Paying by smartphone, supporting a project via crowdfunding, and automated financial investment by so-called robo-advisors are now part of everyday life for many people. Financial services, which are used exclusively through Internet technologies, are becoming increasingly competitive with the traditional financial industry. However, the booming and diversified fintech industry has very different regulatory and data-protection standards compared to traditional financial service providers. For users of these services, it is often unclear what exactly happens to their personal data. Economist Professor Lars Hornuf from the University of Bremen, together with Professor Gregor Dorfleitner from Universität Regensburg, has recently published a study on how fintech companies have been processing user data since the General Data Protection Regulation (GDPR) came into force. This was commissioned by the ABIDA (Assessing Big Data) project and funded by the Federal Ministry of Education and Research.
User Data Is Less Well Protected in Many Cases
With this report, the economists follow on from their study on digital financial actors, which was conducted in the spring of 2018. For this purpose, they collected the current version of the respective data protection statements from all 505 fintechs examined in 2017 and examined them for changes in content. The results show that since the introduction of the GDPR data protection regulations have deteriorated for users of fintech products and services in many cases.
One Hour to Read the Data Protection Statement
The researchers were able to identify two general trends in the adjustments made: firstly, the data protection statements are now more than twice as large and secondly they now consist much more frequently of standardized text modules. The latter means that in many areas it is much less often stated definitively which personal data is processed and which is passed on to third parties. Users must find information about the processing of their data on the websites of the respective third parties themselves. “In extreme cases, it took users over an hour to read the data protection statement in full,” explains Professor Lars Hornuf. From the scientist’s point of view, a further finding is also just as critical: as in 2017, the collection of personal data must be accepted without alternative by consumers by giving their consent. In addition, fewer fintechs than before indicate how long data is actually stored and only refer to the legal retention periods.
Researcher Calls For More Consistent Implementation of Data Protection Measures
Lars Hornuf explains: “The hope that the GDPR will provide more transparency has not been confirmed among the fintechs that were examined. On the one hand, fintechs are often asked to provide their users with comprehensive information, but, on the other hand, they should also only do so in a brief and concise way. It may be that only professional financial actors are able to enforce the rights of many small market players, for whom the costs of law enforcement are usually too high. Consumer protection associations in particular are obliged to do this, and they must also be given sufficient human and financial resources.”
ABIDA Project: Focus on Big Data
The ABIDA project is an interdisciplinary research project on the social aspects of big data. It analyzes the social opportunities and risks of processing large amounts of data and develops courses of action for politics, business, and research.
Professor Lars Hornuf
Faculty of Business Studies & Economics
University of Bremen
Tel.: +49 421 218-66820
E-mail: hornufprotect me ?!uni-bremenprotect me ?!.de