The second Payment Services Directive (PSD2) includes requirements on the processing of data, but those requirements do not sit comfortably alongside the General Data Protection Regulation (GDPR).
Payment service providers, lawyers and regulators have been wrestling with the interaction for some time and now the European Data Protection Board (EDPB) – which replaced the Article 29 Working Party (WP29) earlier this year – has joined the fray.
The EDPB is composed of representatives from the national data protection authorities and the European Data Protection Supervisor and so its views carry significant weight.
But do they provide answers or just add to the confusion?
The EDPB has weighed into the debate in a letter dated 5 July 2018, to Sophie in 't Veld, a member of the European Parliament, in which it responds to some of the issues that have been raised in relation to the protection of personal data under PSD2.
The questions have arisen because PSD2 both includes specific obligations on payment service providers (such as requiring "explicit consent" for the provision of payment services), and also states that the processing of personal data for the purposes of PSD2 must be compliant with EU data protection law.
A key issue relates to the use of the concept of "explicit consent" both under PSD2 and the GDPR and whether it should be interpreted in the same way in both pieces of legislation.
In line with the approach taken by the majority of the payment services industry, the EDPB confirmed that "explicit consent" under Article 94(2) of PSD2 is an additional "contractual consent" and a concept separate from "explicit consent" under the GDPR.
In its view, customers entering into a contract for payment services must be fully aware of the purposes for which their personal data will be processed and explicitly agree to those clauses.
While the EDPB stated that such clauses should be "clearly distinguishable" from other matters dealt with in the contract, it has not offered guidance as to what this means or how this can be achieved.
The board also acknowledged that the further processing of personal data for other purposes (not necessary for the performance of the contract) could be based on consent under the GDPR provided the relevant conditions and requirements are respected.
Briefly touching on the issue of special categories of personal data, the EDPB simply noted that the specific conditions under Article 9 of the GDPR must be satisfied.
Under the GDPR, a lawful basis for processing is required in order to process personal data.
The first issue this requirement has created is uncertainty as to whether the processing of personal data of "silent parties" is legitimate when explicit consent for the processing of personal data has been given only by another person.
An example of this scenario under PSD2 would be where Person A (a customer or payment service user) has given explicit consent to a Payment Initiation Service Provider (PISP) to process their personal data for the performance of that service in accordance with Article 94(2) of PSD2.
When Person A uses the services of a PISP to transfer money to Person B, and there is no contractual relationship between Person B and the PISP, the question is whether the PISP can also process the data of Person B – the "silent party" – in order to make the transfer, relying on the "legitimate interest" ground for processing under Article 6(1)(f) of the GDPR.
The EDPB makes it clear that a lawful basis for the processing of silent-party data, by PISPs or Account Information Service Providers (AISPs), could be the legitimate interests of that PISP or AISP to perform the contract with the service user, but only where:
- the legitimate interest of the AISP/PISP "is not overridden by the interests or fundamental rights and freedoms of the data subject [the customer and the silent party – Person B] which require protection of personal data" (Article 6(1)(f));
- the processing of personal data is both necessary and proportionate, and in line with the other principles of the GDPR, such as purpose limitation, data minimisation and transparency;
- the legitimate interest of the AISP/PISP is limited and determined by the reasonable expectations of the customer/payment service user and of the silent party; and
- the data is not used for a purpose other than that for which it was collected, given the restrictions on processing set out in Article 66(3)(g) and Article 67(2)(f) of PSD2, and given that customers/payment service users do not reasonably expect any further processing.
Implementation by payment service providers
The second question put to the EDPB was whether "banks are sufficiently cooperative in establishing secure interfaces and avoiding alternative, less secure, methods of accessing account data".
In response, the EDPB has made it clear that it is not within the remit or competence of data protection authorities to assess, from a competition law perspective, whether banks are sufficiently co-operative in establishing such interfaces.
However, the question of whether the interfaces that are, or will be, developed by banks are sufficiently secure from a data protection perspective is within its remit and competence.
The EDPB states that data protection authorities are competent to assess whether banks provide a level of protection of personal data that is in line with the GDPR and may decide to take appropriate action if there is any doubt regarding the safety of these new interfaces.
The EDPB also points to Articles 25 and 32 of the GDPR, which oblige banks to implement data protection by design and by default and to ensure a level of security appropriate to the risk.
The approach taken throughout the EDPB's response letter – which largely reflects the pragmatic approach taken by the industry in implementing PSD2 – is to be welcomed.
While the EDPB has not said anything obviously unhelpful, neither has it provided proactive guidance that moves the open issues forward significantly. As a result, payment service providers remain, to some extent, in limbo.
The EDPB does, however, suggest that there may be grounds for "fruitful" interaction between EU data protection and financial supervision authorities with a view to establishing a co-ordinated approach aimed at ensuring strengthened and consistent consumer protection.
So it may well be that there is more to come from the EDPB on the interaction between PSD2 and the GDPR.
Watch this space!
For a comprehensive and interactive look at all European and UK legal provisions relating to PSD2, together with latest news and insight from the Hogan Lovells Team, take a look at our PSD2 Toolkit.