European Commission to develop new Data Protection Directive by end of 2010
Experian Panorama Editor
Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, has expressed her intention to update the Data Protection Directive. She previously was Commissioner for Information Society and Media, and in that role Reding was responsible for the famous Telecom Package, a set of laws that unified the Telecom market in the European Union, and included some provisions on data protection, called e-Directive. The Telecom Package was approved in November 2009, after two long years of negotiations.
Now Reding, in her third term in office, will be responsible for the whole set of laws that regulate personal data, privacy and handling of data by businesses. The Data Protection Directive was first introduced in 1995, and a lot of new challenges for personal Data Protection have appeared, from social networks to cloud computing and the current digitalization of public data assets. The need to overhaul and update European Data Protection legislation was already pointed out by people such as previous UK Information Commissioner Richard Thomas, who stated that “the directive is showing its age. Modern approaches to regulation mean that laws must concentrate on the real risks that people face in the modern world; must avoid unnecessary burdens; and must work well in practice”.
The process to update the Directive has just started. Over 160 responses were collected to a public consultation that lasted until December 2009. These responses were crafted by citizens, businesses and other organizations and public authorities. The objective of this public consultation is to gather “views on the new challenges for personal data protection, in particular in the light of new technologies and globalisation”, and what steps should be taken to overcome those challenges. Now Reding plans to present a first draft of the legislation by autumn this year.
What shape is the new Directive going to take?
Reding has a reputation as a consumer champion, having forced mobile operators to cut roaming charges severely and forced prices down in general. There is still little information on what this legislation will look like and how it will affect businesses in Europe, but we can take some hints from her speech on January 28, Data Protection Day, before the European Parliament in Brussels.
In her speech, she mentioned specifically four aspects that she wants to address in this new Directive:
1) Social networking, especially matters related to child protection regarding their data and activities in those social networks.
2) Usage of RFID tags, small chips that may contain and broadcast personal data, although encrypted, as is the case with the European Union passports. A wider usage of these chips outside logistic operations, where they are standard now, for storing personal data, may have an impact on privacy.
3) Regarding behavioural online advertising she stated that “For me it is clear that without the prior informed consent of citizens their data cannot be used”.
4) The last example she cited explicitly in her speech was the notification of breaches of personal data. In her previous role as Commissioner for Information Society and Media she forced Telecom providers to notify both authorities and individuals of any personal data breach. This decision was not taken without controversy, as individuals affected by a personal data breach have to be notified even though the breach has been solved and measures have been taken, thus creating unnecessary alarm and confusing users.
5) And finally, she expressed her wish to incorporate into the Directive the principle of Privacy by Design. This concept was developed by Ontario’s Privacy Commissioner, Dr Ann Cavoukian, in the 90s, and “is an approach whereby privacy and data protection compliance is designed into systems holding information right from the start, rather than being bolted on afterwards”. Privacy by Design is comprised of 7 principles:
a. Proactive not Reactive; Preventative not Remedial
b. Privacy as the Default
c. Privacy Embedded into Design
d. Full Functionality – Positive-Sum, not Zero-Sum
e. End-to-End Lifecycle Protection
f. Visibility and Transparency
g. Respect for User Privacy
More recently this year, on April 29, Peter Hustinx, European Data Protection Supervisor, gave a speech at a European Privacy and Data Protection Commissioners’ Conference. There, he confirmed the Privacy by Design approach, besides announcing more accountability for data controllers and stronger enforcement powers for data protection authorities.
The role of personal data in the credit information services industry
At this point in the legislative process, without even an early draft to look at, it is of course too early to say how any update to the Data Protection Directive might affect the services that rely on the usage of personal data with the permission of the consumer. For financial services, however, this is a great opportunity for the European Commission to consider how a consistent approach might help consumers across the EU.
A credit reference agency collates data from lenders about an individual or a company about their borrowing and repayment history. This allows lenders to make decisions about whether to lend or continue to lend to individuals or companies based on reliable and consistent information.
Whilst credit reporting is widespread across the world there are a variety of models operated by different organisations, holding different levels of data and with permission to use that data in different ways.
The World Bank has a programme delivered by the IFC designed to promote credit reporting as an important component in operating effective credit markets. More about this can be seen in the IFC brochure on their global credit bureau programme.
The other major requirement is robust and effective regulatory controls of the credit and financial services industry with effective governance reporting and controls. This is set out in the “Getting Credit” section of the Doing Business Reports from the World Bank and they can be downloaded here.
Credit bureaux can be operated by the public or private sector on a profit or not for profit basis.
Public sector solutions are often under the control or even operated by the Central Bank and this is a particularly common model in developing countries.
In other countries privately operated credit bureaux may be operated by a consortium (often of lenders and/or banks) or by commercial organisations.
The World Bank does commend the benefits that can be derived from a market where commercial providers will compete for market share based on improving services and innovation.
There are generally three levels of data that might be available from a credit bureau, and in many countries restrictions apply to limit the coverage to levels 1 or 2:
1) In some countries the credit bureau is entirely based on an amalgamation of data that is already available and in the public domain. Again, what that might include is variable with some countries having a very wide range of data open for public examination. That could extend to combinations of income, any borrowing and assets. In most countries however, public data is much less comprehensive but will generally cover insolvencies, court actions for debt, ID information, address data and in the UK, the electoral register.
The next stage involves the sharing of credit data by lenders. This would be in addition to any public data that might be collected. There are huge variations in the depth and breadth of data available at credit bureaux across the world and the same is true within the EU as well.
Data is shared by lenders on credit agreements for specified purposes, generally associated with making responsible lending decisions and the prevention of over indebtedness.
The types of products that might be included will vary from country to country, ranging from bank lending through lending from other financial organisations to, in some countries, telephone and utility data too.
2) The most basic entry level data sharing for credit bureaux is negative information which will cover the most serious levels of arrears or non payment. There is no universal definition of “default” – even within the EU - but it is usually taken to mean serious arrears. In some countries the definition is either set by law or agreed with regulators and in others it is agreed by credit bureaux in conjunction with lenders. In the UK for example the definition is agreed with the Information Commission and represents agreements “where the relationship has broken down such that the lender would no longer wish to do business with the borrower – if they have the choice.” It also requires the agreement to be at least 90 days past due, unless there is fraud.
3) The most comprehensive model is known as full data sharing or, sometimes, positive data. This would be in addition to public and negative data and provides a fuller and more rounded picture of a consumer’s credit commitments and behaviour. Again this varies from country to country but will generally involve monthly updated information on available credit [limits], payment performance [paid on time or not] and current utilisation [balances]. It may also include other information too.
Full data sharing usually occurs in highly developed and sophisticated economies but many of the new and emerging economies have embraced the model and moved swiftly to develop full data sharing regimes – often on a mandatory basis. India, for example, has recently moved from a one bureau model to a multi bureau competitive environment designed to help the Indian economy grow and develop in a controlled manner.
Other countries, in the wake of the recent difficulties, are now exploring whether they should increase the amount and coverage of data in order to help prevent over indebtedness and make more responsible lending decisions. This is particularly true in the EU where the requirements to perform creditworthiness checks have driven regulators and lenders to explore new remedies.
Those countries with full data sharing models will often state that they believe this to be hugely beneficial to consumers, lenders and the economy as a whole because it helps ensure that decisions about the giving of credit are based on the most comprehensive and consistent information. Consumers find it saves them time and effort as they no longer have to assemble evidence of their credit commitments and there is clear evidence that in fact, many more consumers do get access to credit as a result. In the UK, the Competition Commission undertook an investigation into the Home Credit market and their final report actively required the home credit lenders to share data in an effort to help financially excluded consumers get access to mainstream credit. This section also includes some interesting references to the benefits of data sharing in helping consumers get access to credit.
Whatever the model, most credit bureaux, and certainly those operating under the European Data Protection Directive, also have to comply with a variety of requirements aimed at ensuring the system meets the requirements of the Directive such as making provisions so that consumers are able to easily see what data is held about them and get it changed if there is a problem with it. They also have to keep an audit trail of who has accessed the consumer’s data and, usually why. In the majority of countries access to the data does require clear and unequivocal consent from the consumer.
Clearly, any of these systems take time to develop and have to be right for the country in which they operate; both legally and in acceptability to the stakeholders within the market. All credit bureaux have generally been built up over many years, with input and support both in terms of advice, guidance and in some cases, regulation from a range of stakeholders.
When The Association of Credit Information Suppliers (ACCIS) responded to the Data Protection Directive consultation on behalf of the credit reporting industry they pointed out that the disparity in the interpretation of data protection rules across Europe is an issue for the effective development of credit reporting in the EU. The differences between countries create disparities, resulting in advantages or disadvantages between companies and consumers that live and work in Europe; not least in terms of their access to credit.