As more people are connecting to more financial services digitally, we’re seeing growing calls for individuals to have greater control over how their data is being used and by whom. At the heart of consumers’ ability to control their data is the notion of consent, but what consent means in practice can vary considerably and can often be difficult for providers to ascertain in a meaningful way from a consumer standpoint.
In the EU, the GDPR has defined consent as being freely given, specific, informed and unambiguous. It also requires an opt-out option for data subjects, allowing for the partial or complete withdrawal of any previously given consent, and for the removal of all gathered personal data. But while these requirements may be good for consumers, they’re also tough for providers to implement. Just ask Google, which was fined 50 million euros last year after the French data protection authority concluded that it “lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalized ads.”
Flexibility Needed for Smaller Providers
So, if a tech giant, operating in Europe with all the resources and expertise at their disposal, can run afoul of these new consent requirements, does it make sense for governments in developing countries to try to adopt similar rules? India’s response for now has been yes. The current version of its pending data protection bill incorporates the same consent principles as GDPR. However, one legal observer we spoke to expressed concerns that the bill says nothing about what this consent architecture will look like and the ways in which consent will be sought. For smaller providers like microfinance institutions, fintechs and small finance banks that are trying to reach underserved segments with higher levels of illiteracy, obtaining consent as currently defined in the bill would pose a significant challenge, as elaborated below. Moreover, providers leveraging digital technologies to serve customers who might not be that digitally literate or understand the ways their data can be used may find it nearly impossible to meet such high standards of consent. The likes of Google might be able to figure it out over time, but smaller providers would need more flexible rules and support to comply.
For further evidence on how providers are already coming up short on consent, a recent World Bank report on new forms of data processing laid out many limitations of practices around consent, such as lengthy and complex consent forms, incomplete information, and standardized, inflexible terms offered on a “take it or leave it” basis. As a result, providers are often seen to be doing the bare minimum to comply with existing data protection requirements. In recounting the deficiencies identified in a study by the Centre for Internet and Society on fintech privacy policies in India, a recent article noted that one rule “requires a fintech company to provide an option to withdraw consent. Twenty-three percent of the companies allowed the user to opt out or withdraw from certain services such as mailing list, direct marketing and in app public forums, but they did not allow the user to withdraw their consent completely.” Such findings have led various observers to rightly question how effective consent really is in practice and to propose other approaches to give consumers more meaningful control over their data.
The Futility of Trying to Keep Up with New Approaches to Consent
This all stands to reason, but it again raises the question of how providers who are already having a hard time complying at a minimal level could ever keep up with these new approaches. Indeed, in discussing the variety of data protection principles and standards that already exist around the world, the previously mentioned World Bank report also hastened to point out that “such principles may often be difficult to implement, particularly in low-capacity environments and/or where changes in the financial sector are fast paced.” As our interviewees attested, low-capacity environments and fast-paced changes are very much the rule, not the exception, and the path from principles to implementation is littered with landmines.
One case we encountered centered around the issue of informed consent. Last year, the Reserve Bank of India fined Airtel Payments Bank the equivalent of roughly $700,000 for “contravening the Operating Guidelines for Payments Banks and directions issued by RBI on Know Your Customer (KYC) norms.” Airtel Payments Bank is majority owned by Bharti Airtel, one of the largest mobile operators in India, and in 2017 complaints started to emerge among mobile subscribers that Airtel Payments Bank had opened new bank accounts without their consent. According to reports, when new Airtel mobile subscribers first opened their Airtel mobile app, a pre-ticked consent box would appear on the welcome screen which, unless unchecked, would authorize the use of the same Aadhaar-based eKYC verification required to open the mobile account to also open an Airtel Payments Bank account. Over 2.3 million customers reportedly had new bank accounts created that they did not realize had been opened. Further complicating the matter was the fact that government subsidies would automatically be sent as direct benefit transfers to each beneficiary’s most recent Aadhaar-linked bank account, resulting in the equivalent of about $6.6 million in subsidies being deposited into these accounts. Airtel Payments Bank maintained that it had properly obtained consent to open these accounts but committed to working with the government to ensure compliance. We spoke with Akhil Verma, the current Chief Information Security Officer of Airtel Payments Bank, and he said the bank’s failure to notify customers of this caveat and obtain their explicit permission before allowing this was considered grounds for insufficient consent.
Out of Step With Modern Digital Reality
Another concern we heard from the other side of the globe was that some consent requirements are out of step with modern realities. According to Mariano Fuentes, Legal Advisor with ASBANC, the banking association in Peru, Peru’s data protection law (which was originally passed in 2011) is outdated for the digital times we now live in and does not do a thorough job of clarifying the ways consent can be obtained. Banks in Peru can obtain consent for personal data digitally, but “sensitive” personal data, which includes not only data on things like race or health but also biometric data and data pertaining to “personal habits” that could be derived from things like mobile phone usage patterns, still requires written consent. Since Peru’s data protection law was passed in 2011, it could not have fully anticipated the ways in which people’s lives have been digitized and the new types of data that would emerge, so it is not surprising that it was reported last June that the National Authority for the Protection of Personal Data in Peru had issued 1,246 sanctions within three years (across all sectors). A scan of the sanctions imposed by the data protection authority also reveals that a significant share of these violations resulted from failures to properly obtain consent.
Whether these cases amount to violations is often a matter of interpretation. Mariano Fuentes of ASBANC underscored this by pointing out that five member banks are currently appealing their penalties because they disagree with the arguments made by the data protection authority. “The complete idea of consent is not represented by any technology, which is damaging in today’s times and is used against us to levy sanctions,” he added. Despite these challenges, Peru consistently ranks as one of the top country-wide regulatory environments for financial inclusion in the Economist Intelligence Unit’s Global Microscope assessment. In the 2019 version, it came in second partly because it “showed the greatest improvement in the consumer protection domain—specifically, for its data protection framework for financial customers.”
So How Are Consumers Supposed to Understand?
Given all the shortcomings with current consent practices around the world, it’s simply unfair to expect consumers to be able to fully understand what can and cannot happen with their data right at the point when they are about to access a new service or download an app. But at the same time, placing the burden on providers, especially those that are on the frontlines of underserved areas, to understand and apply high standards of consent is also proving to be a challenge. The reality is that this is a burden that both consumers and providers need to share, but not on their own. They need the right mix of policy and technology to help them get there. There are some emerging regulatory technology – or “regtech” – solution providers in developed markets (like Trunomi) that enable consent-based data sharing, for example.
As these solutions continue to advance, perhaps governments in developing countries could seek to attract such providers to adapt these solutions for their markets. It’s this type of innovation and collaboration that is needed to make consent work. The burden should be broadly shared.