The Payment Services Directive 2 (2015/2366) (PSD2), which amended the earlier Payment Services Directive and is due to be implemented by member states shortly, has recently been the subject of much debate at the European Commission as regards its interpretation.
In June 2016 the Justice and the Finance departments met in Brussels to debate, amongst other things, Article 94 of PSD2 which covers data protection. Article 94 states that “payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user”. EU officials are concerned that there are differing views within member states as to the meaning of “explicit consent” and that there needs to be clarification.
The recitals to PSD2 make it clear that data protection and human rights of users must be respected and that PSD2 has to sit alongside existing member state data protection laws.
It seems odd that PSD2 requires explicit consent from payment service users to the processing of their personal data in the provision of services that they will have themselves requested. Perhaps PSD2 intended that explicit consent would be needed if payment service providers were using personal data for purposes other than the initial provision of payment services. That would certainly be the interpretation from a strict data protection law point of view.
Apart from the question of explicit consent, payment service providers will, for legitimate purposes, process customers’ personal data and retain it for corporate governance and other regulatory purposes. Consent should therefore not be the only critical data protection component under PSD2.
How personal data is managed under PSD2 will be a matter for continuing discussion, particularly with the impending implementation of the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. GDPR is intended to encourage legitimate interests as a mechanism for processing personal data alongside consent, and is also intended to encourage the free flow of data within the European Union.