5 minute read
SCOPE, KEY CONCEPTS AND DEFINITIONS
PILLAR 3: DATA SUBJECT RIGHTS
3.1 Guiding Principle: Establish fundamental rights of data subjects 3.2 Guiding Principle: Specify how rights may be exercised by data subjects
Advertisement
PILLAR 4: CONSUMER AWARENESS AND RECOURSE
4.1 Guiding Principle: Require effective internal complaints handling procedures 4.2 Guiding Principle: Provide for an external dispute resolution scheme for data subjects 4.3 Guiding Principle: Consider need for public awareness programs
PILLAR 5: SUPERVISION AND ENFORCEMENT
5.1 Guiding Principle: Take a risk-based and proportionate approach to supervision 5.2 Guiding Principle: Ensure supervisors have effective mandate, powers, capacity, and resources 5.3 Guiding Principle: Establish clear consultation and coordination framework 5.4 Guiding Principle: Consider DP4DFS issues in regulatory sandbox environments 5.5 Guiding Principle: Ensure credible threat of enforcement
6.1 Guiding Principle: Provide policy guidance on application of DP4DFS in emergencies 6.2 Guiding Principle: Ensure DP4DFS legal framework makes provision for emergencies
A one-page ‘Minimalist Approach to DP4DFS for Financial Sector Regulators’ has also been included in this Guideline Note. This proposal contains suggestions as to the minimal actions that financial sector regulators might take in the interim period before there is a comprehensive data protection law in place.
In summary, the main body of this Guideline Note is organized as follows: > Scope, Key Concepts and Definitions > Emerging Trends in DP4DFS Policy and Regulatory
Frameworks > Guiding Principles for overall DP4DFS Policy and Regulatory Framework > Minimalist Approach to DP4DFS for Financial
Sector Regulators
The Guiding Principles cover ‘data privacy’ issues affecting personal information but not issues specific to ‘data protection’.
These terms are defined as follows for the purposes of this Guideline Note: ‘data privacy’ is considered as the appropriate use and management of personal data having regard to entitlements to privacy and ‘data protection’, as securing data against unauthorized use. These are the definitions used in the AFI Policy Model on Consumer Protection for Digital Financial Services (2020). On this basis, issues such as cyber fraud, security systems and data localization rules are considered to be in the ‘data protection’ realm. Some issues relevant to the ‘grey’ area that overlaps data privacy and data protection have nevertheless been covered (such as identity fraud and misuse).
For completeness it is also noted that the right to privacy is generally considered as ‘the right to be let
alone’, albeit subject to some limitations.1 However, it is considered beyond the scope of this Guideline Note to discuss the nature of the right to ‘privacy’ or whether any right or other entitlement to privacy might exist in any jurisdiction.2
The Guiding Principles are relevant to retail DFS products and related business models common in emerging economies from time to time (now and in
the future). This could include, for example, savings, digital credit, P2P lending, e-money, remittances, micro insurance, crowd funding and investment products, as well as more innovative products and services such as account aggregation and other open banking services.
Other key issues reflected in the Guiding Principles are: > Financial inclusion: The Guiding Principles are framed on the assumption that it should be relevant to consumers in economies with ambitious financial inclusion goals.
1 Sameul D Warren and Louis D. Brandeis. The Right to Privacy. Harvard
Law Review Vol. 4, No. 5 (Dec. 15, 1890), pp. 193-220 2 For a discussion of these issues in the context of India see the important decision of the Supreme Court of India in Justice K.S. Puttaswamy vs.
Union of India (2017) 10 SCC 1 which, in summary, held privacy to be a right protected by the Constitution of India.
> FinTech: The Guiding Principles have been developed with the consideration of FinTech developments that are relevant to DFS, including new and innovative providers, business models, processing systems and applications. The Guiding Principles are also intended to be ‘technology-neutral’, in the sense that they should be relevant regardless of the technology used to design, market, or deliver DFS. > Vulnerable groups: Data privacy issues relevant to vulnerable groups are reflected in the Guiding
Principles. These groups include, for example, women, youth, the elderly, persons with disabilities and displaced persons. > Emergencies and DP4DFS: There are undoubted benefits in the widespread use of DFS to respond to global and national emergencies (such as
COVID-19, the Ebola crisis, the Syria crisis, and natural disasters). However, there are data privacy challenges too. Against this background, a specific
Pillar on DP4DFS in Global and National Emergencies has been included.
Key terms used in this Guideline Note (including the Guiding Principles) are intended to have the meanings in Annex 3. These meanings have been developed having regard to the more commonly used terms and related definitions in regulatory frameworks, research and commentary. For ease of reference, the most significant definitions are set out in Table 1 below. It is, however, stressed that different approaches may be taken for the relevant terms and definitions, and those proposed are not intended to be mandatory.
BOX 1: DEFINITIONS OF ‘PERSONAL DATA’ OR SIMILAR IN DATA PRIVACY PROTECTION LAWS
EU’s General Data Protection Regulation: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’ (section 4).
For other examples of definitions of ‘personal data’ or an equivalent term, see: > Kenya’s Data Protection Act 2019 (section 2), > Malaysia’s Data Protection Act 2010 (section 4), > he Philippines Data Privacy Act 2012 (section 3).
See also India’s draft Personal Data Protection Bill 2019 (section 3[28]), which specifically includes any inference drawn from personal data for the purpose of profiling.
TABLE 1: KEY CONCEPTS AND DEFINITIONS
CONCEPT DEFINITIONS
DATA SUBJECT An individual whose personal data is or may be processed.
PERSONAL DATA Any information or an opinion relating to an identified or identifiable individual, whether true or not, and whether kept in a material form or not, and whether automated or not.
CONTROLLER A natural or legal entity or public authority, which alone or jointly with others determines the purpose or method of processing personal data.
PROCESSOR A natural or legal entity or public authority, which processes personal data on behalf of the controller.
PROCESSING Any operation conducted in relation to personal data, whether manually or automatically, including collection, use, disclosure, storage, recording, erasure or otherwise, and ‘processes’, ‘processed’ and similar words that have a similar meaning, but excluding any processing: > required for the purposes of specified activities (such as a judicial function, enforcement of a claim, national security or a purely domestic or household purpose); or > undertaken for a purpose required or permitted by law
