Big data sharing: Navigating the regulation minefield
Issue 481 | 10 May 2023
Should payment firms be limited in how they reuse data or are the laws based on GDPR sufficient?
There are a multitude of benefits for payment firms that can successfully leverage big data analytics and open banking tools. Insights into transaction patterns, understanding customer needs and combating money laundering are just some of the advantages of big data payments sharing.
However, obtaining these benefits requires payment firms to effectively navigate a minefield of regulatory obligations, not just within their home country, but also internationally when undertaking cross-border data transfers. “There are various benefits to banks in sharing payments data, from the ability to offer their clients more sophisticated products and services; to the cross and upsell of products enabled by better understanding of customer behaviours, habits and preferences,” says Amit Mallick, open finance lead at Accenture.
“For consumers, they stand to benefit from personalised offerings, loyalty programmes, discounts and intuitive and interactive solutions for payments and budgeting,” adds Mallick. “For SMEs, the sharing of payments data can facilitate insight-led products and services.”
Currently, the majority of information that is flowing through the payments ecosystem still constitutes personal data. While not always obvious, as it could be information linked to a transaction ID or a card number without a name attached, there is still always an individual behind any transaction data.
“What we have seen coming up quite a lot in discussions between merchants and particularly payment service providers, is the concept of purpose limitation,” says Simon Elliott, head of data privacy and cybersecurity practice for the UK, Ireland and Middle East at Dentons. “What this means is the rights or permissions for payment service providers to reuse data for their own purposes.”
For example, merchants can pull together large datasets from across their bases and supplement this with data from third parties to examine patterns of fraud or to look into developing new products or services based on trends.
Debates are currently ongoing as to what ‘limits’ should be placed on payment firms reusing data, with the issue of consent at the forefront.
“There are obviously issues surrounding consent and the ability to use and access data. This is where there’s an important interplay between the revised Payment Services Directive and data privacy laws such as GDPR,” adds Elliott.
Implicit vs explicit consent
The European Commission’s revised Payment Services Directive (PSD2) was issued in March 2018. It aims to further level the playing field for payment service providers by including new players and enhancing protection for European consumers. It often intersects with the EU’s General Data Protection Regulation (GDPR), from which the UK’s own version is replicated.
Within PSD2 there are certain obligations where payment service providers must obtain what is referred to as ‘implicit consent’ to gain data access. Implicit consent is when a consumer takes an action through which they are inherently consenting to the use of their data. For example, when a customer makes an online purchase on Amazon, it can be argued that they are giving implicit consent to their address being used for the purchase delivery.
In contrast, ‘explicit’ consent goes a step further: a consumer may grant consent for data access only after they are given an explanation of what data is being accessed, what it will be used for and who it is being shared with.