Prevention of fraud is a compelling argument for less privacy protection. Insurance companies, banks, and lenders often use it to get access to data.
The new European data protection regulation is the most lobbied piece of legislation ever because the subject is very important and touches upon almost every aspect of our daily lives. Therefore Bits of Freedom used the Dutch freedom of information act to ask the government to publicise all the lobby documents they received on this new law. We published these documents on the Bits of Freedom website with our analysis in a series of blogposts. What parties lobby? What do they want? What does that mean for you? These nine articles are now translated into English for the EDRi-gram. This is part 8.
Fraud: nobody likes it. Even though it’s a legitimate purpose to collect and process data, there should be limits. Those limits are unfortunately very difficult to determine, because “more protection against fraud is better”, right?
For insurance companies, prevention of fraud is a very important argument when justifying the weakening of the privacy protection of their clients or potential clients. In a letter to the ministry of security and justice the Verbond van Verzekeraars, an interest group for insurance companies in the Netherlands, writes that they want to make it easier to process sensitive data, to make sure that they can use health data and criminal records for insurance purposes and to prevent fraud.
Insurance Europe, which represents European national insurance companies, has an even more extensive wish list. Their letter to the permanent representation obviously starts with “Insurance Europe welcomes the European Commission’s (EC) objective to further harmonize the data protection legislation within the EU and strengthen individual’s rights.” However, they want to limit the application of the provision on profiling with regard to the activities of insurance companies: “Insurance Europe recommends that the rules on profiling as proposed in the draft Regulation are amended to avoid prohibiting or restricting risk-adequate rating, rate classification and risk assessments necessary for premium calculation.”
That’s interesting, because a letter by TechAmerica indicated that its authors thought the article on profiling was specifically meant for insurance companies. This isn’t a crazy idea; debates about profiling quite often refer to the activities of insurance companies. In the world of online tracking and “big data”, of course, profiling has become a far broader activity.
Banks and credit
For banks and lenders fraud is an important argument as well. The Federation of European National Collection Associations (FENCA), which represents debt collection organisations, wrote in a letter to the Dutch Ministry of Justice that they would like easier access to data, even when it’s for a different purpose than that for which the data have been collected. Even though collecting debts is important, that would be excessive. If data can be used for a different purpose than the one for which you handed it over in the first place, how do you give consent? How do you exert control over your data?
Experian, a data broker who supplies credit analyses, for example to determine whether a person is eligible for a loan, also wants to make sure that companies can more easily process certain data when they have a legitimate interest.
Privatised law enforcement
According to Rabobank, a Dutch banking and financial services company, banks have “big worries about the capabilities to fight crime under the upcoming data protection regulation”. In an email to the Dutch Ministry of Justice they express their concern about the limited ways to process criminal records to prevent fraud.
The Dutch association for banks delivers its arguments, as well as those of the European Bank lobby, in a seventy-page document. In this document, they write that fifty percent of all data is currently processed on the grounds of the “legitimate interest” legal justification. They worry about the increased emphasis on consent by data subjects, and the additional requirements described in the provisions on profiling. They aimed to introduce definitions to prevent all these requirements. For example, they say:
“Art. 4(3a) defines profiling. However it makes no distinction between profiles of the personality of individuals and the outcome of algorithms that monitor deviations from average use of products in order to detect e.g. internet fraud. Such calculated average use of a product should not be confused with the profile of a personality.”
In other words: the protection against profiling described in the text should only apply to certain ways of profiling; to creating profiles of someone’s personality, not to how people use products. The consequence would be to reduce protections and make it less clear for individuals what their rights actually are.
Thomson Reuters, a multinational mass media and information firm, emailed a representative of the Dutch Permanent Representation to the EU about the importance of the World-Check program that helps governments and companies in combating fraud with the help of open data. This re-use of open data is very controversial at the moment.
Anti-fraud shouldn’t be a “carte blanche”
Combating fraud is important, but the data security of individuals must be protected at the same time as the interests of the financial industry. Profiling is a debate that stretches beyond internet freedom alone and touches on solidarity in our society. Will people have equal access to loans or insurance? Or will this access be reserved for people profiled as being healthy, rich or more highly educated?
A lack of awareness concerning the issue is nicely illustrated in the letter by Eurofinas, the European Federation of Finance House Associations, to the Permanent Representation. They act on behalf of consumer credit organisations in Europe and wanted to get rid of data minimisation. Data minimisation is a fundamental principle of data protection law: data collection should be proportionate, and companies should only collect the minimum amount of data necessary for the purpose for which they collect it. However, at the same time, the letter also states that the sanctions connected to infringement of the data protection law are disproportionately high.
More data is not always better – it frequently is not, in fact. When data is collected and processed, it should be as accurate as possible. This means there should be requirements that relate to the quality of the data, including the context in which they have been collected. Apart from that, combating fraud should happen in a transparent way: as a citizen, you should be able to tell what data has been collected about you, and why it has been collected. As a database is always more of a security risk than no database, data collection and storage should be kept to a minimum. Combating fraud cannot lead to exclusion or discrimination.
To be continued
Want to continue reading about this? On the EDRi member Bits of Freedom’s website, you can find all the lobby documents and the analysis. The next blog concludes this series.
Verbond van Verzekeraars position paper sent to ministry of justice (26.02.2013)
Email by Insurance Europe to the Dutch Permanent Representation (28.02.2013)
TechAmerica Europe position paper sent to ministry of justice (14.01.2014)
FENCA’s letter to the Dutch Ministry of Justice (24.11.2014)
Email by DLA Piper to the Dutch Permanent Representation (19.03.2014)
Email by Rabobank to the Dutch Ministry of Justice (15.10.2013)
Email by Nederlandse Vereniging van Banken to the Dutch Permanent Representation (17.12.2013)
European Banking Federation position paper (17.12.2013)
Email by Thomson Reuters to the Dutch Permanent Representation (02.10.2012)
(Contribution by Floris Kreiken, EDRi member Bits of Freedom, the Netherlands)