Protecting Financial Consumer Data in Developing Countries: An Alternative to the Flawed Consent Model

  • August 29, 2018

  • Sydney, Australia

By the Digital Financial Services Research Team, Law Faculty, UNSW Sydney


There is currently great enthusiasm about the potential for “big data” and data-driven innovations to advance financial inclusion in developing countries and emerging markets. New data practices are allowing providers to extend services to previously excluded or under-served consumers and to tailor products to the actual needs of these consumers. At the same time, these practices create some significant risks, which may lead to loss or even financial exclusion for vulnerable financial services consumers.

In a recent article, we propose an alternative approach to financial consumer data protection, which takes account of the modern dynamics of digital data collection, use, sharing and storage, and the limitations of consumers individually negotiating acceptable levels of data protection.
This alternative approach is for regulators, industry and scholars to: recognise that the problem of consumer data protection is not solved by consumers supposedly providing consent to data practices; reframe the discourse to avoid euphemisms and assumptions which unjustifiably favor provider interests; recognise that data privacy and financial inclusion objectives may be advanced simultaneously; and more broadly, challenge the validity of the dominant “privacy self-management” paradigm in the context of developing countries.

Potential Benefits and Harms from Financial Consumer Data Practices

The analysis of “big data” and other data-driven innovations are likely to aid financial inclusion objectives in developing countries. Big data refers to data collected from various sources on a large scale in real-, or near-real, time, where that data is accurate and therefore valuable. Financial service providers analyse big data, using increasinagly sophisticated algorithms, to create financial inclusion benefits, including the extension of credit to “thin-file” consumers; the identification of consumers who do not have formal identification documents; and tailoring products to the real-world needs of specific categories of consumer.

At the same time, there are undoubtedly risks which arise from the collection and use of big data. These include the risk that consumer’s personal information will be used for fraudulent purposes, disclosed in ways which jeopardise the reputation of the consumer, used for the purpose of predatory marketing or lending, and aggregated or interpreted in ways (e.g. using automated algorithmic decision-making) which may lead to unexpected consequences, such as discrimination against, or exclusion of, the consumer.

The Traditional “Informed Consent” Model and Its Weaknesses

In many developing countries, there is no comprehensive data protection regulation, or very limited enforcement of existing data protection regulation. Financial consumer data privacy tends to be addressed by privacy policies, which are published on providers’ websites and/or included in the terms of contract for a particular product or service. Consumers are taken to consent to these terms.

This approach to data privacy aligns with the traditional “informed consent” – or “notice and choice” – approach to data privacy. In recent decades, however, this traditional approach has been increasingly criticised. Given the complexity of modern data practices, the opacity and length of standard form privacy terms, and the take-it-or-leave-it nature of those privacy terms, it is argued that consumers do not in fact receive genuine notice of proposed data practices, nor do they have a genuine choice about whether to consent to those practices.

These criticisms of the traditional model have even more force in developing countries, given generally lower levels of literacy, less experience with modern data practices and technological channels for the delivery of digital financial services, less ability to object to unfair privacy terms and lower overall levels of supply of, and competition in, financial services, which reinforce the take-it-or-leave-it characteristics of standard privacy terms. This is in addition to lax or non-existent cybercrime protection and prevention mechanisms, which multiply the underlying risks for consumers.

An Alternative Approach

We argue that regulators, industry and scholars should depart from the traditional approach to financial consumer data privacy in the following ways:

  • Recognise the problem is not solved by consent: It is unfair to expect financial consumers (especially those with limited literacy and limited familiarity with financial services and new technological interfaces) to shoulder the burden of understanding the data practices proposed by providers and attempting to negotiate their way out of any terms which are unacceptable to them. Consent to standard-form privacy terms should not be the primary justification for financial consumer data practices.
  • Reframe the discourse: Regulators, industry and scholars should avoid terms which diminish the value and significance of financial consumers’ personal information, such as “digital exhaust” and “leaving behind a digital footprint”. It is more appropriate to acknowledge that corporations are actively tracking the movements and behaviour of data subjects. In addition, regulators should perform a more active role in supervising the usage of the consumers’ personal information by third parties: the absence of meaningful and observable control over this data is likely to generate a negative image with consumers and reduce the potential for greater financial inclusion.
  • Recognise data protection need not be a zero-sum game: Financial consumers should not be required to choose between accessing financial services and maintaining the privacy of their personal information. According to “Privacy by Design” principles, privacy should be part of the design of any new service, built into systems and practices from the outset.
  • Question the “privacy self-management” paradigm: The dominant Western approach to informational privacy treats privacy as a matter of personal preference and imposes responsibility on individuals to manage their own privacy, including by striking appropriate bargains with those who wish to collect and use their personal information. This approach is seen to serve individual freedom and autonomy. However, informational privacy may serve other values, including dignity, compassion, fair treatment and belonging, which may be particularly prized in many developing countries. Acknowledging this, it may be appropriate to establish some substantive data privacy rules rather than relying on the proceduralism of consumer consent alone.

There is reason for optimism about the potential for new data practices to advance financial inclusion objectives in developing countries. Data-driven innovations can lead to convenient and affordable financial services for consumers who have been unserved or under-served by traditional financial services. However, adequate restraints will be required to ensure that modern data practices do not do more harm than good. Establishing the appropriate level of restraint is likely to require a departure from the traditional “informed consent” approach to data privacy, which unfairly imposes responsibility for privacy on consumers who have very limited information and equally limited bargaining power.