Note: This blog post was originally published on 23 June 2023 and has been updated to reflect the current state of the regulatory environment.
In this second instalment of our 3-part blog series on IDV privacy and ethics, we will be covering the considerations for data in transit from a privacy and ethical perspective.
International transfers are now tougher
Let’s take a look at the subject of international data transfers. If your IDV provider is transferring your data around the world improperly, then you will be held responsible by your local regulators.
In terms of data transfers, the world is moving away from open borders and there is more mutual distrust. Meta was fined over a billion euros last year for its systematic transfers of EU resident data to the US, even though Meta had considered the law and put in place lots of measures to safeguard the data. The EU regulators and courts simply did not trust the US authorities to respect GDPR norms, meaning there was nothing Meta could do to become compliant with its data transfer.
There are now the EU-US and UK-US data bridges to allow for EU/UK data to be transferred to the US. The US has had to give EU and UK citizens enhanced legal rights in the US for the EU to accept the legality of the transfers. These measures were rushed in after the Meta decision, and will be challenged by privacy groups in Europe. So…watch this space.
Many other countries require that the data exporters ensure the data is protected by measures at least equivalent to the requirements of that country. Examples include Australia, Singapore, and Japan. Some countries forbid the export of certain types of data, e.g. India does not permit the export of financial data.
Data sharing & reciprocal protection
Fraudsters communicate and work together to identify soft links in security and process, and to share ideas on how to defraud financial institutions. Perhaps financial institutions and IDV providers should work together to identify fraudsters and protect each other.
The UK Digital Identity and Attributes Trust Framework (UKDIATF) contains various goals on threat and intelligence sharing, but there is little actually implemented currently. There are member schemes in the UK operated by entities such as CIFAS and Synectics that share details on suspected fraudsters.
Some of the leading IDV providers have a fraud or threat service. They create their own databases of suspected fraud attacks and then scan against it for each new end user. It is possible to use this database across different clients. The IDV provider, though, needs to consider how:
- It can do this compliantly with privacy laws;
- It can do its best to ensure victims of fraud do not end up on the database; and also
- Have a process to ensure victims of fraud understand that they might be in this database and can be manually removed from this database.
Questions to ask your IDV provider:
- In which jurisdiction will the data of my end users be hosted?
- Can we select different jurisdictions for data hosting depending on where the data originated?
- At any point in the IDV process, is any data transferred from the UK or the EU into the US?
- If yes to Q3, what is the lawful mechanism the transfer is made under?
- Has the US importer of the data opted into the EU/US or UK/US Data Bridge?
- Is my end user data used in any fraud signal sharing database? If so, please share your Data Protection Impact assessment so we can understand the legality of this processing.
About the post:
Images are generative AI-created. Prompt: Three little pigs, one sleeping, one running, one working on laptop. Tools: Craiyon (fka DALL-E Mini), ChatGPT.
About the author:
Peter Violaris is Global DPO and Head of Legal EMEA and APAC for IDVerse. Peter is a commercial technology lawyer with a particular focus on biometrics, privacy, and AI learning. Peter has been in the identity space for 6 years and before that worked for London law firms.
