Promise Not Fulfilled: FinTech, Data Privacy, and the GDPR
Gregor Dorfleitner, University of Regensburg
Lars Hornuf, University of Bremen
Julia Kreppmeier, University of Regensburg
Data have become a critical resource for many business models as a result of digitalization and globalization. Individuals disclose personal information intentionally and unintentionally over the Internet and when using their smartphones. Because of the international location of servers and cloud-computing services, the processing of data often takes place under different jurisdictions and does not stop at national borders. On May 25, 2018, the General Data Protection Regulation (GDPR) became binding in the European Economic Area (EEA) to address the increasing challenges of data security and privacy. The GDPR extends its territorial reach even outside the EEA if European data are involved.
The financial sector and, in particular, the recently emerging Financial Technology (FinTech) industry process a great deal of sensitive data. Payment data, for example, can reveal information about racial or ethnic origin, political opinions, religious beliefs, health, or sex life. The various FinTech business models, which frequently rely on artificial intelligence, big data, and cloud computing, therefore represent an important and relevant industry in which to examine the impact of the GDPR. Companies are not required by law to have a privacy statement; however, they often comply with the requirement to inform their users about the personal data they process (art. 13-15 GDPR) by publishing such statements. Privacy statements therefore serve as research objects for many studies that analyze privacy.
A central goal of the GDPR is that communication to data subjects about the processing of their data occur in a concise, transparent, intelligible, and easily accessible form, using clear and plain language (art. 12 GDPR). In a recent CESifo working paper, we analyze 308 privacy statements published by German FinTech firms before and after the GDPR became binding. We examine readability, standardization, whether company- and industry-specific factors affect the quantity of data processed, and the transparency of the privacy statements. We perform textual analysis on the privacy statements and provide evidence that their readability has worsened since the GDPR became binding. Specifically, the texts have become longer and more time-consuming to read. We also find an increase in the use of standardized text, which reduces the informational content that users can draw from the privacy statements. These findings contradict the primary objectives of the GDPR. Further, we investigate the quantity of data processed, the level of transparency, and the determinants of both. We document a significant increase in the quantity of data processed but find no significant change in the level of transparency.
External investors can contribute knowledge and experience to build a proper and future-oriented company. In our study, the number of external investors positively influences the quantity of data processed and transparency only before the GDPR became binding. Cooperation with a bank does not have any significant impact on FinTech privacy practices. Legal capital, which we interpret as ex-ante founder team dedication, is positively related to the quantity of data processed and is particularly relevant for transparency before the GDPR became binding. These results underline that, before the GDPR became binding, externally induced pressure from investors and the internal engagement of the founders resulted in better privacy practices. However, these effects vanish after the GDPR became binding, as the GDPR made all FinTechs act to ensure data privacy in a similar manner. We also provide evidence that mimicking behavior driven by industry pressure positively influences privacy practices after the GDPR became binding, which indicates that the GDPR gave companies an incentive to adopt the data-processing practices or privacy statements of their direct industry peers.
One might ask whether it is possible for a user to give informed consent (art. 7 GDPR) if they cannot fully comprehend the language, or the content, of privacy statements. Thus, the question arises whether the GDPR has really fulfilled its promises regarding its main provisions and objectives, especially for FinTechs.