Author: Narmin Huseynzada, LLB, Baku State University, 2016-2020, e-mail: [email protected]
Editor: Bader Kabbani, LLM International Commercial and Economic Law, SOAS, University of London, 2020-2021, e-mail: [email protected]
Open banking has reshaped existing customer-bank relationships and led to the emergence of new challenges regarding data collection. While data protection law creates a shield against the illegitimate use of personal data, in some cases processing payment data poses a higher risk for customers than processing other forms of data. This article will (1) seek to determine the status of payment data and its potential uses in open banking; and (2) describe how payment data is regulated under data protection law.
In the modern world, service providers try to offer products that give better and more efficient experiences. With the help of open banking, banks can share individuals’ data with third-party providers (TPPs), mainly financial technology companies (“FinTechs”) that provide customers with online services and products. The main advantage of open banking is that customers can make financial transactions without needing to go to the bank. Another advantage is that data shared through application programming interfaces (APIs) can be used to produce personalized products that meet customers’ demands. For this process to operate, customers must consent to the sharing of their personal data; in practice, this consent is obtained through the terms and conditions of the relevant agreements. However, this data-sharing process brings its own risks and creates a conflict between consumer satisfaction and the right to privacy. In this sense, the traditional notion of bank secrecy is no longer enough to protect customer data from unlawful use by third parties. The payment data kept by banks is not simply credit card or account numbers. Empirical research shows that customers do not fully understand how their financial data can be processed to reveal personal data about them. Most customers regard financial data as valuable mainly as a target for fraud or theft of money. In practice, payment data can reveal much more about individuals when combined with other types of personal data. This article discusses the risks customers can face if payment data is exposed in open banking. First, it introduces the status of payment data and its potential uses in open banking. It then describes how payment data is regulated under data protection law, in the context of the General Data Protection Regulation adopted by the European Union.
Defining payment data
Payment data is data collected and processed during a payment operation. In practice, payment data can be divided into three categories:
- Actual payment data: means of payment used, amount of the transaction, date and time of payment, identity of the merchant, identity of the beneficiary, IBAN, etc.
- Purchase or checkout data: characteristics of the products purchased, date and place of purchase, loyalty card details, etc.
- Contextual or behavioural data: customer knowledge data, geolocation, characteristics of the terminal used for an online purchase, characteristics of the products explored prior to the purchase, the time spent browsing, etc.
Banks can use actual payment data to evaluate the creditworthiness of potential customers by analyzing the payment history of individuals, their preferences and payment habits, and the correlations between those preferences or habits and an individual’s default risk. With the help of purchase or checkout data, banks can obtain a real-time view of customers and their purchases. This allows banks to identify customer segments, evaluate their behaviour, and test what works best for them. Contextual or behavioural data can be beneficial for marketing purposes if it is sold to third parties for external advertising.
Payment data protection
As described above, payment data is valuable and can generate various kinds of services that are helpful for individuals and businesses. However, research shows that customers have concerns about what type of data is shared and with whom. For that reason, lawmakers have tried to establish general rules for data protection and to grant consumers rights that enable control over their personal data. For example, a comprehensive data protection law, the General Data Protection Regulation (GDPR) adopted by the European Union, defines personal data as “any information relating to an identified or identifiable natural person”. Under the GDPR, processing of personal data is lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of her or his personal data for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous;
- processing is necessary for the performance of a contract;
- processing is necessary for compliance with a legal obligation;
- processing is necessary in order to protect the vital interests of the customer or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the customer.
If payment data is considered part of personal data, banks must rely on one of the grounds mentioned above to process customer data. On the other hand, the GDPR has introduced special categories of personal data, also known as sensitive personal data, that need a higher level of protection because such data can easily be used to discriminate against people, which is a breach of fundamental rights and freedoms. Data revealing racial or ethnic origin, political opinions, biometric data, etc. are included in this category (Art. 9 GDPR). Although payment data is not specifically included in this category, the European Data Protection Board (EDPB) has stated that financial transactions can sometimes reveal special categories of personal data about individuals. For example, depending on the transaction details, donations made to political parties, organizations, churches, etc. may reveal political opinions and religious beliefs.
In determining the sensitivity of data, the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada takes a different approach, stating that “although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context”. In Royal Bank of Canada v. Trang, the Supreme Court of Canada recognized financial information as “extremely sensitive”; however, “the degree of sensitivity of specific financial information is a contextual determination”. Otherwise, it could cause undue prioritization of privacy interests over legitimate business concerns. This view focuses on maintaining balance rather than prioritizing privacy rights over other rights. Considering the benefits that payment data can bring to people’s lives and businesses, it is essential to establish a legal framework that creates a balanced bank-customer relationship.
Overall, research shows that the development of technology makes the use of payment data in financial services inevitable. Data protection laws should prevent excessive and unreasonable use of payment data. I am of the opinion that service providers should act sensitively when processing payment data, as it carries risks such as reducing customers to mere objects of data processing (customer profiling), transfer of payment data for fraudulent purposes, etc. However, it is not beneficial to limit the use of payment data by including it in the sensitive data category. In that sense, looking at the intentions of banks in the particular context of data processing, and considering other objective factors such as the aim of data collection and the possible consequences for customers, would maintain a balance between customer satisfaction and the right to privacy.
- Andreas Habersetzer, Why payments data is the key to unlocking new customer value (June 25, 2021), https://www.ey.com/en_gl/banking-capital-markets/why-payments-data-is-the-key-to-unlocking-new-customer-value
- CNIL White Paper Collection No. 2, When Trust Pays Off: Today’s and tomorrow’s means of payment facing the challenge of data protection, https://www.cnil.fr/sites/default/files/atoms/files/cnil-white-paper_when-trust-pays-off.pdf
- Dr Edgar A. Whitley and Dr Roser Pujadas, Report on a study of how consumers currently consent to share their financial data with a third party (March 2018), https://www.fscp.org.uk/sites/default/files/fscp_report_on_how_consumers_currently_consent_to_share_their_data.pdf
- European Data Protection Board, Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR, Version 2.0 (December 15, 2020)
- GDPR, Article 6 and Article 9
- GDPR, Key Issues, https://gdpr-info.eu/issues/personal-data/
- Pauline Affeldt, Ulrich Krüger, You Are What You Pay – Personal Profiling with Alternative Payment Data and the Data Protection Law, Vol. 89 (2020), Iss. 4, pp. 73–88, at p. 7, https://elibrary.duncker-humblot.com/article/60789/you-are-what-you-pay-personal-profiling-with-alternative-payment-data-and-the-data-protection-law
- Personal Information Protection and Electronic Documents Act (PIPEDA), Principle 3 – Consent, 4.3.4
- Royal Bank of Canada v. Trang, SCC 50 (2016), paras 36 and 44, https://scc-csc.lexum.com/scc-csc/scc-csc/en/item/16242/index.do
- Venky Anant, Lisa Donchak, James Kaplan, Henning Soller, The consumer-data opportunity and the privacy imperative (April 27, 2020), https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/the-consumer-data-opportunity-and-the-privacy-imperative
This article is written within the Academic Essay Project (AEP) organised by LAWELS. AEP aims to increase the number of quality academic writings on legal topics, encourage young lawyers to participate in academic writing, and lay the foundation of an online database on legal science. The team of legal editors and legal writers share their knowledge through high-end essays that we are publishing on our website and social media accounts for the world to read and learn from.
The articles on the LAWELS platform are not, nor are they intended to be, legal advice. You should consult a lawyer for individual advice or assessment regarding your own situation. The article only reflects the views of the author.