Faculty of law blogs / UNIVERSITY OF OXFORD

Promise Not Fulfilled: FinTech, Data Privacy, and the GDPR


Gregor Dorfleitner
Full Professor of Finance and Director of the Center of Finance, University of Regensburg
Lars Hornuf
Professor of Business Administration at the University of Bremen
Julia Kreppmeier
Research Assistant at the Department of Finance, University of Regensburg

Data have become a critical resource for many business models as a result of digitalization and globalization. Individuals disclose personal information intentionally and unintentionally over the Internet and when using their smartphones. Because of the international location of servers and cloud computing services, the processing of data often takes place in different jurisdictions and does not stop at national borders. On May 25, 2018, the General Data Protection Regulation (GDPR) became binding in the European Economic Area (EEA) to address the increasing challenges of data security and privacy. The GDPR extends its territorial reach even outside the EEA if European data are involved.

The financial sector and, in particular, the recently emerging Financial Technology (FinTech) industry process a great deal of sensitive data. Payment data, for example, can reveal information about racial or ethnic origin, political opinions, religious beliefs, health or sex life. The different FinTech business models, which frequently rely on artificial intelligence, big data, and cloud computing, thus represent an important and relevant industry in which to examine the impact of the GDPR. Companies are not required by law to have a privacy statement; however, they often fulfil their duty to inform users about the personal data they process (art 13-15 GDPR) by publishing such statements. Privacy statements therefore serve as the research object for many studies that analyze privacy.

A central goal of the GDPR is that communication to data subjects about the processing of their data occurs in a concise, transparent, intelligible and easily accessible form, using clear and plain language (art 12 GDPR). In our recent CESifo working paper, we analyze 308 privacy statements published by German FinTech firms before and after the GDPR became binding. We examine readability and standardization, whether company- and industry-specific factors affect the quantity of data processed, and the transparency of the privacy statements. We perform textual analysis on the privacy statements and provide evidence that their readability has worsened since the GDPR became binding. Specifically, the texts have become longer and more time-consuming to read. We also find an increase in the use of standardized text, which reduces the informational content that users can draw from the privacy statements. These findings contradict the primary objectives of the GDPR. Further, we investigate the quantity of data processed and the level of transparency, together with their determinants. We document a significant increase in the quantity of data processed but find no significant change in the level of transparency.

External investors can contribute knowledge and experience to build a sound and future-oriented company. In our study, the number of external investors positively influences both the quantity of data processed and transparency before the GDPR became binding. Cooperation with a bank does not have any significant impact on FinTech privacy practices. Legal capital, which we interpret as ex-ante founder-team dedication, is positively related to the quantity of data processed and is particularly relevant for transparency before the GDPR became binding. These results underline that, prior to the GDPR, external pressure from investors and internal engagement of the founders resulted in better privacy practices. However, these effects vanish after the GDPR became binding, as all FinTechs began to act in a similar manner to ensure data privacy. We also provide evidence that mimicking behavior in response to industry pressure positively influences privacy practices after the GDPR became binding, which indicates that the regulation gave companies an incentive to adopt their direct industry peers' data-processing methods or privacy statements.

One might ask whether it is possible for users to give informed consent (art 7 GDPR) if they cannot grasp the language and the content of privacy statements. Thus, the question arises whether the GDPR has really fulfilled its promises regarding its main provisions and objectives, especially for FinTechs.


Gregor Dorfleitner is Full Professor of Finance and Director of the Center of Finance, University of Regensburg.

Lars Hornuf is a chaired Professor of Business Administration at the University of Bremen, Germany, specializing in the areas of financial services and financial technology.

Julia Kreppmeier is Research Assistant at the Department of Finance, University of Regensburg.