Beginning with PSD2’s emergence on the financial stage, Open Banking allowed TPPs to use customer-allowed data to develop better financial products related to bank accounts, transactions, and payments.
As the world faces new regulations that aim to introduce Open Banking and Open Finance to consumers, the new financial services paradigm will extend beyond traditional banking services. Service providers will access new consumer data pools, such as those created from investments, insurance, lending, and other financial instruments.
Moving past Open Finance, we have seen countries drawing inspiration from the European Open Banking model, choosing distinct paths in opening up their financial data. Their approaches serve as compelling examples of the transformative potential of open data sharing, warranting closer examination by other regions.
While Open Banking and Open Finance are specific to the financial sector, the principles of openness, transparency, and data sharing are fundamental to both. Open Data, on the other hand, extends these principles to a wider range of information, including non-financial data. Open Data, as a broader concept, includes information beyond the financial sector. It encompasses data from various industries, government agencies, scientific research, and more.
Open Data’s core objective is fostering transparency, collaboration, and innovation through the unrestricted availability of diverse datasets to the public. Initiatives in Open Data aspire to facilitate the creation of novel applications, research endeavours, and insights spanning various domains.
In the evolution of these concepts, it’s plausible that the principles of Open Data will continue to influence and shape how data is shared and utilised across various sectors, including finance. The trends toward openness, interoperability, and collaboration are likely to persist, fostering a more connected and innovative environment for both financial and non-financial data. However, the specific trajectory and development of Open Data will depend on regulatory frameworks, technological advancements, and societal attitudes toward data sharing in the future.
The European Union is pursuing a data strategy to create a unified market for data, facilitating its seamless movement across the EU and various sectors, benefiting businesses, researchers, and public administrations. On February 23, 2022, the European Commission introduced the Data Act Proposal, aiming to establish standardized regulations ensuring fair data access and utilization. This proposal, following the Data Governance Act, is the second major initiative under the European data strategy, complementing existing frameworks like the GDPR, Free Flow of Non-Personal Data Regulation, and Open Data Directive. Future regulations like the Digital Markets Act and Digital Services Act will further shape data rules.
The Data Act, effective since January 11, 2024, is a cornerstone of the European data strategy, pivotal in advancing the Digital Decade’s goal of digital transformation. Complementing the Data Governance Act, it addresses beneficiary identification and value creation from data, promoting secure access across economic sectors and public interest areas. This legislation fosters a unified EU data market, ensuring equitable data access and distribution. As a cross-sectoral framework, it sets principles applicable across all sectors, while future legislation is expected to align with these principles.
Data privacy legislation is making significant strides in the United States, with eight states passing laws in 2023, five of which are slated to take effect in 2024. These include the Montana Consumer Data Privacy Act (MTCDPA), Florida Digital Bill of Rights (FDBR), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act (OCPA), and Delaware Personal Data Privacy Act (DPDPA). Currently, 14 out of the 50 US states have implemented data privacy regulations, with 40 states proposing privacy legislation in 2023, indicating an increasing trend. User Centrics anticipates that more states will join in 2024.
Although progress has been made in data privacy legislation at the state level in the US, the implementation of comprehensive federal laws faces hurdles. However, heightened scrutiny due to technological advancements like generative AI may stimulate broader federal legislation aimed at addressing data privacy issues.
In Canada, the Digital Charter Implementation Act, 2022 (Bill C-27) is currently under review and may be enacted in 2024. This proposed legislation aims to introduce the Consumer Privacy Protection Act (CPPA), replacing the outdated PIPEDA regulation. Additionally, it entails the creation of the Personal Information and Data Protection Tribunal Act, which would establish an administrative tribunal tasked with supervising decisions made by Canada’s Privacy Commissioner and enforcing penalties for violations of the CPPA. Furthermore, the Act addresses the growing impact of AI through the Artificial Intelligence and Data Act (AIDA), which advocates for a risk-based approach to regulating AI systems in trade and commerce, highlighting the significance of data privacy for consumers, as indicated by User Centrics.
Privacy laws typically mandate organisations to establish a legal justification for processing personal data, which may include obtaining the individual’s consent for such activities. The GDPR has heightened the standards for obtaining valid consent, requiring separate consent for each processing activity instead of a blanket consent to the privacy policy. However, many countries, especially in Asia and Latin America, still heavily rely on consent as the primary basis for processing personal data, with provisions for consent withdrawal. Transparency and explicitness standards for valid consent have also been raised in line with GDPR requirements in many jurisdictions, Freshfields argues.
Nevertheless, several newly introduced or revised privacy laws have introduced more flexibility by incorporating GDPR-inspired legal grounds such as ‘legitimate interest’ and processing necessary to fulfill contractual obligations with individuals. For instance, countries like Indonesia, Korea, India, the Philippines, and Thailand have adopted a combination of these grounds alongside consent. In contrast, China and Vietnam still predominantly mandate obtaining individual consent in most cases. Similarly, many Latin American countries like Argentina and Uruguay require consent in most scenarios and lack GDPR-like provisions for processing personal data without consent, despite aligning with EU privacy principles in other aspects of their privacy laws.
In contrast, the UK and EU recognise consent as only one of the lawful bases for processing personal data, with consent often utilised for processing special category data or intrusive data processing. Singapore, since early 2021, has allowed processing based on deemed consent in a broader range of circumstances or legitimate interests. However, Singaporean law mandates organisations to conduct a specific Data Protection Impact Assessment (DPIA) when relying on either of these bases for processing, Freshfields concludes.
In 2024, global data privacy regulations evolve with the rise of Open Banking and Open Finance. While the EU leads with the Data Act, the US and Canada enact state and federal laws. Balancing consent-based models and alternative legal grounds for processing remains crucial in shaping future regulatory frameworks.
This article was originally published in The Paypers` Global Payments and Fintech Trends Report 2024. The report compiles insights and expertise from leaders representing companies across the financial services spectrum and it delves into the latest innovations and trends in payments and fintech across key markets worldwide.
Vlad is a Senior Editor at The Paypers, working on the Banking & Fintech team. He uses his research, content, and people skills for all activities revolving around Open Banking, Open Finance, Embedded Finance, and more. Vlad has a degree in Biology and Molecular Genetics and an extensive background in creative writing. You can reach out to him on LinkedIn or email.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now