Maybe you have noticed it. Privacy is an issue. A bit strange since there are only 8 days left until the new EU General Data Protection Regulation (GDPR) will become fully enforceable throughout the European Union.
So before end of May 2018 all organizations that process data of EU citizens must comply with this General Data Protection Regulation. Determining how to design and improve your systems to meet the GDPR is not straightforward. However it can and should be done. Preferably by taking the privacy of your customers very serious.
In my humble opinion this means:
- Create a very clear privacy statement for your users.
- Behave and act as company as stated in your privacy statement.
- No misleading advertising and behave ethical and moral correct when it comes to privacy aspects.
A sector where privacy matters is the banking industry. Due to the new financial reality since 2008 many banks are searching for new profitable business models. So your privacy as a consumer can be under pressure. Some of the temptations for banks are e.g.:
- Selling your payment behaviour.
- Selling your data anonymised or pseudonymised.
- Selling your metadata (device information, location information and other fingerprinting data)
- Selling or using your contacts (e.g. contacts stored on your mobile phone)
- Enrichment of your personal data profile with data from collected from social networks and other sources to sell your other (financial) products.
Of course banks and financial corporations are fully compliant with all legal laws and will follow the GDPR. But history learned that it is not always wise to trust that banks will follow all laws in a correct moral way.
You can take any bank as example but to make you aware of privacy aspects and banking a short privacy view on ‘Bunq bank‘. Bunq claims not to be a bank, but if it looks like a duck, talks like a duck than it properly is…
On the public website of Bunq bank is written:
- “A true alternative to traditional banking”
- “At bunq your privacy is not for sale”
This sound good especially if you care about your privacy and want that companies take the GDPR serious.
So the highest time for a quick scan of the Privacy Statement of Bunq bank. This gives:
- The clear statement “At bunq,we really care about your privacy”. This seems good, so is this really a bank that will not mess with the privacy of its customers?
- Bunq collects “Biometric data”. Of course identification and authentication is a key aspect for secure banking, so this is not strange for a modern bank. However never is stated: What kind of biometric data, how it is used and when it will be deleted. Using this special category of personal data is in depth outlined in the GDPR Article 9. Using this data can give a lot of extra compliance risks.
- Bunq collects “Use data (how you use our products and services)”. For improvements of products and services this seems logical, but extensive collection of usage data can give all kinds of privacy risks. Or you as consumer ending up with products you do not really want, since machine learning algortimes are playing with this data to seduce you. Comparable as with any mature eCommerce platforms (Amazon).
- Bunq states “You can always contact us via the app if you do not want your data to be used for marketing purposes”. However this is not the way of doing privacy by design.
- Bunq claims “..will share your personal data with third parties if: a)this is (in our opinion) required to provide or improve our products and services b) this is required to perform our marketing efforts”. So this seems the Facebook way of dealing with personal data. Improving marketing and sharing it around.
- Bunq claims “We will always try to keep the sharing to a minimum” . The word that gives a privacy alert is the the word “try“. Why trying to keep it low, just do it!
- Bunq claims “By giving our app access to your contact list you can easily see whom of your contacts also uses bunq.” and “We can store chat and phone conversations.” So Bunq inspects just like WatsApp, FailBook and all other malware apps on your smarthone with who you communicate, how long and when.
- Bunq uses technology from adjust GmbH a marketing company who lives of analyzing personal data.
- Bunq uses Google Analytics.
- The sentences and words used in Bunq pricay statement are not so vague as in GDPR document, but on crucial points clarity is missing. At least if you want to read in normal words exactly what Bunq does with your personal data.
So from this quick scan you can and should discuss the following observations made from a privacy perspective:
- Bunq bank performs marketing activities with collected usage data.
- Bunq bank “privacy by design” implementation does not meet the ‘purpose limitation’ and ‘data minimisation’ GDPR principles from a core banking activities perspective.
- The Bunq bank statement that “they care about your privacy” seems not to be written from the perspective of a the consumer who cares about his own privacy.
- Bunq seems indeed a new way of banking, it seems much more a digital marketing company (e.g. Facebook) that has a service to do some money transfers.
So the Bunq claim that they do banking “On our own terms” seems 100% true. If you care about your privacy maybe it is wise to validate if the privacy terms of Bunq match your own privacy terms and principles. If you are customer at Bunq and want more information on how your personal data is used, the GDPR can help you to get more clarity.
This blog post will be added (after rewrite) as an extension on the ‘Open Reference Architecture for Security and Privacy‘. We are working on an renewed version. Please join us!