I. Introduction
The expansion of the Internet and information and communication technology (ICT) development have given rise to deep changes in society by creating a complex regime of interpersonal relationships that are globalising the economy and countries’ financial markets. The degree of influence of this transforming process in various countries has increased the differences between developed and developing countries, giving rise to the so-called “information society”. However, the transcendence achieved by the Internet within social relationships demonstrates that it cannot be considered as simply a communication system.Footnote 1 The Internet is much more than that, as it is the articulating instrument of a society with a self-identity, enabling the synergy between the tangible world and cyberspace.
The scientific advances related to the Internet are leading to the digital evolution of society in the fields of big data, cloud computing, blockchain or the development of artificial intelligence. These areas can be considered to be the technologies that will sustain a new disruptive period of humanity, giving rise to the so-called Fourth Industrial RevolutionFootnote 2 or Digital Revolution.Footnote 3 In spite of the fact that this revolution has only taken the first steps towards its manifestation, we expect a deep transformation of individuals’ behaviours, relationships and conceptions, which will force the different sectors of society to adapt to digital media.Footnote 4
In this sense, financial technology (Fintech) has become a strategic tool for achieving the sustainable development of the economy while at the same time including the various sectors of society. The adequate promotion of Fintech by governments could help with the achievement of international, communitarian and national goals while bearing in mind the social balance inspiring the values of this century.
Therefore, in order to ensure the sustainable development of Fintech in the long term, this paper focuses on analysing Fintech from a legal point of view, specifically from that of RegTech, which consists in the increasing “risk-management mechanisms, internal controls and compliance requirements” imposed by financial regulators.Footnote 5 After providing a view of the Spanish digital plan in the context of the “2030 Agenda” (United Nations; UN) and the strategy “2020 Europe” (European Union; EU), this paper analyses the use of techniques of big data that make use of the indexed information available on the Web to create user profiles. In this sense, it is necessary to understand the operating systems of big data – that is to say, the origin of its fundamental elements, the design of the algorithms employed and the profiles from which the decisions are made (see Figure 1). On the other hand, this paper aims to fill in the gap in the literature on the RegTech problems that restrict the expansion of new technologies, particularly personal data protection. It is important to remember that personal data protection is a fundamental right in the Spanish Constitution that, moreover, has deserved special protection in the legal regime of the EU. In effect, Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation) has established certain provisions that cannot be ignored either by countries or by companies. This is the case of the principle of data minimisation, the prohibition of data processing without the consent of their owners or the right not to be subject to automated processing – in other words, where there is no human intervention. None of these issues are easy to solve, and so they need to undergo a detailed analysis in order to find a balance between technology and law.
Thus, the organisation of this paper is as follows: after this introduction, Section II describes the concept of Fintech, its characteristics and the types of businesses operating in the private sector. Section III discusses how Fintech can be used in the public sector to achieve the so-called “Sustainable Development Goals” (SDGs), especially poverty reduction, by ending world hunger, improving education or promoting sustained, inclusive and sustainable economic growth, full and productive employment and decent work for all, as well as by designing a more transparent government that enables citizens’ participation, with the goal of reaching the prototype of an Open Government. Section IV analyses the legal framework of Fintech (see Appendix, Section VII). The fundamental elements of its development are data, especially personal data collected from all available databases. Then, the algorithms that configure big data and the simplest artificial intelligences are in charge of making predictions based on those data. However, the designers of these applications often forget the legal restrictions and the additional guarantees that must be followed when using personal data. This study can help us to understand the main legal shortcomings of these systems in order to ensure the appropriate incorporation and successful development of Fintech. Finally, Section V summarizes and discusses the legal aspects regarding the consolidation of these technologies and their uses in order to enhance the growth of society.
II. Literature review
Most countries have not considered the effects of the Digital Revolution, and they have implemented these new technologies without analysing the consequences for the various sectors of their respective economies. Thus, they have opted for progressive economic growth while at the same time being respectful of the available resources and inclusive of society. In order to achieve this goal, the UN, in the so-called “2030 Agenda”, has set 17 objectives and 179 goals related to sustainable development, in which new technologies play a transcendental role. In this way, through this Agenda, the participant countries have committed to sharing the responsibility for sustainable world developmentFootnote 6 in the economic, social and environmental fields.
Nevertheless, before the approval of the “2030 Agenda” by the UN, the Council of Europe had already elaborated a report regarding the challenges and opportunities that the EU would face in that year,Footnote 7 reiterating the necessity for reforming the current social and economic model.Footnote 8 In this way, the EU has spent more than two decades regulating and promoting different projects relating to society’s adaptation to new technologies from the perspective of the sustainable and rational use of resources. Additionally, within the framework of its attributed competences, the EU has implemented the strategy “2020 Europe” in which it presents a project of intelligent growth in order to position Europe’s future in “an economy based on knowledge and innovation”.Footnote 9
For this reason, 2020 has become the intermediate time period for the observance of the proposed goals, as well as at the international level. The EU has determined three different ways to achieve such intelligent growth: (1) increasing the research and development budget; (2) promoting the technological education and training of the population in order to become adapted to the labour market and (3) improving the technical conditions upon which the digital society is based, especially those relating to the Internet’s capabilities and ICT’s possibilities. Moreover, in order to reach this last goal, a Digital Agenda was created for EuropeFootnote 10 through which the fulfilment of the purposes of a digitalising society has been split into smaller goals.Footnote 11 Despite this, the actual impulse towards the construction of a digital society took place with the Digital Agenda for Spain in 2013,Footnote 12 which, imitating the European plan, lays the foundations for the model to be followed with regards to ICT.
Regardless, now that the year 2020 is over and the proposed goals have not been satisfied, especially in terms of education and training, competence acquisition and the digital impulse in the economy, the European Commission has set some new goals. On this occasion, efforts have been focused on the following purposes for a five-year period: first, a reversal of the current positions between people and technologies by putting the latter at the former’s service so as to create a real difference in citizens’ daily relationships; second, a fair and competitive economy in which all companies can benefit from the same resources when using the services and products offered by the digital world; and third, the construction of an open, democratic and sustainable society where citizens can keep control of their own data.Footnote 13
According to this, and in accordance with the proposed European objectives, a new Digital Plan has been approved in Spain for 2025Footnote 14 that shows a special interest in the transformation of the business sector, the economy and the financial sector in this country by setting the following rules: first, special attention must be paid to achieving the digitalisation of the economy, for which it is necessary that companies, especially small and medium-sized enterprises (SMEs), implement new technologies in their businesses in order to achieve higher productivity, competitiveness and global profitability. For this reason, there is a need to design a “SMEs digitalization impulse plan” either by introducing a law on start-ups that improves the entrepreneurship conditions in Spain or by modernising public funding to support entrepreneurship.Footnote 15 Second, it is recommended that the beginning of the digital transformation must start from the most productive sectors in our economy. In this way, it is necessary to boost the digital agro-food sector, which is committed to the Fourth Industrial Revolution. And third, it has been suggested that the Spanish economic system should be transformed based on the data economy by boosting artificial intelligence and the creation of an ethical and juridical framework based on the values shared across Spanish society.Footnote 16
III. Fintech: concept, characteristics and business types
“Fintech” is the term used to describe “the financial activities that resort to new technologies in order to improve the efficiency in the financial services”.Footnote 17 The origin of this new market is based on the evolution of electronic finance, and its progress has been supported by big data, social media, cloud computing, blockchain, the application programming interface (API) and the evolution of smartphones.Footnote 18 Companies promoting these improvements in financial services are characterised by developing their activities in a completely online way. This allows them to access a broad clientele and potential consumers without the need to create a physical market.Footnote 19
These technologies are comprised of different agents. On the one hand, we can cite the start-ups or innovative companies in specific sectors, such as asset management and payment or loans services. Start-ups are in charge of finding an unsatisfied need in the market and then creating a new (digital) service that had not been offered before. On the other hand, we can mention the developers of this technology, who are in charge of the final design of the software or specific program that covers that need. These technologies have, as their basic operating systems, several analytical and predictive algorithms that, without being artificial intelligences, share a similar operating structure. In this way, these programs basically operate with data, more specifically mega data provided by big data technologies. Additionally, the use of scoring techniques, based on the use of big data, is very frequent, which makes use of the indexed information available on the Web, even from social media and navigation system cookies. Subsequently, the obtained data are used to create analytical profiles that are stored and safeguarded in cloud computing systems.
Consequently, due to the operating system of these technologies, the regulations on data protection are applicable, as these technologies mainly employ personal data. These regulations have an important role in the Spanish legal framework because data protection is considered as a fundamental right in the Spanish Constitution (Article 18.4). Moreover, data protection has been protected by the Council of Europe’s Convention No. 108 and the protocol additional to the Convention. Within the EU, this right has been included in Article 16 of the Treaty on the Functioning of the European Union and in Article 8 of the Charter of Fundamental Rights of the European Union. In this sense, we will use an analytical methodology and a bibliographic compilation in order to analyse the legal problems that data protection presents. It is important to take into account that Fintech cannot improve our economic system without having previously solved the questions regarding the protection of personal data and the design of algorithms that respect fundamental rights (see Figure 2).
These technologies are mostly addressed to millennials – that is to say, people highly adapted to the technological environment – and also to traditional institutions, such as banks, among which new companies in this sector have been observed to have high innovative capacity and significant competitive advantages. Consumers and financial institutions, through the use of these new technologies, favour the creation of a favourable and inclusive business environment that, with appropriate equipment and qualified staff, could change the concept of finance.Footnote 20 However, it is essential that the government also supports the expansion and consolidation of these technologies through suitable RegTech and juridical regulations.
Therefore, the characteristics defining this new business model are diverse. First, Fintech provides financial products exclusively offered online, and as such there is no physical centre or place to them, since their official sites are in cyberspace. Second, this technology is characterized by a flexible structure and a resilient methodology that easily adapts to market needs. Third, Fintech is focused on meeting consumers’ tastes, which are generally adapted to the use of new technologies (prosumer), but, at the same time, they have star products within their range of services.Footnote 21 Finally, Fintech is a tool that facilitates general financial inclusion and transaction transparency that, together, reduce actual digital service costs.Footnote 22
Fintech is usually classified in relation to the classical business models.Footnote 23 Thus, six main business modalities can be identified: payment methods, wealth management, crowdfunding/crowdlending, lending, capital market and insurance services (see Figure 3).Footnote 24
However, strictly speaking – and following the reports provided by FUNCAS and KPMG – there are twelve business models: financial advice and asset management; personal finance; alternative financing; crowdfunding and crowdlending on assets and tangible goods; transactional services and foreign currency; methods of payment; financial infrastructure; cryptocurrencies and blockchain; insurtech; online customer identification; big data; and neobanks and challenger banks.Footnote 25
Nevertheless, with respect to these categories, it is necessary to point out some general considerations due to the innovative characteristics shown by some of these categories within the legal system. First, neobanks appear to be improved versions of traditional banks that operate without a banking license, do not have a physical network and only conduct transactions through Web or mobile phone apps. On the other hand, challenger banks offer a large range of services – and not necessarily just banking services – as they are usually specialised in new products based on technologies. In a systematised way, these kinds of banks offer specific services to their clients and are specialised in new technologies. They offer competitive rates and are trying to adapt their techniques to the Digital Era. The main problem that these banks face is the lack of trust from their clients.Footnote 26
Second, another innovation is presented in the payment methods. In effect, the possibility of conducting transfers online or through mobile phone apps is becoming more common due to its convenience for users.Footnote 27 Cryptocurrencies, such as bitcoin, represent another possibility in that they do not necessarily involve the participation of a bank as they allow virtual money transfers from one software program to another one. Social media are also boosting the use of Transferwise or AxisBanks, which allow access to these kinds of services. Finally, we must not forget applications such as Apple Pay or Google Wallet, which allow online transfers from one terminal to another one.
Third, with respect to bank loans or digital lending, this activity is allowed without needing any intermediaries. The user only needs to submit the same information required by a conventional bank, but in a telematic way and using automated tasks. The advantage of these apps is that they are able to be compared with other open-access databases – public or private – to check, through the use of algorithms, the capability for debt repayment. In fact, these digital lending platforms connect borrowers with lenders in exchange for a fee, so that borrowers are not exposed to high risks of interest.Footnote 28
Fourth, we must consider crowdfunding and crowdinvesting. Crowdfunding consists in the connection, through a digital platform, of people interested in being helped to cover a certain project’s cost. In other words, crowdfunding connects pioneers with savers or sponsors in order to collaborate in the development of certain ideas. What makes this different from crowdinvesting is in the nature of participating after obtaining potential benefits relating to the involved project. Consequently, in crowdfunding investors usually take part selflessly through donations, whereas in crowdinvesting the underlying idea is that, following a contribution, a percentage of the obtained benefits will be applied to cover the costs by adding the agreed interests if a project proves successful.Footnote 29
Finally, we can cite wealth management, which integrates financial services, portfolio management and financial planning. Traditionally, this process was performed by qualified professionals, but today it is managed by algorithms in a substantially automated way. These technologies use the roboadvisor, whose precedent was the traditional financial advisor, with the difference being that there is no person behind the decision-making; rather, they are fully managed by algorithms and automated processes.Footnote 30
IV. Fintech and public law: getting closer to the SDGs
As previously indicated, Fintech provides a wide variety of financial innovations that have resulted in the revolution of this sector. In Spain, there are more than 400 Fintechs, predominantly being micro-specialised, using an inter-company business model; in other words, they commercialise and offer their services to the financial sector, which, in turn, offers them to its clients as new products.Footnote 31 However, these technologies must be regulated by public law in order to build a more inclusive and transparent society, and especially to achieve the objectives of sustainable development included in Agenda 2030 (see Figure 4).
Fintech cooperates with poverty reduction (Goal 1 of the SDGs: no poverty), as financial inclusion can be considered as a basic element to the eradication of poverty and to increasing economic growth opportunities.Footnote 32 The same could be said for the case of famine reduction when integrating highly technological agriculture thanks to certain advanced applications that allow for the controlling of crops (Goal 2 of the SDGs: zero hunger). Moreover, Fintech could also represent a tool for achieving the promotion of education and training (Goal 4 of the SDGs: quality education) in matters of the economy, as has been pointed out by some apps such as “Pensumo”.Footnote 33 A field that Fintech can particularly influence is the achievement of decent work, the economic growth of a country and the construction of an intelligent industry, supporting the consolidation of new technologies and the development of infrastructure (Goal 8 of the SDGs: decent work and economic growth; and Goal 9 of the SDGs: industry, innovation and infrastructure).
However, there is a use of Fintech within public law that is not being sufficiently exploited: Fintech can be used to build an Open Government. In effect, Goal 16 of the SDGs focuses on achieving peace, justice and strong institutions, whose goals are related to “building effective and transparent institutions at all levels that are accountable”, “ensuring inclusive, participatory and representative decision-making at all levels that responds to needs” and “ensuring public access to information and protecting fundamental freedoms, in accordance with national laws and protecting international agreements”.
This system of governance is not a new concept in the legal framework, especially in the international context. The idea is to open up institutions (in the most metaphorical sense) in order to bring them closer to citizens, so that the connection with them is not lost, by safeguarding the trust and credibility that citizens must place in them. For this reason, transparency, participation and collaboration with the entire society are intended to be considered as basic operating principles. In this way, Open Government would imply a concept that is more advanced than the mere incorporation of new technologies, since it includes certain values that are intrinsic to the working of institutions.
Similarly, Open Government can be defined as the opening of democracy to citizens through three fundamental elements: (1) the transparency of the actions of the executive power; (2) the collaboration of citizens in public activities; and (3) the participation of citizens in the preparation and design of public policies and services. The benefits of this system of government are obvious, as it allows for greater participation and collaboration between the executive power and citizens, giving rise to a kernel of popular control over how a country’s assets are managed and allowing the people to be heard in order to find the best solutions to potential dilemmas.
For this reason, the construction of an Open Government in Spain has focused on the transparent design of institutions, mainly through active advertising in transparency websites and through access to documents via electronic procedures. However, Fintech can become another tool that increases citizens’ control over the decisions of public authorities in the exercising of their duties. Additionally, these technologies provide great advantages for controlling banking assets and movements within the economy, which makes them very efficient tools for preventing tax evasion and fraud in the system. Fintech has a huge transformational capacity that, until now, has not been addressed by various governments. The legal framework of Fintech is insufficient for its development in Europe and in Spain. For this reason, it is necessary to analyse Fintech’s legal regime in order to determine the problems that the legislator will have to face and the possible solutions for promoting Fintech’s consolidation within the legal system.
V. Legal framework of Fintech: an analysis of the problems affecting its development
1. RegTech of Fintech
Having presented the working system of Fintech, it is now important to analyse the legal foundation supporting it. Law plays an important role in promoting sustainable development.Footnote 34 No specific legislation to promote the consolidation of these financial applications has been developed either inside the EU framework or in the Spanish context. However, we must highlight that a parliamentary legislative draft aimed at implementing the digital transformation of the financial system is being constructed.Footnote 35 This law aims to provide the financial authorities with the required instruments needed to carry out their functions in this era of new digital technologies, while at the same time facilitating technological processes to achieve more equitable development.
In order to do this, a significant portion of the regulation is focused on ensuring that innovations applied to the financial system are reliable and benefit society in such a way that they do not affect the level of protection of consumers, the market’s integrity or become used in money laundering or in financing terrorism. On the other hand, the innovations promoted by this legislative draft are not intended to immediately change the Spanish financial system, but they depict a “sandbox” legal framework. Consequently, this draft establishes an appropriate legal regime for a controlled project of financial innovation tests with a technological base in such a way that the authorities do not lose managerial control over what is happening. Despite this, the law itself foresees the exclusion of any type of patrimonial responsibility in the case of consumers damaged by this pilot project.
Consequently, until this regulation is approved and consolidated and its ambit of application is extended beyond this controlled project, the applicable law would be that corresponding to the main activities of these technologies. That is to say, we would have to define whether we are dealing with payment services, bank loans or investments in order to analyse the legal regulation according to the specific rules to be applied in the corresponding sector. However, as anticipated in the previous paragraphs, the fundamental elements of these technologies are personal data, whether private or not. Data have become highly valued assets,Footnote 36 probably representing the most important goods in the current market in comparison with the traditional goods commercialised in the twentieth century.Footnote 37 For this reason, we must take into account the provisions laid out in the legal framework in order to guarantee the protection of these interests, in this case Organic Law 3/2018, 5 December, regarding Personal Data Protection and Digital Rights Assurance; EU Regulation 2016/679, 27 April, referring to the protection of natural persons with respect to private data treatment and data-free circulation, which repealed Directive 95/46/EC; and finally EU Regulation 2018/1807, 14 November, referring to a free framework for non-private data circulation in the EU. In this case, the recommendations and the legal regime to be taken into account must be included in both public and private regulations.
2. The principle of algorithmic transparency and data minimisation
Fintechs are based on algorithms designed from certain guidelines or patterns whose objectives are to achieve logical conclusions in such a way that they are addressed to achieve some specific targets in financial matters. One of the main legal problems of the working system of Fintech is that these algorithms are designed by people whose proposals could be contrary to some legal framework, which would allow for the adoption of decisions that are detrimental to citizens’ rights. For this reason, current doctrine advocates for the necessity of implementing, inside the legal framework, the so-called principle of algorithmic transparency,Footnote 38 which allows for the establishment of the rules that have motivated the adoption of a particular resolution and also the verification that they are not based on subjective criteria promoted by a specific initiative, but instead they represent community values and respect the legal framework.
The principle of algorithmic transparency becomes transcendental to provide legitimacy to the adopted decisions and to protect citizens’ rights. As advised by the European Parliament, some rights might be violated, such as non-discrimination, equal treatment in defence, data protection and subject privacy,Footnote 39 both in the context of individual rights and also by affecting certain specific sectors. An example could be a Fintech application that excludes the granting of a loan to people belonging to a certain ethnic group, race or nationality without any objective data supporting its decision. As a result, and as claimed by current doctrine, the principle of algorithmic transparency must observe the decision’s rationality by naming a responsible agent that is able to verify that the decision is appropriate by determining the particular data to be utilised in decision-making, by certifying the absence of bias and partial criteria in decision-making and by generating trust in users when describing the security system used.Footnote 40
However, the principle of algorithmic transparency is a doctrinal contribution that has not been included in the Spanish legal framework; moreover, there is no consolidated jurisprudence supporting its inclusion inside the legal system. Nevertheless, some specific legal agencies have offered their input on this matter. Thus, at a European level, we can find the judgment issued by the District Court of The Hague (The Netherlands), 5 February 2020, which has become the competent European institution in charge of establishing the criteria to be followed in the regulation of algorithmic transparency. This judgment highlights the need for demonstrating that the working system of this algorithm does not use discriminatory or stigmatised criteria to defend its use. For instance, it is demonstrated that the algorithm only affects people with a low socioeconomic status or districts with immigrant populations,Footnote 41 contrary to the rights enshrined in the various international and communitarian texts. Furthermore, at the Spanish level, we can analyse the Resolution of 21 September 2016, which admits Reclamations 123/2016 and 124/2016 brought by the Commission on the Guarantee of the Right to the Access to Public Information (in Catalonia, Spain). Its transcendence lies in the fact that it is the first resolution admitting the right of a citizen to know the working system of an algorithm that solves a process of competitive concurrence.
In addition, these technologies are based on the use of multiple data, especially those that are indexed to the Web, since their source is big data. However, other data could be included, such as social media activity, publications, the brand and model of mobile phone or the commercial activity conducted in recent months, which is provided by accessing the device’s cookies. This type of work goes against the legal framework of data protection in Europe. The General Data Protection Regulation and the Law on Data Protection and Digital Rights Assurance guarantee and defend the minimisation of data as a basic principle for the working of any systemFootnote 42 and the legitimate purposes of its useFootnote 43 when considering that its treatment suggests interference in people’s private lives.
Hence, derived from European regulation, there is a commitment to minimise the use of data when adopting a solution, which is in opposition to the working systems of these technologies. As previously indicated, these technologies use big data as an information source and do not discriminate between any of the supplied data. In effect, the basis of the working systems of these technologies is that the greater the amount of data on a person, the better the decisions that can be adopted by these algorithms. Moreover, it is necessary to take into account that the collected or requested information may not have a specific aim, but it may aim to acquire additional criteria to enable the construction of a more general profile of the user. For example, the use of the brand or model of a mobile phone is associated with a specific social status that, depending on other indicators such as the place of origin or residence, could indicate whether a person has enough solvency or lives beyond their economic level.
Therefore, we can see that the problems derived from algorithmic transparency, such as the principle of minimisation of data use and the principle of legitimate and specific purpose, are some of the main legal challenges to accelerating Fintech’s implementation.Footnote 44 As such, legislators must resolve this situation (probably by excluding some specific objectives of the law) at the European level in order to guarantee its development within the financial system.
3. The problems of personal data protection and their automated processing
The problems derived from the legal source of these technologies do not finish with the establishment of a transparent and non-discriminatory system that uses only relevant data; indeed, there are other legal conflicts.
First, app designers must respect the general rights consolidated in the regulations of data protection. For example, they must guarantee that the following items could be obtained from the application: a copy of the reported personal data,Footnote 45 the right to a rectification of the data provided to the system,Footnote 46 the right to data blocking,Footnote 47 the right to objection to the creation of profiles that are not specifically allowed,Footnote 48 the right to be forgottenFootnote 49 and the right to erasure.Footnote 50 In this manner, the app’s configuration must be prepared correctly in order to allow these rights to be exercised during the entire period of data processing. As a consequence, technological companies must foresee, from the beginning, a system that ensures the rights guaranteed by legal regulations, in spite of the fact that this could represent a risk for these apps’ operating systems.
Second, special focus must be given to the origin of the analysed data used by Fintechs in their decision-making processes. The most controversial situation arises when data have been gathered from social media or cookies. In effect, the designers of these platforms employ all of the online information available in the understanding that, in case of such information being in the public domain, they do not need explicit consent issued by its owner. Courts have already ruled that this behaviour is not illegitimate, but it is contrary to the protection provided by the legal system to personal data. In this way, the Constitutional Court understands that, by the mere fact of being a social media user and providing general treatment consent, these data cannot be used for any purpose.Footnote 51 Thus, the consent that in most cases users give without their complete understanding cannot be used both indefinitely and for an undetermined aim, and more specifically, as indicated by current doctrine, when data are gathered without receiving any service in exchange – that is to say, when the economic value of their data has no counterparty for users.Footnote 52 For this reason, a specific user’s consent must be incorporated into the working system of these technologies to allow for the use of the information collected by social media. Otherwise, the fundamental right of data protection would be violated.
The same applies to the use of the information provided by browser cookies or the used device. Needless to say, a data owner’s consent is indispensable when treating information gathered online. Nevertheless, this virtual consent must be issued in the same terms as in the material world, without any differences. Therefore, the consent must be free, specific, informed and unequivocal when treating data for a particular purpose and endorsed by an affirmative declaration. In this way, the supplier in charge of collecting these data must provide clear and complete information in such a way that the user can understand the consequences of their consent in case of a service provision. Thus, the provided information must include the time period in which cookies would be active on the device, the purpose for gathering this information and the transfer of data to third parties that can be done, provided that they are considered to be private.Footnote 53
On the other hand, in order to obtain accurate procedural resolutions, it is essential that the used data have not been biased by using certain criteria. Hence the importance of employing original macrodata, not data derived from platforms where they have already been transformed. However, the problems are not limited to this information mining, because data storage also generates some controversies. Today, due to the huge amount of data available, conventional computer architecture programs cannot be used, and so companies are opting to share their storage or for disseminated computation over various webservers. The issue here is that, according to where these webservers are located, different legislations and competent jurisdictions could be applied in the matter.Footnote 54 In the EU, this is not a significant problem because all Member States implement the same regulations on personal and non-personal data protection. The dilemma arises when these data come from countries outside the EU where the legal framework may be less strict.
Finally, although sometimes these technologies do not use purely personal data, it is true that their working methodologies lead to the creation of professional profiles through aggregation systems. The elaboration of these profiles, as claimed by current doctrine,Footnote 55 is subject to the legal regime of the General Data Protection Regulation and, consequently, all rights could be applied. However, it is essential to state that if there is no expressed consent, even if data are not strictly personal, the citizen can object to the decisions made by the program, as their consent has legal effects.Footnote 56 In this way, all information stored in a network of communications forms part of users’ private lives and must be protected in accordance with the European Convention on Human Rights. Consequently, this protection is applied to all stored data in the aforementioned computer equipment, regardless of whether or not they are personal data, and this protection is specifically intended to protect users against the risk that hidden IDs or other similar devices could get in the users’ devices without their knowledge.Footnote 57
VI. Conclusion
Fintech has become one of the best partners of sustainable development, but it is necessary to assess its potential contribution to achieving the SDGs. However, at this time, Fintech’s expansion is being held back by a protective legal regime of data protection that affects the entire EU. This is not an issue that is exclusive to Fintech; rather, it is inherent to all technologies that handle data as basic working elements and that use big data to improve and provide services of a higher quality. This is the case for the Internet of Things and artificial intelligence. However, the General Data Protection Regulation must be placed in the context of a European society that aims to build a digital societyFootnote 58 founded on the optimisation and massive use of data.Footnote 59
For this reason, among the measures agreed by the European Data Strategy, we can quote the elaboration of a study regarding the need for adopting legal measures related to matters affecting the relationships between the various economic actors inside a flexible economy of data management. This strategy also opts for an ambitious project regarding European data spaces that includes data exchange architecture, governance mechanisms and a European federation of cloud infrastructure, all from an energetic and reliable point of view, as well as its related services. In economic terms, it has been suggested that this would require a combined investment of between four and six billion euros.Footnote 60
Additionally, the development of European common data spaces for certain strategic economic sectors of the public domain is also expected. This must lead to the possibility of building big data repositories in specific areas that, along with the necessary tools and technical infrastructure, would allow for using and exchanging all types of data. In this regard, the creation of some adequate governance mechanisms responsible for the treatment and management of these data would also be necessary. Based on this experience, the European Cloud of Open Science would be constructed, whose common spaces would be the following: industry, the European Green Deal, mobility, health, financial matters, energy, the agricultural sector, public administrations and qualifications.Footnote 61 These sectors expect a lot from Fintech, as they have an appropriate legal regime at their disposal that allows for the expansion of all of their possibilities.
Therefore, the current tendency is to opt for the construction of a data market in which certain guarantees and citizens’ rights are respected. However, this objective of protecting personal data in particular through a rigid legal treatment will probably disappear in the future, specifically if our goal is economic growth. Policy implications and economic interests will define the system of data protection in the future. In this way, it will not be easy to achieve a balance between the economic interests of companies and citizens’ right to data protection. Therefore, governments must provide a transitional legal regime that, imitating the green economy model,Footnote 62 satisfies both sides. That is why governments have to design an alternative system: either citizens must pay to use digital services but companies have to guarantee the protection of their private data (that is to say, they cannot use them for their own benefit); or companies must pay customers for using their data. It is clear that achieving a sustainable economy depends on public policies. This represents an intriguing line of research: how the framework changes in order to adapt the working processes of these new technologies to our legal systems, either by increasing citizens’ rights or by reducing their guarantees.
VII. Appendix
The main regulatory standard groups of the applicable rules are as follows:
1. International law
- Universal Declaration of Human Rights of 1948
- International Covenant on Civil and Political Rights of 1966
- Convention for the Protection of Human Rights and Fundamental Freedoms, Rome, 1950
- Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981
- Additional Protocol amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 23 May 2001
- United Nations General Assembly Resolution 68/167 on the right to privacy in the digital age
2. EU law
- Charter of Fundamental Rights of the Union, Nice, 2000
- Treaty on the Functioning of the European Union, Lisbon, 2007
- Directive 2009/136/EC of 25 November amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on consumer protection cooperation
- Directive 2009/140/EC of 25 November amending Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services, Directive 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and Directive 2002/20/EC on the authorization of electronic communications networks and services
- Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market and amending Directives 2002/65/EC, 2009/110/EC, 2013/36/EU and Regulation (EU) No 1093/2010 and repealing Directive 2007/64/EC
- Regulation (EU) 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, which aims to ensure consumer security in order to encourage more e-commerce transactions
- Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC
- Regulation (EU) 2018/1725 of 23 October 2018 on the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC
- Regulation (EU) 2018/1807 of 14 November 2018 on a framework for the free flow of non-personal data in the European Union
- Resolution (2017/2772) of 3 October on distributed log and blockchain technologies: fostering trust with disintermediation
- Resolution (2018/C 263/10) of 14 March on the fundamental rights implications of big data: privacy, data protection, non-discrimination, security and law enforcement
- Judgment 5/2014 on anonymization techniques, Strasbourg, 10 April 2014
3. Spanish law
- Constitución española, de 29 de diciembre de 1978
- Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico
- Ley 25/2007, de 18 de octubre, de conservación de datos relativos a las comunicaciones electrónicas y a las redes públicas de comunicaciones
- Ley 9/2014, de 9 de mayo, General de Telecomunicaciones
- Ley 4/2015, de 30 de marzo, de protección de la seguridad ciudadana
- Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas
- Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público
- Ley 3/2018, de 5 de diciembre, de Protección de Datos Personales y de Garantía de los Derechos Digitales
- Ley 6/2020, de 11 de noviembre, reguladora de determinados aspectos de los servicios electrónicos de confianza
- Real Decreto 1494/2007, de 12 de noviembre, por el que se aprueba el Reglamento sobre las condiciones básicas para el acceso de las personas con discapacidad a las tecnologías, productos y servicios relacionados con la sociedad de la información y medios de comunicación social
- Real Decreto 1720/2007, de 21 de diciembre, por el cual se aprueba el Reglamento de desarrollo de la Ley Orgánica 15/1999, de protección de datos de carácter personal
- Real Decreto 899/2009, de 22 de mayo, por el que se aprueba la carta de derechos del usuario de los servicios de comunicaciones electrónicas
- Real Decreto 3/2010, de 8 de enero, por el que se regula el Esquema Nacional de Seguridad en el ámbito de la Administración Electrónica
- Real Decreto 4/2010, de 8 de enero, por el que se regula el Esquema Nacional de Interoperabilidad en el ámbito de la Administración Electrónica
- Real Decreto-ley 19/2018, de 23 de noviembre, de servicios de pago y otras medidas urgentes en materia financiera
Competing interests
The authors declare none.