Content uploaded by Nicola Jentzsch
Author content
All content in this area was uploaded by Nicola Jentzsch
Content may be subject to copyright.
THE REGULATION
OF FINANCIAL PRIVACY:
THE UNITED STATES VS EUROPE
NICOLA JENTZSCH
ECRI RESEARCH REPORT NO. 5
JUNE 2003
The European Credit Research Institute (ECRI) is a non-profit international association
established in March 1999 in partnership with the Centre for European Policy Studies (CEPS) in
Brussels. Its principal goal is to promote the study of the retail financial services sector at the EU
level. ECRI’s activities include the creation of a database on consumer credit in the European
Union, research and analysis of developments in retail financial markets and the organisation of
seminars on all issues affecting the industry.
This report was prepared by Nicola Jentzsch, Lecturer and Research Fellow with the John F.
Kennedy Institute at the Freie Universität Berlin (jentzsch@zedat.fu-berlin.de). The views
expressed in this study are attributable only to the author in a personal capacity and not to any
institution with which she is associated.
This study was supported by the Credit Research Center (CRC) of Georgetown University,
Washington, D.C. The author would especially like to thank Prof. Dr. Carl-Ludwig Holtfrerich
(Freie Universität Berlin), Prof. Michael Staten (CRC, Georgetown University), Prof. Dr. Peter
Michael von der Lippe (Universität Gesamthochschule Essen), Dr. Thorsten Thadewald (Freie
Universität Berlin), Amparo San José Riestra (ECRI), Nataliya Mylenko (World Bank) and the
participants at the seminar on Financial Privacy Regimes and Competition in the Credit
Reporting Industry: The US vs. Europe at the World Bank for their comments. The author also
thanks Nadine Brandt and Anne Jacobs for excellent research assistance.
ISBN 92-9079-432-4
© Copyright 2003, European Credit Research Institute
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or
transmitted in any form or by any means – electronic, mechanical, photocopying, recording or
otherwise – without the prior permission of the European Credit Research Institute.
European Credit Research Institute
Place du Congrès 1, B-1000 Brussels
Tel: 32(0)2 229.39.11 Fax: 32(0)2 219.41.51
E-mail: info@ecri.be
Website: http://www.ecri.be
CONTENTS
Executive Summary...................................................................................................i
1. Introduction .......................................................................................................1
2. Financial Privacy Regimes and Their Evaluation ............................................2
2.1 The Evolution of Financial Privacy Regimes in the 1990s................................2
2.1.1 The US Financial Privacy Regimes in the 1990s...................................3
2.1.2 The EU and Member State Financial Privacy Regimes in the 1990s.....5
2.1.2.1 The EU Harmonisation Regime............................................ 5
2.1.2.2 The German Financial Privacy Regime ................................. 7
2.1.2.3 The British Financial Privacy Regime ................................... 8
2.1.2.4 The French Financial Privacy Regime................................... 9
2.2 Current Research on Privacy Evaluation.......................................................11
2.3 Evaluation Instrument...................................................................................12
2.4 Financial Privacy Index (FPI)........................................................................13
2.4.1 Construction of the Financial Privacy Index.......................................13
2.4.2 Results of the Financial Privacy Index ...............................................15
3. Credit Markets and the Costs of Privacy Regulation..................................... 17
3.1 Costs of Data Protection ..............................................................................17
3.2 Credit Markets and Information-sharing .......................................................19
3.3 Data Protection and Consumer Credit Markets.............................................22
3.3.1 Hypotheses .......................................................................................22
3.3.2 Pearson’s Correlations for Individual Countries.................................26
3.3.3 Pearson’s Correlations and Cross-Country Evidence .........................27
3.3.4 Partial Correlation Coefficients: Cross-Country Evidence..................28
4. Competition and Market Structure in Credit Reporting Industries ............. 30
4.1 Competition in Information Markets.............................................................30
4.2 Competition in the US Credit Reporting Industry..........................................33
4.3 Competition in the European Credit Reporting Industry................................37
4.3.1 Germany...........................................................................................39
4.3.2 Great Britain.....................................................................................40
4.3.3 France...............................................................................................41
4.4 International Cooperation.............................................................................44
5. Conclusions ...................................................................................................... 46
References ............................................................................................................... 48
Annex ...................................................................................................................... 57
List of Tables
1. Financial privacy regimes in four selected countries 3
2. Regulation of the French FICP 10
3. Absolute numbers of regulations in four selected countries 13
4. Cobb-Douglas Financial Privacy Index 15
5. Average costs related to access and disclosure 18
6. Surveys of the economic activities of credit bureaus 20
7. Cross-country partial correlation coefficients 29
8. US market leaders in credit information provision 37
9. Concentration by the largest credit reporting agencies (receipts) 37
10. Coverage rates of private credit bureaus 38
11. Coverage rates of public credit registers (Germany and France) 39
A1. Evaluation instrument 57
A2. Pearson correlation coefficients: The US 60
A3. Pearson correlation coefficients: Germany 61
A4. Pearson correlation coefficients: The UK 62
A5. Pearson correlation coefficients: France 63
A6. Cross-country evidence 64
List of Figures
1. Cobb-Douglas financial privacy indices (1990-2001) 16
2. Information allocation in four selected countries (1990-2001) 24
3. Estimated credit risk in four selected countries (1990-2001) 25
List of Boxes
1. Overview of variables used in the study 23
i
THE REGULATION OF FINANCIAL PRIVACY:
THE UNITED STATES VS EUROPE
ECRI RESEARCH REPORT NO. 5
NICOLA JENTZSCH
EXECUTIVE SUMMARY
he consumer credit market depends on the exchange of personal information
among market participants. Credit bureaus are the primary repositories of this
information, and in recent years they have gathered a vast amount of data on
creditworthiness of individuals. Currently Europe as well as the United States are
planning large-scale overhauls of their regimes of information sharing in consumer credit
markets. In Europe, a new proposal for a directive on consumer credit is discussed,
whereas in the US, key provisions of the Fair Credit Reporting Act are expiring by the
end of 2003.
Until recently, however, there has been little independent research on the far-reaching
implications of privacy regulations in consumer credit markets. There has also been little
quantitative analysis of the effects of differing regulatory environments on both credit
reporting agencies and the efficiency of the consumer credit market. The present study
fills that gap by analysing the economic effects associated with different financial privacy
regimes. The US are contrasted with the European Union (with Germany, Great Britain
and France as reference countries) to analyse the differences in the privacy regimes and
their effects on consumer credit markets. There are less privacy regulations in the US
and credit bureaus compete on a nationwide scale. In the EU, on the other hand, data
protection and credit reporting schemes differ from one country to another. Americans
enjoy broad access to credit, but this is correlated with greater indebtedness, whereas in
the EU, credit markets are thinner and households are in general less indebted.
One of the major research questions is whether more stringent data protection
regulations inhibit the distribution of credit reports in consumer credit markets. This, in
turn, could result in reduced access to credit, less integrated markets and increasing
consumer credit risk (measured by the household debt-service burden). With the
Financial Privacy Index (FPI) developed in this study, it is possible to quantify data
protection regimes. The indices show that the US grants less data protection than the
reviewed EU members. Using this index, it is possible to identify the effects of data
protection on information distribution, access to credit, consumer indebtedness and
consumer credit risk.
The international comparison shows that countries with higher data protection exhibit
lower information allocation. However, growing data protection in individual countries is
correlated with increased information allocation. It is shown that the more credit reports
are sold the higher is the access to credit. This is associated with greater consumer
indebtedness and higher consumer credit risk. Among other factors, the latter is due to
T
ii
the fact that access is broadened and marginally less creditworthy households are
entering the market.
The policy implications are the following. To increase access to credit and to expand the
integration of the consumer credit markets in the EU, cross-border dissemination of
credit reports should be facilitated by a standardisation of European credit reporting
systems. The proposal for a new directive on consumer credit provides a chance for such
harmonisation. At the same time, however, this exchange has to be transparent to
consumers – this is of the utmost importance for the trust in consumer credit markets.
Moreover, the European Commission should ensure that the current Data Protection
Directive is equally and quickly transposed in the member countries. A new directive
directed specifically to the exchange of credit information would only increase regulatory
uncertainty and introduce another round of extended and unequal transposition efforts by
member countries. In addition, the European Commission should develop a transparent
evaluation mechanism for reviewing the transposition and operation of the current Data
Protection Directive.
In the US, where the Fair Credit Reporting Act is currently discussed, policy-makers
should ensure that the national standards in credit reporting are kept in place. To some
extend, the US faces the same problems as Europe. If states are allowed to design their
own regulations for information sharing regimes, these regimes will almost certainly
differ and therefore reduce scale and scope effects in the credit reporting industry. Credit
reporting markets are based upon networks and these networks exhibit peculiarities that
should be taken into consideration before applying regulations. The present study also
describes the competition in such markets.
A unified system of credit reporting in Europe is likely to result in broader access to
consumer credit. And cross-border credit, which is still in its infancy in Europe, may also
increase. However, with the broader access seems to come increasing consumer credit
risk, as the analysis of the present study suggests. Intensified competition in consumer
credit markets is certainly increasing the quality of services and decreasing prices in the
long run, but currently Europe does not seem to have adequate instruments in place to
monitor the development of the market. Therefore, the EU also needs common
definitions and procedures of bankruptcy and over-indebtedness of households to
effectively monitor these developments.
1
THE REGULATION OF FINANCIAL PRIVACY:
THE UNITED STATES VS EUROPE
ECRI RESEARCH REPORT NO. 5
NICOLA JENTZSCH
1. Introduction
Credit markets have changed remarkably in the 1990s due to increasing liberalisation and
the widespread adoption of information technology. The intermediating mechanisms of
information-sharing in these markets, however, have largely developed without major
discussion in the public realm. In recent years the information allocation mediated via
credit bureaus has attracted increasing interest and currently the European Union as well
as the United States plan reforms of the regulation of information sharing in their
consumer credit markets. Data protection regulation of this information exchange,
however, and especially its economic implications for consumer credit markets have not
been analysed to date.
The present study is intended to close this gap by analysing the economic effects of
different financial privacy regimes on consumer credit markets. It also provides evidence
about the costs of financial data protection. In this study, the US and the EU (with
Germany, Great Britain and France as reference countries) are contrasted. Broadly, the
US provides less data protection than does the EU. On both sides of the Atlantic,
however, major changes in data protection occurred in the 1990s due to increasing
public pressure for more data protection. Moreover, in the EU the new proposal for a
directive on consumer credit mandates new obligations in this respect and in the US key
provisions of the Fair Credit Reporting Act are currently under review, since they expire
by the end of 2003.
In this study, it is examined whether more stringent privacy regimes portend adverse
effects for the distribution of consumer credit reports in credit markets. This could result
in reduced access to consumer credit and increasing credit risk (measured by the
household debt-service burden), since information on the characteristics of the borrower
is not readily available.
First the differences in data protection regimes in the countries of interest are discussed.
The Financial Privacy Index developed in this study is a quantitative measure that rates
countries according to the protection of personal credit information that is distributed via
credit bureaus. This index is supposed to show the differences in a more detailed way
than the studies that have been conducted in this field so far. Moreover, the approach has
the great strength of showing a dynamic perspective, since the countries are rated for the
whole decade (1990-2001).
The index is then introduced in the statistical tests to analyse adverse effects of increased
data protection on information distribution, access to credit, consumer indebtedness or
consumer credit risk. The picture is completed by a discussion of the competition in
credit reporting industries, which are prone to strong concentration processes. Again,
large differences in the US-EU comparison can be found. Competition in the European
NICOLA JENTZSCH
2
credit reporting industry only recently started to intensify, but credit bureaus still primary
concentrate on their national markets. Their US counterparts, on the other hand,
compete on an international scale and entered the EU markets via mergers and
acquisitions.
It is not the purpose of this study to choose one of the privacy regimes as a benchmark
or as a first-best solution. Instead both positive and negative consequences are examined
since they are associated with each of the different financial privacy regimes.
2. Financial Privacy Regimes and Their Evaluation
Data protection regimes differ widely from country to country – a fact that constitutes
problems not only for international data transfers, but that also led to a dispute between
the US and the EU from 1998 until 2000 over what constitutes adequate protection of
personal information. In what way those countries differ is largely unknown, however,
because this involves an analysis and comparison of laws.
First the data protection regime of the aforementioned countries are described (US,
Germany, Great Britain and France). In addition, the European level is included which
constitutes the harmonisation framework. This descriptive part already hints at the
existing gaps and differences, although a more thorough analysis is given in a later
section.
2.1 The Evolution of Financial Privacy Regimes in the 1990s
Over the last 30 years, one could observe the emergence of international agreements that
include a subgroup of countries or whole regions, depending on the number of signatory
countries. These regimes offer minimum standards of privacy protection on an
international level and sometimes also serve as an example for national legislation. In an
ideal case, a country could choose to adopt the principles of one of the three
international regimes currently in operation: that of the OECD, the EEC or the EU.1
Such regimes vary in the protection they grant to the individual. An important point is
that they are very different in their institutional form; some are simple voluntary
guidelines, while others are binding international contracts. One may state that these
regimes reveal regulatory discrepancies, in the sense that one country may apply very
strict rules, while another may not have any in effect at all. Moreover, if countries have
no data protection laws, nor signed any of the international agreements, this could give
rise to “off-shore data havens”.
The more stringent regimes, on the other hand, are accused of acting as non-tariff trade
barriers to the free flow of information, especially for service industries (Kitchenman and
Teixeira, 1998, p. 104 and p. 106).
1 The 1980 OECD guidelines were intended as a recommendation for a harmonisation of national
regimes. They are based on eight principles: collection limitation, data quality, purpose specification,
usage limitation, security safeguards, openness, individual participation (access) and accountability. We
evaluate only the EEC and the EU regime.
THE REGULATION OF FINANCIAL PRIVACY
3
Table 1 presents an overview of the acts that are important for regulating the collection
and distribution of creditworthiness information. It only includes the federal acts in the
four countries of interest, not the regulatory measures. This simple overview already
shows how often data protection regimes change. The US introduces new regulations on
the federal level with greater frequency than do European countries. This, of course, not
only depends on the efficiency of the legislative institutions, but also on the distribution
of information technologies and the public pressure that arises with large-scale
information collection and processing.
Table 1. Financial privacy regimes in the four selected countries and in the EU
Acts
United States 1970 Fair Credit Reporting Act
1974 Equal Credit Opportunity Act
1992 Fair Credit Reporting Act (as amended)*
1996 Consumer Credit Reporting Reform Act
1999 Fair Credit Reporting Act (as amended)*
1999 Gramm-Leach-Bliley Act
European Union 1981 CEC (Treaty 108/81) Convention for the Protection of Individuals
with regards to Automatic Processing of Personal Data
1995 95/46/EC Directive on the Protection of Individuals with regard to the
Processing of Personal Data and on the Free Movement of such Data
Germany 1977 Federal Data Protection Act
1990 Federal Data Protection Act
1994 Amendment to the Federal Data Protection Act
2001 Amendment to the Federal Data Protection Act
Great Britain 1974 Consumer Credit Act
1984 Data Protection Act
1998 Data Protection Act
France 1978 Act on Data Processing, Data Files and Individual Liberties
1989 Neiertz Act
*The 1992 Act includes earlier amendments. In 1998, the Consumer Reporting Employment
Clarification Act amended the 1992 FCRA.
2.1.1 The US Financial Privacy Regimes in the 1990s
The US is generally characterised as a country that is more market-oriented than other
countries. This induces the observation that the US might change its regulations more
often, but in general, less obligations are posed upon companies. Historically, this might
be attributed to the deeply rooted suspicion with which Americans regard government
interference.
Credit reporting was not regulated at the federal level until 1970, but today this industry
is among the most regulated in the US in the area of data protection. The following
NICOLA JENTZSCH
4
assessment includes laws that establish the regulation of information flows specifically in
credit reporting.2
In the United States, the regulation of consumer credit information is mainly based upon
the Fair Credit Reporting Act (FCRA) of 1970 and its amendments in the 1990s. The
FCRA established permissible purposes of credit information disclosure and formally
codified the information flows as they had already developed in the market. The Act also
introduced dispute settlement mechanisms as well as correction procedures to increase
information quality. Finally, it assigned certain life cycles to derogatory and bankruptcy
information. The already existent information-sharing arrangements were largely left
unaffected by the Act, since a change in information flows could have caused disruptions
in the consumer credit market that depends on such flows. Several other information
transactions were left unregulated also, i.e. information flows among data providers and
credit bureaus and affiliates as well as among non-affiliates that buy and sell credit
reports. This regime was amended after 1995 in a substantive way. Further explanations
of the early regime are provided by Azcuenaga (1991), Federal Trade Commission
(1972), Maurer and Thomas (1997) and Waren (1993).
The regime as described has not been altered in a general way for more than 25 years.
The 1990s, however, brought major reforms that were intended to close the loopholes,
strengthen privacy rights and improve the data quality of credit reporting information.
These acts have primarily been enacted in response to consumer complaints and an
intensifying public debate about privacy erosion in the face of increasing use of
information technologies. For the second part of the 1990s, the following acts were
analysed: Consumer Credit Reporting Reform Act of 1996 (1996 CCRRA), the Fair
Credit Reporting Act of 1999 (1999 FCRA) and the Gramm-Leach-Bliley Act of 1999
(1999 GLBA). 3
The Consumer Credit Reporting Reform Act of 1996 introduced a new information
network requiring a notification system among credit bureaus in the event that
inaccuracies occurred. For the first time, it also introduced duties for information
providers. It mandated an information flow to credit bureaus in order to correct any
inaccuracies as well as a reciprocal flow from the bureaus to the furnishers for the same
reason. The Act also facilitated an increase in the information flows among affiliates of
the same corporate family. Those affiliates are allowed to share information, but only
after they notified the consumer and provided him or her with an opportunity to opt-out.
The Gramm-Leach-Bliley Act (GLBA) of 1999 completed the picture in regulating the
information flows among financial institutions and non-affiliated third parties.
Information may be shared after the provision of a notice and an opt-out opportunity.
While flows among financial institutions and third parties can be interrupted by
consumers (through opt-out), the information network with credit bureaus has been
exempted from this rule – the consumer has to be informed about the sharing
arrangement, but only in the case of an adverse decision based upon the credit report.
2 Some states in the US provide higher data protection in their state laws. For purposes of comparability,
however, we only evaluated the federal acts.
3 Some of these acts have been amended. For instance, the FCRA of 1999 has been amended by the
CCRRA of 1996 and the Consumer Reporting Employment Clarification Act of 1998.
THE REGULATION OF FINANCIAL PRIVACY
5
Reviewed within the US context, these rules may represent a stricter regulation
especially in notification and correction provisions. Compared to Europe, however, the
picture seems to be one of relatively free access to information and market-mediated
information accumulation and distribution. For further explanations, the reader is
referred to Barr and Ellis (1999), Federal Trade Commission (1997, 1999, 2000a, 2000b,
2001, 2002), Fischer and McEneney (1997), Perine (2001) and Swire (1996).
Currently, the FCRA is under review in the US. Certain key provisions of the act expire
by 1 January 2004. This is the case for the national standards provision as passed in
1996, which pre-empts state legislatures from regulating specific aspects of consumer
reporting (for instance, the right to share information with affiliates).
Congress, therefore, must re-authorise the state pre-emption provisions; otherwise,
states could apply their own regulatory approach. In that case, problems could arise
resembling those in Europe in which different regulatory regimes could affect the
competition in the credit reporting industry, which would no longer be subject to a
nationally unified framework. Since the competition in the credit reporting industry is
based upon networks that reveal strong scale and scope effects, regulatory measures
should take such effects into account. As of June 2003, a series of hearings on this issue
were scheduled.4
2.1.2 The EU and Member State Financial Privacy Regimes in the 1990s
2.1.2.1 The EU Harmonisation Regime
Data protection has changed enormously in the EU over the course of the 1990s. This is
largely due to the increasing integration of the European member states, some of which
are still in the process of transposing the Data Protection Directive. Moreover, in 2003, a
proposal for a new directive on consumer credit is discussed that also has some
implications for credit reporting systems (see also Jentzsch 2003a).5
The early data protection regime at the EU level is based on the Council of Europe
Convention that was introduced in 1981.6 It is a regime that was intended to harmonise
minimum requirements in data protection and to strengthen cross-national cooperation
among data protection authorities in Europe.
It does not include specific regulations for industries and therefore one cannot directly
find any specific rules about credit reporting. However, since credit bureaus fall under
these general provisions, the Convention is included to summarise the protection at the
European level before 1995. There are also other general rules at the EU level, such as
Art. 8 of the European Convention on Human Rights (ECHR) and Art. 286 EC of the
Amsterdam Treaty of 1997. These rules are very basic and mainly echo the Convention.
4 Position papers and statements are available on the House Committee on Financial Services website
(http://financialservices.house.gov/hearings.asp?formmode=detail&hearing=213).
5 The full title of the proposed directive is: Directive of the European Parliament and of the Council on
the Harmonisation of the Laws, Regulations and Administrative Provisions of the Member States
concerning Credit for Consumers.
6 The full title is: Council of Europe Convention (Treaty 108/81): Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data (CEC).
NICOLA JENTZSCH
6
It had to be implemented by the contracting parties, which included Germany, Great
Britain and France.
The Convention is the first binding international instrument in the field of data
protection. The signatory countries are required to take necessary steps to legislatively
implement the principles. These principles protect individuals against abuses that may
arise with the increasing use of information technologies and the collection and
processing of personal data. At the same time, the Convention was intended to regulate
the transborder flow of personal data and strengthen cooperation among data protection
officers. There are several rights to information that are granted to the data subject, for
example, the right to know that information is stored, and if necessary, to have it
corrected. By 2002, the Convention entered into force in 27 European states (Council of
Europe, 2002). Further explanations in this case are provided by Council of Europe
(2001a, 2001b, 2002), Madsen (1992), Mellors and Pollitt (1984) and Reidenberg and
Schwartz (1996).
In 1995, the European Data Protection Directive was enacted.7 This is by far the most
important regulation introduced at the EU level concerning data protection and it also is
the most comprehensive one in terms of rights and obligations. Although it is commonly
assumed that the directive is a minimum standard, this is not the case. The regulation is
primarily supposed to harmonise the regimes, not to minimise data protection. The
Directive is a major example of the increasing integration depth in the EU. The Directive
was set out to establish an equivalent level of lawful data processing preconditions, data
subject rights and administrative practises. It has to be noted that the Directive only
regulates activities that fall under the scope of EU law. “It excludes areas within Titles V
and VI of the Treaty on European Union, public safety, defence, state security (…) and
the activities of the state in areas of criminal law.” (Carey and Russell, 2000, p. 5). To
fully understand the European regime it was necessary to include Boehmer (2000) and
Brühann (1998, 2000) as well as various documents of the European Commission (1997,
1998a, 1998c, 1998d, 1998e, 1999, 2000, 2001, 2002) in the analysis.
In 2002, the proposed directive on consumer credit revealed the increased awareness of
the importance of credit reporting. The proposal was initiated to achieve an optimal
harmonisation level for an integrated European consumer credit market, which is still
largely fragmented into national markets (see Jentzsch, 2003a). Another purpose of the
Directive is to increase consumer protection, which is supposed to be achieved by a new
symmetry of information and responsibility of creditor and borrower.
In Arts. 7 and 8, the proposal also has implications for credit reporting. It states that
personal data may only be collected for the purpose of evaluating creditworthiness and
that it should be destroyed immediately after. Art. 8 states that member states shall
ensure the operation of a central negative credit registry and that creditors are obliged to
consult the data base. It is left open for member states, if they want to go beyond such a
negative registry and also establish a positive one. Creditors, however, will be required
7 In the following, we quote the official version of the Directive as published in the Official Journal
(1995). The full title is: 95/46/EC Directive on the Protection of Individuals with Regard to the
Processing of Personal Data and on the Free Movement of such Data (Directive 95/46/EC).
THE REGULATION OF FINANCIAL PRIVACY
7
to consult the data base before granting credit. The discussion over this proposal
intensified in the first half of 2003.
2.1.2.2 The German Financial Privacy Regime
Germany has been the leading country in the field of data protection; the first codified
data protection law in the world was enacted in the state of Hesse in 1970. The law
assigned the enforcement authority to an independent data protection commissioner and
served as example for the federal law. Seven years later, in 1977, the first Federal Data
Protection Act was enacted, which established the federal data protection authority
(Bundesbeauftragter für Datenschutz) and granted specific rights to data subjects, such
as access, rectification, blocking or erasure of data. The laws in the individual states
(Bundesländer) had to be amended after 1983, the year the federal Supreme Court ruled
in the census case that citizens have a right to “informational self-determination.”8 This
section recounts the most important German laws in this area.
In 1990, the German government adopted the Federal Data Protection Act
(Bundesdatenschutzgesetz), which was amended in 1994. For the first half of the 1990s,
the Federal Data Protection Act of 1990 (1990 FDPA) and the Amendment of the
Federal Data Protection Act in 1994 (1994 AFDPA) are analysed.
The history of the German data protection laws has been described by Lutterbeck (1998)
who states that there have been three phases. As stated, the first Federal Data Protection
Act provided a common ground for the individual states. It followed a comprehensive
approach in applying to the private and public entities at the same time. The second
phase began in 1990, when the Data Protection Act had to be amended to bring it in line
with the census case of the German Supreme Court. Finally, the third phase started with
the Data Protection Directive. As secondary legislation and further literature
Bundesbeauftragter für Datenschutz (1998, 1999, 2002), European Commission (1998c,
pp. 30-38), Madsen (1992), Mitrou (1993) and Weber (1986) are included in the
analysis.
The transposition of the EU Directive in Germany followed two steps: the first was
intended to implement the essential adjustments, while the second was to establish a
comprehensive overhaul of the data protection laws (European Commission, 1999, p. 6).
In May 2001, the new Federal Data Protection Act of 2001 went into effect, marking the
first step in the implementation of EU law. In the aftermath of the Act, six German states
adopted new privacy protection laws.9 Due to the harmonisation at EU level, various
amendments had been introduced at the national level in the member states, which is the
case in Germany. The recent modifications of the German data protection regime are
also reviewed. In this respect, especially the Amendment of the Federal Data Protection
Act of 2001 (2001 AFDPA) is important.10
8 This means that it is an individual’s decision whenever and to what extent he or she wants to disclose
personal information.
9 Brandenburg, Baden-Wurttemberg, Bavaria, Hesse, North Rhine-Westphalia and Schleswig-Holstein.
10 The German title is Gesetz zur Änderung des Bundesdatenschutzgesetzes und anderer Gesetze.
NICOLA JENTZSCH
8
In Germany, creditworthiness data can be used and processed only with written consent
of the data subject. It is common business practice of credit-granting institutions to
include a clause in contracts that enables them to transfer positive data to a credit
register. This is necessary, because in the case of creditworthiness information, the
“legitimate interest” of the bank covers only the transfer of negative data. For positive
data, the bank has to obtain the permission of the data subject. Further explanations are
provided by Bundesbeauftragter für Datenschutz (1998, 1999, 2002) and European
Commission (1998c, 1999).
2.1.2.3 The British Financial Privacy Regime
The debate about privacy legislation in Great Britain started in the early 1970s with a
report by the Younger Committee. This committee proposed 10 guidelines that were
intended to provide basic protection of the individual (Carey and Russell, 2000, p. 1).
The committee proposals were not implemented, but in 1974 major legislation was
enacted to regulate the consumer credit business. The Consumer Credit Act defined
consumer credit business broadly and included “ancillary credit businesses,” a category
that encompasses credit referencing (Goode, 1974, p. 43).
The act stated that such business activities require a licence, which is normally granted
for three years and allows the owner to conduct all activities that are described in it. Any
person engaging in any activities for which a licence is required without holding one
commits an offence. This is explained in the sections 39.1 and 147.1 of the Consumer
Credit Act. The Consumer Credit Act established the early regulation of the credit
reporting business. In 1978, the Lindop Committee published a report that dealt
specifically with the question of data protection (instead of general privacy as did the
Younger Committee). In this report it recommended the establishment of a data
protection authority. However, the British authorities did not react until the Council of
Europe Convention followed in 1981. Three years later, the Data Protection Act of 1984
was passed, which transposed the minimum requirements set out in the Convention. The
Act included eight very broad principles that were not enforceable in courts, but by the
Data Protection Registrar and the Data Protection Tribunal (Carey and Russell, 2000, p.
4). As secondary literature, Carey and Russell (2000), European Commission (1998c,
pp. 17-29), France (1995), Madsen (1992), Goode (1974) are included.
In Great Britain, there are mainly three laws that govern financial data protection: the
Consumer Credit Act (1974), the Data Protection Act (1984) and the Data Protection
Act (1998). The latter transposed the EU Data Protection Directive. It brought
significant changes to the already very complex legislation in Great Britain. The Data
Protection Act of 1998 transposes the Directive 95/46/EC by providing new regulations
of the processing of information relating to individuals, including a notice of purpose of
the data collection as well as the types of data that are collected (Data Protection Act of
1998, chap. 29, part II, 7 (1) a, b). This Act is considered to be the new core of privacy
legislation in Great Britain (European Commission, 1999, p. 8).
The Act of 1998 also provides “principles of good practice”, in which data have to be
processed fairly and lawfully and for only limited purposes. In the case of inaccuracies,
the controller of this data can be mandated to rectify, erase or destroy those data (Data
Protection Act of 1998, chap. 29, part II, 14 [1]). This is very much in line with the new
THE REGULATION OF FINANCIAL PRIVACY
9
European Directive. Prior to the Directive, the situation in Great Britain resembled that
of the US in the sense that no prior consent to data processing was required. Therefore
the reform introduced new regulations in the field of individual rights, the legitimacy of
data processing, regulations concerning sensitive data and international data flows.
Great Britain has a very complex system of enforcement and supervision. For the 1974
Consumer Credit Act, the Department of Trade and Industry issues regulations, while
the Office of Fair Trading is obligated to supervise the enforcement. For the Data
Protection Act of 1998, however, the Home Office issues regulations, while the
Information Commissioner is the enforcement authority. Concerning the latter act, the
Home Office, for example, released nearly 20 regulations, which add precision and
clarify regulatory details (Carey and Russell, 2000, p. 7).11 As secondary legislation and
further literature, the Department of Trade and Industry (2000), Home Office (2000) and
Carey and Russell (2000) are included. Secondary legislation on credit reference
agencies in Great Britain includes the “Consumer Credit (Conduct of Business) (Credit
References) Regulations 1977 No. 330” which was amended by the “Consumer Credit
(Credit Reference Agency) Regulations 2000, No. 290” and the “Consumer Credit
(Conduct of Business) (Credit References) (Amendment) Regulations 2000, No. 291”.
The latter was released in March 2000. Other important legislative orders are the ones on
fees (Nos. 187 and 188), as well as on processing of sensitive personal data (No. 417).
2.1.2.4 The French Financial Privacy Regime
France has one of the strictest privacy regimes in Europe, based on the 1978 Act on Data
Processing, Data Files and Individual Liberties. This act created the National
Commission for Data Processing and Liberties,12 an independent agency that performs
advisory and monitoring functions. Companies that process personal information are
expected to register with the CNIL. The agency also has the power to deny the license
for data processing (Litan and Swire, 1998, p. 23).
Regulatory power concerning bankruptcy information, on the other hand, is vested in the
Banking and Financial Regulatory Committee (Comité de la Réglementation Bancaire et
Financière, CRBF), a committee that is chaired by the Minister of Economic Affairs and
Finance and includes the Governor of the Banque de France. This committee releases
general regulations governing the establishment of data bases on credit and repayment
(the system is described below in the section on “competition” in France).
By 2002, France had not implemented the Data Protection Directive. In February 1998,
the administration issued a report that described the changes in the law, but by October
of the same year, the Directive should have already been implemented. In 1999, a
proposal of a modified legislation was sent to the National Parliament. No results
emerged during the next year, which led the European Commission to initiate a case
11 Moreover, the British credit industry has established the agreement “Information-sharing – Principles
of Reciprocity” that regulates the sharing of account information via credit referencing. The agreement
is registered with the Office of Fair Trading. The Standing Committee on Reciprocity (SCOR) oversees
the sharing arrangement. Despite requests, the author was not able to obtain this document.
12 We refer to the National Commission for Data Processing and Liberties in its original French title, the
Commission Nationale de l’Informatique et des Libertés (CNIL).
NICOLA JENTZSCH
10
before the European Court against France and four other countries that had failed to
transpose the Directive. The CNIL published its opinion concerning the draft bill in
September 2000. The National Assembly reviewed the bill, which is intended to
strengthen the CNIL and to preserve the level of protection granted by the 1978 law, and
it voted in support of it. After the first reading of the bill, however, the process came to a
standstill, because of the elections in France. Therefore, only the Act 78-17 of January
1978 on Data Processing, Data Files and Individual Liberties of 1978 (1978 DPDFIL)13
and the Neiertz Act of 1989 (1989 NA) are included.
Rules and secondary legislation in France are included in Table 2 below. Moreover, two
resolutions of the CNIL are of special interest to us: “Déliberation No. 88-83”
(recommendation concerning the administration of information on borrowers as well as
the right to access and duration of storage) and the “Déliberation No. 98-101”
(Modification of the 88-83 resolution concerning the variable of nationality in scoring
systems) by the Commission Nationale de l’Informatique et des Libertés (1988, 1998a,
1998b, 1999a, 1999b, 2000, 2001).
Table 2. Regulation of the French FICP
Year Title of Regulation File
1986 Règlement No. 86-08 du 27 février 1986 relatif à la centralisation des incidents de
paiement CPII
1989 Neiertz Act (Loi du 31 décembre 1989 relative à la prévention et au règlement des
difficultés des particuliers et des familles), integrated in the Code de la
Consommation, Art. L333.4, L333.6
FICP
1990 Règlement No. 90-05 du 11 avril 1990 relatif au fichier national des incidents de
remboursement des crédit aux particuliers FICP
1993 Règlement No. 93-04 du 19 mars 1993
Modified the No. 90-05 regulation FICP
1995 Règlement No. 95-03 du 21 juillet 1995
Modified the No. 86-08 regulation CPII
1996
Règlement No. 96-04 du 24 mai 1996
Amends the No. 90-05 regulation FICP
1998 Loi No. 98-657 du 29 juillet 1998 d’orientation relative à la lutte contre les
exclusions
Modified the Code de la Consommation Art. 333.4 (Neiertz Act)
FICP
2000 Règlement No. 2000-04 du 6 septembre 2000 modifiant le règlement du 11 avril
1990 relatif au fichier national des incidents de remboursement des crédit aux
particuliers
Modified the No. 90-05 regulation
FICP
The French system is a centralised public credit registry; therefore, one also has to
include regulations that belong to the 1989 Neiertz Act and are included in the Consumer
Protection Code (Code de la Consommation). The regulations published by the CRBF
have changed so many times in the 1990s that they are presented in Table 2. For further
13 Original title is Loi No. 78-17 du 6 janvier 1978, relative à l’informatique, aux fichiers et aux libertés.
THE REGULATION OF FINANCIAL PRIVACY
11
publications on this topic, the reader is referred to the Banque de France (1994, 1995,
1998, 2000a, 2000b, 2001a, 2001b) and Banisar (2000), Leclercq (2000) and Madsen
(1992).
To summarise, all the aforementioned acts and regulations were analysed. The results
constitute an in-depth analysis of data protection in the field of credit reporting. For the
sake of brevity, the survey refrains from presenting the evaluation forms with the
individual acts, their sections and the important sentence that constitutes the right or
task. In the next section, we explain how data protection regimes might be evaluated.
2.2 Current Research on Privacy Evaluation
At the European level, the Commission has to evaluate data protection regimes to find
out if a third country that is not a member of the European Union exhibits adequate data
protection. This is a crucial precondition for data exports to the concerned country.
However, research has not proceeded very far and the tools for evaluation are in their
infancy and might be only seen as first approaches. Moreover, none of them provides a
quantitative measure that would make comparisons easier. Without discussing the known
approaches intensively, we briefly summarise them to contrast our own approach with
them. Bennett (1992) states that there are five different models of privacy regulation that
can be applied to data protection regimes: the Voluntary Control Model, the Subject
Control Model, Licensing Model, Registration Model and the Data Commissioner
Model. Each of these so-called models differs in the way data protection is regulated, if
there are any registration or licensing tasks for data controllers or if there exists a data
protection authority.
Pincus and Johns (1997) criticise Bennett’s approach in judging data protection regimes:
Bennett’s Model only shows the privacy choices of a country with respect to who has
the major responsibility for the protection of data, whereas no mechanism for measuring
the degree or quality of privacy protections is afforded by the single choices. Therefore,
the authors propose a technique for measuring the degree of protection afforded by a
country’s privacy protection scheme. The model consists of two parts, first, the so-called
Privacy Protection Index; and second, the Privacy Protection Scale. Three fields are
included by the authors: 1) constructive notice; 2) commission/body/guidelines; and 3)
remedies, variables in these fields (e.g. data types gathered, storage duration, etc.). Each
variable receives a score that is then added to the others to obtain a total.
Reidenberg and Schwartz (1996) conduct a law analysis for comparing the US and
Europe. This “functional analysis” approach identifies regulations that are functionally
similar to European regulations. The “multi-layered nature of US data protection”
(Reidenberg and Schwartz, 1996, p. 19) excludes any approach that is based upon the
search for a law in the US that is equally comprehensive as the EU laws. Therefore, the
authors compare the specific context of data use (telecommunications, finance, direct
marketing and employment) and examine specific treatments of information. The authors
compare basic elements of European data protection with the combined result of legal
obligations and established practices in the US. They include not only constitutional,
statutory and common law, but also corporate practices or internal policies of companies
(Reidenberg and Schwartz, 1996, p. 25). All in all, the analysis of the authors provides a
comparative overview of principles that are established on both sides of the Atlantic. In
NICOLA JENTZSCH
12
seven cases, the authors find a similar regulations, two are undecided and two are not
similar.
As stated, the European Commission has the task to evaluate data protection regimes as
mandated by Art. 25 of the Data Protection Directive. In the same article, it is
established that the appraisal of adequate protection in a third country must take into
account all circumstances that are important for a data transfer. It is a common
misunderstanding that the directive implies equivalency. Moreover, the imprecision of
the Directive’s text allows a range of interpretations of what circumstances are meant.
Several factors are mentioned by the directive itself: the nature of data, objective and
duration of postings, country of origin and destination as well as general and sector rules
in effect. The primary evaluation tool of the European Commission is a document from
1998 (European Commission, 1998b). However, as recognised by a group of researchers
in a study for the European Commission (1998d, p. 4), the list given in the Directive is
not exhaustive and no details are given that elaborate on its provisions.
According to the EU Article 29 Working Party, adequate protection “is typically
achieved through a combination of rights for the data subject and obligations on those
who process data (…)” (European Commission, 1998b, p. 5). The Commission finds
that such rules only protect the individual’s right if they are followed in practice. Against
this background, the Commission not only evaluates the applicable rules (via legal
analysis), but also the system to enforce the rules.
Therefore, one finds a two-sided approach: the rule’s content is taken into account as
well as the means for their effective implementation. This can be described as a flexible
discretionary “country-by-country approach” that is more pragmatic than “juristic and
abstract” (European Commission, 1998d, p. 4).
The Commission looks at principles of content as well as the enforcement of those
principles. Such principles address, for example, the processing only for limited
purposes, the rights of access and correction as well as technical security measures.
In 2003, there were only three countries that had been judged as providing adequate
protection: Hungary, Switzerland and Canada. The US, on the other hand, is a special
case. The establishment of a “safe harbour” agreement is said to create an environment
of adequate protection, whereas as ad hoc solution contractual agreements between
companies are also said to provide adequate protection. Since we do not elaborate on
this, the interested reader is referred to the decision of the European Commission (2000).
2.3 Evaluation Instrument
The herewith presented approach is based upon the dissatisfaction with the
aforementioned works. Although most of them are relatively useful, none of them
provides a simple comparison that is at the same time quantitative and more transparent.
The presented approach differs in two important respects: more aspects are evaluated
(due to the interest in credit reporting only) and federal acts are included, official
decisions and regulatory rules by the appropriate departments or administration offices as
well as informal directives (especially in the case of Germany). Professional rules and
codes of conduct are excluded, since these rules are not established by democratically
legitimised bodies.
THE REGULATION OF FINANCIAL PRIVACY
13
Information flows in consumer credit markets do reveal network character. Networks
interconnect several players: the right of one player may (at the same time) be the task of
the other player. This is the case if the data subject exerts the right of access that is the
task to disclose the information on the side of the credit bureau. Facing these
interdependencies, we admit that a clear categorisation like “catalogue of data subject
rights” and “duties of credit bureaus” is not always possible. This problem is reinforced
by including the information stream from consumer to data-contributing player and to the
credit bureau. For simplification purposes, we developed four major categories:
1. Supervisory authority (SA)
2. Property rights to information (PR)
3. Obligations by credit bureaus (OC)
4. Judicial remedies and enforcement (JR)
Data-contributing players are excluded, since this would include the whole field of
banking acts or insurance legislation, for example (if they are not regulated by a
comprehensive data protection law). The evaluation instrument is presented in Table A1
in the annex.
The privacy regimes are evaluated for every year within the timeframe 1990-2001.
Therefore, our analysis constitutes one of the first dynamic ones in the field of data
protection. Each time new regulations are introduced, the evaluation instrument captures
their effect and the index changes accordingly. The results of the absolute values gained
by the individual countries are presented in Table 3.
Table 3. Absolute numbers of regulations in four selected countries
Country 1990
1991 1992 1993 1994 1995
1996 1997 1998 1999 2000
2001
US 19 19 20 20 20 20 19 23 26 26 28 28
Europe 17 17 17 17 17 17 17 17 33 33 33 33
Germany 34 34 34 34 34 34 34 35 35 36 36 38
Great Britain
26 26 26 26 27 27 27 27 27 35 36 36
France 40 40 40 40 38 38 38 38 38 39 39 39
2.4 Financial Privacy Index (FPI)
With an index constructed for the quantitative regulation evaluation it is possible to rate
countries on a continuum of regulatory regimes. Moreover, an index allows inter-
temporal comparisons and enhances the understanding of regulatory trends. The
following approach uses a systematic sample (not a random one). It is clear that the
results only hold for the reviewed countries. Due to our approach, we are able to
produce a time-series. We briefly explain how the index is constructed and then discuss
the results.
2.4.1 Construction of the Financial Privacy Index
Indices are numbers that summarise economic information and show relative changes. In
our case, insights derived from index theory are applied to measure regulatory trends (for
a discussion of methodology see Jentzsch, 2003b and Jentzsch, forthcoming). There are
NICOLA JENTZSCH
14
several multiplicative indices available; we chose the Cobb-Douglas index that uses
weights independently from its values or value shares.
This index, however, is a “theoretical curiosity” that normally serves the purpose of
explaining that it is a uniqueness theorem that satisfies all five fundamental axioms.14 In
the context of price measurement, the index is of no real value, since it lacks an
economic interpretation of its weights and the whole index (or the denominator) can
become zero, i.e. determinateness is not fulfilled (for further discussion, the reader is
referred to Eichhorn and Voeller, 1983; Selvanathan and Rao, 1994; Jentzsch, 2003b;
Jentzsch, forthcoming; and von der Lippe, 2002). Especially the latter characteristic does
not make sense in price measurement. The index is therefore not widely used in
academia.
In our context of regulation measurement, however, such peculiar characteristics are
appreciated. The multiplicative feature accounts for the strong interdependencies we
observe due to the strong interrelation of the indicators for property rights and judicial
remedies, for example
As most indices, the index is constructed through the addition of indicators based upon
the same range of value (0=non-existent, 1=existent). A simple additive index, however,
behaves in a way that is not appreciated here, because the score of zero in one
component (SA, PR, OC or JR) can be balanced by positive values in other components.
If there is no judicial remedy or punishment for privacy breaches, enforcement is non-
existent. In this theoretical case all other regulations are rendered ad absurdum as they
cannot be enforced; only the multiplicative construction accounts for this. The whole
index becomes 0 as soon as the judicial remedies variable becomes 0 or in the theoretical
case of no regulations (xSA, xPR, xOC = 0). The latter, however, is irrelevant taking the
empirical reality into consideration. We can therefore conclude that the Cobb-Douglas
index accounts for total ineffectiveness of data protection, if there are no judicial
remedies.
While this characteristic can be appreciated, the Cobb-Douglas index does not meet the
factor reversal test. However, when fixed weights are assigned, it fulfils the time reversal
test and the circular test, i.e. transitivity exists (for further discussion, the reader is
referred to Jentzsch, 2003b). Therefore, the index allows consistent comparisons of
adjacent periods when weights are held constant (which is the case in our application).
For constructing the index, a base has to be selected. This, however, influences the
behaviour of the index and – more important – it may produce biased results. If the
benchmark in the base period is too high, it artificially depresses the index and vice versa.
It also has to be avoided to take the number of regulations of one country as a
benchmark. For instance, if the US (1990) had been chosen, this would have been a
relatively low level of protection (hence an overstating of the indices for other countries).
This problem can be avoided by computing an “artificial base” at a hypothetical period t.
It is the maximum score achievable in the categories SA, PR, OC and JR, divided by
14 Five fundamental axioms are monotonicity, price-dimensionality, linear homogeneity, identity and
commensurability. Not all of these characteristics are important for our purposes.
THE REGULATION OF FINANCIAL PRIVACY
15
factor 2. This assures that half of the index (and not the maximum) serves as benchmark.
Moreover, we include the EU as a “country”, but direct comparisons have to be viewed
carefully, since the EU is obviously not a country and provides only the frame of
harmonisation. This explains the low level in the EU until the Data Protection Directive
remarkably increased the integration depth.
In the present case, there are “quantities” of regulatory measures that are used as
weights, the whole index has a “quantity character.”15 This approach can be justified ex
ante under the hypothesis that for practical purposes, approximate weights are sufficient
and in our case they are already implicitly given.
(1) CDI = n
n
i
ααα
∏
=0
n
1
n
0
2
1
2
10
1
1
1
x
x
x
x
x
x21
K with ∑
==> n
iii 1
1,0αα
(2) FPI = 21 1
t
OC
t
PR
t
SA
1t
OC
1t
PR
1
x x x
x xxαα
++ ++ ++++
t
JR
t
JR
t
SA
x
x
Equation (1) presents a general notation of the Cobb-Douglas index (CDI). In equation
(2) the weights are assigned on a quantity basis. The values as derived are 0.8261 for 1
α
and 0.1739 for 2
α; for simplification, we have rounded them to 0.8 and 0.2. The xSA
denotes values achieved in the category “supervisory authority”, xPR denotes those
achieved in “property rights to information”, xOC in “obligations of credit bureaus” and
xJR in “judicial remedies”. Results are given in the Table 4 below.
Table 4. Cobb-Douglas Financial Privacy Index
Country 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001
US 0.78 0.78 0.84 0.84 0.84 0.84 0.78 0.93 1.12 1.12 1.20 1.20
Europe 0.73 0.73 0.73 0.73 0.73 0.73 0.73 0.73 1.42 1.42 1.42 1.42
Germany 1.47 1.47 1.47 1.47 1.47 1.47 1.47 1.50 1.50 1.56 1.56 1.65
Britain 1.05 1.05 1.05 1.05 1.09 1.09 1.09 1.09 1.09 1.51 1.55 1.55
France 1.74 1.74 1.74 1.74 1.64 1.64 1.64 1.64 1.64 1.69 1.69 1.69
2.4.2 Results of the Financial Privacy Index
In the overall comparison, the FPI1 shows that the US in general remains below EU
member states’ levels in the direct country comparison. In the inter-temporal comparison
within the US, the FPIs indicate that laws and federal guidelines became stricter after
1996 due to reforms under the Clinton administration. However, even after the acts were
introduced, the US did not converge with the other countries, but remained below their
levels (see Table 4 above).
The indices are relatively robust for the results of US-EU comparisons. It is important to
emphasise that these results are only valid for the very specific field of credit reporting
15 It is possible to empirically estimate the weights, however, data on such variables like times a right is
exerted by a data subject is not existent.
NICOLA JENTZSCH
16
regulation, one of the strictest regulated fields in the US economy. As expected, we also
observe a convergence among European regimes, the upward trend after 1998 shows
this. EU member countries are generally above the EU level.
What drives the indices in the individual countries? The US showed strong gains in the
category of obligations to credit bureaus (OC) as well as after 1997 in the category that
counts the rights of data subjects (PR). We also observe that there have been more
changes in legislation than in any of the other countries. Germany, on the other hand,
gained in the same categories as the US (OC and PR), and the same was the case for
Great Britain. France already had a very high level of data protection. France displays
more tasks for data controllers. The development and behaviour of the indices are
plotted in Figure 1.
Figure 1. Cobb-Douglas Financial Privacy Indices (1990-2001)
0,00
0,20
0,40
0,60
0,80
1,00
1,20
1,40
1,60
1,80
2,00
1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001
year
FPI
US
Europe
Germany
GB
France
In reviewing these functions, it can be observed that some of the indices (France and the
US) also decrease. This behaviour accounts for the fact that there were rights or tasks
established that later have been repealed. This is for example the case for the 1992
decision of the Federal Trade Commission in the US to oblige credit bureaus to disclose
credit scores, which was revised with the CCRRA of 1996. In France, periods for
storage of certain data categories have been expanded. One may state that the longer the
period, the less the data protection (very strict protection in this sense would not allow
any storage of such data at all). We also observe a major jump in the EU FPI. This is due
to the increased depth of integration and partially also because of interdependencies in
the index.
What are the major qualitative differences between the US and the EU? In the
supervisory bloc in the EU and unlike the practise in the US, it is the authorities’
competence to administer a publicly accessible list of data controllers and the
THE REGULATION OF FINANCIAL PRIVACY
17
competence of authorities to regulate international data flows.16 In the bloc of property
rights to information, we find differences in the opt-out system of the US as compared to
the opt-in system in the EU. Moreover, there are regulations on automated decisions in
the EU that do not exist in the US. In the case of the obligations on credit bureaus, we
find major differences in the absence in the US of any registering or restrictions on
excessive data collection, which apply in the EU, as well as any explicit security
measures.
In summary, there is an international trend showing a weaker regime in the US and a
more stringent one in Europe. This result holds also for the period after 1995. Viewed
from a broader perspective, the indices show differences in the regulation of credit
reporting agencies and gaps in data protection that may eventually divert information
flows in consumer credit markets, because of the relocation of data controllers.
However, one has to be careful in interpreting the index results and especially the
absolute scores of the individual countries. If a country A achieved the number of 30
regulations and country B of 15, one cannot interpret this result as “A has data
protection twice as stringent as B,” which would constitute a qualitative interpretation.
From the approach above one may only derive that “A has twice as much data protection
regulations as B.” In the absence of other variables, we interpret that as a proxy for the
quality of the data protection regimes, that is, whether the evaluated regime is a less
stringent or more stringent one.
In a further step, we estimate the costs that are connected with the different data
protection regimes. This however may only be seen as explorative analysis, since the set
of data collected from a survey of credit bureaus is incomplete. It is very difficult to
receive replies from some of the credit bureaus, which severely inhibits research in this
field. We proceed as follows: first we discuss the costs that are associated with some of
the surveyed regulations. Then we conduct a statistical analysis of the impact of data
protection on consumer credit markets.
3. Credit Markets and the Costs of Privacy Regulation
3.1 Costs of Data Protection
In all of the reviewed countries it is possible for data subjects to demand to see
information that is stored by credit reporting agencies. This right to access as well as
disclosure is a cost factor for the companies. We compiled data from different bureaus in
the US, Germany and Great Britain. The results are averages weighted by the market
share of the agencies. The results are not representative and only hold for the companies
that answered the questionnaire. The figures might nevertheless still be suggestive.
16 This regulation does not necessarily have to be established under a central authority of a data
protection officer. As far as judicial courts or governmental departments are involved, the author granted
a positive value in the evaluation.
NICOLA JENTZSCH
18
Table 5. Average costs related to access and disclosure*
Task of data controller US
( €) Germany
( €) UK
(€)
1995 2001 1995 2001 1995 2001
ACCESS AND CORRECTION
Average total cost of a credit
report directed at the data
subject
0.45
0.26
9.65
10.77
21.24
15.55
Average working time (in
minutes) for preparation of
report
8.65 min.
5.20 min.
11.66 min.
12.39 min.
35 min.
37 min.
Fee charged to subject for
disclosure of consumer report
7.90
8.61
8.28
7.14
15.67
16.38
No. of credit reports
requested by data subjects
(scaled by population)
n/a 4,876,270
(0.01711) 540,950
(0.00662) 715,886
(0.00897)
n/a 730,000
(0.01216)
Average total costs of
correction of a credit profile
7.89
7.30
21.06
25.87
n/a
n/a
Average working time
(minutes) spent on correction
7.22 min.
5.66 min.
30.30 min.
32.65 min.
n/a
n/a
SUPERVISORY AUTHORITY
Time spent on negotiations
with data protection
authorities (hours)
325 hrs.
500 hrs. 100 hrs. 176 hrs. n/a 81 hrs.
Time spent on
data protection issues by data
protection appointee
100,750
hrs./year 125,775
hrs./year 207,550
hrs./year 249,076
hrs./year n/a
n/a
Opportunity costs produced
by data protection appointee
(p.a.)
n/a n/a 6,641,511
8,304,720
n/a n/a
GER/UK: Cost of seminars
and training concerning data
protection (p.a.)
n/a n/a 58,141
74,992
n/a 1,500
* Numbers represent weighted averages (with weights derived from markets shares of credit bureaus), except for
the Great Britain (arithmetic averages). Exchange rates are as of 17 January 2003; numbers are rounded.
The direct comparison in Table 5 shows that US bureaus are cost efficient in terms of the
average costs (including labour costs) of generating a credit report that is directed to the
data subject. For the reviewed companies in the UK, this seems not to be the case: here
the costs are relatively high compared to the US and Germany. This picture also holds
for time efficiency in the case of the preparation of the reports. In Germany and the UK,
the companies generally estimate that the costs of generating a report for the consumer is
above the actual fees they charge. With a more comprehensive survey that is
representative, those results could be verified for the whole population of credit bureaus.
In general, the information distribution in the consumer credit market of the US exceeds
that of the European countries. A sign of the confidence in the system might be given by
the number of consumers that actually demand to see their credit report. When scaled by
population, the numbers show that in Germany the consumer is least likely to demand the
THE REGULATION OF FINANCIAL PRIVACY
19
report. This could be due to the fact that the public is less aware of credit reporting or
that the system functions more smoothly. In UK, on the other hand, consumers seem to
be more concerned and the number is the highest for the US.
The average costs of correcting a profile for the reviewed companies also differs at least
for Germany and the US. Again, we view lower costs in the US and lower working time
spent on correction of a profile. The differences might be due to scale economies in the
US, but also due to public pressure and a more efficient use of information technologies.
The picture reverses itself when one compares the annual hours spent to negotiate with
data protection authorities on the national as well as state level. It seems that there is
more time involved in the US than in Germany, which could be due to negotiations but
also due to the fact that there is more lobbying in general conducted in the US. However,
when the time is estimated that is attributed to data protection in general, Germany takes
the lead. The mandatory data protection officer in information-intensive companies in
Germany is a major cost factor.
In general it could be assumed that more stringent data protection regimes that pose
more obligations upon credit reporting agencies help to increase consumer awareness
and reinforce the incentive of consumers to request, correct and dispute files. From the
casual evidence above, however, the opposite seems to be the case: the weaker the data
protection, the more complaints about privacy breaches and the higher the public
awareness. This translates into pressure on companies to increase their efficiency by
setting up adequate systems for consumer contact. In the US, this was demonstrated by
the charges that Experian, TransUnion and Equifax had to pay in 2000 due to violations
of the Fair Credit Reporting Act. Together, these agencies had to pay $2.5 million for
failing to maintain a toll-free telephone number at which their personnel are accessible
for consumers during business hours. According to a Federal Trade Commission press
release (Federal Trade Commission, 2000c), the agencies, “blocked millions of calls from
consumers who wanted to discuss the contents and possible errors in their credit reports
and kept some of those consumers on hold for unreasonably long periods of time.” Such
charges obviously increase the incentive to provide more efficient access for consumers.
The disclosure fees also seem to be lower in the United States than in Great Britain and
Germany. It is difficult to explain such prices (in Germany and Great Britain), since
advances in computer technology should have contributed to the cost efficiency of such
activities. However, working time spent on data protection issues, mainly by the
appointee in a company seems to be higher in Germany (no data are available for the
UK). As stated, the evidence is only casual and it is more appropriate to conduct a
statistical analysis of privacy regulations and their effects on consumer credit markets.
This is also a way to estimate the “economic costs” of data protection.
3.2 Credit Markets and Information Sharing
The relationship between credit markets, information sharing and credit reporting has
been at the centre of several studies in the past (for an overview, see Table 6). We briefly
summarise the evidence to date and then present our own approach. One of the first
empirical surveys of information-sharing and credit markets is that of Pagano and
Jappelli (1993). The authors collected information on 14 OECD countries and divided
NICOLA JENTZSCH
20
them into two groups: one with widespread information-sharing and one with data
exchange on a smaller scale.17 The authors find that countries with credit bureaus exhibit
high mobility of consumers and deep consumer credit markets.
Table 6. Surveys of economic activity of credit bureaus
Authors Study design and methodology Results
Jappelli
and
Pagano
(2000a)
39-country comparison
Population: Public and private credit bureaus
Methodology: Regression analysis
Theoretical predictions are consistent with the
data: Information sharing (IS) increases bank
lending, reduces credit risk and is negatively
correlated with default rates (weak correlation)
Jappelli
and
Pagano
(2000b)
17-country comparison (EU plus Turkey)
Population: Public and private credit bureaus
Methodology: Description
Privacy protection affects the amount of
information shared;
CBs originate from local lenders; consolidation
of the industry
Pagano and
Jappelli (1993)
14-country survey (OECD)
Population: Public and private credit bureaus
Methodology: Regression analysis
IS is positively related to borrower mobility and
heterogeneity, size of credit market and advances
in IT;
IS increases lending volume if adverse selection
is severe
Moreover, Pagano and Jappelli (1993, p. 1693 and p. 1714) argue that the incentives of
lenders to share information about borrowers (via a credit bureau) are positively
correlated to the mobility and heterogeneity of borrowers and the advances in
information technologies. The size of the market increases the incentive to share
information, on the one hand, while the benefit of setting up a credit bureau rises with
the increase in loan demand, household mobility and the decrease of operational costs of
the system as well as with the uncertainty about borrower quality. Furthermore, the
utility of a reporting system increases with the number of participants; therefore, credit
bureaus are natural monopolies (Pagano and Jappelli, 1993, p. 1699).
In a follow-up paper, Jappelli and Pagano (2000a) collect information for a sample of 39
countries (1994-95). Those are divided in three groups: countries without a register, a
negative one only or a positive register. The authors then experiment with different
indicators of information-sharing and variables on credit markets.
In testing for information-sharing and bank lending, the authors rely on quality of
information shared (exchange of negative information only and exchange of negative and
positive information). With information-sharing, the ratio of bank lending to GDP is
higher. Their test on the relationship of information-sharing and credit risk shows that
countries with data exchange have lower average credit risk (the latter is the
International Country Risk Guide Financial Indicator, ICRGF). Information-sharing
reduces the credit risk indicator by 3 points, which may translate into a 1 percentage
17 For the purpose of surveying only the consumer credit markets, the authors exclude mortgage reports
(Pagano and Jappelli, 1993).
THE REGULATION OF FINANCIAL PRIVACY
21
point reduction in the fraction of non-performing loans. In general, default rates are
negatively correlated with information-sharing indicators.
In summary, information-sharing is associated with larger bank lending to the private
sector, and mitigates credit risk (as measured by default rates). This is also the case if
one controls for other economic and institutional variables like growth rate and rule of
law.
Like many regression analyses, these results suffer from data problems (noisy indicators)
and the reverse causality problem. The result that information-sharing leads to greater
breadth and depth of consumer credit markets might very well be the other way round:
since credit markets are broader and more transactions take place, information-sharing is
higher.18 This problem is acknowledged by the authors.
Further guidance on the relationship of credit reporting, general information-sharing and
restrictions posed upon data uses might come from micro-level analysis that experiment
with prediction precision of scoring models in creditworthiness tests. The latter
approaches to information-sharing and risk prediction are empirical tests of the
prediction precision of scorecards (for an overview of scoring development, see Thomas,
2000). Scoring models are statistical methods to evaluate the credit risk associated with
the borrower. In general, these models have one assumption in common: data about past
payment behaviour is useful for predicting future performance. This future performance
includes voluntary and involuntary default. The first is strategic default, while the latter is
involuntary, caused by unexpected unemployment or illness (see also Jentzsch and San
José Riestra, 2003).19
In general, the micro-level works analyse the influences that are eroding the prediction
precision of scoring models. This is mainly tested for the US. One reason for this might
be the widespread use of scoring as well as the highly advanced development in the US.
In general, two sources of potential deterioration of a model can be separated: statistical
insufficiencies (due to population drifts, for instance) and privacy-related restrictions of
predictor availability. The latter are of special importance for the present study. The
omitted-variables problem might arise when certain variables are not used due to privacy
restrictions such as contained in the Equal Credit Opportunity Act (ECOA) in the US
and in Europe, in the Data Protection Directive and the acts in the individual member
states. This might lead to an underfitting of scoring models when predictors reveal
statistically significant correlation, but are not included in a scorecard. Only lately has
this problem been addressed by different authors (Barron and Staten, 2000; Boyes,
Hoffman and Low, 1986; and Bostic and Calem, forthcoming).
These studies show that the prediction precision of a model deteriorates when certain
variables are forbidden. Bostic and Calem (forthcoming) analyse this effect for the
gender variable, and Barron and Staten (2000) test these effects for whole information-
18 This view may be underpinned by historical evidence. In the US, banks were the first to be founded
(during colonial times) and credit bureaus followed nearly a century later. One of the first credit bureaus
was established in 1860 in Brooklyn (Cole, 1992, p. 220).
19 The latter is especially a cause for over-indebtedness in the US, due to the health system and reduced
insurance coverage of households.
NICOLA JENTZSCH
22
sharing regimes in the US and Australia. The US is a positive-negative regime – the
distribution of both types of information is allowed, while Australia constitutes a
negative information regime. Barron and Staten (2000) find that the restriction of
information sets of market participants increases fuzzy risk predicting and decreases
allocative efficiency. The authors show how the Australian information set produces
higher rates of type-I and type-II errors.20 Accordingly, the more precise discrimination
of formerly pooled borrowers increases approval rates, whereas an information set with
only negative predictor variables reduces these rates.
In summary, the presented studies show that restrictions on predictive scoring variables
reduce the efficiency of credit scoring models. This also holds if the amount of
information used is varied, like in the Barron-Staten approach. The potential costs of
privacy regulations can be quantified economically by the deadweight loss due to
reduced credit availability, but also by the reduced efficiency if type-I and type-II errors
lead to a misallocation of credit.
3.3 Data Protection and Consumer Credit Markets
The effects of data protection on consumer credit markets are not quite clear. On the one
hand, there could be positive effects due to increasing transparency of information flows,
but on the other data protection acts might reduce the information available to market
participants. The studies reviewed above analyse information-sharing both on the macro-
level by reviewing effects on credit markets and on the micro-level by testing scoring
models. In the following, we present our set of variables and our approach to the analysis
of economic costs associated with different data protection regimes.
3.3.1 Hypotheses
The major research question is whether a more stringent data protection regime
(measured by higher FPI) inhibits information allocation in consumer credit markets. This
could be postulated as the first hypothesis: the higher the FPI, the lower the information
allocation. A second major interest is to find out if a lower information allocation (as
approximated by the credit report sales) is associated with a higher credit risk. After
reviewing the micro- and macro-level literature, it may be stated that more stringent data
protection regimes are associated with lower information allocation and higher credit
risk, because financial service providers have less information on consumers to evaluate
their risk. This may result in misinformed credit decisions that translate into higher credit
risk on the macroeconomic level. Therefore, our second hypothesis is that lower
information allocation is associated with higher credit risk.
A further group of hypotheses refers to credit market characteristics. Lower information
allocation is thought to result in thinner credit markets (lower percentage of consumer
credit to GDP) and lower consumer indebtedness. We assume the latter since consumer
indebtedness is supposed to rise in countries with more credit financing and broader
credit markets.
20 Type-I errors are omission errors in denying good risks credit, whereas type-II errors are errors of
commission in granting loans to bad risks (see also Barron and Staten, 2000, p. 21).
THE REGULATION OF FINANCIAL PRIVACY
23
We proceed as follows. We estimate the relations between the variables by conducting a
series of tests using Pearson product-moment correlations for the individual countries
and for cross-country analysis. In a further step, we expand the tests by including a
cross-country partial correlation analysis.21
Studies in the field of credit reporting and consumer credit markets typically suffer from
problematic data sets (the present study is no exemption). The reason for this is the lack
of proper official data on important variables such as credit risk and the lack of data from
private sources such as credit bureaus. The typical methodology employed in this field is
a large country panel and regression analysis.
The presented approach differs, however. We reviewed only four industrialised
countries, but for the period 1990-2001. For the tests, we work with a new data set and
with data from the European Credit Research Institute. An overview of the variables is
presented in Box 1 below. Since we also requested information from credit bureaus in
the US, Great Britain and Germany (there are no credit reporting agencies in France),
this information was included in our estimates about information allocation and costs of
data protection.
Box 1. Overview of variables used in the study
Financial privacy indices
(FPI) The set of variables is the multiplicative Cobb-Douglas index. The
index is based upon a set of absolute values of data regulations in each
country for the years 1990-2001. The index is a proxy for data
protection regimes in the specific field of consumer credit reporting.
Information allocation
(RS) Information allocation is the absolute number of credit reports sold in a
country on a yearly basis. Since this number cannot be observed
directly, it had to be estimated by using either already published
estimated or own data. The estimation procedure is not disclosed for
confidentiality purposes. RS stands for reports scaled (i.e. sold to
financial service providers). Source: the author.
Consumer indebtedness
(CI) Consumer indebtedness is a ratio expressing the volume of consumer
credit outstanding relative to the disposable income of households. This
ratio rises with the increase of borrowing to finance consumption.
Source: ECRI.
Credit-financed
consumption
(CCPPC)
Credit-financed consumption is outstanding consumer credit as
percentage of private consumption. This measures the weight of credit
in private consumption transactions. Source: ECRI.
Consumer credit
interest rates (INT) This data set is constituted of interest rates on consumer loans to
households. For the European countries these numbers are non-
harmonised. Source: ECB, National Retail Interest Rates Statistics. For
the US, data are taken from the Federal Reserve’s G.19 consumer credit
statistics (commercial banks interest rates).
Real GDP growth
(GDP) Real GDP growth is percentage change from previous period. The US
uses chain-weighted indices to calculate real GDP and expenditure
components. Numbers are available for 1990-2001; for 2001 numbers
21 The author repeated the tests below with inflation-corrected terms and by controlling for GDP growth.
The results, however, did not change significantly and they are not reported.
NICOLA JENTZSCH
24
are projections. Source: OECD, Economic Outlook, 2001.
Credit risk
(RISK) Credit risk is household-debt service burden, which is the ratio of debt
payments, i.e. minimum payments and interest rate payments on
consumer credit to disposable income. Source for US: Federal Reserve.
Source for Europe: the authors calculations (based on data from the
ECB, ECRI, national central banks and estimates of commercial
financial service providers).
The first set is the FPI. As elaborated above, the index is a very specific measure that
was only applied to credit reporting regulation. Therefore, the index is precise enough to
capture the most important regulations.
The variable for information allocation (RS stands for reports scaled), on the other hand,
is more problematic. The credit bureaus were asked to disclose their sales for the years
1995 and 2001, associated growth rates in the 1990s and the percentage of credit reports
sold to financial service providers. From the data, the percentage of reports sold for
consumer credit purposes could be estimated. These numbers, together with estimates
from other sources (like industry publications) were compiled to serve as a rough proxy
for information allocation. The number was then scaled by the population in the country.
The results are plotted in Figure 2.
Figure 2. Information allocation in four selected countries (1990-2001)
0
0,5
1
1,5
2
2,5
1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001
Germany
France
United Kingdom
United States
The credit market indicators are less problematic. Consumer indebtedness (CI) is the
ratio of consumer credit outstanding to disposable income of households. Credit-
financed consumption is the outstanding consumer credit as a percentage of private
consumption (CCPPC) and as credit market breadth or availability, we included
consumer credit (excluding mortgages) as a percentage of GDP (CCGDP). On consumer
credit interest rates (INT), moreover, data from the European Central Bank and the
Federal Reserve Board is used. These data are available for all countries, except for the
Great Britain (1990-95).
THE REGULATION OF FINANCIAL PRIVACY
25
Real GDP growth rates (GDP) as proxy for business cycle fluctuations were collected
from the OECD Economic Outlook (with estimates for 2001). Another somewhat
problematic variable is the credit risk estimate (RISK). For the US, there are official
numbers on debt-service burden of households: the service on consumer debt in relation
to disposable income.22 This service includes average monthly minimum payments as
well as interest rate payments. European numbers are calculated by using consumer
credit interest rates and disposable income. However, data on minimum payments are
neither collected by the European Central Bank nor by the individual central banks.
Therefore, estimates from governmental departments as well as financial service
providers were used. With these estimates it was possible to construct a time-series of
credit risk in the individual countries, however, some of the information is missing in the
case of Great Britain.23 The results are plotted in Figure 3.
Figure 3. Estimated credit risk in four selected countries (1990-2001)
0,00
2,00
4,00
6,00
8,00
10,00
12,00
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
Year
risk
U.S.
Germany
Great Britain
France
We also discussed the inclusion of other possible intervening variables such as creditor
rights as presented by La Porta et al. (1997). This is problematic, however, since the
indicator is estimated only for one year. There is not really an statistical explanation for
including it as constant quantity.
22 This is regarded to be “credit risk”, because it tends to lead delinquencies and predict bankruptcies
(Maki, 2000, p. 5)
23 This is a better approximation of (consumer) credit risk than other indicators such as the ICRGF
which includes risks unrelated to consumer credit (such as losses from exchange controls).
NICOLA JENTZSCH
26
3.3.2 Pearson’s Correlations for Individual Countries
Results for the test of interdependency of FPI and information allocation for the
individual countries are given in Tables A2-A5 in the Annex. For the US, we have a
strong positive correlation (.873) that is statistically significant at the 0.01 level. The
same holds for Germany (.919) and Great Britain (.843), both statistically significant at
the 0.01 level. Note that the signs are positive. The implication of this is contrary to our
hypothesis that higher FPIs are associated with lower information allocation. It seems
that for those countries the reverse is true: the higher the distribution of credit reports,
the higher is also the FPI (that is, more data protection regulations exist). We will
explain this counterintuitive result further below. France, however, displays a correlation
that is statistically not significant. Growth rates of disclosures in France could be severely
underestimated, producing a misleading result in this case.
The observation that in other countries sales of credit reports increase with increasing
data protection regulations crucially depends on assumptions about credit report sales.
As stated, we had to estimate the numbers, but from the questionnaires of our survey we
got strong evidence that suggests that credit report sales increased remarkably in the
1990s, which is certainly due to increasing information technology adoption and the
reduced costs of administration of such files. The results cannot, of course, be
interpreted as causality. However, the strength of the relationship proposes an alternative
explanation that can be further augmented by historical evidence.
It seems that increasing information allocation leads to increasing public awareness about
privacy problems in general. In the 1990s, this was accompanied by the large-scale
adoption of the internet that further raised such concerns. In a political economy
approach, one might state that this awareness translated into increasing pressure from
constituents to alter legislation and increase the rights of data subjects and the tasks for
data controllers. That is something we could demonstrate by the evaluation of individual
countries and the upward trend in the FPIs. Increasing data protection awareness has
obviously not been on the agenda of the French data subjects – they already enjoy very
high protection. Of course, it would be necessary to wait another ten years to measure
how the legislative changes in the latter half of the 1990s affected the relationship of the
FPI and information distribution in the long-run.
The second hypothesis stated that increasing credit report sales increase risk prediction
capabilities of financial service providers and therefore should be negatively correlated
with credit risk on the aggregate level. As we review the individual countries, we get
mixed evidence for such a relationship (Tables A2-A5 in the Annex).
Again, we take the scaled credit report distribution, but this time, we relate it to credit
risk. For the US and France, the coefficients are not statistically significant. Germany, on
the other hand, displays a negative correlation (-.780) and Great Britain a positive one
(.918), both statistically significant at the 0.01 level. Therefore, the tests on the level of
individual countries do not show any clear relation between information distribution and
credit risk.
Another interesting question is whether reduced sales of credit reports result in less
access to consumer credit (as a percentage of GDP) and lower levels of consumer
indebtedness. The connection between sales of credit reports and consumer credit as a
THE REGULATION OF FINANCIAL PRIVACY
27
percentage of GDP is the following. In the US (.777), the Great Britain (.899) and
France (.939), the relationship is positive and significant. That means that higher sales of
reports are associated with a higher ratio of consumer credit and GDP. Access, if we
interpret the variable in this way, is then increased by higher information allocation.
Germany, however, does not fit this picture, for here we discern no statistically
significant relationship. The same kind of association also holds for consumer
indebtedness in the US (.790), the Great Britain (.890) and France (.925). Here too,
Germany displays no relationship. Along with the broadened access to consumer credit
(facilitated by the increasing distribution of information about potential borrowers)
comes the increase of consumer indebtedness. The latter is highly associated with this
expanded access.
We originally assumed that stringent data protection rules reduce information allocation.
This relationship cannot be observed in the individual countries, instead the contrary
holds. If we directly test for the association of the FPI with credit access and consumer
indebtedness, the following picture emerges: in the first case a positive correlation exists
only for the US and Great Britain as English common law countries. The correlations for
Germany and France are again not significant in both tests. Therefore, we find no general
relationship that would hold for all of our countries. In a next step, we turn to cross-
country evidence.
3.3.3 Pearson’s Correlations and Cross-Country Evidence
Due to the very little numbers of observations in each country, we expand the tests by
conducting a cross-country analysis. On the background of the initial tests, we now
modify the first hypothesis by stating that a higher FPI is correlated with higher
information allocation. The results of the analysis are presented in Table A6 in the annex.
This time, however, the association of both indicators is statistically significant correlated
with a negative sign (-.622) – the one we would have expected in the analysis above. In
cross-country comparisons, a higher FPI is obviously associated with lower credit report
sales. This reinforces our initial assumption that the US, for example, has lower data
protection and more credit report sales, whereas the opposite holds for more stringent
data protection regimes like France.
Within the individual countries, however, the relation seems to be positive due to the
reasons explained above. The political economy approach, however, does not work on
the international level, since there is no international data protection authority to which
complaints could be directed (note that we have not included an EU aggregate). Note
also that we did not rely upon absolute indicators of consumer credit markets, but on
percentages of GDP.
Concerning information allocation and credit risk, we did not receive a strong result that
credit report sales decrease credit risk. Therefore, we reiterate our assumption that the
variables must be intuitively correlated in a negative way, i.e. higher information
allocation is associated with lower credit risk.
This time, we find a positive relation (.592). This is as counterintuitive as the weak
results in the individual countries. It was stated that risk prediction capabilities should
increase and as a consequence, credit risk should be lowered. If a household already has
NICOLA JENTZSCH
28
a relatively high debt-service burden as a consequence of indebtedness, the marginal
propensity to grant credit should decrease.
We initially assumed that this translates into lower credit risk on the aggregate level. The
result is statistically significant on the 0.01 level, as well as the positive relations of credit
report sales with the variables for consumer indebtedness (.585) and consumer credit as a
percentage of GDP (.724). On the international level, a higher distribution of credit
reports is obviously associated with increased consumer indebtedness and broader credit
markets. Such a positive relationship also holds for credit risk.
One explanation for this is that with increasing consumer indebtedness, a higher part of
consumption will be financed by credit and more credit reports are sold as a
consequence. Less surprising is that credit risk is highly associated with consumer
indebtedness (.762) and consumer credit as percentage of GDP (.778). When we repeat
the tests directly with the FPI, we find that it is significantly negatively correlated with
consumer indebtedness (-.477), consumer credit as percentage of GDP (-.632) as well as
consumption financed by credit (-.318).
The following relationships can now be established: the more stringent are data
protection regimes in cross-country comparisons, the lower are credit report sales. With
increasing information allocation, both consumer indebtedness as well as consumer credit
as a percentage of GDP rise. Both go hand in hand it was stated. The more credit reports
are sold, the more credit risk will increase, since both variables are positively correlated.
If we exclude the reports and conduct the tests directly with the FPI, we find that
countries with higher FPIs have lower credit access, credit risk and consumer
indebtedness.
How can these results be explained? First, we have to state that the analysis above
involves only simple Pearson correlations for a few countries, but they might provide
some first indications. Such an analysis always suffers from problems of omitted
variables and we are not able to draw any conclusions about causal relations. Moreover,
rising credit risk as well as consumer indebtedness are certainly a function of economic
conditions. Households will borrow more if wages rise or job prospects look good.
Wage income is still the major income source of the average US household, so the job
market and the stability of the income stream – both of which are related to the business
cycle – will be of the utmost importance. We now turn to partial correlation coefficients.
3.3.4 Partial Correlation Coefficients: Cross-Country Evidence
We start to control for variables in the following way: first, the interdependency of the
FPI and information allocation will be checked by controlling for economic growth.
Table 7 presents the results. The negative relationship as we observed in cross-country
comparisons remains statistically significant, but to a somewhat weaker extent. However,
the statistical significance vanishes when we control for consumer market breadth or for
the latter and consumer indebtedness in a second-order partial correlation.
The interdependency of information allocation and credit risk, on the other hand, remains
statistically significant in first-order test with controlling for GDP. In the other cases, the
relationship vanishes. In the relation of the FPI with the risk proxy, we also get statistical
significance, the sign remains the same: negative, and this is the case in first-order partial
THE REGULATION OF FINANCIAL PRIVACY
29
analysis (controlling for GDP growth) and in the second-order analysis controlling for
consumer indebtedness and consumer credit.
Table 7. Cross-country partial correlation coefficients
Control variables
(2-tailed significance) FPI – RS RS – RISK FPI – RISK
First-order partial correlations
GDP growth
-.6156** .5480** -.6514**
Consumer credit % GDP
-.3069 .0747 -.2924
Second-order partial correlations
Consumer indebtedness,
consumer credit % GDP -.2048 .1509 -.5140**
** Correlation is significant at the 0.01 level (2-tailed).
Especially GDP growth appeared to be a candidate for intervening influence, but the
interdependencies of the FPI with information allocation or credit risk or information
allocation and risk remain statistically significant on the 0.01 level. Due to the small data
set, the model should not be over-fitting. Therefore, we refrain from including further
variables (household saving or consumer expenditure, for example) and we refrain from
conducting a regression analysis.
In sum, we observe that across countries, a rising number of data protection regulations
is associated with lower information allocation, lower credit risk and decreased
consumer indebtedness. However, with decreasing FPIs (and hence increasing
information allocation), consumer indebtedness increases as well as the other variables
that served as indicators for the consumer credit market. In addition, credit risk will rise.
In the following, another explanation of the observations is proposed. As stated, in the
individual countries, higher information allocation is associated with higher FPIs,
whereas countries with high FPIs in comparison to those with lower ones do exhibit
lower information allocation. However, if credit markets are broader, more transactions
take place and more credit reports will be sold. The expansion of the consumer credit
market increases marginal risk associated with less creditworthy households – this is the
reason why credit risk increases on the aggregate level.24
Current statements from the credit reporting business (see e.g. Experian, 1996, p. 12)
might help to further reinforce these assumptions: “In general, the usage of credit
profiles (and related services) is driven by consumer demand for credit (via new credit
cards, automobile loans, home mortgages and refinancing and other consumer loans) and
lenders’ efforts to develop new, and monitor existing, credit relationships.” Hence, the
broader the credit market, the higher the information allocation and the higher the credit
risk.
24 Note that this aggregate level is not the overall credit market in the economy, but the consumer credit
market.
NICOLA JENTZSCH
30
4. Competition and Market Structure in Credit Reporting Industries
4.1 Competition in Information Markets
One of the major questions that arises in the context of efficiently working consumer
credit markets is what kind of industrial organisation exists in the credit reporting
industry. It could be very well the case that competition in such markets increases
information allocation and leads to a more efficient distribution of consumer credit.
However, information markets differ in certain important respects from traditional
markets, and the credit reporting industry in Europe in particular underwent major
changes in the 1990s.
The competition in the credit reporting industry constitutes an example of competition in
information markets par excellence. Such markets differ from traditional markets in
several specific characteristics, because they are dependent on network structures within
which information goods are traded. We will first elaborate on the general characteristics
of information markets and then describe the trends in credit reporting.
Networks are a form of industrial organisation and market governance. As coordination
mechanism, networks influence market structures as well as aggregate economic results.
Different authors have modelled networks among economic agents employing influence
matrices (Steyer and Zimmermann, 1998), cascade models or polya urn schemes
(Willinger and Ziegelmeyer, 1998). Others have employed spatial models that locate
agents on lattices (Jonard and Yildizoglu, 1998, and Nelson and Winter, 1982). These
models are mainly concerned with technology adoption, localised learning and network
externalities; few of them explicitly focus on information networks.
Network structures, however, reveal some economically significant characteristics that
cannot be neglected. With the aforementioned approaches, it is possible to explore
economically relevant problems such as dependence on initial conditions (Arthur, 1990
and 1994), path-dependence (David, 1985), critical mass, bandwagon effects, positive
feedback (Economides, 1993 and 1996), as well as standardisation problems (Besen and
Farrell, 1994). These features generate concentration processes that transform a polypoly
to an oligopoly or even a monopoly (so-called winner-takes-most markets; see
Economides, 2001).
The technological complementarities of network components generate network
externalities and positive feedback (in some cases also negative feedback) on the demand
or supply side. While these characteristics are normally observed in telecommunications
infrastructures, some of them can also be applied to information networks. These kinds
of networks abstract from technological infrastructures, since participants that share the
same information constitute such a network. These agents can be described as nodes in
the network, whereas the links between them depend on a probability that varies inter-
temporally (for a broader example, see Kirman, 1997).
The architecture of the network is constituted of the number of participants as well as
the symmetry (or asymmetry) of data flows between them and the system of information
flows. This is the problem of star networks with a monopolist information producer vs.
multiple point networks with several information producers constituting an information
oligopoly, for instance. Information diffusion and its efficiency are influenced by the
THE REGULATION OF FINANCIAL PRIVACY
31
network architecture and the channels; hence architecture influences economic
outcomes. In this context, information is at the same time integrated in vertical networks
(as part of the value chain) as well as in horizontal networks (exchanges among different
firms of the same industry). Despite the fact that there is little economic literature on the
specific efficiency problems, one can apply certain network characteristics to credit
reporting as discussed below.
In credit reporting markets, the information flows among agencies, information suppliers
and consumers constitute such a network of information which reveals strong feedback
effects: its value increases as more creditors are connected to it. An increasing number of
data sources produces a more detailed profile of the data subject and in turn enhances the
risk prediction capabilities of the interconnected participants. The contributions of an
increasing number of data sources will almost inevitably (regulatory architecture ceteris
paribus) increase the flow of information among the agents.
Information exchange, however, has to be standardised (as well as the meaning of terms
such as bankruptcy) to ensure an effective flow among network participants. Moreover,
the more a network of one agency increases, the more attractive it will be for potential
participants leading to considerable bandwagon effects and network externalities. As far
as financial service providers deliver information to one of the agencies, excess inertia
may be generated from the costs that arise from switching to another network. This has
not been discussed in the literature so far. Instead, there is only anecdotal evidence.
Experian, for example, claims that it has long-standing customer relationships with the
top 25 customers for over a decade (Experian, 1996, p. 44).
Credit reporting competition reveals specific demand- and supply-side characteristics.
The information furnisher is the bank, insurance or any other credit-granting company.
However, this party is also the demander of the information as codified in reciprocity
contracts in credit reporting arrangements. These contracts have to establish incentive
alignments (the disclosure of truthful information) to ensure the efficiency of the
reputation system. All information suppliers are granted access to the data base, while
non-disclosure is sanctioned. This has not always been without problems, since it
produces significant effects on competition.
Market dynamics are to a crucial extent dependent on the consumer demand for credit.
This demand for credit cards, mortgages, automobile loans or other consumer loans
expands the demand for consumer profiles and related services:
Consumer demand for credit tends to increase during periods of economic
expansion, and lenders’ efforts to monitor credit relationships tend to increase during
periods of economic contraction. Consequently, revenue from consumer credit
information products is influenced by cyclical economic trends related to consumer
debt (Experian, 1996, p. 12).25
Market barriers in this competitive surrounding are created by the already existent
network of the triopoly as found in the US, for example, and the high costs establishing
25 Note that this is turning the logic around, as discussed in the section on empirical surveys.
Information-sharing is higher, because consumer credit markets are broader and deeper in times of
economic expansion.
NICOLA JENTZSCH
32
such a network. Companies will only enter the market if benefits are greater than the
costs of market entry and if it is expected that the market will further expand in the
future. As long as profit margins are high enough, other players will be attracted. In the
US as well as Great Britain, a triopoly developed. The intense pricing competition as
well as the established networks in the US may operate like private barriers to market
entry.
Credit reports as information goods exhibit problems that may deteriorate the allocative
efficiency of competitive market mechanisms. These characteristics are: non-excludability
as in the case of public goods, non-rivalry, indivisibility, immateriality and experience
character (Allen, 1990, and Romer, 1990). In the commodification process some of the
natural characteristics of information have to be transformed to achieve tradability. This
is for example done via the definition of a property rights structure. The thinner property
rights are, the more likely are externalities that may eventually produce market failure
(Coase, 1960). Specifically relating to privacy, problems of externalities and the
definition of property rights have been discussed by Varian (1996) and Laudon (1996).
One has to distinguish three kinds of transactions: (1) the primary transaction between
the consumer and the bank with aligned incentives; (2) the secondary transaction
between the bank and the credit reporting agency; and (3) tertiary transaction between
the credit reporting agency and third parties. In the secondary and tertiary transactions,
externalities can arise, since incentives of consumers and credit reporting agencies are no
longer aligned; moreover, if information transactions are not transparent, consumers
cannot exert their rights of blocking access which may result in information
misallocation. The general characteristics of information goods, as well as their
associated scale and scope economies lead to product diversification through
differentiation strategies, something that is observable in the credit reporting market.
Property rights for information are split among furnisher and information intermediary
(the credit bureau). The value added by the information intermediary is the accumulation
of the information from different sources that are depersonalised and the analysis of the
data.
In summary, one can observe network structures, while on the other hand there are
certain characteristics of information goods (similar to those of public goods) and
externalities that are typical of information markets. Another problem arises from the
strong concentration processes. However, they do not naturally result in weak
competition (depending on the strength of competition supervision). Upstream market
inefficiencies, it has to be noted, may reveal effects on downstream industries that
depend on such information goods (for example, the banking or insurance industry).
Upstream inefficient information allocation, may inhibit the competition in downstream
industries.
Apart from the aforementioned general economic insights, there are certain trends that
can be observed especially in the 1990s. First, the traditional core business of credit
reporting has changed enormously in the 1990s due to the progress in information
technologies and the increasing competition pressure in the mature information market of
the US. Today’s credit reporting bureaus – information service providers – not only
provide profiles, but all kinds of risk management products (e.g. scoring or screening
services) and increasingly also products and services for consumers such as score
THE REGULATION OF FINANCIAL PRIVACY
33
simulators and advice on consumer credit habits. TransUnion and Experian only lately
started to expand their business into the consulting field, advising their clients on data
assessment and modelling as well as on fraud reduction (Lee, 2002a, p. 8). The reason
for this is the high pressure on consumer reporting agencies in pricing as well in
servicing. While one observes an expansion into new areas on the one hand, there is the
reduction of some traditional activities like the collection business on the other.
Second, there are convergence processes in respect to segments of the information
market (for example, marketing information and creditworthiness information). This
seems to be especially the case in e-commerce with the emergence of vast collections of
personal data that are intended for marketing purposes (Groupement Français de
l’Industrie de l’Information, 2000). The reporting agencies also hold vast direct
marketing data bases that contain lifestyle and demographic information (Lee, 2002a, p.
8); moreover, in the US, the major credit bureaus have cooperation arrangements with
the information services and data mining company Acxiom to provide packages that
combine demographic and credit information (Fickenscher 1999).
Third, there are signs that new competitors are also entering the market from the side of
scoring services or business reporting services. For example, Fair, Isaac, the major US
provider of scoring products, intends to establish a service for consumers to notify them
if their scores have changed and to provide consolidated consumer reports (that is,
reports merged from all three credit bureaus). This would actually put the company in
more direct competition with the credit bureaus (Lee, 2002b). In Germany and the UK,
we have found examples of business reporting companies (Creditreform as well as D&B)
expanding their operations into the field of consumer reporting.
And fourth, there is the trend of integration of certain parts of the value chain, e.g. the
convergence of information and software applications (Groupement Français de
l’Industrie de l’Information, 2001).
We briefly review in the next section the competition trends in the relevant countries.
Due to severe problems with limited data availability on this issue, it is not possible to
construct a concentration index like CR4, CR8 or the Herfindahl-Hirschman index for
the European countries. There are, however, official indices for the US. It is only
possible to roughly describe the competition in the individual EU countries and to add
anecdotal evidence on important merger and acquisition activities. This is sufficient,
however, to gain an overview of the latest developments.
4.2 Competition in the US Credit Reporting Industry
Credit bureaus developed in the United States with the increased household mobility and
mass urbanisation in the second half of the 19th century, as Pagano and Jappelli (1993, p.
1711) note. Due to these socio-economic developments, informational asymmetries
between creditors and borrowers worsened – a problem that could be ameliorated by the
information collection of credit bureaus. In the US, banking regulation contributed to the
establishment of information-sharing arrangements, because it created barriers of entry
by establishing the dual banking system (National Bank Acts of 1863 and 1864) and
restrictions on branching (McFadden Act of 1927). The latter resulted in state-w