- PSD2 and the GDPR are complex legislation and the relationship between distinct provisions of each law and how they work together is not altogether clear, which has led to uncertainty for payment service providers (e.g., banks, standalone payment firms and the new PSD2 payment initiation and account information service providers).
- The draft guidelines propose narrow interpretations of the GDPR that, if adopted, would potentially increase the compliance burden on payment service providers.
- There are concerns in the payments sector that aspects of the draft Guidelines may be practically difficult to implement and unduly restrict future innovation. It is also clear that many banks, as account service providers, are concerned that the draft guidelines place a data protection burden on them as regards the new third party services under PSD2 that should more properly fall on those providers.
- The draft guidelines state that where there is a contract in place with the payment service user, the most appropriate lawful basis will be 'contract performance'. However, the EDPB emphasises that payment service providers must assess whether processing is objectively necessary for contract performance.
- Regarding the further processing of personal data, the EDPB points out that PSD2 and the GDPR restrict the possibilities for other purposes.
- The EDPB states that 'explicit consent' under PSD2 is different from (explicit) consent under the GDPR. However, when determining whether explicit consent has been given for the purposes of PSD2, the test is likely to be analogous with the test under the GDPR.
- The draft guidelines state that financial transactions can in some circumstances reveal 'special categories of personal data', the processing of which could be justified, provided that all conditions are fully met, via 'explicit consent' or the derogation that processing is necessary for 'substantial reasons of public interest'. If there is no derogation available, the EDPB requires putting in place 'technical measures' to prevent its processing.
- With regard to silent party data, the EDPB states that 'legitimate interests' could be a legal basis. However, it points out that effective and appropriate measures must be taken to ensure that reasonable expectations of silent parties are respected.
In more detail
The EDPB — the EU body composed of representatives of the data protection authorities of each Member State, responsible for the consistent application of the GDPR across Member States — published draft guidelines in July 2020. The public consultation period ended on 16 September 2020. Although the EBF has generally welcomed the draft guidelines, it has expressed certain concerns in its consultation response and emphasised that they should be coherent with payments regulation, its terminology and regulatory technical standards, for example, on Strong Customer Authentication.
PSD2, which provides a legal and regulatory framework for payment service providers offering payment services in the EU, stipulates that the processing of personal data must be in accordance with the GDPR and its principles of data protection, such as data minimisation, transparency, proportionality, storage limitation and security measures. The draft guidelines focus primarily on the processing of personal data by the providers of payment initiation and account information services that access customers' payment accounts. In general terms, the draft guidelines interpret both PSD2 and the GDPR narrowly (consistent with the approach taken in previous guidance from the EDPB and Article 29 Working Party), thereby restricting and making more burdensome the ability of payment service providers to process personal data. As the draft guidelines focus on the new PSD2 services, the EBF calls for greater clarity on the use of terminology and to what extent they apply to conventional payment firms and banks.
Payment service providers will act either as a controller or as a processor under the GDPR. The EDPB does not discuss these roles further in the draft guidelines, but instead notes it is currently working on guidelines on the concepts of controller and processor under the GDPR (which have in the meantime been published —see here— but they discuss the roles in general). Since various actors are involved in providing the payment services, the EBF suggests being clear on the addressees of the various obligations.
From a GDPR perspective, it is necessary to rely on a legal basis to process personal data, such as one of six legal grounds under Article 6 of the GDPR.
Necessary for the performance of a contract
Where there is a contract in place with the payment service user, in the EDPB's view, the most appropriate lawful basis will generally be that processing is necessary for the performance of a contract for payment services to which the payment service user (the data subject) is a party. The EDPB expressly refers to its earlier EDPB guidelines (2/2019) to make clear that this does not cover processing which facilitates a payment service provider's other business purposes, but which is not 'objectively' necessary to perform the contractual service. The EDPB's position on the scope of the 'necessary for performance of a contract' is consistent with previous guidance on this topic and reiterates that this lawful basis should be interpreted narrowly. In particular, as regards additional services that are not among those defined and regulated by PSD2, but incorporated into the contract as an additional service, the EDPB emphasises that payment service providers must assess whether processing is objectively necessary for the performance of the contract and, if not, find another legal basis.
Further processing of personal data
The GDPR also allows for the further processing of personal data for a purpose other than that for which it has been collected, provided the other purpose is compatible with the one for which it was initially collected. However, in the EDPB's view, PSD2 restricts the processing possibilities for other purposes. This is because it provides that data is not to be used for any purpose other than for the provision of the service requested by the payment service user and, thus, other purposes are not compatible. This means that, for further processing, the user must either consent under Art. 6 (1) lit. a of the GDPR or the processing must be laid down in EU or Member State law to which the controller is subject, such as legal obligations regarding anti-money laundering or terrorist financing. Where a payment firm relies on consent, it must meet the requirements of consent and, in particular, show that the payment service user had a genuine choice. The EBF takes issue with the EDPB on the basis that its interpretation would prevent a number of important and 'legitimate' processing activities. The EBF argues that the concept of 'further processing' and the limitations in PSD2 should be interpreted more broadly.
The draft guidelines note that an account service provider, typically a bank, granting access to necessary personal data requested by a payment initiation or account information service provider should be able to rely on Art. 6 (1) lit. c of the GDPR, namely that the processing is necessary for compliance with a legal obligation to which the controller is subject. Under PSD2, as transposed into national law, the account service provider must provide certain personal data to a payment initiation or account information service provider so that it can provide its payment services.
Both the GDPR and PSD2 include the concept of 'explicit consent'. The GDPR sets a high standard for 'consent' that, if relied on as a legal basis for processing under Art. 6 (1) lit. a of the GDPR, must be freely given, specific, informed and unambiguous. Art. 94 (2) PSD2 requires payment service providers to obtain the explicit consent of payment service users to access, process and retain their personal data. The draft guidelines helpfully clarify that the standard of explicit consent required under PSD2 is not the same as that required under the GDPR and that these are different in nature.
As mentioned above, the draft guidelines confirm that the most appropriate legal basis for processing personal data in this context is generally where it is necessary for the performance of a contract. In the view of the EDPB — and that of the EBF — consent under PSD2 should not be seen as an additional legal basis for processing personal data nor be on the same footing as explicit consent under the GDPR, but as an additional contractual requirement.
According to the EDPB, 'explicit consent' in Art. 94 (2) PSD2 should be interpreted in a manner that when payment service providers enter into a contract, those customers must know (1) the specific categories of personal data that will be used and (2) the purpose of the specific payment services, and customers must explicitly agree to these clauses. The objective of explicit consent under PSD2 is to authorise payment service providers to access customers' personal data held by account providers before they actually process it, and the giving of consent obliges a bank to give access.
Although it is helpful that the EDPB has confirmed 'explicit consent' as referred to in PSD2 is a 'contractual consent', rather than consent as interpreted from a GDPR perspective, given the EDPB's comments regarding special categories of personal data, discussed further below, it may be that in practice explicit consent from a GDPR perspective is required in any event, depending on the context. In addition, although explicit consent required under PSD2 is not the same as defined under the GDPR, in practice the test over whether explicit consent has been given for the purposes of PSD2 is likely to be analogous with the test under the GDPR. Finally, it is suggested that these contractual clauses should be clearly distinguishable from those relating to data protection — something which the EBF views as unnecessary and potentially confusing for payment users.
Special categories of personal data
PSD2 contains a definition of 'sensitive payment data' but this relates to personalised security credentials that could be used to carry out fraud, and is different from the concept of 'special categories of personal data' as set out in Art. 9 (1) of the GDPR.
The draft guidelines state that financial transactions can sometimes reveal 'special categories of personal data' about individuals from a GDPR perspective, for example the payment of medical bills, donations to political parties or payments to trade unions, etc. Since, in the EDPB's view, it is highly likely that financial transactions can reveal special categories of personal data, payment service providers are advised (assuming they have not already) to carry out a Data Protection Impact Assessment to map out and categorise what kinds of personal data they will be processing. Subject to derogations under Art. 9 (2) of the GDPR, the processing of special categories of personal data (e.g., revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, etc.) is prohibited under the GDPR.
In this context, the EDPB states that to process special categories of personal data, either explicit consent or the derogation that the processing is necessary for reasons of substantial public interest on the basis of EU or national law could suffice. Where payment service providers cannot rely on a suitable derogation, they need to put in place 'technical measures' to prevent its processing. Whether this is possible from a practical standpoint is not clear. The EBF and other respondents argue that financial transaction data is not in itself a special category of personal data. They recommend revising the draft guidance to the effect that payments data is not inherently a special category unless the controller is processing the data to derive such inferences. In any event, the EBF argues that bank account providers may do so. This is on the basis that they are under a legal obligation in PSD2 to comply with third-party provider requests and the GDPR allows processing as PSD2 is an EU law with a public interest objective (i.e., greater consumer control over data and market competition). More specifically, the legal obligation under PSD2 is to provide the same information to the third-party provider as the payment service user has access to online.
Click here to access Full Alert.