This document is an excerpt from the EUR-Lex website
Document 52023XX01054
Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on a framework for Financial Data Access (The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)
OJ C, C/2023/1054, 20.11.2023, ELI: http://data.europa.eu/eli/C/2023/1054/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
Official Journal, EN Series C, C/2023/1054, 20.11.2023
Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on a framework for Financial Data Access
(C/2023/1054)
(The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)
On 28 June 2023, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (‘the Proposal’). The objective of the Proposal is to promote the development of data-driven financial services and products by enabling consumers and firms to better control access to their financial data.
The EDPS welcomes that the Proposal seeks to empower customers - including data subjects - to decide how and by whom their data is used. He notes, however, that the definition of ‘customer data’ is particularly broad, potentially including personal data of a highly sensitive nature. The categories of personal data to be made available under the Proposal should be clearly circumscribed, taking into account the risks for individuals whose personal data would be accessed and used. The EDPS also recommends explicitly excluding data created as a result of profiling from the definition of ‘customer data’.
The EDPS welcomes that the Proposal would impose several obligations on data holders and users that could have a positive effect on the level of protection of personal data. To further this objective, data users should be obliged to clearly outline, for each request, the specific types of customer data they seek access to. The Proposal should also prohibit the denial of financial services to customers who do not install and avail themselves of the permission dashboard or otherwise enable data sharing by data holders with data users under the Proposal.
The EDPS considers that a clearly identified and strongly enforced data use perimeter is necessary to delineate appropriate uses of personal data and to protect vulnerable consumers. In this regard, the EDPS welcomes that the Proposal provides for the development of guidelines by the European Banking Authority and the European Insurance and Occupational Pensions Authority, in cooperation with the European Data Protection Board (EDPB). To ensure that the guidelines are fully aligned with data protection law, the EDPS considers a formal consultation of the EDPB to be necessary. The EDPS also recommends extending the scope of the future guidelines to other relevant financial products and services, such as mortgage credit agreements, payment services, other insurance products, investment products, and pension products. The guidelines should also elaborate, where appropriate, on the limits for combining ‘customer data’ with other types of personal data, such as personal data obtained from third party sources (e.g., social media networks or data brokers).
The EDPS recommends ensuring close cooperation between competent authorities under the Proposal and data protection supervisory authorities to ensure consistency between the application and enforcement of the Proposal and EU data protection law. Such close cooperation could be fostered by clarifying the circumstances in which competent authorities may consult and exchange information with data protection authorities.
1. Introduction
1. On 28 June 2023, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (1) (‘the Proposal’).
2. The Proposal aims to promote the development of data-driven financial services and products by enabling consumers and firms to better control access to their financial data (2). By doing so, the Proposal would make it possible for consumers and firms to benefit from financial products and services beyond payments that are tailored to their needs based on the data that is relevant to them. At the same time, the Proposal aims to address the risks that are inherent to the increased sharing of and access to financial data (3).
3. The Proposal is a sectoral building block that fits into the broader European strategy for data and enables data sharing within the financial sector and with other sectors (4). It is directly connected with one of the priorities of the Commission’s Digital Finance Strategy for the EU, notably of creating a European financial data space to promote data-driven innovation, building on the European data strategy (5), including enhanced access to data and data sharing within the financial sector (6).
4. In essence, the Proposal would:
5. The present Opinion of the EDPS is issued in response to a consultation by the European Commission of 29 June 2023, pursuant to Article 42(1) of EUDPR (18). The EDPS welcomes the reference to this consultation in Recital (54) of the Proposal. In this regard, the EDPS also positively notes that he was already previously informally consulted pursuant to Recital (60) of the EUDPR.
8. Conclusions
54. In light of the above, the EDPS makes the following recommendations:
Brussels, 22 August 2023.
Wojciech Rafał WIEWIÓROWSKI
(1) COM(2023) 360 final.
(2) COM(2023) 360 final, p. 1.
(3) COM(2023) 360 final, p. 1-2.
(4) COM(2023) 360 final, p. 3.
(5) Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on A European Data Strategy (COM(2020) 66 final, 19.2.2020).
(6) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Digital Finance Strategy for the EU (COM(2020) 591 final, 24.9.2020, p. 3 and 4).
(7) Listed in Article 2(1) of the Proposal.
(8) Listed in Article 2(2) of the Proposal.
(9) Article 3(5) of the Proposal: ‘ “data holder” means a financial institution other than an account information service provider that collects, stores and otherwise processes the data listed in Article 2(1)’.
(10) Article 3(6) of the Proposal: ‘ “data user” means any of the entities listed in Article 2(2) who, following the permission of a customer, has lawful access to customer data listed in Article 2(1)’.
(11) Article 3(2) of the Proposal.
(12) Article 5 of the Proposal.
(13) Article 6 of the Proposal.
(14) Notably, products and services related to the credit score of consumers and to risk assessment and pricing of consumers in the case of life, health and sickness insurance products. See also recital (18) of the Proposal.
(15) Article 7 of the Proposal.
(16) Article 8 of the Proposal.
(17) Titles IV and V of the Proposal.
(18) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(19) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(20) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
ISSN 1977-091X (electronic edition)