The terms and conditions of use for Google or Facebook share a lot in common with a financial Product Disclosure Statement. Nobody reads them. Well, hardly anybody does. And those who do, seldom understand what they’re agreeing to.
It’s difficult to go about life without either financial services or data hungry online services. This quasi-mandatory character of both online and financial services pronounces the information asymmetry and weak bargaining position that people are in when it comes to negotiating a fair and balanced agreement.
Clients, customers, and members just click to agree en masse. If they want to proceed, there is no alternative to do otherwise.
Financial institutions are in a particularly important position, having dual responsibilities for managing both money and data, and will benefit from better management of conflicting interests and adopting a higher standard of care in managing other people’s data.
Other people’s data…
Social licence and public trust are outcomes for any industry which is seen to adopt a responsible approach in dealing with their customers. Arguably, these are two outcomes that Australia’s financial services industry is currently lacking.
But if financial institutions hope to regain, and then maintain, social licence and public trust in the years ahead, it will require that the best interests of customers are also sought in their handling of other people’s data.
The challenge facing financial institutions – and the financial advisers who recommend their investment products - in managing customer data is about to become increasingly important with the commencement of the Consumer Data Right and Open Banking.
The importance of getting the management of data right has been shown by the Hayne Royal Commission, but the financial services industry can also learn from the lessons around the controversy related to the use (or misuse) of Facebook user data by Cambridge Analytica.
At the nexus of both issues lies the conflict of interest inherent in managing a valuable commodity on behalf of another. The implications of an overreliance on disclosure and contract in regulating the relationship between the institution and individual are all too clear.
Most people simply do not have the time, attention, inclination or sometimes even the understanding to grasp the complex and detailed disclosure in either financial product documents, or the terms and conditions agreed to by clicking when using online services.
Accordingly, we need to consider better ways of regulating the use of people’s data by financial institutions.
It is common for most of us to refer to information which relates to us as ‘my data’. It would probably come as a shock to most of us to hear that we don’t own much of our ‘own’ data.
The challenge remains, that not all of a ‘person’s data’ is property, and therefore can’t be owned at all. This lies at the heart of many of the risks and responsibilities which are likely to become increasingly visible.
If we are to make sense of regulating the use of people’s data, we need to have a clearer picture of what exactly we mean by people’s data.
A sensible starting point for financial institutions is to adopt clearer classification models which extend beyond classification of personal information for privacy law purposes to assist in making it clear which data are property and which are not, and identifying the owner where the data is intellectual property.
This approach will also be effective in highlighting the extent to which meta data are being collected and created, and the importance of ensuring that such meta-data are managed responsibly.
What might aligning the regulation of data used by financial institutions with public expectations look like?
The treatment of meta-data is a good example. Meta-data – which is quite simply data about data which helps institutions catalogue customer activity – is a key component when it comes to regulation and privacy. There are existing legal principles which provide possible mechanisms for regulating the use of non-proprietary, non-personal information meta-data.
Agreement by consent and the formation of a contract between the financial institution and customer sounds good in theory – with parties entering into the contract freely. This is the basis for most authorisation of data use by individuals, and regulation under privacy law.
It is however becoming increasingly clear that this may not be inadequate.
The real issue in the Cambridge Analytica scandal was not that the laws were broken; it was that such activities occurred with the consent of individuals.
Even where disclosure and contracts are extremely well drafted in simple, concise, and clear wording – the practical reality is that so many people simply do not fully understand what they are agreeing to.
It’s therefore worth considering alternate approaches to regulating the use of data by financial institutions.
The finance sector has a long history of relying on the archetypical fiduciary relationship of the trust as a means of protecting the vulnerable and regulating the management of property in the best interests of others.
A model which relies on a similar best interests obligation for the management of data is something worth serious consideration.
The fiduciary relationship requires the adherence to principles of loyalty (managing conflicts of interest) and prudence (adopting an appropriate standard of care).
On face value, such a relationship has appeal as a means of regulating the use of other people’s data by financial institutions.
However, a fiduciary duty in general law is problematic (or impossible), particularly where property rights don’t exist. Furthermore, the fiduciary relationship can be fashioned by the express trust between the parties, making it possible for the same problems which arise in contract and negligence.
The flexible nature of private law (or self-regulation) leaves us with statutory reform as being the only realistic alternative if financial institutions are to maintain trust in the long-term management of other people’s data.
While unconventional, legislating an irrevocable right to benefit from the use of a customer’s ‘own data’ where it records our behaviour and activities should be considered. Such an approach would enshrine in legislation that where data were held by an institution, it would have to be managed in the best interests of the individual.
It may provide an innovative approach to ensuring that institutions have the legal certainty required to own and manage their derived intellectual property, while ensuring that it is managed for proper purpose and in the best interests of individuals it relates to.
This right could include giving individuals the power to transfer or license the legal right of ownership between financial institutions and themselves. It would also enable a financial value to be placed in data, and could see consumers deriving financial benefits from licensing their own data to third parties.
A cross industry prudential standard issued by APRA on information ownership and use could provide the principles-based mechanism for achieving this.
Future proofing trust
If we hope to avoid a future Royal Commission into the misuse of data by financial institutions, money managers and even financial planners, it is imperative that trust is entrenched in the management of both money and data, and that both are managed in the best interests of individuals.
The public trust and social licence which can come from general regulation of the use of customer and member data is an opportunity which financial institutions should embrace and actively pursue.
Jonathan Steffanoni is principal consultant, legal and risk at QMV.