In the first half of 2018, the second Payment Service Directive came into force (PSD2), and few months later the General Data Protection Regulation became applicable (the GDPR) Within this article the relationship between PSD2 and the GDPR is discussed, as well as the way in which fintech business activity affects processing of personal data of users of payment services.
The aim of PSD2 is to include third parties within the usual framework of payment services and thus create a regulatory framework that would allow new services on the market. It creates the obligation of payment service providers to grant third parties (Third Party Providers – TPPs) the access to payment accounts that belong to payment service users. Aforementioned third parties, i.e. TPPs, are: a) account information service providers and b) payment initiation service providers.
Such grant of access to payment account data also enables the access to personal data and, therefore, the GDPR is applicable alongside PSD2. While the purpose of the GDPR has been to regulate personal data processing, PSD2 created regulated approach to personal data within the framework of payment services. The aim of PSD2 was to strengthen the competition and innovation on the European market of payment services by allowing TPPs to enter the payment market. Many users began to wonder how this access to personal data will affect their privacy and certain questions have been raised regarding the application of PSD2 and the GDPR in the context of personal data protection.
In its letter, the European Data Protection Board (the Board) answered to the enquiry made by the European Parliament member regarding some ambiguities that arise from PSD2. The Board provided certain guidelines regarding the interpretation of PSD2 in a manner that does not contradict the GDPR provisions.
The Board remarks that Article 94 of PDS2 prescribes that processing of personal data shall be carried out in accordance with the European data protection laws. PSD2 also prescribes the obligation to specify the precise purpose of the processing, to comply with the relevant security requirements laid down in the GDPR and to respect the principles of necessity, proportionality, purpose limitation, and proportionate data retention period. Additionally, data protection by design and data protection by default should be embedded in all data processing systems developed and used within the framework of the GDPR.
In Article 94(2), PSD2 prescribes that:
payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user.
Since PSD2 does not define the “explicit consent”, the matter of consent shall be examined within the context of the GDPR. In the GDPR consent is one of the six legal basis for processing of personal data, while in PSD2 consent is necessary for processing of personal data. Also, in accordance with the GDPR, consent can be withdrawn, and data subject can obtain permanent erasure of the data that was processed based on the consent. This is not always feasible within the framework of payment services, due to the regulations regarding the payment and regulations on anti-money laundering and countering financing of terrorism.
However, the Board has elaborated on this issue in its letter and clearly stated that there is substantial difference between the meaning of consent as laid down in PSD2 from the consent defined in the GDPR. Explicit consent, as laid down in PSD2, concerns the contractual consent, i.e. the consent of the parties required to conclude a contract. As PSD2 prescribes, payment services are always provided based on the contract between user of payment services and provider of payment services. Regarding the legal ground of processing of personal data, performance of the contract could be appropriate legal ground in accordance with the GDPR. The Board points out that, while concluding the contract with the providers of payment services, data subjects (users) must be fully aware of the purposes for which their personal data will be processed. This shall be accomplished by clearly distinguishing the consent clauses from other contractual clauses, and such clauses shall be explicitly accepted by the users of payment services. Explicit consent under PSD2 is therefore additional requirement of contractual nature and is not the same as the (explicit) consent under the GDPR.
Herein also arises the issue of silent party data, e.g. when the data subject utilises services of payment initiation service providers in order to transfer money to another natural person, the service provider must necessarily process the data of that other natural person in order to perform its service. The question is raised whether the TPP has the legal ground for processing such personal data. The Board has expressed opinion that personal data of that other natural person could be legally processed on the basis of the legitimate interest. Due care should be taken not to override the interests or fundamental rights and freedoms of data subjects. The processing also has to be necessary, proportional, and in line with other principles of the GDPR.
Furthermore, payment service providers and TPPs must establish a platform between themselves, i.e. interface, through which payment services are going to be provided. Regarding personal data protection, PSD2 introduces standards of effective procedures for incident management and stronger procedures for authentication.
Supervisory authorities are competent to evaluate whether data controllers and data processors take all the technical and organisational measures required to ensure the appropriate level of security and whether the data protection by design and by default has been employed.
In this respect, European Banking Authority (EBA), on 27th of November 2017, has set forth the Regulatory Technical Standards on strong customer authentication in a form of the amendment to the Directive (EU) 2015/2366.
PSD2 mentions special group of personal data named “sensitive payment data”. This data is defined as data, including personalised security credentials, which can be used to carry out fraud. Even though the terminology is similar, it is important to remark that this does not refer to special categories of data as defined in the GDPR.
PSD2 offers special protection to the sensitive payment data and determines that payment initiation service providers must not store sensitive payment data on the payments of users of payment services. Therefore, sensitive payment data is personal data with additional protection under PSD2.
Regarding the roles that the GDPR defines concerning the processing of personal data, payment service providers and TPPs will have to assess their mutual relationship on a case to case basis and determine whether the TPPs will be considered data controllers or data processors. In the event that TPPs also determine means and purposes of processing (which will likely occur in most of the cases), it will be necessary to assess whether they are separate controllers or joint data controllers with payment service providers. However, Articles 66 and 67 of PSD2 determine that provision of account information services shall not be dependent on the existence of a contractual relationship between TPPs and the account servicing payment service providers. This means that providers of payment services cannot refuse enabling TPPs access to the client’s data if they do not want to conclude a contract. Such inexistence of the obligation of concluding a contract can put many difficulties regarding burden of proof and accountability principle when it comes to personal data processing.