Aussie consumer groups cite Facebook-Cambridge Analytica type data dangers for consumers in move to open banking

Aussie consumer groups cite Facebook-Cambridge Analytica type data dangers for consumers in move to open banking

The adoption of open banking must include consumer rights to data deletion and should exclude aggregated data sets from its scope, Australian consumer groups say.

These points are made in a joint submission by the Financial Rights Legal Centre and Consumer Action Legal Centre to Australia's Treasury. An Australian government report has already set out a blueprint for the introduction of open banking in Australia, recommending open banking should be legislated with the Australian Competition and Consumer Commission its primary regulator. 

Here in New Zealand ASB, BNZ and Westpac are taking part in a Payments NZ trial of software that enables open banking. This comes against the backdrop of a request from Minister of Commerce and Consumer Affairs, Kris Faafoi, for banks to demonstrate they’re doing something in this space to pave the way for greater retail payments competition by April or potentially face regulation.

In Australia the Financial Rights Legal Centre and Consumer Action Legal Centre pick up on the recent high profile Facebook-Cambridge Analytica scenario, where it emerged the data analytics firm used personal information harvested from more than 50 million Facebook profiles without permission to build a system that could target US voters with personalised political advertisements based on their psychological profiles.

'The desire on the part of consumers to control their data via strengthened regulations is becoming stronger every day'

The submission argues the right to deletion is integral for open banking to work in Australia as proposed.

"If consumers are to have confidence in the open banking regime, this distills down to the need to having control over their own data and to know that if they withdraw consent at any time that data will be deleted. Consumers do not want the situation where their data has been used by a company - with or without consent - and that company holds on to that data to use for secondary purposes, either in aggregated or de-identified form where there is any possibility of re-identification," the Financial Rights Legal Centre and Consumer Action Legal Centre say.

"The recent news that UK company Cambridge Analytica legitimately gathered some personal data from Facebook accounts and concurrently illegitimately gathered other people’s data, and then, when found out and were requested to delete the data, did not, has raised public consciousness over the potential for data to be misused. Combined with the never ending list of significant and high profile data breaches at Equifax, Ashley Madison, Yahoo and more, the desire on the part of consumers to control their data via strengthened regulations is becoming stronger every day."

"The Government will be opening consumers up to serious consequences if the right to erasure [remove] is not embedded within the regime from the very beginning. It risks undermining trust and confidence in a system it is promoting as the future. If a right to erasure is not included future headlines will include the names of accredited open banking entities rather than Facebook and Cambridge Analytica," the submission argues.

Aggregated data

In terms of aggregated data, the Financial Rights Legal Centre and Consumer Action Legal Centre suggest aggregated data sets should not be included in the scope of open banking, and consumers should be able to withdraw consent for the use of aggregated data sets by a data-holder or recipient with this data destroyed.

Furthermore they argue consumers should be able to withdraw consent for the use of data that isn’t anonymised or pseudonymised by a data-holder or data-recipient in Australia. This data, they say, must be destroyed and withdrawn because of the threat of re-identification. A right to delete under Australia's Consumer Data Right is "essential" for this to take place. However, this wouldn't apply to genuinely anonymous data.

"Australia is coming late to the consumer data right party. The European Union (EU) have taken strong strides into bolstering consumer protections in this space with the new General Data Protection Regulation (GDPR) from May 2018 and the Payment Services Directive 2 (PDS2) coming into force early this year in January 2018. Australia does not have to re-invent the wheel and can learn from the lessons hard fought overseas and should follow the EU’s lead or find itself out of step with international practice to the detriment of Australian innovators as well as Australian consumers."

"Consumer representatives believe these principles are appropriate. We do wish to see innovation in the financial services sector to drive improved outcomes. However this will need to be balanced by genuinely effective consumer protections and access to justice. We strongly support the Report’s placing of the customer at the centre of the regime," the submission says.

Specifically, the Financial Rights Legal Centre and Consumer Action Legal Centre want the development of a full consumer right that includes the right to deletion, or erasure.

"For the past two decades, consumers have experienced the innumerable benefits of new technology, innovation and data with the commensurate positive impact on their private, social, financial and working lives. The speed of these changes has been bewildering, so it is only now that consumer understanding of the full impact of these changes is dawning on them with a growing awareness of the true down-side of digital innovation. From world-wide data breaches and increased direct marketing and targeting, to the rise of price discrimination, the segmentation of populations and even the potential undermining of the political process, consumers are beginning to more fully understand the implications of what they have signed up for."

"Consumers are therefore entering into the open banking regime with a mix of expectation and wariness. In the development of the open banking regime and introduction of Consumer Data Right consumers see, on one side, banks and existing data holders who wishing to hold on to what is seen the gold mine of the future: our personal data. On the other side we have a fintech sector keen to mine this ore for riches, presenting the innovations they produce as the solutions for many of the ills the financial sector is currently displaying, most prominently in the current Financial Services Royal Commission," the submission says.

"For consumers, there are many opportunities for improved outcomes, for bank switching and a vast array of new innovative financial services: some they have been yearning for years, others that they don’t even know they need. Development of the Open Banking regime and the Consumer Data Right also provides a once-in-a-generation opportunity to fix issues regarding consent, and the unbundling of reams of unread terms and conditions."

'The right to deletion is integral for the open banking regime to work'

According to the submission, other issues that need to be addressed from a consumer perspective include tackling increased complexity and choice, combatting increased economic inequality and financial exclusion, countering increased information asymmetry and predatory marketing, plus addressing a number of basic concerns with respect to privacy, security, unconscionable practices, the impact of non-transparent black box technology, and flawed correction processes.

Additionally the submission argues that if Australia's Consumer Data Right and open banking regime don't include a right like the EU GPDR, Australian entities wanting to work overseas will have to create dual data handling protocols applying to competing jurisdictions.

"This is a burden on innovation and will place Australian fintechs at a distinct disadvantage to international competitors," the submission argues. "We note that with respect to the right to delete, the [Government] Report suggests that it is beyond the scope of open banking to mandate a special right to deletion of information. We however strongly disagree and take the position that the right to deletion is integral for the open banking regime to work as currently recommended by the Report."

The Financial Rights Legal Centre is a community legal centre that specialises in helping consumer's understand and enforce their financial rights. Consumer Action is an independent, not-for-profit, campaign-focused casework and policy organisation.

*This article was first published in our email for paying subscribers early on Friday morning. See here for more details and how to subscribe.

We welcome your help to improve our coverage of this issue. Any examples or experiences to relate? Any links to other news, data or research to shed more light on this? Any insight or views on what might happen next or what should happen next? Any errors to correct?

We welcome your comments below. If you are not already registered, please register to comment.

Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.