One thing that can be done to address data privacy challenges in digital payments is for all parties involved to prioritize transparency.
Gone are the days when each house had to have its own fat yellow telephone book, each employee had a “digital” alarm clock that would zero out on the most important days, day planners were bought once a year, and cameras required their own bag to lug them around with unorganized albums to keep the pics you took. Today, all of these things are quickly being turned into data and stored in the cloud. The more we move everything from the “real world” into the realm of the online digital one, data is becoming a commodity of ever-increasing value. While there are plenty of examples of data online that many companies would like to get their hands on, no stream of information needs data privacy protection more than payment data.
I am fairly sure that there are not too many companies out there that would pay for pictures of your trip to Paris, but to see exactly what you spent money on and where in Paris you did so will pique the interest of a good many organizations. As financial transactions move ever more into the realm of online payments and pass through the hands of third-party service providers, questions arise about who owns and has access to that information and what they might be doing with it. The digital payments market is projected to reach US$9.46tn in 2023, proving how huge this market is getting overall.
I will be taking a look at this in the following article and explore some of the complexities of data privacy that I’ve noticed in this era of digital payments. I’ll examine the idea of ownership rights and responsibilities of individuals, financial institutions, and those third-party payment service providers that are always happy to lend a “helping hand.”
Data Ownership and Data Privacy:
The digital payments landscape is a vast one. From crypto payments that are on an open network run via governance tokens to 3rd party companies that perform all their activities behind closed doors and windows, there is a lot to unpack here. Digital payment data processing relies on the collection of tons of personal and financial data. While we, the users, have all too willingly shared this information to facilitate transactions, not too many of us paid enough attention to the data privacy aspect of things. This is where the question of ownership arises. Because users provide their financial information to many different entities involved in the payment process, the question of who owns this data becomes a point of contention. Is the data solely owned by the individual who initiated the transaction, or do other parties also have a stake in its ownership?
There have been plenty of studies done to try and unravel this mess, with one paper by the Journal of Business Analytics going into extreme detail, but still came out well short of a solution. I think it will be a long time before any of us really comes to grips with how this transfer of ones and zeros has shaped our reality and the impacts it has on daily life.
Speculate as we will, from a legal standpoint, individuals do have a certain degree of ownership of the transaction data they generate and should, therefore, have a certain amount of control over how their financial data is used. Personal data protection laws in many jurisdictions aim to safeguard individuals’ privacy rights and impose obligations on organizations handling such data. However, navigating the complexities of data ownership becomes challenging when multiple parties are involved in the payment process.
As an example, let’s say that you are using a payment provider called A Corp to initiate a transaction. Perhaps you are ordering a bouquet of flowers for your gran from an online flower shop. Your payment will be initiated with A Corp, but that transaction might then be sent through a network of other companies and service providers before eventually landing in the flower shop’s account. A Corp might be using services from another company, let’s call them B Corp, to be able to process your transaction, meaning that the data will also be passed along their networks. B Corp could be using services from C Corp and D Corp, and on and on, the rabbit hole goes. So the question becomes, is the data still yours after all these iterations, or do some of these secondary companies now own some rights to use this information?
Traditional financial institutions have long held custody of individuals’ financial data, ensuring its security and confidentiality. When you open a bank account and sign off on the terms and conditions, you imagine that the only people who will have access to your transactional info are the bank and yourself. Despite this belief, it is now common knowledge that banks do tend to send information to third parties for a variety of reasons. However, the rise of digital payment platforms and fintech companies has introduced new players into the ecosystem, changing the game in ways we couldn’t have imagined 20 years ago.
These third-party service providers offer innovative payment solutions, but it comes at a cost, as it raises concerns about data ownership. Even if these newly created financial institutions ensure that they have the most robust data protection measures in place and clearly define their responsibilities regarding the handling of customer data, something as simple as a data leak opens a can of ownership worms. If a data leak takes place and your transaction information is stolen, should the company that got hacked be held responsible? Should they be punished somehow? Was it their data being leaked or yours?
Third-party payment service providers, such as mobile payment apps and digital wallets, have become such an integral part of the digital payments landscape that it is hard to imagine a world without them. These platforms offer a lot of conveniences and help to make seamless transactions. But here, too, there is a catch, as you only get to enjoy this convenience by offering up access to your financial information. With all the ease that they bring aside because they do provide us with some valuable services, the ownership and control of customer data that passes through these platforms can become ambiguous.
This has led to some conclusions that data mostly have multiple owners. Think about it this way: We could say that the creator of the data is the owner of it, but at the same time, the consumer of the data is also an owner. This can go deeper and deeper as the compiler of the data, the decoder of the data, the enterprise that generates and accumulates the data, the reader of the data, and so on can all be seen as joint owners. The more complex the system handling the data, the more complex the ownership status becomes. I admit this is just one way of interpreting it, but as so many entities have access to your information, we need to have a structure for how it is handled. Enter regulation.
The Role of Regulation in Data Privacy:
In response to the growing concerns surrounding data privacy, governments, and regulatory bodies have started to address these issues the old-fashioned way. Legislation, such as the General Data Protection Regulation (GDPR) in the European Union, sets guidelines for the collection, use, and protection of personal data. But, like with most old solutions we try to apply to this modern world, these regulations often struggle to keep pace with rapid technological advancements and the ever-evolving landscape of digital payments. This is not the fault of regulatory bodies who probably want what’s best for the majority of people, but with all the red tape and hoops that need to be jumped through to pass any new laws, things crawl along at a snail’s pace. Every year brings more advancement in tech, but as we have seen with crypto regulations, it takes a good many years before lawmakers even start to think about the problems at hand.
There definitely needs to be some regulations put in place. No doubt about it. But, with the process going at the speed that it is, perhaps a better approach is required by individuals and companies to sort all this out. One simple thing that can be done to address the challenges of data privacy in digital payments is for all parties involved to prioritize transparency. Sure, it seems far-fetched for the fintech industry to open its books, but financial institutions and third-party payment service providers could focus on adopting clear privacy policies, providing individuals with control over their data, and obtaining explicit consent for data usage rather than hiding some fine print at the bottom of page 26 of their T&Cs. In fact, a 2021 Intertrust report found that around 84% of Android apps and 70% of iOS apps come with at least one critical vulnerability, and 81% of finance apps actually leak data. So, users should exercise caution when sharing their financial information and be aware of the privacy practices of the platforms they use, meaning that you should be reading those boring T&Cs before signing on to anything.
At the end of the day, this landscape continues to evolve. Data is changing hands faster than we can think, and at this point in time, there is not enough regulatory oversight to cover all the nuances of the financial information space. If 3rd parties and individuals are willing to work collaboratively to strike a balance between innovation and data privacy, things might turn out to have a happy ending. But, ensuring that individuals’ financial information remains secure and confidential is something that could affect the bottom line of many of these companies, leaving the privacy and ownership issue stuck in limbo, at least for now.