The Swedish Data Protection Authority’s focus on new technologies – what does it mean for the Fintech sector?

Three years have passed since the GDPR entered into force, forming the start of a major society wide privacy overhaul that is still ongoing today. Now, the Swedish authority for privacy protection (IMY) has summarised the latest technology and privacy developments in Sweden in a recent report, setting out the road ahead for the future supervisory initiatives. In this article, we look into the IMY’s report and how its findings could impact the Fintech industry.

In Sweden, the Fintech sector has seen a significant growth and development over the last few years. These developments could be attributed to a combination of important factors where the Swedish market stands out: a major and well established banking and finance presence; a large amount of highly competitive technology companies with ongoing developments; a highly connected society in general and banking sector in particular; experienced and willing local investors with a strong track record in both tech and financial services; and, perhaps most important, several tech and Fintech unicorns coming out of Sweden since the early 2000’s. With this beneficial environment, the Swedish market seems ripe for adaptions of new technologies in the Fintech sector. However, this raises the question if the sector’s maturity and ability as regards compliance with data protection regulations can match the challenges that such new tech may bring.

In a recent report, the IMY has summarised the last few years tech and privacy developments on the Swedish market and the authority’s plans to tackle these and future developments over the coming years. In this report, special emphasis is placed on the ongoing developments in new technologies and an enhanced privacy enforcement in several areas is identified as key to meet the coming technology developments and to create a fair and level playing field for all actors on the market. The IMY’s analysis and agenda is not only of general interest, but may also specifically apply to some key areas of particular relevance for the Fintech sector.

Below, we summarise some key findings in the IMY’s report and conclude what this could mean for the Fintech sector in Sweden over the coming years.

Exponential technology developments must be met with equal focus on privacy

The world is currently going through the fourth industrial revolution, where the new technology, at its core, is about creating, collecting, using and sharing data. This brings a massive potential for various kinds of personal data processing – where the more powerful the technological developments, the higher the potential for extensive and intrusive personal data processing.

With this in mind, the IMY notes that the technical developments are constantly ongoing at an increasingly rapid pace.  In fact, according to the IMY, the rate of technical improve-ments is exponential with technical capacity doubling every second year.

To keep up with this massive technical progress, the IMY sees it as essential to make significant efforts in ensuring a corresponding level of developments in privacy (both raising compliance and adapting requirements to the new technologies). It is also imperative that such efforts are initiated soon, since established technologies that don’t have sufficient levels of privacy considered in their design could be severely difficult and costly to amend later on – where business models established on these technologies, but in a non-compliant way, may also have strong incentives to resist or avoid any later changes, even if these are driven by privacy concerns.

So where do the IMY see the major technology developments and corresponding privacy challenges in the years to come? Here, the IMY identifies 16 areas of new technology where the IMY sees a particular privacy impact potential. Below, we mention a few of these technologies that are of particular relevance in the Fintech industry.

The power of Artificial Intelligence

The developments in Artificial Intelligence are seen as one of the main potentials for the future, as well as one of the main challenges from a privacy perspective. AI technology enables especially powerful collection and analysis of large amounts of data, to the extent that relatively benign data could be processed by AI in such a way that it could become very sensitive from a privacy perspective. According to the IMY, it will be imperative to ensure sufficient transparency, accountability and lawful basis for use of AI-solutions – areas where there are particular challenges and privacy risks.

For the Fintech sector, AI solutions are of particular interest due to the vast amount of data available in the financial systems. This provides a trove of potential value that could be mined by using AI technology. Such use could, according to the IMY, be relevant for the Fintech sector in for example automated analysis or decision systems, or in security or behavioural analyses for predictions on financial opportunities or risks. However, such processing could also be particularly revealing of fundamental information on individuals’ behaviours, interests, patterns, etc.  – all of which could be very sensitive from an integrity perspective and might even entail risks to individuals rights under applicable financial reg-ulations. For these reasons, the IMY will aim to have a particular focus on use of AI sys-tems and to ensure that common practice and enforcement will be made for an improved and continued compliance with privacy requirements.

You scrape my web, I scrape yours

Web scraping is something that already occurs to a large extent – where software applications uses various kinds of tools to automatically collect data presented online or in connected services. However, the IMY notes that when used in combination with AI, the privacy implications could be extensive. Particularly, large datasets could be collected from various sources in a complex way that could be very difficult for the relevant data subject to overview in a transparent manner. Moreover, where a powerful AI could provide extremely powerful insights this could lead to very intrusive processing of the individual’s personal information. A combination of these technologies could therefore not only be very power-ful but also entail a high potential risk from a data protection perspective.

For the Fintech sector, this could be particularly relevant when combining the already huge amount of financial data with other kinds of data available for web scraping. There could also be issues of lack of control of data, if advanced web scraping technologies are combined with powerful AI to obtain insights on other financial actors’ users. Here, the IMY sees particular risk and therefore a higher need for a focused regulatory supervision.

Cloud services

In the last couple of years, we have seen a massive increase in the use of cloud services, both for combinations and use of external cloud based services (as opposed to traditional licensing) and also for a decentralised and scalable hosting of an organisation’s data or infrastructure. The IMY notes that this technology has significantly improved the efficiency and scalability in IT-systems and services in a mostly positive way.

In financial services, the new and versatile cloud solutions makes it possible to take further advantage of the large amounts of data collected and processed as part of its operations and to quickly develop and implement new services in a more agile way than before.
However, few have missed the controversial and complex regulatory situation for cloud services, which has brought a significant amount of uncertainty on how to use this technology in a compliant manner. Particularly, regulations in the EBA Guidelines on Cloud Ser-vices and subsequent Guidelines on Outsourcing have increased requirements for financial actors’ use of cloud services in its IT-infrastructure. Additionally, last year’s ruling in the Schrems II case resulted in significant uncertainties as regards use of cloud services from the major providers. Together, these created a severely complex regulatory landscape with significant hurdles to overcome for any fully compliant use of cloud services in the finan-cial sector.

But there are perhaps good news to come for cloud compliance. Recently, the first Code of Conduct for Cloud providers was approved by the Belgian data protection authority – simplifying compliance when using cloud services. Hopefully, this will pave the way for further initiatives, which may be sector specific, facilitating the use of these new technologies in a compliant way. 

Particular focus on the “problematic” Adtech market

The IMY singles out and puts a specific focus on the Adtech market, which has come under scrutiny in several recent decisions and reviews around Europe. As such, the IMY labels the sector as “problematic” with severely complex and non-transparent use of personal data, which could lead to high risks for individuals’ rights according to the IMY. In general, the IMY states that the Adtech industry is systematically in breach of fundamental parts of applicable data protection laws.

For the Fintech industry, this may pose particular challenges when interacting with Adtech providers as these services are often essential for any business and therefore hard to com-pletely avoid. In this regard, such interactions may however pose a larger risk for Fintech players – since they are often exposed to more severe sanctions and are more sensitive to reputational/trust damage. The IMY notes that some users of Adtech services are different providers of financial services and that, as such, these are also responsible for personal data processed when using the Adtech service. Thus, if the Adtech industry poses a systematic compliance risk, this could entail severe compliance risks for Fintech actors and poten-tially also affect other regulatory aspects of a Fintech player. Since the Adtech sector will be under particularly scrutiny by the IMY in the coming years, the Fintech sector should do well to review any interactions or uses of the services such Adtech suppliers provide.

Blockchain technologies

Technologies based on blockchain solutions have been gaining momentum over the last couple of years, and with that there has also been an increase focus on whether these technologies can be designed and used in a way that is GDPR compliant. The IMY notes that blockchain technologies can be used in a wide range of applications, with everything from Central Bank Digital Currencies, decentralised finance (defi) solutions, smart contracts and secure processing of sensitive information. Blockchain applications may thus both entail inherent compliance issues that may be difficult to overcome as well as improve information security to the benefit of some privacy aspects.

It has been noted in a number of reports that there are several uncertainties regarding how some central aspects of the GDPR shall be applied and interpreted for blockchain technology and infrastructure. Particularly, many questions are unsolved on how to interpret and apply the definition of personal data to information in a distributed ledger, how to assign the responsibility as a personal data controller in such a decentralised system and how to comply with requirements of minimization of personal data, processing, purpose and storage when data in a blockchain is normally used continuously for verification of ongoing transactions and thus cannot be removed once included. The IMY stresses on the importance of continued development and clarifications on how to apply privacy laws on new technologies, and new developments in these areas are to be expected.

Extensive compliance deficiencies remain

During the recent years, the IMY has made a number of examinations of the general GDPR compliance level in Sweden. From these reviews, the IMY’s overall assessment is that alt-hough much work has been done, there are still general and extensive deficiencies in the companies’ GDPR compliance. Notably, the IMY observes that many companies still lack in establishing a systematic and continuous compliance work which results in the non-compliance of the fundamental principles of the GDPR, legal basis for processing, insufficient security measures or data subjects’ rights and more. Additionally, the IMY notes that it has likely received far too few requests for prior consultations, indicating that companies do not perform Data Protection Impact Assessments to the extent required.

With this general lack of full compliance, the IMY notes that some sectors have nevertheless come farther than others in establishing a higher degree of data protection compliance. Among those performing better in this regard are both the financial and tech sectors. However, the IMY states that these industries often undertake extensive and potentially sensitive personal data processing, which warrants this higher general degree of compli-ance. The IMY also notes that one of the main concerns among citizens is how information regarding their financial data is processed and how payment card details is used, why there is still more work to be done also in these sectors.

New efforts to raise the compliance level

The IMY sets out an ambitious plan for its work ahead for the coming years.

As one important part to tackle the challenges with these new technologies, the authority has received additional funding to perform activities and initiatives to raise the knowledge and compliance levels in the areas of technical innovations, developments and applications. This will require a deeper communication with the affected organisations, and will hopefully lead to constructive and clarifying materials on how to combine the new technologies with a high degree of protection for personal data. And, to further bolster innovation in combination with privacy compliance, the IMY also considers to establish a regulatory sandbox-operation where new technologies could be tried out.

The IMY also aims to take a leading role among its European counterparts in preparation of guidelines and recommendations in these areas of new technologies identified, in particular for technology that is of importance from a Swedish perspective. This will for example regard AI, IoT and biometry.

Perhaps most importantly, as regards its enforcement operations, the IMY will shift the focus of its compliance supervision from a previous risk based model, where high risk areas were specifically targeted for supervisory actions, to a complaint based model, where supervision and enforcement will be primarily based on complaints from the public. So for the future, companies should expect individuals complaints to be more of a focus for Swedish operations with personal data processing – and should consider to adjust its operations and customer support thereafter.

To sum up

To match the exponential technology developments, the Swedish supervisory agency IMY will take its operations into a higher gear. This will hopefully lead to significant clarifica-tions on GDPR compliance for the cutting edge of technology developments, but it will likely also lead to a considerable increase in new rules and guidelines as well as supervisory review and enforcement.

In conclusion, equally exciting and challenging times lie ahead, especially in the Fintech field where the stars could align for innovative utilizations of the vast amount of data that exists. But to be able to gain the advantage that this provides, companies must also address the privacy issues related to such technologies, even if no clear route for compliance may be available (due to lack of clarifications from the governing bodies). This requires for the Fintech company a strong foundation in routines, structure and organisation. Otherwise and without such a foundation, Fintech companies might find themselves left in the dust of other actors – either because of lack of implementation speed due to privacy investments made too late or from effective enforcement due to user complaints. So when enforcements from complaints will likely be more common companies should beware that the biggest cost in any data protection enforcement might not be the fine, but instead the cost of loss in consumer trust to use the service that they provide.