The European Data Protection Board’s (EDPB) draft guidelines on the interplay of the second Payment Services Directive (PSD2) and the EU’s GDPR (GDPR) provide helpful guidance to “Payment Initiation Service Providers” (e.g., Revolut, Stripe and Worldpay) (PISPs) and “Account Information Service Providers” (e.g., Revolut, Stripe and Xero) (AISPs).
However, as expected there are areas which have caused concerns/issues. Unlike other guidelines, these aren’t too long so its fairly easy to extract the key points:
- The main focus of the guidance is on the processing of personal data by PISPs and AISPs. It also provides some limited guidance for “Account Servicing Payment Service Providers” (ASPSPs) (e.g., banks).
- The main lawful basis which PISPs and AISPs should use to process personal data of “payment service users” (PSUs) should be performance of a contract – stating that payment services are “always provided on a contractual basis” and highlighting that the purpose of the PSD2 is the “contractual obligations and responsibilities” between the PSU and the PISP/AISP. However, there will undoubtedly be some processing of personal data that doesn’t satisfy the requirements of Article 6(1)(b), and therefore other legal basis should be considered (without specifying what, but highly likely will include legitimate interests and compliance with a legal obligation).
- Any further processing of personal data by PISPs/AISPs for the purposes of complying with money laundering or terrorist financing laws would satisfy the requirements of Article 6(4) of the GDPR (which allows controllers, like PISPs/AISPs, to process personal data for a purpose other than that for which the personal data have been collected). Because PSD2 only permits PISPs/AISPs to use, access and store a PSU’s personal data for the purposes of providing (as applicable) payment initiation services or account information services (both, at the request of the PSU) any further processing of personal data by them for any other purpose (e.g., marketing other services) is not allowed unless the PSU has consented or such is permitted by EU or Member State law.
- The lawful basis for ASPSPs to grant PISPs/AISPs access to a PSU’s personal data will be based on a legal obligation (i.e., the national law(s) transposing PSD2).
- The use of “explicit consent” in PSD2 (Article 94(2)) is different to the concept of explicit consent under the GDPR. This is a welcomed clarification.
- The lawful basis for PISPs/AISPs processing personal data relating to a “silent party” (e.g., a data subject who a PSU has made a payment to) is likely to be legitimate interests, but only if the legitimate interests of the PISPs/AISPs do not override the interests or fundamental rights and freedoms of the silent party. The EDPB states that silent party personal data cannot be used for purposes other than that for which the personal data have been collected, save where such is permitted by EU or Member State law (e.g., PISPs/AISPs would be unable to market their services to a silent party).
- Financial transactions could reveal sensitive information about a PSUs religious beliefs or trade union membership if (as applicable) they make donations or deductions for annual membership are taken from the PSU’s bank account. Behavioural patterns of PSUs could also be revealed. This means PISPs/AISPs would need to seek explicit (GDPR) consent under Article 9(2)(a) before they could process such personal data. As a result, ASPSPs should implement digital filters to remove such personal data. This seems to be going a step too far – are AISPs/PISPs really going to be able to make such assessment? How can ASPSPs implement digital filters when PSD2 requires them to allow access to account information “as is”. And how would ASPSPs explain the rationale to PSUs who have moved to “open banking” for the sole purpose of seeing all their account information in one place? Let’s hope the EDPB sees sense on this particular aspect.
- Strong security measures must be put in place by PISPs/AISPs because processing financial data is connected to a variety of severe risks (e.g., identity theft and theft of funds). This isn’t telling PISPs/AISPs anything that they didn’t already know.
- Controllers of online payment services – so not just PISPs/AISPs – should use layered privacy notices rather than displaying all information is a single notice, as well as ASPSPs providing PSUs with a privacy dashboard that allows them to view privacy information and manage their privacy preferences (e.g., denying access to their payment accounts to one or more PISPs/AISPs). A number of online payment service providers aren’t using layered privacy notices but some do provide privacy dashboards.
If you are an AISP or PISP and would like any further information or advice on the interplay between PSD2 and the GDPR, please contact us.
Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.