Hi,
I think this topic should have its own thread under GDPR, as an Android user I’d never have found it if I hadn’t messaged the Admins via the app.
I’m still extremely concerned by what happens here.
Your customers ( e.g. me) are caught by the effects of GDPR upon them, (I.e. your customers’ employers) IF they have any business contact data on their phones. Put another way, my contacts are somebody elses’s personal data. They own it, not me, and they now determine what can happen to it and must be told if it is used without their consent.
From reading this explanation, their data is used in some way, to create whatever a hash is and then matched with a larger has from someone else’s personal data.
I run a head hunting business with some extremely sensitive contact data on my phone, yet my business makes no provision for this in its GDPR declaration, how can it? I shudder to think what my contacts would think if they knew their data is being used by a fledgling bank (that must be considered at financial risk as it is not making profits and still making cash calls on its shareholders).
Honestly, I am alarmed by phrases such as (can’t remember exactly) “we will not contact your contacts without your consent” implies you have the ability to contact them and “if Monzo shares / benefits from their data with third parties…” reinforces the belief you have access to their data.
It looks to me as though you are putting your customers and their employers at risk of breach of GDPR without their knowledge. The minimum I think you should do is seek legal clarification and clearance from reputable and suitably knowledgeable solicitors (or barrister) to reassure us that us, your customers, and our employers are not at risk.
I believe this to be urgent and I hope you will give it the highest priority.
Thanks
Could you reference where you have seen such phrases, as I can’t recall Monzo ever implying that they have access to our contact data in a way they can use it. I’d be interested to understand this further.
On the issue more generally, if you have these concerns you should to start with deny Monzo access to your contacts (the first time it tries to access them, your phone should put up a dialogue asking for Monzo to have permission). Then, once (if?) you are satisfied with how Monzo handles these data, you can enable it in the future.
Also, as a warning if you’re worried about sharing your contacts’ data with third parties (which I agree is a legitimate concern, and one I share): many chat, social network, and other apps will demand access to your contacts, and they do upload all details to a server in a way that the service can see and use these details (unlike Monzo’s approach where they essentially have a list of random strings). You need to be very careful what apps you use, and which you grant permission to access your contacts.
I’m not an expert, but the training I’ve had on GDPR has indicated that it’s about other people’s personal data. A random set of characters derived from their personal data is not in itself their personal data because:
It can’t be tied back to them, except by yourself (who already hold the personal data).
It is meaningless to them. You could put the string on the front page of your website, and no one could do anything with it.
I guess I’ll put it here as well, but is there any chance of hiding the “invite” contacts bit? It makes Monzo look more like a social media network than a bank.
Additionally Monzo themselves only store the hashes of people who are already customers.
The app on your phone generates a hash, and then only sends part of it to Monzo. Monzo then responds with matching full hashes which are compared on-device, none of which could be considered personally identifiable.
Monzo have stated that they will allow you to use the payments page without having “payments with friends” turned on, which will alleviate the concerns anyway.
If you read the rest of the post, it’s clear that Monzo never transmit any contacts’ personal data off of your phone. The statement about them not getting in touch without your permission is to let you know that they’re also not going to start using the contact data from within the app on your phone to contact people. But this post is very clear that personal data from your contacts does not leave your phone (for this feature, at least).
I think that Monzo could/should post a statement about how they treat data like your contacts and photos (basically anything they ask access to) on their Transparency page.
There’s a link at the bottom where you can post a request for further topics to be considered for the page.
Nobody is an expert on GDPR, because nobody has been sued under it yet. The indisputable point here is that, no matter how or where it happens, Monzo (an unknown third party as far as contacts on my phone are concerned) has matched data on my phone with data on lots of other phones and returned one of two results, both of which are new data.
Either my customers (and in return I) have a Monzo bank account, or my customers don’t have a Monzo account. This is NOT information I should have of my customers - either clients or candidates, and it was not given to me by my customer.
Yes, this is a good point. Though in this case it would be Monzo contravening the regulations (essentially providing someone else’s personal information to you, without their permission). There is a thread on GDPR, but it hasn’t got very far.
Not sure why not? When you enable P2P payments (they are disabled by default and opt-in), Monzo makes it clear that you will a) be able to see who of your contacts has Monzo b) vice versa. That would presumably be within GPDR as you are agreeing to those terms?
I mean it says “People with your phone number will be able to see you are on Monzo”:
Good point. Only those who have opted in will show up on your contacts list, and by opting-in, they are giving permission for this information to be shared.
I am really confused with what the actual issue is here.
user A signs up to Monzo
user A wants to use Monzo with friends (agrees anyone with their phone number and also on Monzo will see them and can send money to them). Opt in consent.
user B signs up to Monzo
user B wants to use Monzo with friends (agrees anyone with their phone number and also on Monzo will see them and can send money to them). Opt in consent.
User A and user B can now see each other as they have both agreed to share the fact they have a Monzo account because they have each other’s number in their contacts. Both provided consent for this.
I see no fault on Monzo’s in this as they are covered by the opt in consent. And if a user does not want to publicise they have a Monzo account to other Monzo users they simply do not opt in (or opt out).
Can consent given in a private and personal capacity be used as part of a business relationship? Should my business GDPR declaration say, “and if you have a Monzo account I will know about it” since my business is responsible for knowing what data is stored, how it is stored, how it is used (and clearly it is used here by Monzo), map the data flows… and so it goes on.
We are all guessing. I have suggested to Monzo that they ask their solicitors, Taylor Wessing, to think about this and give us, the customers, a considered and reasoned view.
I think the issue here is your use of your customers personal data, which is your responsibility.
You should probably have (on Android) two separate Google Accounts which you can switch between on your phone which will firewall your business contacts from your personal contacts (and allow you to have the Monzo app logged in on one account, but not on your personal account).
I’m afraid I fail to see how this is Monzo’s fault/problem?
