Page 98 - ITU-T Focus Group Digital Financial Services – Recommendations
P. 98
ITU-T Focus Group Digital Financial Services
Recommendations
Title of recommendation Informed consent on data collection and use
Working Group Consumer Experience and Protection
Theme Data protection
Audience for recommendation Regulators
Regulators should require DFS providers to provide clear, conspicuous, and understandable informed consent
with all DFS, so that customers appreciate what data is being collected; how it may be used; whether it will be
disclosed to third parties and, if so, which parties and for which purposes; how long it will be retained; whether
it will be disclosed for legal or public interest reasons (such as to the government for criminal or tax related
investigations), and what options customers have if they believe their data has been improperly accessed or
used. Regulators should also require DFS providers to obtain specific consent for each type of data use or sharing
including when such information is being sold or shared with a third party for a purpose unrelated to the original
transaction.
There is a growing international recognition of the importance of data protection as a component of DFS and
mobile transactions. For instance, GSMA has developed a set of mobile privacy principles that promote
59
consumer privacy in the mobile ecosystem. On the governmental level, the European Union has recently
adopted a General Data Protection Regulation that emphasizes key components of data protection, making
them generally applicable across industry sectors. One of the BTCA’s Responsible Digital Payments Guidelines
46
calls for the protection of clients’ digital data. The Payment Aspects of Financial Inclusion (PAFI) states that
a “lack of clarity regarding what can be disclosed, and to whom, may deter the use of a payment service by
some potential customers.” The United Nations Guidelines for Consumer Protection calls for the “protection
60
of consumer privacy and the global free flow of information.”
In addition, new research commissioned by the ITU shows that half of DFS customers in Ghana, Tanzania, and
the Philippines think DFS providers or agents could use their personal information to harm them. In the same
study, more than half in each country expressed concern about advertisers using their data.
In keeping with emerging data protection principles, there are several steps regulators should take to protect
DFS consumers. First, consumers should be given clear, conspicuous, and understandable disclosures so
they understand what data is being collected from them, how that data will be used, what choices they
have regarding such uses, how long their information will be retained, and whether their information will be
disclosed to third parties. This information could help empower those consumers to make informed choices
about the handling of their personal information. Given the display limitations on devices often used to access
DFS, and low literacy levels of some users, this may be challenging, but research has shown that simple
61
explanations and informational brochures can help customers understand data use. Regulators and providers
can use consumer research to test different disclosure options can help identify the most effective mechanisms.
In addition, it is important for consumers to be informed about certain provider policies and practices, including
the policies for selling data to third parties. One way to reduce risk and empower customers is to require
that providers obtain separate consent for each instance of data sharing or selling, allowing the customer to
decide when the benefits of sharing personal data will outweigh the risks. Consumers should also be informed
of provider policies for sharing data with government entities, such as law enforcement and tax authorities.
And, regulators should require that providers inform customers of their ability to access, dispute, and have
59 GSMA Privacy Principles, Promoting Consumer Privacy in the Mobile Ecosystem (2016) http:// www. gsma. com/ publicpolicy/ wp-
content/ uploads/ 2012/ 03/ GSMA2016_ Guidelines_ Mobile_ Privacy_ Principles. pdf
60 United Nations Guidelines for Consumer Protection (2016) http:// unctad. org/ en/ PublicationsLibrary/ ditccplpmisc2016d1_ en. pdf
61 Mazer, R., Carta, J., Kaffenberger, M., Informed Consent: How do we Make it Work for Mobile Credit Scoring? (2014) http:// www.
cgap. org/ sites/ default/ files/ Working- Paper- Informed- Consent- in- Mobile- Credit- Scoring- Aug- 2014. pdf
92