Equifax and ODI publish Open Data consent report

Written by Peter Walker
27/11/19

Equifax and the Open Data Institute (ODI) have launched a report looking at the international consent framework for Open Banking.

It combines research into Open Banking and data portability initiatives from across a range of countries, as well as interviews with experts from each region, aiming to identify and compare consent environments from across the globe, as well as outlining the consequences for breaking national or regionally-specific data consent rules.

The report found that consent mechanisms can vary substantially from country to country, for a variety of reasons such as the type of organisation governing consent, the social and legal context, the risks to individuals or different groups of people, or the technical landscape.

Language can also impact how consent is treated, both in terms of different languages being interpreted differently across borders, but even within the same language. Despite this, there are overarching similarities, like the fact that consent must be clear to customers, using language like ‘informed’, ‘explicit’, ‘affirmative’. Most regimes also emphasise that consent must be ‘free’ or ‘voluntary’, and as easy to revoke as it is to give.

The specific rules of how consent operates, such as duration, restrictions, and punishments are far less universal though, according to the research.

Equifax and the ODI observed the time period for consent to range from 90 days in Europe, to one year in Australia and New Zealand, with most countries not defining this crucial aspect at all.

Restrictions tend to be informed by the privacy laws of the different countries, which like consent can be very idiosyncratic across cultures and legal landscapes. The UK and Australia have built whitelists for their Open Banking regimes to control which organisations can participate, while Mexico and New Zealand have been less restrictive in this.

Punishments can range both within and across countries depending on the severity of the infraction.

The report also noted the ‘redirect model’ of obtaining consent is seen worldwide, from Europe to Australia and New Zealand, as well as Nigeria’s Open Banking environment.

As Open Banking is becoming an increasingly multinational movement, and inspiring similar initiatives in other sectors, the report recommended that banks and regulators perform and openly publish further research to make it easier for people and organisations to understand the rules for consent that apply to them.

Patricio Remón, president for Europe at Equifax, said: “With Open Banking becoming a multi-national movement, the importance of research and developing understanding is paramount.

“Each country has its own set of tailored regulations, so it is vital that both consumers and financial institutions are able to understand the consent rules which apply to them and where the special circumstances, definitions and potential pitfalls lie.”

David Beardmore, commercial director at The ODI, added: “Consent is important because it gives people power over how data about them is used, who can access their data, and for what specific purpose - allowing them to confidently opt-in to data sharing environments like Open Banking.

“We now know that consent mechanisms vary substantially from country to country for a variety of reasons, including the social and legal context, the risks to individuals and the technical landscape,” he continued, adding: “Despite this, there are important overarching similarities such as consent being given voluntarily, explicitly, and easily revoked.”