Platform-Based Finance: Are Regulators Up to the Data Protection Task?

There is a lot of excitement within the financial inclusion community around the use of “alternative data.” The hope is that by using digital data not traditionally factored into financial services but widely available today, providers will be able to offer low-income people better, more affordable financial services at scale.

At CGAP, we’ve been looking into digitally included yet poor customers and the opportunities their digital footprints present to advance financial inclusion. Platforms, in particular, appear well-positioned to harness alternative data they have on workers’ income histories. We’ve examined promising examples of banks serving platform workers based on the income data generated by platforms. Similarly, GSMA has published findings on how mobile money platforms can leverage customers’ telecommunications usage and top-up data to extend emergency airtime loans.

But platforms’ use of alternative data does not come without risks for the customers. These include data privacy and protection risks, which are often a concern of low-income customers who are using or thinking of using digital financial services. As platforms ramp up their financial service offerings in emerging and developing markets (EMDEs), regulators can look at developments in more advanced economies to get a glimpse into the data protection issues they will need to consider. 

European Union experience underscores regulatory challenges

On the day that the European Union’s (EU’s) General Data Protection Regulation (GDPR) went into force in 2018, four complaints were filed against Facebook, Instagram, WhatsApp and Google. The complaints claimed the platforms’ “take it or leave it” approach to data protection (i.e., giving consumers no flexibility to opt in or out of individual contractual provisions with a platform) amounted to “forced consent” and was thus contrary to the GDPR, given that the GDPR requires users be given a choice unless consent is strictly necessary for provision of the service.

More recently, on January 6, 2022, France’s data protection regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), fined Alphabet’s Google a record €150 million and Meta’s Facebook €60 million for making it difficult for users to refuse online trackers known as cookies.

In many EMDEs, national data protection laws or regulations have recently been introduced (Nigeria in 2019, Thailand in 2019 and Brazil in 2018) or are still under debate (India, Indonesia, Pakistan and Vietnam). Many of these jurisdictions have looked to the EU and its GDPR for inspiration, as the GDPR is considered one of the world's best developed data protection regimes.

Yet even the GDPR has not been able to rein in abuses of data use, such as the Meta and Google cases referenced above. This problem is compounded when platforms are not only involved in social media but venturing into the provision of financial services.

Given that the implementation of the GDPR has been a challenge for many companies and regulators in the EU, how much more of a challenge will it be for EMDEs, with their more limited capacity to implement national data protection laws inspired by GDPR? And what happens in EMDE countries with no national data protection laws?

Minimum data protection rules for EMDE regulators

Recent CGAP customer research (publication forthcoming) shows that instant messaging and social networking are the top activities undertaken on the mobile internet by the digitally included poor. If platform-based finance is to harness the power of this data for financial services, it must be made accessible and at the same time subject to customer control and certain minimum data protection rules. This means EMDE financial sector regulators need to ensure platform-based finance is adequately regulated from a data protection perspective.

Minimum data protection provisions should include clear, transparent customer-centric disclosure (such as breaking privacy notices into smaller chunks of information and possibly using visuals to convey this information) as well as informed consent. There are a few ways to make consent more meaningful. These include giving customers advance notice of what type of data is being used and how it is to be used for a specific transaction, allowing customers to accept or refuse the use of their data across several relevant steps in the transaction process, and permitting customers to revoke consent or place a time limit on it.

However, given the difficulty of ensuring informed consent and the fact that consumers have no flexibility to negotiate individualized contracts with platforms (making it a “take it or leave it” scenario), regulators may wish to consider shifting the burden of data privacy on to the platforms themselves. This can be done by applying the legitimate purposes test, which limits use of data to what is compatible, consistent and beneficial to consumers and cannot be overridden by consent. It can also be done by introducing a legal fiduciary duty, requiring data collection and processing firms to always act in the interests of, and not in ways detrimental to, the subjects of the data. Both these approaches are currently part of India’s proposed Data Protection Bill.

Even if regulators do not wish to implement either of these approaches, they should at least improve customers’ control of their data. This can be done by providing data subject rights. These include rights for a customer to obtain a copy of their data, modify and delete their data, withdraw consent at any time, make a complaint concerning exploitative data practices, and port their data to other platforms in a structured, commonly used and machine-readable format.

In cases where the adoption of a national general data protection law is politically unfeasible or takes too long to implement, regulators can consider adding provisions in their financial service regulations that strengthen data protection and customer data rights for institutions and services under their mandate. Even if a national data protection law is in place, financial regulators can usually insert tailored data protection provisions for financial services into their sectoral regulation if the current national legislation falls short.

As long as platform finance is within the ambit of the financial regulator, these are realistic short- to medium-term solutions that financial sector regulators can take to find the right balance between customer protection and promoting financial sector innovation through platform-based finance.

This is the second post in a four-part series on regulating platform-based finance in emerging markets. The first post in the series summarizes three key challenges that platform-based finance poses to regulators: data protection, competition and regulatory coordination. Subsequent posts delve into each of these challenges. Stay tuned for posts on competition and regulatory coordination.