3 Key changes to data privacy legislations

The proliferation of fintechs innovation can sometimes outpace regulatory compliance, especially in areas such as data privacy management.

While fintechs set themselves apart from traditional financial institutions by being more agile, boundaryless and design-focused, they must be careful to also embed privacy into their product design and business model. As fintechs often hold and process large amounts of customer data, it is imperative that innovation does not come at the expense of privacy compliance. 

From keeping up to date with the ever-evolving data privacy legislations to incorporating privacy into company culture, there’s a lot of challenges that fintechs need to address in order to be compliant, competitive and customer-focused.

1. The Australian Privacy Act reforms are underway

Following a number of high-profile cyber incidents, the Government passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 to increase penalties for businesses who commit serious or repeated interferences with privacy. For organisations, this increases the penalty from the current $2.22 million (per contravention) to up to $50 million.

In our recent Data Privacy webinar, we spoke about the Government’s reform to the Privacy Act 1988 and their recently released Review Report. Of the proposed changes, it is anticipated that the Privacy Act exemption that currently applies to small businesses will be removed with greater compliance requirements from employees as well. 

According to the team at K&L Gates, it is expected that the review will be finalised towards the end of the first half of 2023. All businesses therefore need to prepare themselves for the proposed reforms and ensure they have their ‘house in order’ to streamline such changes. To stay updated on the latest developments and timeframes for the Australian Privacy Act reforms, it is advisable to consult the Office of the Australian Information Commissioner (OAIC) website.

2. From GDPR, CPRA to PIPEDA, global compliance is now more critical than ever

Compliance with these regulations is not only a legal requirement but also foundational in building customer trust and protecting sensitive customer and financial data. 

Fintechs with global customers need to keep to date and adapt to changes in data privacy regulations, from website cookies to customer KYC verification, not only in the jurisdictions where they operate but also in regions where their customers are located. To make matters more complex, different regions have their own data privacy legislations and in the United States, this differs by state as well. 

The European Union’s General Data Protection Regulation (GDPR) 

GDPR applies to private and public entities, not-for-profits and data processors established in the EU, regardless of where the data processing takes place. It also applies to entities located outside the EU that offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU.Under GDPR, for instance, consumers maintain the right to access, deletion, and transparency of their data. More broadly, trust is paired with ethical and cultural considerations in support of company objectives.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Canadian private sector organsations that collect, use, or disclose personal information during the course of commercial activity. This also includes organisations located outside of Canada if the organisation’s activity has a real and substantial connection to Canada.

California Privacy Rights Act (CPRA)

For-profit businesses that collect personal information from California residents and meet at least one of these criteria:

1. Gross annual revenue greater than $25 million.

2. Buy, receive, or sell the personal information of 100,000 or more California consumers or households.

3. Derive 50% or more of revenue from selling or sharing consumers’ personal information.

4. Affiliation to a subject of CPRA through a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest.

3. Consumer Data Right and Open Banking

Consumer Data Right (CDR) is a regulated data sharing framework in Australia that aims to give consumers greater control over their personal data and enable them to share it securely with trusted third parties. 

Developed by the Australian Government, it is an opt-in service that enables consumers to share their data to accredited third parties, firstly with banks with the energy sector next in line, in exchange for information on the right products and best deals.

Open Banking, a subset of CDR which focuses on banking data, began with the major banks in 2020. The big four – CBA, Westpac, NAB and ANZ – all now accredited data recipients. 

Australia’s journey with Open Banking follows that of the UK, which now boasts an ecosystem of 7 million consumers and SMEs, including hundreds of fintechs. The popularity of Open Banking four years after post launch is set to expand into Open Finance, which brings the benefits of leveraging financial data to unlock benefits in broader industries, such as superannuation, investment, insurance, mortgage etc.

According to a report by Open Finance Advisors, as of December 2022 114 Australian banks are sharing data with more than 30 different financial products. The report also states that:

– 88 Accredited Data Recipients (the “highest level” of accreditation) and other Access Models

– 95% of Data Holders (banks) are active with 99% consumer coverage

– 280% growth in 2021-22  in the number of Data Recipients

Open Banking and CDR opens up new opportunities for the Australian fintech community to innovate, enhance customer experience, disrupt but also collaborate with traditional financial institutions. 

With the ‘action initiation’ phase of the CDR underway, businesses (especially those in the banking, finance, energy and telco sectors) should consider whether they should become accredited to initiate actions, such as payments or account switching.

How Fintechs can move forward with privacy

Whether you are a fintech or financial institution, a startup or established business, privacy is non-negotiable. 

Fintechs, like any other company, need to cultivate a culture that is aware of and committed to privacy. This is especially important for early stage startups without the bandwidth to set up and maintain unique security controls that meet local, national, and global regulations.

According to the Australian Privacy Index 2022, only 43% of consumers are happy to share their personal information and 51% of the people uncomfortable with their online activity being tracked. It’s clear that Australians are hyper-conscious of their personal and financial details being mis-used and leaked, which factors into their purchase decisions and trust in brands.

With the rise of e-commerce, digital payments and open data, businesses must proactively protect their customer’s privacy, offer greater flexibility and control in what data is collected and handle data with care, and in doing so build customer trust.

Source: Fintech Australia

Also read: Why does it matter where data are kept?


Read more