Thought leadership from our experts

The global battle over access to customer data and data portability

Peter Leonard, Gilbert + Tobin, Australia

Around the globe battles are now being fought over consumer data.

The protagonists and their weapons of choice vary significantly economy by economy. However, the broad characteristics of the battlefields are similar. The forces in these battles include incumbents and new entrant service providers, comparison sites and service packager intermediaries, providers of new platform services such as social networking sites and online payment providers. The weapons are a range of regulatory interventions by financial services regulators and competition authorities to promote ease of switching between service providers, by consumer protection authorities in response to to demands by consumer advocates for better transparency and improved control of consumers over data held about them, their interactions and transactions, and implementations of new data protection requirements as to data portability.

The battles are facilitated by increased volume, velocity and variety of data sets that power and enable refinement of data analytics techniques. These techniques generate algorithmic discrimination tools that enable service providers to improve their ability to define and then target increasingly granular customer segments and to differentiate as to price and other terms offered to those customer segments. Data is more readily available because businesses interact with each other and with consumers through flows of consumer data, and because each businesses is increasingly algorithmically driven in its own operations (therefore requiring better integration and availability of data across the business). Data is also more readily available for analysis because it is more 'discoverable' – as data taxonomies are standardised and data extraction tools refined, there is more data that can be discovered and used. Tools for analysis and presentation of actionable insights are now widely readily available – including powerful tools readily available to consumers in the form of apps on smart phones or online comparison websites.

Telco regulators will recognise these battles as the natural evolution – albeit now fuelled by the steroids of data and technology – from regulatory interventions over the two decades from 1990 to promote competition in telecommunications industry. Those interventions includes mandating number portability and requirements for certain disclosures of by incumbents to new entrants of network and customer related information in order to address information asymmetry. Of course, differential access to customer data and barriers to switching have long been important aspects of incumbency advantage. But there are now important new aspects of this battle, elements which increasingly erode that incumbency advantage.

The first new element is the direct involvement of technology companies in facilitating switching decisions across a broad range of industry sectors. For example, a data aggregator Envestnet Yodlee acts as intermediary between the banks and start-ups, pulling data from U.S. banks and translating the data into a form that start-ups like Betterment, Mint and Digit can use. Technology companies like Mint and Betterment provide services that let people link all their various bank-account and credit-card information. The benefit to consumers that they offer is to make budgeting and bookkeeping easier. Their business case is targeted offer (with targeting based upon analysis of the customer data) of new kinds of loans and investment products to consumers. A response by some banks has been to restrict the sharing of this kind of data with technology companies, including by refusing to pass along information such as fees and interest rates they charge. Some banks say they want to give people access to data about them, but they want security controls and authentication standards and agree restrictions as to how intermediaries request and handle this data. Across many industry sectors and in many countries, a similar battle is now playing out as to terms on which data may be released, including as to restrictions as to secondary or downstream uses and as to security and other standards required to be observed by prospective recipients as a condition of data release.

The second new element is increasing capability to use insights derived from analysis of consumer interactions or transactions on social networks, or in a particular industry sector, to make actionable business decisions as to product or service offers in another industry sector. Data linkage across multiple data sets, and many customers being addressable by inference as to their attributes or preferences even while not being identifiable as particular persons, increasingly enables cross-sector data analytics to yield valuable business insights. As a result, incumbents within particular sectors may derive value from data linkage with businesses in other industry sectors – and sometimes find themselves facing non-traditional competitors entering from those sectors.

The third new element is a new regulatory construct as to consumer rights to data. This construct has grown out of, but is now quite distinct from, traditional justifications for individual's rights of data access under data protection laws. This is the area in which there remains the greatest difference between different jurisdictions both as to the extent of regulatory intervention and the rationale for intervention.

The then United Kingdom Government commenced its midata initiative in early 2011 as a voluntary scheme applicable to customer transaction data in certain 'core sectors', being energy supply, the mobile phone sector and current accounts and credit cards. Two main benefits were stated as arising from the new right. First, to help consumers make better choices: with access to their transaction data in an easy to use format, consumers would be able to make better informed decisions, often with the help of a third party. This in turn would reward firms offering the best value products in particular markets, allowing them to win more customers and profits and resources. Secondly, as a platform for innovation: midata would lead to the creation of new businesses which will help people to interact with their consumption data in many innovative ways. In April 2013 the Enterprise and Regulatory Reform Act gave the Secretary of State the ability to issue regulations imposing a duty on suppliers to provide customer transaction data to their customers in those 'core sectors' but also with the ability to extend this requirement to any supplier of goods and services. In August 2016 the Competition and Markets Authority required the largest U.K. banks to develop by 2018 a new open API banking standard that will enable customers and SMEs to share information with third parties including price comparison websites and the third party payment service providers created by the new Payment Services Directive 2 (account information service providers and payment initiation service providers). Certain less sensitive information (for example, about prices, charges, terms and conditions and customer eligibility criteria) was required to be released by 31 March 2017.

In the European Union, the new right to data portability provided by Article 20 of the General Data Protection Regulation (GDPR) allows for data subjects to receive the personal data that they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit this data to another data controller. The primary stated purpose of this new right is to empower the individual that is the data subject and give him or her more control over personal data. Although the GDPR itself incidentally noted that data portability would also foster competition by facilitating switching between different service providers and therefore promote development of new services, the Article 29 Data Protection Working Party in its Guidelines on the right of data portability (WP242 rev 0.1 as revised on 5 April 2017) proposed a broad interpretation of data 'provided by' a data subject and as to when it is 'technically feasible' to directly provide the data electronically to another service provider at the request of the data subject. Data 'provided by' the data subject includes data actively and knowingly provided by the data subject (for example, mailing address, user name, age, etc.) and data observed through use of a service or device. Examples include a person's search history, traffic data and location data and other raw data such as the heartbeat tracked by a wearable device. By contrast, "inferred data" and "derived data" created by a service provider, such as algorithmic results, are excluded. Thus, the term 'provided by' includes personal data that relate to the data subject activity or result from the observation of an individual's behaviour, but does not include data resulting from subsequent analysis of that behaviour, such as personal data created by the data controller as part of the data processing (e.g. by a personalisation or recommendation process, by user categorisation or profiling).

In the United States in November 2016 the Consumer Financial Protection Bureau (CFPB) launched an inquiry "into the challenges consumers face in accessing, using, and securely sharing their financial records". The 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act provided for consumer rights to access their financial records and account-related information and specified that this information "shall be made available in an electronic form usable by consumers". That statute also gave rulemaking authority over this area to the CFPB. As at April 2017 the CFPB was moving towards writing new rules to facilitate this data access, but it remained unclear whether such initiatives would be supported by the Trump Administration or, indeed, whether the CFPB would continue to be funded. In November 2016, the Federal Communications Commission had released stringent privacy rules and new disclosure requirements as to uses by carriers and broadband services providers of telecommunications customer data. These were eliminated by Congressional joint resolution signed into law by President Trump in April 2017.

Increasingly, we may expect to see the debate as to consumer access to data and data portability to be framed in terms of finding the balance between promoting consumer trust and promoting competition. Consumer trust is a key attribute of the social contract between individuals (consumers and citizens) and businesses and governments that enables use and limited sharing of information about individuals. Consumer trust is also integral to adoption of many efficiency enabling technologies and services and therefore to achievement of the benefits to society that are expected to flow from uptake of these technologies and services. Rights of access to data and of data portability nurture consumer trust, by lifting confidence over time that consumers, along with governments and businesses, can choose how and when to use their own data. But it will often be difficult to determine the appropriate point beyond which data ceases to be about customer transactions and should then be protected from disclosure as commercial-in-confidence business information. As business investment in data analytics increases, it becomes even more important to get this point right. Incorrect regulatory settings will undermine incentives for services providers to innovate by value-adding in service feature and functionality and improving personalisation of services by data analytics and data transformations. Incorrect settings may facilitate free riding by less innovative service providers upon innovations by first movers, and unfairly appropriate or undermine trade secrets and other intellectual property of first movers. Also, the significant costs in implementation of APIs for access to data are a cost burden on businesses that must be balanced against consumer benefit: there may be relatively few industry sectors and service providers where cost-benefit analysis supports mandating API enabled access to data and data portability.

The battles now being fought over consumer data will continue to be fought over the next few years. It is clear that the outcome will be increased consumer access to data and technological support for electronic data portability. But the ways in which that access will be provided, and the extent to which access will be mandated through regulatory action either in particular industry sectors or across economies, remain hotly in contention.