About the project
Stø AS (formerly BankID BankAxept AS) is owned by Norwegian banks and delivers electronic ID and payment solutions on behalf of the banks. The company’s main products are BankID and the national payment system BankAxept.
Norwegian banks have issued BankID since 2004. The framework conditions for electronic ID are now changing, partly due to rapid technological developments, the EU’s revised eIDAS Regulation and the national eID strategy.
In this sandbox project, Stø, under the guidance of the Data Protection Authority and the Financial Supervisory Authority, has assessed certain legal issues related to a new solution for preventing eID abuse, called BankID Anti-Fraud 2.0. The legal assessments were conducted with the future setup in mind, where Stø will serve as the sole formal and legal issuer of BankID personal and user certificates.
The final report by Stø summarises the assessments made by the company in the project. The assessments are based on the guidance provided by the Data Protection Authority and the Financial Supervisory Authority through their collaboration in the regulatory sandbox.
The need for regulatory amendments was also discussed. The Data Protection Authority used the experience from the project as a basis for providing input to the Ministry of Finance’s consultation on amendments to the Financial Institutions Act. This experience was also used by the Financial Supervisory Authority in its consultation draft.
Summary of findings and discussions in the project
Stø’s legal assessments are summarised below. The assessments may be of relevance to similar organisations. The report provides the context for the assessments, and we therefore recommend reading it in its entirety.
- Confidentiality obligation: In its role as a contract-based third-party provider of ICT services (contractor) to the banks, Stø will not be considered ‘unauthorised’ under the Financial Institutions Act.
- Data controllership: BankID Anti-Fraud 2.0 is a necessary measure under the eIDAS Regulation (eIDAS) given the current threat landscape. Stø, as issuer, acts as data controller for the processing of personal data related to BankID Anti-Fraud 2.0, including the gathering of new data points.
- Basis for processing: Stø uses ‘legal obligation’ as the basis for processing (Article 6(1)(c) of the GDPR), with eIDAS as a supplementary legal basis. For the processing of special categories of personal data, Stø relies on the exception in Article 9(2)(g) of the GDPR, together with eIDAS. A relevant legal basis for the user sites’ disclosure of data points to Stø may be ‘legitimate interests’ (Article 6(1)(f) of the GDPR). Stø does not rule out that information they receive from certain user sites may constitute special categories of personal data. The user sites’ right to disclose such personal data to Stø was therefore discussed in the sandbox. The Data Protection Authority does not exclude an interpretation of Article 9(2)(g) in which the legal basis does not have to apply directly to the data controller.
- New data points: The scope of data point collection in BankID Anti-Fraud 2.0 was discussed in light of the principles of data minimisation, necessity and proportionality. Stø considers that the data use is necessary and proportionate to prevent identity abuse.
The final report has been prepared by the sandbox participant – Stø AS. The legal assessments in the report have been made by the company, under the guidance of the Data Protection Authority and the Financial Supervisory Authority.
The final report is only available in Norwegian.