TOWARDS FINANCIAL INCLUSION THROUGH DIGITAL FINANCIAL SERVICES: EXAMINING THE IMPACT OF THE 'NOTICE AND CONSENT' PRIVACY MECHANISM.

• Author: Razon, Arvin Kristopher

As smartphone ownership and Internet penetration in the Philippines are among the highest in the world, the Philippines is well-positioned to leverage on digital financial services as a means of alleviating poverty. However, with the increasingly active implementation of the Philippine Data Privacy Act ('DPA'), such potential may not be realised. The privacy regulator, the National Privacy Commission, has consistently set 'notice and consent' as the dominant mechanism for data processing in the delivery of digital financial services, directly replicating the European General Data Protection ('GDPR') standard.

Such replication not only disrupts the delivery and development of digital financial services in developing countries, but also inherently conflicts with the use of Big Data for innovation. Financial inclusion may be better achieved through a test-and-learn, industry-based approach supervised by the central bank. Further, regulation must be designed in proportion to the consumer risks digital financial services pose.

CONTENTS I. Introduction 52 II. The Development of Privacy Law in the Philippines 54 A. The Internal Tension of Privacy Law in the Philippines 54 B. DPA's Replication of the EU Approach 57 III. The Impact of Replicated GDPR Standards on the Delivery of Digital Financial Services for Financial Inclusion 60 A. The Dilemma of Financial Exclusion 61 B. DPA's Problematic Framing of Consent 63 C. DPA Disrupting Current Business Models 68 D. DPA Stopping Big Data in its Tracks 72 E. DPA's Anticompetitive Effect 75 IV. A Viable Proposition to Privacy Regulation of Financial Services 76 A. Maintaining the Test-and-Learn, Industry-Based Approach to Financial Regulation 77 B. Going Back to Basics by Generating Privacy Awareness 79 C. Reframing Privacy as a Consumer Protection Issue 80 V. Conclusion 81 I. INTRODUCTION

Technological advancements have enabled disadvantaged and low-income segments in developing countries to access basic financial services. (1) Digital payment platforms, e-money, and mobile-enabled solutions are some of the digital financial services that deliver low-cost basic financial services in ways that traditional banks have been unable to. (2) However, with the processing of personal data at the core of these technologies--from assessing credit-worthiness to determining insurance risks--privacy concerns inevitably arise. (3) Whilst increased ownership of mobile devices presents an opportunity to elevate access to digital financial services, (4) the recent implementation of the Philippine Data Privacy Act (DPA), (5) which was influenced by the provisions of the Data Protection Directive and interpreted according to the provisions of the EU General Data Protection Regulation (GDPR), makes an examination of the privacy implications of digital financial services imperative. The task requires a delicate balance of priorities; done right, the delivery of such services can potentially increase the GDP of developing countries by as much as US$3.7 trillion by 2025, and generate as many as 95 million jobs, fostering economic growth and creating millions of jobs in the process. (6)

The Philippines is a prime example of a developing country that can benefit from financial inclusion, which is defined by the World Bank as access to affordable financial products and services, delivered in a sustainable and efficient manner. (7) The Bangko Sentral ng Pilipinas (the Philippine central bank, or 'BSP') reports that a large segment of the Filipino adult population remains excluded from the formal financial system, with only 22.6% having a formal financial account, (8) and an even fewer 11.5% having a bank account--somehow lower than the recorded 14.1% in 2015. (9) Only 18% of Filipino adults have insurance, citing lack of funds, lack of need, and high cost as the major reasons for not having one. (10) Unsurprisingly, those without formal financial accounts or insurance belong to the poorest sectors of society. (11)

Despite these figures, there is room for optimism: The Philippines is at the cusp of digital transformation in financial services. With the potential to expand access to basic financial services and serve as a great tool for financial inclusion, (12) digital financial services can reach millions of poor Filipinos. (13) Two powerful tools that are essential in the delivery of digital financial services are at their disposal: mobile phones and access to the Internet, with 59% of the Filipinos owning a smartphone and Internet penetration of 55.5%, among the highest in the world. (14) Mobile phones supplement the gap in financial services that traditional banks are unable to address, by giving the poor access to innovative and mobile-based payments, savings, credit, and insurance.

Such a possibility, however, may be tempered by the active implementation of the DPA. The National Privacy Commission ('NPC'), the privacy regulator, has consistently adopted the strict European Union ('EU') standards of privacy, specifically the 'notice and consent' system expressed in the GDPR. As various financial technology ('fintech') services offered in the Philippines, from payment and lending to online wealth management and crowdfunding, are well-positioned to lead to financial inclusion, the DPA presents significant roadblocks that may irreversibly impact the delivery. (15) This paper argues that the DPA, particularly its 'notice and consent' regime, security measures, and stiff penalties, has a direct impact on the delivery of digital financial services for financial inclusion. (16) This paper explores the extent by which the DPA's framing of consent disrupts business models, stifles the use of big data, and leads to unfair competition. (17)

Part II briefly discusses the development of privacy law in the Philippines, from consistently drawing from U.S. jurisprudence to an abrupt pivot to the EUbased approach. This provides the context for the critique that follows in Part III: a discussion of how the DPA disrupts the democratized digital financial services as they are delivered, at present, prevents the use of Big Data and imposes barriers to entry. This Part breaks down the effectiveness of the 'notice and consent' system. Instead of asserting a privacy regime that may not be fit for purpose, Part IV closes with a proposal to ensure that digital financial inclusion is achieved, with the supervision of the BSP and with adequate privacy protections that are more appropriate in the context of developing countries. To be clear, this paper does not propose the wholesale disregard of privacy regulation, as there are perfectly valid reasons for requiring them. Rather, this paper suggests a bottom-up approach to privacy that addresses both financial inclusion and privacy regulation.

2. THE DEVELOPMENT OF PRIVACY LAW IN THE PHILIPPINES

   This section provides a brief overview of the development of privacy law in the Philippines from an approach that consistently drew from the U.S. legal system to a sudden pivot towards the EU approach with the passage of the DPA. It then compares the similarities between the DPA and the GDPR. Highlighting this sudden shift is important, considering that early digital financial services in the Philippines, such as Smart Money and GCash, were offered at a time when the strict privacy requirements of the DPA were not yet in effect. If both financial products were invented today, justifying them to the NPC would have been an insurmountable challenge.

   1. The Internal Tension of Privacy Law in the Philippines

      The diverging approaches to privacy law are influenced by a democratic society's collective choice about the roles that the market, citizens, and government play. (18) Liberal, market-based norms define the privacy regime in the U.S. (19), compared to socially-protective, rights-based privacy norms in the EU. (20) The EU model expresses privacy and data protection as rights that may be asserted against illegal data collection practices of firms. (21) The EU frames data privacy as anchored in human rights, imposing on the government the obligation to ensure equal bargaining terms between corporations and individuals; privacy protection thus applies regardless of the purpose of processing. (22)

      Unlike the EU, the U.S. takes a liberal, sector-based approach to privacy. (23) Specifically, U.S. privacy law is couched as a right to personal autonomy, with constitutional protections against state interference, and sector-specific privacy legislation adopted on an ad hoc basis, based on laissez-faire economics. (24) Indeed, the U.S. and EU approaches have been moving further apart from each other, following international decisions by the EU on information privacy and blockage of data transfers to third party nations, culminating with the passage of GDPR. (25)

      Prior to the enactment of the GDPR-like DPA, Philippine privacy law was largely inspired by the U.S. conceptualization of privacy. Section 2 of the Bill of Rights under the Philippine Constitution provides for the right against unreasonable searches and seizures, while Section 3 emphasizes the right to privacy of communication and correspondence--rights that may be invoked against the state. (26)

      Pre-DPA privacy jurisprudence in the Philippines drew heavily from U.S. decisions, starting with the Philippine Supreme Court case of Morfe v. Mutuc, which dealt with the constitutionality of the requirement for public officers to disclose their assets and liabilities, on the grounds that it violates due process. (27) In its ruling, the Philippine Supreme Court quoted U.S. Justice Brandeis, who characterized the right to be let alone as the "most comprehensive of rights and the right most valued by civilized men." (28) This is how the idea of various zones of privacy created from certain fundamental rights was imported to the Philippine legal system. (29) In another Philippine Supreme Court case, Ople v. Torres, the Court recognized...