The increasing pace of innovation in technology used for financial and banking services (“FinTech”) both raises alarm bells and brings high expectations. On the one hand, traditional banking players fear serious losses in terms of eroded market power, reduced customer loyalty and disintermediation of direct consumer relationships. Traditional players are concerned about the impact that FinTech’s promise of “unbundling banking” will have on their core functions (settling payments, collecting savings, providing credit and sharing risk). On the other hand, the arrival of new non-traditional players raises hopes of increased levels of competition within financial markets. For a long time, the retail banking sector has been affected by lock-in problems, low elasticity of demand, abuse of market power by incumbents and high barriers to entry. As a result, large, longer-established banks have been able to not only maintain high and stable market shares, but also engage in product-tying practices to the detriment of new market entrants and consumer welfare.
It is worth pointing out that this challenge is presented not only by start-ups, but also by technology “giants”. Over the years, companies like Apple, Google, Uber, Facebook and Alipay have gathered huge digital data sets as well as increased their big data analytics skills in exploiting consumer data and offering tailored services. It is just a matter of time before they start systematically providing financial and banking services to their customers along with their core offerings. New FinTech services are based on innovative uses of financial data such as insights into personal expenses, budgeting, comparison tools and tailored financial planning. Therefore, they need access to accounts data to implement their business. For their part, traditional players have always kept a strict and exclusive control over this information in order to consolidate their market power.
To help FinTech achieve its pro-competitive potential, policy makers and financial regulators are now setting new regulatory frameworks and supervisory approaches. The regulatory landscape that is relevant for FinTech in the EU includes the Regulation (EU) No 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or GDPR), which will come into force on May 25, 2018 and the sectorial Directive (EU) No 2366/2015 on payment services in the internal market (Payments Services Directive, or PSD2), that came into force on January 13, 2018.
From ownership to ‘control’ of consumer data: the purpose of competition policy
One of the core innovations brought by the GDPR is the right to data portability. Pursuant to article 20 of the Regulation, each person has the right to obtain a copy of all their personal data in a machine-readable, commonly used and structured format in order to share them, for instance, with a new data controller.
Despite the collocation within the GDPR, data portability has little to do with the right to data protection stated under Article 8 of the EU Charter of Fundamental Rights. In particular, we want to stress that the concept of ‘data portability’ is not a matter of data protection but rather of competition policy. By allowing individuals to move their data from one controller to another, the EU legislator aimed at boosting competition among data-enabled service providers.
Further, data regulation challenges traditional concepts of civil law: like other information-related goods, data can be reproduced and transferred at almost zero marginal cost. In this respect, data portability has been shaped as a specific form of control over data, rather than as proper ownership. Thus, the right to data portability under the GDPR cannot be identified with an ownership-like regime. Suffice to say that property entails the right to exclude anyone, which is not provided by the GDPR (or the PSD2, examined below). Similarly, the right to erasure under the GDPR cannot be seen as a proprietary tool, due to its extremely limited (and highly contested) applicability.
In this context, the PSD2 represents a fundamental piece of legislation aimed at promoting competition by empowering consumers to exploit their own data within the Internal Market. Some of the changes concerning data regulation enacted by the Directive are far-reaching and are worth being investigated from a competition policy perspective.
Under the so-called Access to Account rule (XS2A) introduced by PSD2, providers of payment initiation services (PISs) and account information services (AISs) have free access to a user’s account data, on the condition that it is accessible online, and the customer gives his explicit consent. PISs are services based on orders to initiate a payment, at the user’s request, directed to another account service provider (such as a bank). These services contribute to opening up the retail payment market by lowering transaction prices and facilitating online payments, both for businesses and consumers. This development opens the doors to the widespread use of mobile and internet payments fuelling the current trend of e-commerce growth.
AISs are services aimed at providing consolidated information about one or more payment accounts held by the user with another payment service provider. This means that firms providing customers with payment accounts will give access to their account data and operations to third-parties, such as the new FinTech players. Under this new legal framework, banks are expected to both execute payment orders given by users through the PISPs, and provide account information to AISPs at no cost and on an equal footing with their own services.
Thus, consumers will exercise a specific form of control over their data. Here, the question is whether such a notion of “control” will represent a valid substitute for traditional ownership rights, in protecting consumer rights and interests, especially concerning privacy.
As suggested above, by introducing the access to account rule, PSD2 marked a crucial step towards the unbundling of retail payment markets to authorized newcomers, which from now on will have the right to request account information without any previous agreements with banks. Thus, the EU aims to prompt competition within retail payment markets to the benefit of customers by giving them greater bargaining power and control over their finances.
Disentangling Data Portability and the Access to Account rule
It is worth evaluating the XS2A rule as an important contribution to the overall data governance regime in the EU and, more specifically, as a sector-specific form of data portability limited to account data. PSD2 pre-empted the entry into force of the GDPR by a few months and now provides a useful reference point for the implementation of data portability under the GDPR.
Of course, account data is clearly personal data according to the GDPR’s broad definition (“any information relating to an identified or identifiable natural person”), so it is necessary to clarify how the two regimes should be coordinated. In fact, the Article 29 Working Party (WP29), which is a group formed by EU national supervisory authorities’ representatives aimed at providing the Commission with independent advice on data protection matters, tried to reduce legal uncertainty by publishing specific guidelines on applying data portability rights. The WP29 also made it clear that the PSD2 sectorial legislation overrides the GDPR whenever data subjects’ requests aim specifically at providing access to bank account history to third party service providers.
Therefore, when it comes to accounts data, the PSD2 access to account rule will take priority over the GDPR data portability regime. However, banks have been collecting huge quantities of data relating to their customers for years as part of their business and regulatory duties which exceed the material scope of XS2A obligations (for example, relating to creditworthiness, commercial profiling, know-your-customer and anti-money laundering compliance, just to mention a few). So, it is clear that when customers ask for their data to be portable, they will need to make a choice between which regimes they intend to opt for. Consequently, attention should be paid when establishing transparency mechanisms to help customers navigate this scenario. Otherwise, the fragile pro-competitive goal pursued by EU legislators would be jeopardized.
As discussed, data governance regimes enshrined by the EU regulator in the GDPR and PSD2, even if substantially different, introduce data portability as an emerging concept within EU law which is likely to play a central role in the data-driven economy to come. Nonetheless, the process is far from complete: inter-operability and portability need to be made effective, which is exactly where they risk remaining a dead letter. The PSD2 implementation process is at a more advanced stage compared to GDPR data portability. In particular, PSD2 required the European Banking Authority (EBA) to develop five sets of guidelines and six drafts of Regulatory Technical Standards (RTS) aimed at ensuring workable interoperability and implementation of the access to account rule, among other aspects.
After a complex drafting process, characterized by a heated debate with the European Commission, the EBA released the technical standards, which were later amended and published by the European Commission in November 2017. In order to comply with the access to account rule, banks can now set dedicated interfaces to transmit account data to third party service providers. Should the interface prove ineffective or excessively dysfunctional, FinTech companies can have direct access to customers’ accounts as a fall-back remedy. The difficult task of ensuring the proper functioning of this mechanism is left to the EBA and national authorities across the Internal Market.
Many market players and scholars believe that Application Programming Interfaces (APIs) are the most reliable technologies for implementing the access to account rule. However, there is no consensus regarding who should define the APIs or, even more importantly, whether to standardize their creation. A likely negative consequence of a top-down approach to API standards is reduced innovation. In fact, firms will prefer to provide services that are compliant with the chosen APIs, disregarding further potential innovations based on different interfaces. The pace of innovation could slow down together with market players’ ability to operate freely and follow their entrepreneurial instincts.
However, despite several complex technicalities implied by effective implementation of data portability rules, Article 20(1) of the GDPR merely states a general requirement for the format of transmitted data, which need to be “structured, commonly used and machine readable”. Unsurprisingly, the WP29 advisory group suggested the adoption of APIs to implement data portability. So, it is clear that standardization will continue to play a major role in ensuring the consistent implementation of data portability regimes. Therefore, the major challenge which policy-makers should focus on is whether and how to reach consistent “data inter-portability” between heterogeneous players across the industries or allow undertakings to develop their own data portability environments autonomously and let the market pick the winners.
To conclude, it is clear that data portability is going to play a key role in the discussion concerning a suitable data governance regime for the future digital economy. In particular, we suggest that data portability relates to competition policy rather than to data protection. Further, the point we make in this post is that the EU legislator is not tackling the matter consistently. On the one hand, it has introduced a general right to data portability into an already complex data protection eco-system, creating high expectations of data protection authorities’ skills to manage this competition policy tool: a task which could be carried out more effectively by antitrust authorities. On the other hand, it recognized the need to intervene with sector-specific solutions, such as the access to account rule, which is aimed at strengthening competition by empowering consumers to have more control over their data.
As we are witnessing, the standardization process under PSD2 shows how difficult it can be to reach a viable and effective outcome for market players. In this respect, the implementation of data portability rights under the GDPR is likely to be even more complex and troublesome, given the multifarious interests at stake across the range of existing industries covered by the general scope of the GDPR.
We believe, therefore, that regulators and policy makers would do better to design rules tailored to the specific needs of each industry instead of adopting holistic and overbroad general approaches.
Oscar Borgogno is a Ph.D. candidate at the Law Department of the University of Turin and a research fellow at the Tilburg Institute of Law and Technology.
Cristina Poncibò is an associate professor of comparative private law at the Law Department of the University of Turin.