This EU and UK legislation allows you to earn from your banking data

Niklas Böcking
Published in Unbanx, Nov 22, 2021

The EU and UK boast a comparatively mature set of institutional rules concerning personal data. While these rules have often been mocked for some annoying side effects, we have seen more and more countries around the world adopt similar legislation. I briefly present how EU and UK legislation enables you to own, control, and monetise your banking data.

GDPR as the base layer for individual data ownership

The General Data Protection Regulation (GDPR) provides the legal groundwork of personal data governance in the EU. While the UK is not part of the EU anymore, the Data Protection Act and the supplemented UK GDPR provide an almost identical legal framework. GDPR identifies three actors in the personal data sphere: data subjects (individuals), data controllers, and data processors. It then sets out responsibilities and obligations for each of them, and establishes some general principles of lawful data processing.

GDPR grants individuals ownership and control over their personal data, while data controllers are supposed to take a role of stewardship over such personal data. Data controllers need to acquire explicit consent from data subjects and are responsible for ensuring fair and lawful processing, as well as stating the specific purpose of such processing. Data controllers can then contract with data processors that perform data processing and adhere to the laid-out principles. Importantly, the processing of certain types of sensitive personal data related to health, ethnicity or religion is prohibited altogether.

Know your 8 personal data rights

GDPR grants eight fundamental rights to all data subjects. These rights aim to create more transparency and fairness in the data economy and empower individuals to take agency over their data. The first four rights relate to transparency and correctness of personal data: data controllers need to (1) inform data subjects about what data they collect and why, (2) grant individuals access to such data, and provide means to (3) rectify and (4) permanently erase this personal data. The other four rights relate to how personal data is used by the data controller. Individuals have the right to (5) restrict the processing of their personal data, (6) object to the processing of personal data for certain uses like marketing, (7) object to being subject to automated decision-making and (8) receive a copy from data controllers or transfer their data to another data controller altogether.

Data portability as the key enabler to own and monetise your data

The last of these rights is also called data portability. It states that the data subject can demand from a data controller “to receive the personal data […], which he or she has provided to a controller in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance” [1]. In theory, this means you can take all of your data from Facebook, Spotify or Google and maintain a copy of it yourself, or move it to a new provider.

Unfortunately, the formulation of this right leaves a few ambiguities, such as the exact definition of which data is covered (it could include received, observed, inferred, and predicted data), as well as technical considerations regarding export formats and transfer between data controllers. A recent study from Germany has shown that direct (company-to-company) data portability is in practice virtually non-existent, while indirect (company-to-consumer-to-company) data portability was possible with only a small fraction (< 30%) of studied data controllers and with high manual effort [2]. It is likely that legislators will follow up with more specific legislation to achieve (real-time) data portability across sectors and use cases.

Banking data portability is real and practical

Transactional payment and banking data is some of the most valuable data that individuals own, and the reason we see so many large tech companies foray into payments. Perhaps unexpectedly for some, most of our transactional banking data is already available for (almost real-time) data portability. Since 2018, the “Revised Payment Services Directive” (PSD2) obliges banks to provide authorised intermediaries with standardised access (in the form of open APIs) to personal financial data upon explicit customer consent [3]. This enables an “open banking” ecosystem where you can freely decide who should have access to your data and who should not. If you can decide who has access to your data, you can also decide to accept a reward for this access in return. This enables a bottom-up data economy in which individuals, not corporations, can reap the value created from their personal data.

How to take advantage of data portability and open banking

In the domain of financial data, new data intermediaries like Unbanks make this a reality. They empower you to exercise your right to data portability with ease, and monetise your data anonymously and securely with data buyers who are interested in acquiring ethically sourced data such as yours. The rewards go straight back to you in a transparent way. This is what a fair and sustainable data economy looks like. Find out more and sign up to the Unbanks waitlist here and follow them on Twitter.

Sources

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation). European Parliament, Council of the European Union. https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng

[2] Kuebler-Wachendorff, S., Luzsa, R., Kranz, J., Mager, S., Syrmoudis, E., Mayr, S., & Grossklags, J. (2021). The Right to Data Portability: Conception, status quo, and future directions. Informatik Spektrum. https://doi.org/10.1007/s00287-021-01372-w

[3] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market. European Parliament, Council of the European Union. http://data.europa.eu/eli/dir/2015/2366/oj
