right to be forgotten should prevail if there is no valid justification for retention. The following case law applies to the right to be forgotten under the General Data Protection Regulation.
Case law relating to the right to be forgotten under the General Data Protection Regulation
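The consent, DIAM and right-to-be-forgotten sections above describe three controls in prose: separate, withdrawable consent per third party; verifying identity data at registration and keeping only a coarse attribute; and honouring erasure requests unless a retention obligation applies. The following is an added illustration, not code from the paper or from any DIAM product, of how a fintech customer store could implement the three together. The verification source, the customer identifiers, the region-derivation rule and the retention date are all constructed for the example.

```python
"""Added example: data minimisation, consent-scoped disclosure and erasure
with a retention check. Hypothetical code; not from the paper or any product."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed stand-in for an external verification source (e.g. a registry)
# that the institution checks a claimed address against during registration.
VERIFICATION_SOURCE = {
    "cust-001": "Schwarzenbergplatz 11, 1040 Vienna, Austria",
}

# The only attributes the store will ever disclose to a third party.
DISCLOSABLE = ("region", "address_verified")


class ConsentError(PermissionError):
    """Raised when a third party requests attributes outside its consent scope."""


@dataclass
class CustomerRecord:
    customer_id: str
    region: str              # coarse attribute retained; the full address is not
    address_verified: bool
    consents: dict[str, set[str]] = field(default_factory=dict)  # party -> attributes
    retention_until: date | None = None   # legal retention obligation, if any


def region_of(address: str) -> str:
    """Constructed rule: the region is the city word in the last-but-one field."""
    parts = [p.strip() for p in address.split(",")]
    return parts[-2].split()[-1] if len(parts) >= 2 else "unknown"


def register(customer_id: str, claimed_address: str) -> CustomerRecord:
    """Verify the claimed address against the source; retain only the result and region."""
    source_address = VERIFICATION_SOURCE.get(customer_id)
    verified = source_address is not None and source_address == claimed_address
    # The full address is used for the comparison only and is never stored.
    region = region_of(claimed_address) if verified else "unverified"
    return CustomerRecord(customer_id=customer_id, region=region, address_verified=verified)


def grant_consent(rec: CustomerRecord, party: str, attributes: set[str]) -> None:
    """Record consent for one third party, kept separate from any other terms."""
    unknown = attributes - set(DISCLOSABLE)
    if unknown:
        raise ValueError(f"cannot consent to undisclosable attributes {sorted(unknown)}")
    rec.consents.setdefault(party, set()).update(attributes)


def withdraw_consent(rec: CustomerRecord, party: str) -> None:
    """Withdrawal removes the party's whole scope; later disclosures fail."""
    rec.consents.pop(party, None)


def disclose(rec: CustomerRecord, party: str, requested: list[str]) -> dict:
    """Return only the requested attributes, and only within the party's consent scope."""
    allowed = rec.consents.get(party, set())
    missing = set(requested) - allowed
    if missing:
        raise ConsentError(f"{party} has no consent for {sorted(missing)}")
    view = {"region": rec.region, "address_verified": rec.address_verified}
    return {name: view[name] for name in requested}


def handle_erasure_request(store: dict[str, CustomerRecord], customer_id: str,
                           today: date) -> dict:
    """Erase the record unless a retention obligation is still running.

    Returns an audit entry so the decision (and its justification) is recorded."""
    rec = store[customer_id]
    if rec.retention_until is not None and today <= rec.retention_until:
        return {"customer_id": customer_id, "action": "retained",
                "justification": f"retention obligation until {rec.retention_until.isoformat()}"}
    del store[customer_id]
    return {"customer_id": customer_id, "action": "erased", "justification": None}


if __name__ == "__main__":
    rec = register("cust-001", "Schwarzenbergplatz 11, 1040 Vienna, Austria")
    grant_consent(rec, "credit-bureau", {"region"})
    print(disclose(rec, "credit-bureau", ["region"]))       # {'region': 'Vienna'}
    store = {"cust-001": rec}
    rec.retention_until = date(2030, 1, 1)                   # constructed obligation
    print(handle_erasure_request(store, "cust-001", date(2025, 1, 1))["action"])  # retained
```

The design point is that the erasure handler never silently drops a request: a request that cannot be honoured yields an audit entry naming the retention obligation, which is what a supervisor would ask for when testing whether “no valid justification” was in fact the case. Consent is stored per receiving party rather than as one global flag, so withdrawal for one party does not disturb another, and disclosure is bounded twice, by the consent scope and by the fixed list of disclosable attributes.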
Segerstedt-Wiberg and Others v. Sweden, No. 62332/00, 6 June 2006
The case originated in application no. 62332/00 against the Kingdom of Sweden, lodged with the court under article 34 of the convention for the protection of human rights and fundamental freedoms. It was lodged on 7 October by five applicants, all Swedish nationals. The applicants alleged that the storage in the files of the security police of certain information that had been released to them amounted to unjustified interference with their right to respect for private life under article 8 of the convention. They further complained under the same article that they had been denied a full explanation of why their information was kept in the security police register. The applicants also relied on articles 10 and 11 of the convention. Their final complaint, under article 13, was that Swedish law provided no adequate remedy for the violations stated above [12].
Several provisions of domestic law relate to the case in question. Some concern freedom of opinion, association and expression as set out in the Instrument of Government, which provides the starting point. Also relevant is the principle of free access to official documents enshrined in the Freedom of the Press Ordinance, together with the restrictions on that freedom under the Secrecy Act (1980:100) [1].
In its assessment, the court found it established that the refusal by the security police to advise the applicants of the full extent of why information about them was kept on the security police register amounted to an interference with the applicants’ right to respect for private life. This refusal had a legal basis in chapter 5, section 1(2) of the domestic Secrecy Act. The court confirmed that such refusals are necessary only where the state may legitimately fear that providing the information would jeopardise the efficacy of a secret surveillance system designed to protect national security and to combat terrorism. In this regard, the court decided that the state, having regard to the margin of appreciation available to it, was entitled to put the interests of national security and the fight against corruption before the interests of the applicants.
In its final verdict, the court held that there had been a violation of article 8 of the convention with regard to the 2nd, 3rd, 4th and 5th applicants, but not the 1st applicant; that the state had violated articles 10 and 11 of the convention with regard to the 2nd, 3rd, 4th and 5th applicants, but not the 1st applicant; and that the state had violated article 13 with regard to all five applicants. The respondent state was required to pay, within three months of the judgment becoming final in accordance with article 44(2) of the convention, the following amounts to the applicants in respect of non-pecuniary damage: EUR 3,000 to the 1st applicant, EUR 7,000 to each of the 2nd and 5th applicants, and EUR 5,000 to each of the 3rd and 4th applicants. The court also directed the state to pay EUR 20,000 for costs and expenses jointly to all five applicants [1].
Vendor management
Personal data passes through various IT applications, since financial institutions use many IT systems. Financial institutions therefore need to understand all data flows across their various systems. The trend towards outsourcing development makes it easier for personal data to be exposed to vendors. Under the GDPR, vendors are bound by obligations regarding data access. Similarly, a non-EU organisation collaborating with EU banks must also be alert to data exposure. The GDPR imposes accountability to ensure that the data is protected.
It is vital for every organisation to identify the privacy regulations relevant to it, to identify the personal information that is regulated locally, federally and internationally, and to determine which third parties require specific consideration. The organisation must determine the risk profile it assigns to each vendor. Such a risk profile takes into account what the vendor supplies, the kind and quantity of data stored by the vendor, the business impact of compromise or loss of that data, where the data is physically stored, and the internal systems and applications the third party needs in order to access the information. The organisation then draws on the expertise of its information security team to determine the full criteria for the risks likely to be involved. Standard risk profiles are low, moderate and high [6].
If an organisation decides to engage a third party, the next step required by vendor management is to review the engagement agreement. If the third party supplies the agreement, it should be reviewed with legal input from the relevant legal department. The organisation is further required to maintain a master service agreement (MSA) or a standard third-party contract template containing the security- and privacy-related contract language by default.
Monitoring activities for vendor management are then performed and should be limited to the engaged third parties. The organisation should also ensure that vendor management procedures provide for active monitoring of changes in data usage. This includes ensuring that staff are adequately trained in the vendor management processes and that the list of approved third parties which have undergone scrutiny is maintained and kept up to date [8].
Conclusions
This paper aimed to underscore the impact that Fintech has on data protection under domestic law. This objective has been achieved by describing the development of Fintech from its conception to its current state, followed by the GDPR and its effect on Fintech. More importantly, and to a more significant extent, this paper has demonstrated through case law the right to protection of personal data concerning private and family life, as well as the case law relating to the right to be forgotten.
The right to protection of an individual’s private sphere against any form of intrusion by anyone, including the state, was first set out in an international legal instrument in article 12 of the 1948 UN Universal Declaration of Human Rights (UDHR), in relation to the private and family life of the individual. This led to the development of further instruments which safeguard human rights across the whole of Europe.
In relation to Fintech, data protection law has been developed and designed to protect the right to privacy of data and information, including financial information, unless a court determines that such privacy is a threat to the state, in which case it may be revoked and access to the information granted. As regards the right to be forgotten, it should prevail if there is no valid justification for retaining the data.
The Data Protection Directive has two different sets of rules for lawful data processing: one concerns non-sensitive data and is found in article 7, while the other concerns sensitive data and is found in article 8. The right of access to one’s own data is acknowledged explicitly in article 8 of Convention 108. The ECtHR has repeatedly held that there is a right of access to information relating to one’s own data, a right which derives from the need to protect the private life of the individual.
- London is Benefiting from Fintech Investment Boom, According to Accenture Study. Accenture Newsroom. https://newsroom.accenture.com/subjects/research-surveys/london-is-benefitting-from-fintech-investment-boom-according-to-accenture-study.htm
- The Pulse of Fintech Q3 2017: Global Analysis of Investment in Fintech. KPMG, 7 November 2017.
- Burgess, Matt. What is GDPR? The need-to-know guide. Wired, 5 April 2018. http://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
- Brummer, Chris; Gorfine, Daniel. Fintech: Building a 21st-Century Regulator’s Toolkit. October 2014.
- New Data Regulation (GDPR): Could Fintech Companies Face Bankruptcy? Mi3Security. https://www.mi3security.com/blog/2017/3/28/new-data-regulation-gdpr-could-fintech-companies-face-bankruptcy
- Armour, John; Awrey, Dan; Davies, Paul; Enriques, Luca; Gordon, Jeffery N.; Mayer, Colin; Payne, Jennifer. Principles of Financial Regulation. Oxford University Press, 2016.
- Financial Stability Implications from Fintech: Supervisory and Regulatory Issues that Merit Authorities’ Attention. 27 June 2017, p. 7.
- Meola, Andrew. These are the top financial services providers and Fintech startups. Business Insider, 22 December 2016. http://www.businessinsider.com/top-financial-services-providers-and-fintech-startups-2016-12/?r=AU&IR=T
- Are You Ready for GDPR? Information Governance Resource. https://www.infogovbasics.com/gdpr-basics-ebook/
- Schüffel, Patrick. Taming the Beast: A Scientific Definition of Fintech. Journal of Innovation Management, 2016, pp. 32–54.
- Sanicola, Lenny. “What is FinTech?”. Huffington Post, 13 February 2017.
- Schüffel, Patrick. “Taming the Beast: A Scientific Definition of Fintech”. Journal of Innovation Management 4(4): 32–54, 9 March 2017. ISSN 2183-0606.
- Aldridge, I.; Krawciw, S. Real-Time Risk: What Investors Should Know About Fintech, High-Frequency Trading and Flash Crashes. Hoboken: Wiley, 2017. ISBN 978-1119318965.
- Scholten, Ulrich. “Banking-as-a-Service: what you need to know”. VentureSkies.
- “Global Fintech Investment Growth Continues in 2016” (PDF). Accenture, 2017.
- “What is FinTech and why does it matter to all entrepreneurs?”. Hot Topics, July 2014.
- “Stockholm FinTech: An overview of the FinTech sector in the greater Stockholm Region”. Stockholm Business Region, June 2015.
- “Fintech Investments Skyrocket in 2016: Report”. redherring.com.
- “Brexit a boon for Lithuania’s ‘fintech’ drive”. The Business Times.
- “Sydney FinTech hub based on London’s Level39 coming next April”. BRW, November 2014.
- Sharf, Samantha. “The Fintech 50: The Complete List 2016”. Forbes, 7 November 2016.