This is my interim report on my ambassadorship. The introduction to my project on drafting a privacy framework for the implementation of the ILP was posted here.
My project has been progressing, but growing in complexity. I imagine I am not alone in experiencing this phenomenon, given how new the application of the protocol is, but it has been frustrating and discouraging despite lots of research and discussions. I am actually further ahead in terms of the drafting of my final report than expected in my proposed timeline, but somewhat overwhelmed by the difficulties in nailing down an accurate data flow map. Here is my problem.
I am trying to draft a model privacy framework for implementing the ILF protocol and training materials for those unused to thinking about privacy best practices. I have had lots of success discussing the issues with privacy experts, but I have had no luck finding precedent. Not enough current financial payment systems publish information about their dataflows.
Herein lies the heart of the problem: in order to come up with a privacy policy and risk assessment you need an accurate personal data map, showing who collects, uses, and shares personal data, and with whom. You need to understand and verify the purposes for collection, use and disclosure, and figure out the risk inherent in sharing with other parties. Particularly in jurisdictions governed by the GDPR, you need to know who is the data controller and who are the data processors. I have yet to find a clear exposition of how this works in international payment flows, which is rather astonishing when you think about it.
I am hoping to demonstrate how this would work with three hypothetical use cases:
• A transborder funds transfer from a temporary foreign worker back home to family
• A purchase of a good or service or bill payment
• A micropayment
Because of the lack of transparency about existing payment systems, I am having difficulty mapping this. First, to appreciate how much better an ILP solution is, we need to have facts about how bad current payments systems are. Those facts are hard to establish and cite reliably. Secondly, absent a clear explanation of how ILP applications work and who the data processing actors are, I am not well able to get an opinion from a regulator about whether my framework actually represents best practice. We are not giving legal advice here, but we are trying to propose sound privacy and human rights practices, and curb unnecessary data trafficking. I have not been able to find any information about Court cases where the protection has been deemed inadequate, but I am still working on that.
Nevertheless, I have detoured past this roadblock and continued working on the framework and the analysis of acceptable purposes, uses, and sharing. It is much more theoretical than I had hoped, at this point. All examples and experiences welcome; if anyone would care to share how they achieved compliance with, for instance, the GDPR, I would love to speak with you. I have developed a questionnaire for implementers, to prompt their thinking on compliance. I am starting to develop my powerpoint training materials, and will be sharing with the community for feedback as to whether they are useful, get the facts straight, and help them think about better human rights compliance.
I reported on my trip to the Computers, privacy and Data Protection conference in Brussels May 22-24 here.
This was one of my key projected activities, during which I discussed my work with a number of privacy experts and scholars.
I will follow up with those individuals once the materials are final. I have also committed to compiling a list of individuals and organizations who might be interested in the final framework. I have compiled a list of contacts in the privacy field who might be interested in the protocol and how an application of it might optimally achieve privacy compliance; I have not completed that work and will be adding to it during September as the academic calendar permits.
There is interest in what we are doing, but unfortunately I had no luck in turning up reference documents. The Berlin group, a committee of mostly data protection agencies who are interested in working on common positions on technology, has released their paper on Digital central bank currencies. You can read it here.
This provides valuable insights into their thinking on new digital payments, but I hope they will move on to examine digital payments specifically.
The next phase of my project will be to reach out to organizations that work with or represent the elderly and temporary foreign workers. Both groups are vulnerable as they interface with modern payment systems, and both may need information about how to protect their privacy and what they should reasonably expect in terms of personal information collection and disclosure. I plan to have this done in August as projected and report on my findings in the final report.
I requested a no-fee extension in April because I caught a terrible cold that slowed me down, so my report is currently due by the end of October.
With respect to the impact of my project, I think everyone stands to benefit from improved privacy in banking, and everyone stands to benefit from increased awareness of what is actually happening now. My projected focus was on the elderly and on temporary foreign workers, two groups who send a lot of money to their families and who are frequently vulnerable and insufficiently aware of technology risks. I cannot promise to deliver a full, accurate picture of where data is currently going, who is sharing, how it is affecting the risk analysis of individuals, etc., but I am optimistic I will be able to interest people in taking a closer look at what instruments they are using to pay bills and transfer cash. We live in an age of fatalism about privacy, but we need not throw in the towel. We are looking for improvement in awareness and activism here. I have noted the gaps in public information about payment systems as I have worked on this research project, and I will certainly include suggestions for some public awareness papers and reading lists in my final report. It is not actually a bad thing to come up with more questions than answers when embarking on a privacy project like this, so I will be reporting on those questions.
I have not invested time in marketing and will not do so until I have some approved maps and scenarios developed in the final report. I have discussed the issues and problems with several experts, and I asked many questions at the CPDP conference. Most of my outreach at this point has been personal contact through my privacy, civil society and Internet governance networks. I continue to seek any guidance and examples that the technical community can provide to help me finalize the materials. I look forward to sharing the training materials within the community to get some feedback as to their helpfulness during the next two months.
I have committed to printing final reports and mailing them to various experts in the field, in order to promote the acceptance of the framework, and pique interest in the use of the ILF protocol. That work will take place during the next two months, once I finalize my graphics and examples. I also committed to offering training sessions for anyone in the community who is interested in the data protection aspects and requirements when using the protocol and setting up payment systems. Those sessions will be scheduled once the materials are finalized and approved. It is important to remember that innovators must seek their own legal advice when setting up systems, but hopefully the framework will prompt them to put the focus on privacy and human rights, and guide the legal team they hire to focus on best practice, not data maximization.
I am a complete newcomer to the field of fintech, and I find it bewildering! I am truly grateful to this community for helping me to understand how the various players and pieces fit together! If you need help with privacy or know your customer rules, please reach out to me, I would be happy to discuss and am very interested in what you think is needed in terms of educational materials. If you can help me iron out the data maps for how the data flows from the customers through to all the parts of the payment paths, bless you! Please contact me, I can even switch or add to my use cases at this point, the more the merrier as long as I can get facts about who actually controls the customer interface and data collection.
Stephanie Perrin
info@digitaldiscretion.ca
Top comments (1)
This was a great read @how5 thank you for posting this