Dutch DPA: more privacy protection needed in legislative proposal on financial supervision

Theme:
Financial enterprises

The government wants to give the Dutch Authority for the Financial Markets (AFM) the power to collect more financial information about people. This is done in the context of the supervision of financial markets in the Netherlands. The legislative proposal that deals with this matter needs to be adjusted to ensure that the privacy of people is properly protected. This is the warning issued by the Dutch Data Protection Authority (Dutch DPA).

It concerns the proposal for the Reporting in Support of AFM Supervision Act. This Act will enable the AFM to do its work as supervisory authority for the financial markets in the Netherlands in a more 'data-driven' way. This means that banks, insurers, mortgage advisers and other financial service providers and investment institutions, among others, will have to provide data about their customers to the AFM on a regular basis. The AFM can then use these data for its supervision. However, the legislative proposal to that effect is inadequate.

Sensitive data

‘It is obviously understandable if a government wants to take measures that enable the AFM to continue performing its statutory task as supervisory authority for the financial markets like it should’, Dutch DPA board member Katja Mur says. ‘Privacy protection is also an important aspect of this. Your financial data are among the most personal, sensitive data that exist; they give an insight into your life. What your income and expenditure are at the time you take out a loan, how much you lend, whether you have life insurance – all of this is information that is very private. And that has to be protected really well.’

Prohibit re-identification

The legislative proposal pertains to data of millions of people. Before these data go to the AFM, they have to be pseudonymised. This is a security measure which makes traceability of data to individuals more difficult, so the privacy of these people remains protected.

But this essential safeguard is missing in the legislative proposal, the Dutch DPA notes. It must be clear to everyone that the data may not be used for identifying people. That is why a prohibition on ‘re-identification’ must be included explicitly in the legislative text.

Mur: ‘Whether it concerns your fixed charges or any arrears in payments, it should be clear that it is not necessary for the supervision of the financial markets that such sensitive data may be used in a manner that can be traced back to you.’

Clarify the purposes

In addition, it is unclear how the supervision of the AFM will actually improve as a result of the proposed use of the data. According to the legislative proposal, the AFM will be using the financial data for ‘interpreting market developments’ and ‘identifying supervisory risks’. But what exactly this means and how this improves supervision is not clear. The purposes have been defined too broadly and do not provide a sufficient basis for being permitted to start using data of people.

Mur: ‘When you are asked to provide data, you should of course be given a proper explanation as to why this is really necessary, for what purpose. And why this cannot be done with fewer data. That is required by law to ensure that you know in advance what to expect. And, more importantly, to prevent your data from being used for a very different purpose at a later time.’

Data to DNB?

Finally, it is not clear whether the data that go to the AFM will also be passed on to De Nederlandsche Bank (DNB), the supervisor of the financial institutions. Subject to certain conditions, the AFM is permitted to share data with DNB. This can be found in the Financial Supervision Act (Wft). But the current legislative proposal does not deal with the question of whether the data will indeed be shared with DNB, and how this would relate to the Wft. Clarity is needed here.
