Anti-fraud is an important argument for less privacy protection. Insurance companies, banks, and lenders use it to get access to data.
The new European data protection regulation is the most lobbied piece of legislation thus far because the subject is very important and touches upon almost every aspect of our daily lives. Therefore Bits of Freedom used the Dutch freedom of information act to ask the government to publicise all of the lobby documents they received on this new law. We published these documents with our analysis in English in a series of blogs for EDRi. This series of blogs has also been combined in one report. What parties lobby? What do they want? What does that mean for you?
Fraud: nobody likes it. However, even though it’s a legitimate purpose to collect and process data, there should be limits as well. Those are unfortunately very difficult to determine, because: more is better, right?
For insurance companies, it’s a very important argument. In a letter to security and justice the Verbond voor Verzekeraars (the alliance of insurance companies, an interest group for insurance companies in the Netherlands) writes that they want to make it easier to process sensitive data, to make sure that they can use health data for insurance purposes (like life insurance). Apart from that, they want to be able to consult someones criminal past, to prevent fraud.
Those same data – so all data that are important to prevent fraud – can’t fall under the right to be forgotten, according to the insurance companies.
Insurance Europe, who represents European national insurance companies, has a more extensive wish list. Their letter to the perm rep obviously starts with “Insurance Europe welcomes the European Commission’s (EC) objective to further harmonize the data protection legislation within the EU and strengthen individual’s rights.”
But they want to limit the application of the article on profiling with regard to the activities of insurance companies.
“Insurance Europe recommends that the rules on profiling as proposed in the draft Regulation are amended to avoid prohibiting or restricting risk-adequate rating, rate classification and risk assessments necessary for premium calculation.”
That’s interesting, because we saw an earlier letter by TechAmerica in which the authors said that they thought the article on profiling was specifically meant for insurance companies. Which isn’t a crazy idea. Debates about profiling quite often refer to the activities of insurance companies.
Banks and credit
For banks and lenders fraud is an important argument as well. The Federation of European National Collection Associations, that represents debt organizations, writes in a letter to the ministry of justice that they would like easier access to data. Even when it’s for a different purpose than for which the data have been collected. That’s opening the floodgates. Even though collecting debt is important, that would be excessive.
Experian, a data broker who supplies credit analyses (would someone be eligible for a loan?), also wants to make sure that companies should more easily be able to reach certain data when they have a legitimate interest.
“Private law enforcement”
According to the Rabobank, banks have “big worries about the capabilities to fight crime under the upcoming data protection regulation.” In an email to the ministry of justice they express their concern about the limited ways to process criminal records to prevent fraud.
The Dutch association for banks (De Nederlandse Vereniging voor Banken) delivers her arguments and those of the European Bank lobby in a seventy pagedocument.ix In this document, they write that 50% of all data is currently processed on the grounds of a legitimate interest.
They worry about the increased emphasis on consent by data subjects and the additional requirements described in the provisions on profiling. They also aim for definitions to prevent all these requirements. They for example say:
“Art. 4(3a) defines profiling. However it makes no distinction between profiles of the personality of individuals and the outcome of algorithms that monitor deviations from average use of products in order to detect e.g. internet fraud. Such calculated average use of a product should not be confused with the profile of a personality.”
In other words: the protection against profiling described in the text, should only apply to certain ways of profiling (to creating profiles of someone’s personality, not to how people use products). The consequence is that it’s more difficult for citizens to know what rights they have.
Thomson Reuters (an international company that aims to prevent fraud) emails about the importance of the World-Check program that helps governments and companies in combating fraud with the help of open data. This re-use of open data is very controversial at the moment.
Anti-fraud shouldn’t be a ‘carte blanche’ either
Combating fraud is important. But it also requires a careful balancing of the interests of the people on the one side, and the interests of the financial industry on the other side. It’s a debate that stretches beyond Internet freedom alone and touches on solidarity in our society. Will people have equal access to loans or insurance? Or will this access be reserved for healthy and more highly educated people?
A lack of awareness considering this careful balance is nicely illustrated in the letter by Eurofinas to the perm rep. They act on behalf of consumer credit organizations in Europe and want to get rid of data minimization (a fundamental principle of data protection law: data collection should be proportional so companies should only collect the minimum amount of data necessary for the purpose for which they collect it), but at the same time think the sanctions connected to infringement of the data protection law are disproportionally high. Isn’t that ironic?
In any case, we don’t think the motto should be: open the floodgates and more data is better. We want to make sure the data is as accurate as possible. This means we should create requirements that relate to the quality of the data. This includes taking into account the context in which they have been collected. Apart from that, combating fraud should happen in a transparent way: as a citizen, you should be able to tell what data has been collected about you and how those data are used ‘against you’. Only in this way, you can check whether you were justifiably refused a loan, should that ever happen. Apart from that, other limits should be taken into account: combating fraud cannot lead to exclusion or discrimination.
To be continued
Want to continue reading about this? On the Bits of Freedom website, you can find all the lobby documents and the analysis. The next blog concludes these series.