Stand up for your customers’ privacy and protect their data rather than harvesting it
Simon Lelieveldt is a leading regulatory consultant for payments and fintechs with wide-ranging experience in the banking world – from ING to a supervisory role at the Central Bank, and subsequently as the head of the Bank Supervision department at the Dutch Bankers’ Association. Here, he explains why it’s time to stop infringing on human rights and start building a sustainable digital future.
How would you define ‘digital sustainability’?
The concept of sustainability is linked to taking care of all life on Earth. Since 1948, how we take care of ourselves as the human race has been enshrined in the United Nations Universal Declaration of Human Rights. So to me, digital sustainability means being equally able to protect fundamental human rights in the digital world as we are in the physical world. Therefore, digital sustainability is essential for the future of humankind, democracy and life in general.
What is the current state of play in terms of the shift to digital sustainability?
In my view, the impact of digitalisation on human rights is an area that is still being largely overlooked by the majority of public-sector and private-sector organisations. Although technology – and the world in general – has changed dramatically since the 1950s, the human rights framework has been updated to reflect today’s digital reality; in early 2019, the Resolution on the Right to Privacy in the Digital Age was adopted by the UN General Assembly on Human Rights. This is an internationally binding resolution to ensure digital sustainability. It calls on governments to “refrain from requiring business enterprises to take steps that interfere with the right to privacy in an arbitrary or unlawful way, and to protect individuals from harm, including that caused by business enterprises through data collection, processing, storage and sharing and profiling, and the use of automated processes and machine learning”. However, unfortunately it seems that governments and organisations around the world aren’t paying sufficient attention to this resolution.
We’re all aware of the risks associated with digital tools when they fall into the wrong hands. But what we widely condemn in nations like China – where government bodies are using and abusing the power of digital tools and technology – is actually already happening here too; there have been several recent cases of racial profiling and discrimination based on the large-scale analysis of personal and financial data by governments in the EU. These are clear infringements of basic human rights and the current approach is allowing governments to do exactly what we don’t want them to be able to do in a democratic society.
It pains me to say it, but the financial sector is actually complicit in this. This all started in the late 1980s/early 1990s, when the regulators started pushing the Financial Action Task Force (FATF) standards to prevent money laundering (AML). This mass surveillance of payments intensified following the 9/11 attacks in an attempt to counter the financing of terrorism (CFT). But now, over 20 years later, this so-called temporary ‘project’ – because it is still not actually a legal entity – means that banks and other financial institutions have been skewed into ignoring people’s basic right to privacy and intruding into their private dealings. It’s a simple fact: in the world of payments – whether cash or digital – transactions should be a private matter. But the lure of efficiency facilitated by digital transactions means that the right to privacy has gone out of the window and Dutch banks are now called on to report any unusual transactions to the relevant authorities. As a result, numerous legitimate customer groups – from charities to jewellers – are viewed as ‘guilty until proven innocent’ and have their access to the financial system blocked due to these over-zealous measures – all under the guise of preventing money laundering. There are other, much more effective ways to tackle this problem… which in my view is not the worst offence someone could commit, by the way! It should be a job for the police, not the banks! How is this being used to justify such an infringement of people’s privacy? So in the financial sector, the current state of play is that we have a non-legally recognised standard-setting organisation encouraging governments and financial institutions to engage in mass surveillance and intrusion on the one hand, and a UN charter protecting human rights on the other. The ‘mass snooping club’ currently has the upper hand – but thankfully, I believe the tide is turning!
What should governments, organisations and companies pay attention to in the context of digital sustainability?
This is an opportunity for governments, organisations and companies to make the right decision and to steer a path towards a sustainable digital future. We’re fighting the good fight and the law is on our side! Perhaps it helps to take a step back and think about human rights in the historical context, and to consider where we might be in ten years’ time if things don’t change. I would recommend everyone to read the UN Universal Declaration of Human Rights with digital sustainability in mind, and also to read – and act on – the Resolution on the Right to Privacy in the Digital Age as well as the broader UN Guiding Principles for Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework (HR/PUB/11/04). These guiding principles are grounded in recognition of states’ existing obligations to respect, protect and fulfil human rights and fundamental freedoms, and they apply to all states and to all business enterprises, regardless of their size, sector, location, ownership and structure.
Which indicators can be used in conjunction with digital sustainability performance?
There are various signs that the balance is starting to shift in favour of digital sustainability. The topic of human rights related to data is receiving increasing attention in the mainstream press, for example, such as a recent article in the Dutch newspaper De Telegraaf referring to a national privacy watchdog’s concerns about mass surveillance by banks. Additionally, the European Data Protection Board (EDPB) has sent several letters to the relevant European institutions expressing strong concerns that the AML-CFT legislative proposals could have a disproportionate negative impact on the rights and freedoms of individuals and could lead to significant legal uncertainty. I get the feeling that the EDPB’s patience is wearing thin.
For me, another key indicator is the growing number of successful lawsuits. In 2020, a coalition of NGOs won a court case which ruled that, in its attempts to detect social services fraud, the Dutch government must cease using the algorithm-based System Risk Indication (SyRI) system for profiling citizens on the basis of large-scale data analysis. The court concluded that SyRI is in violation of the European Convention on Human Rights since it impinges disproportionately on the private life of citizens. Specifically in the financial sector, a relatively small company in the crypto space is the only one who has so far fought – and won – against the Central Bank’s requirement to conduct mass surveillance. So even though the supervisors didn’t extend their ruling to the rest of the market, it is clearly possible to take the regulators to court successfully – and more companies should be doing it.
What advice do you have for organisations when it comes to data sharing? What action could and should they be taking?
My advice is simple: refuse to keep snooping for the government without proper legal title, refuse to keep sending information that is in violation of the Human Rights charter! Instead, stand up for your customers’ privacy and protect their data rather than harvesting it.
Companies need to stop treating digital sustainability separately from corporate social responsibility. Human rights is not just about preventing slavery and child labour in faraway countries, for example. How can you say you comply with ESG principles if you’re not taking action to protect your own customers’ privacy? And the argument that ‘the customer consented’ doesn’t hold water because that’s ill-informed consent at best, and customers often don’t even have a choice nowadays. In fact, it’s pretty bizarre that the data economy and incentive system has become accepted as ‘normal’ in return for access to better services. There are of course some good examples in which data sharing can be very useful, but we’re largely ignoring the fact that enslaving consumers with short-term benefits is unsustainable from a societal perspective.
It’s as if data is the ‘forbidden fruit’; now that governments and businesses have had a bite of it, they’re hooked. But – especially as we move towards the metaverse and Web3 – it’s time to exchange the short-term gains for long-term relevance and therefore survival. That’s why digital sustainability needs to be integrated into your business strategy along with all the other ESG aspects. This starts with being open and transparent: inform your customers how you treat their data, what you do with it, and make any possible side effects of sharing their data clear to them. There are lots of tools in the box to help you, not only in terms of data storage, protection and encryption, but also anonymity techniques, privacy-sensitive biometrics for identification purposes, temporary/single-purpose use of data and of course blockchain for transparency. Privacy by design is of huge importance in this context.
Showing your true colours takes courage and you might even risk a fine from the anti-money-laundering supervisors. But digital sustainability is your weapon against those on the ‘dark side’: the Big Techs, dictators, seemingly respectable governments and shady regulators who are all prying on citizens and taking their data, data sovereignty, money – and sometimes their livelihoods and even their families – from them. Therefore, the message ‘Your data remains private with us’ is the strongest business case you can have.