Examining the Privacy Policies of Czech Financial Companies and Its Implications for Personal Data
- Molly Bombard
- May 2
Introduction
5.16 billion people have access to the internet across the globe. While the world’s population is more interconnected than ever before, our Digital Age has decreased one’s reasonable expectation of online privacy. Targeted ads, personalized analytics, and data collection devices such as mobile phones and GPS-tracking technology have become the standard. Thus, if individuals want access to these devices, they must consent to the technology’s privacy policies. Yet rarely do users know about the implications of these policies, which often include permissions for the company to sell their personal data. Thus, in terms of data collection, I frequently find myself asking to what ends—and whose?
During my internship at CEE Bankwatch in Prague, I was tasked with monitoring publicly funded projects from the European Investment Bank and the World Bank. Throughout my time at Bankwatch, I learned something important: large financial organizations have the propensity to operate as secretly as possible. Intuitively, this makes sense, as publicly explaining decisions would reveal their operations and strategies, a clear disadvantage when it comes to industry competitors. Yet a lack of transparency is unethical, especially when it impacts the livelihood of customers. As a bioethics and public policy major, I am acutely interested in the intersection between ethics, policy, and technology. Nowhere is this intersection more present than in the field of data ethics and data privacy. Data taken from financial transactions are used to build algorithms that predict human behavior in settings ranging from the military to the health industry, educational institutions, and the halls of government.
At Bankwatch, whenever I inquired about this fact, I was met with the same response: not enough information is available to the public concerning how financial institutions are using customer data in Europe, especially the Czech Republic. My internship coordinator encouraged me to look further into this area, so I set out to answer the questions (1) to what extent do Czech financial institutions collect and sell personal data? and (2) why should we care?
When I first came to the Czech Republic, I was fascinated by the General Data Protection Regulation (GDPR), which regulates how companies can process personal data. In the United States, there is no such comprehensive data protection regulation. Private and public companies alike are able to collect and share data with third parties. For example, in 2018, the at-home DNA testing company 23andMe sold consumer genetic data to the pharmaceutical corporation GlaxoSmithKline for $300 million. Consumers were completely unaware their data was sold to the highest bidder. Although data encompasses every facet of life, including one’s health, social life, education, and career, I believe this issue is especially damaging when it comes to finance.
In the United States, companies are beginning to use “digital credit scoring” as a way to assess a customer’s trustworthiness. One’s social media use, purchasing history, and socioeconomic status are used to create digital profiles by banks. One American Express user found his credit limit lowered by 65% solely due to the fact that “other customers who have used their card at an establishment where [he] recently shopped at have a poor repayment history with American Express.” Thus, due to robust data collection, the person standing behind an individual in line could actively affect his or her financial status.
In the Czech Republic, the GDPR states that financial institutions must obtain consent before sharing personal data with third parties. Yet the reality is more complicated. After researching the privacy policies of the most popular Czech banks, I believe that financial institutions are legally circumventing these regulations due to two factors: (1) the European Union Directive 2016/943 of the European Parliament and of the Council, and (2) the creation of ambiguous and unintelligible privacy policies written by lawyers, for lawyers.
Legal Secrecy: Privacy Policy Contents
The European Union Directive 2016/943 of the European Parliament and of the Council was passed in June 2016, protecting undisclosed know-how and trade secrets against disclosure and acquisition. While this is beneficial for businesses that want to keep their proprietary information out of the hands of competitors, it can also be used to abuse established privacy regulations.
Financial companies in the Czech Republic are thus not required to reveal the specific methodologies they use to extrapolate data, since these are considered a protected “trade secret.” In order to create the algorithms they use for collecting customer data, they must hire software engineers and create individualized systems of analysis. Thus, the details of these methodologies are considered proprietary information. This is not just applicable to the financial industry: algorithms form the architecture of our entire information ecosystem, affecting democratic processes, fundamental rights, and safety. In today’s age, it is extremely difficult for individuals to fully participate in society without a credit card or bank membership. Thus, individuals are forced to accept the privacy policies of financial institutions whether they want to or not. Without transparent knowledge of how one’s data is being collected—and by whom—individuals lose informational autonomy.
Due to this legal secrecy, companies are able to collect certain types of personal data without consent. I will use the Czech Republic’s largest bank, Česká Spořitelna, as a case study. Česká Spořitelna has approximately 4.7 million customers, 10,000 employees, 517 branches, 1,700 ATMs, and 2.8 million cards across the country. In its privacy policy, the bank outlines (albeit ambiguously) the types of data it can and cannot collect without consent. When one takes a closer look at the types of data it can collect without one’s consent, the picture becomes clear. On the surface level, the bank states that “you have the right not to be the subject of a decision based solely on processing including profiling which produces legal effects concerning you or significantly affects you,” offering the customer the option to opt out of automated decision-making and profiling. First, this reveals that Česká Spořitelna is indeed using personal data to make financial decisions for the user, including “health data, contact details, telephone call recordings, information on creditworthiness and trustworthiness, and voice biometrics,” not just his or her financial history. Yet, to opt out of this process, one has to file a formal request, one that “can be prolonged by two months.” As I will discuss later in the paper, this action is not accessible for most users, as it is written in fine print in a multi-thousand-word document.
Moreover, based on the company’s privacy policy, opting out of this process is not enough. Even if one does not consent to personal data collection, the bank can legally process personal data that falls under “legitimate interest.” As outlined in the privacy policy, this includes data the bank collects itself or “publicly available or third-party data namely from social networks as well as other data that you publicize about yourself or are published about you on the internet.” It can legally collect “data about your experience, skills, and lifestyle (preference concerning your leisure time), your user name on social networks, and your IP address.”
Additionally, Česká Spořitelna states that if a customer uses an electronic device to access their payment account online, the bank can legally collect and process without consent “a list of your installed applications, your consents granted to the banking applications you use, or the way you use electronic devices.” Why would a bank need a list of one’s installed applications or a record of how one uses electronic devices? Further, the bank claims it does not need to obtain consent for data collection when it does so for the “fulfillment of a task carried out in the public interest,” without stating what these public interests might be. Under this clause, the bank can justify many instances of data collection that would otherwise be unlawful under the GDPR.
In addition, even if one opts out of the third-party transfer of their data, the bank can legally share information with companies that operate within the Česká Spořitelna Financial Group, including Erste Grantika Advisory, Erste Asset Management GmbH, and REICO investiční společnost České spořitelny, among others. With consent, the bank can “share” (sell!) personal data with marketing and research agencies, stock exchanges and intermediaries of securities trading, mobile network operators, and providers of postal and communication services. It is shocking how much data banks collect on their customers.
Circumventing Consent: Privacy Policy Comprehension
It is widely known that major corporations use privacy policies not as a way to inform the public, but rather to cover their legal bases. A 2019 study conducted by the European Commission set out to survey the habits of 27,000 Europeans vis-à-vis data protection. The results are unsettling: only 30% of citizens understand their digital rights under the GDPR. Worse, only 13% of online users in Europe read privacy policies before accepting them. How is an individual supposed to consent to a privacy policy without being able to understand it or its implications?
It cannot be that only 13% of Europeans care about their online privacy—there is a greater issue at play. The problem becomes clearer when looking at the comprehension level of privacy policies. The majority of privacy policies in Europe are above the comprehension level of the average citizen. To be on track for university admission, 16-year-olds are expected to have a comprehension level of 1050. Yet the majority of privacy policies created by financial and social media companies are above 1300 comprehension points. Companies such as Chase, Bank of America, Uber, the New York Times, Facebook, and even Candy Crush Saga all have privacy policies above 1400 comprehension points, a level of literacy doctors and lawyers are expected to have in their specific fields. Many privacy policies exceed even these standards.
To further illustrate my point, I calculated the average reading time of the Česká Spořitelna privacy policy. The company’s privacy policy is 4,141 words. According to a study published by Ghent University in Belgium, the average non-fiction reading rate is 238 words per minute, indicating that it would take the average Czech reader nearly 20 minutes to read the policy in its entirety. Even if each individual were to spend 20 minutes reading the policy (a feat only attempted by 13% of the population), the document’s reading comprehension level is so high that their efforts would likely be fruitless. Thus, companies must make a good-faith effort to make their policies accessible to all. If knowledge is power, we are currently rendered powerless.
Why Should We Care?
Internet users ought to have a say in the handling of their personal data. Otherwise, their informational autonomy is violated. One cannot have this autonomy without understanding the causal flow of information technology. One of my favorite philosophers, Andrei Marmor, wrote “What Is the Right to Privacy?”, positing that individuals must have the right to choose what information they reveal to others. If this control over the way we choose to present ourselves is lost, our autonomy has been violated.
I have heard many individuals, friends and colleagues alike, say “I have nothing to hide. Why should I care about my personal data and online history?” The answer is simple: your information has value. In fact, this value is so high that data has surpassed oil as the world’s most valuable resource. The global big data market is estimated to be worth $162.6 billion. There are third-party “alternative data” firms that operate solely to collect and sell personal data. Alternative data is data pulled from non-traditional sources that other institutions cannot obtain on their own. For example, data under this category includes satellite imagery, product reviews, social media commentary, and credit card transactions. Major players such as Data-Core, DataSpark, FACTSET, Transparent (note the irony), and Thinknum make millions of dollars obtaining and selling this data to investment firms and financial institutions. Thus, when companies such as Česká Spořitelna and American Express state that they are not collecting personal data to make financial decisions, they might technically be telling the truth: they are buying it from alternative data firms. Worse, they are also selling this data. Companies such as Mastercard and Envestnet have profited over $400 million from selling transaction data to these firms.
When there is such a high profit incentive for companies to collect data, the possibilities for its misuse run rampant. On this matter, I interviewed Dennis Shasha, professor of computer science at the NYU Courant Institute of Mathematical Sciences. When discussing the implications of non-privacy in the Digital Era, he said that “total surveillance in the wrong hands could lead to total control. Any dictatorship whether in China, Hungary, or potentially the U.S. could use that information to remain in power indefinitely.” This concern is extremely relevant given the effects of untethered data collection.
In 2016, Donald Trump hired the data firm Cambridge Analytica to create targeted ads using voter data. This data was pulled from over 87 million Facebook users, originating from a personality quiz that 270,000 people were paid to take. However, the personal data of the Facebook friends of users who took this quiz was also collected, resulting in the nonconsensual data collection of millions of users who had never agreed to the personality test. The harvested personal information included where the users lived, what pages they liked, and their online habits. This information enabled Cambridge Analytica to collect up to 5,000 data points on each individual—a complete psychological profile. The firm then used this information to target voters and persuade them to vote for Trump using ads that play on the individual’s psychology. This technique was also used in the Brexit referendum, as Cambridge Analytica was hired to create the Leave.EU campaign. Thus, the implications of wide-scale data collection are hazardous, as they have the potential to influence democratic campaigns and a person’s individual psychology.
Conclusion
If algorithms are protected as trade secrets under the European Union Directive 2016/943 of the European Parliament and of the Council, then the onus is on companies, not individuals, to safeguard personal data. Under the law, internet users are at a disadvantage, as they have few mechanisms to learn how their data is being used.
In my research, I set out to explore how transparent privacy policies are in the Czech Republic. The answer: not very. Yet this is not just an issue that affects the Czech Republic. Global transparency standards are extremely lacking. Even with regulations such as the GDPR, it is easy for technology to outpace policy, since the rapid pace of innovation is not anticipated by laws. However, hope is not lost. It is possible for companies to give informational power back to users. The BBC, a British public service broadcaster, has a notably comprehensible privacy policy with a comprehension level of under 1000 points. Technology companies and financial institutions alike have the power to prioritize privacy and autonomy over profit. For example, they could halt their incorporation of algorithmic decision-making into their company operations, publish transparent privacy policies, and create regulatory bodies that protect the use of personal data. In the United States, there is precedent for this type of oversight, although specific to cybercrime: the National Cyber Investigative Joint Task Force (NCIJTF), a branch of the Federal Bureau of Investigation (FBI). Thus, companies and governments in Europe and across the globe could create specific bodies that mandate digital transparency.
Although I believe it is not the responsibility of individual users to protect their personal data, there are steps that one can take to protect their privacy. First, do not blindly accept a privacy policy; it is worth reading. Second, in Europe, each time one visits a website, an option to “accept cookies” pops up on the screen. It is important that users reject and decline all cookies, as this is how companies can collect data about Internet users, including one’s location and language preferences, interests, online shopping trends, browsing activity, time spent online, and visited pages. In addition, taking online personality quizzes enables companies to collect personal data; avoid Buzzfeed quizzes or any other type of such testing. I look forward to seeing how the Czech Republic and other countries tackle this growing concern. We are living in the new paradigm of the Digital Age, and our online privacy protection ought to reflect this.
Bibliography
Petrosyan, Ani. "Digital Population Worldwide as of January 2021." Statista, January 2021. Accessed May 2, 2023. https://www.statista.com/statistics/617136/digital-population-worldwide/.
Daviet, Remi, Gideon Nave, and Jerry Wind. 2021. "Genetic Data: Potential Uses and Misuses in Marketing." Journal of Marketing 86, no. 1 (January 2022): 7–26.
Shaylor, Jay. "'GMA' Gets Answers: Some Credit Card Companies Financially Profiling Customers." ABC News. Accessed November 18, 2021.
European Union. Directive 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. 2016 O.J. (L 157) 1–18. Accessed April 27, 2023. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L0943.
Statista. "Assets of Leading Banks in the Czech Republic as of December 2018, by Bank (in Billion Czech Koruna)." Accessed April 27, 2023. https://www.statista.com/statistics/693563/leading-banks-assets-czech-republic/.
Česká spořitelna. "Zásady zpracování osobních údajů." Accessed April 27, 2023. https://www.csas.cz/cs/zasady-zpracovani-osobnich-udaju.
European Commission. "Data Protection Regulation One Year On." June 13, 2019. https://ec.europa.eu/commission/presscorner/detail/en/IP_19_2956.
Navarro, Kevin. "We Read 150 Privacy Policies. They Were an Incomprehensible Disaster." The New York Times, June 12, 2019.
Marmor, Andrei. "What Is the Right to Privacy?" Philosophy & Public Affairs 43, no. 1 (2015): 3–26. doi:10.1111/papa.12040.
"The World's Most Valuable Resource Is No Longer Oil, but Data." The Economist, May 6, 2017. Accessed April 30, 2023. https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data.
Cohan, Peter. "Mastercard, Amex, and Envestnet Profit from $400M Business of Selling Transaction Data." Forbes, July 22, 2018. Accessed April 30, 2023. https://www.forbes.com/sites/petercohan/2018/07/22/mastercard-amex-and-envestnet-profit-from-400m-business-of-selling-transaction-data/.
Shasha, Dennis. Personal interview with Molly Bombard. April 2023.
Price, Rob. "A Guide to Cambridge Analytica, the Trump-Linked Data Firm That Harvested 50 Million Facebook Profiles." Business Insider, March 21, 2018. Accessed April 30, 2023. https://www.businessinsider.com/cambridge-analytica-a-guide-to-the-trump-linked-data-firm-that-harvested-50-million-facebook-profiles-2018-3#where-did-it-come-from-3.
Pernik, Piret, Jesse Wojtkowiak, and Alexander Verschoor-Kirss. National Cyber Security Organisation: United States. Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2016.
Navarrete, Sonia. "Collecting Customer Data in the Post-Cookie World." GetApp. Accessed April 30, 2023. https://www.getapp.co.uk/blog/2175/collecting-customer-data-post-cookie-world.