In response to questions from a Member of the European Parliament, the European Data Protection Board (EDPB) has provided much-needed clarification, in an open letter, on the overlap between the General Data Protection Regulation (GDPR) and the EU Payment Services Directive (PSD2). As we identified in a previous blog post on this topic, the interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns. The EDPB’s letter aims to clarify some of these difficult compliance questions.
As identified in our previous blog post, one of the difficulties with aligning the two pieces of legislation is the extent to which “explicit consent” is required under both. It is unclear from the legislation whether, when customers consent to sharing their data in the context of payment services, the processing of that data for GDPR purposes is then based on that same consent rather than on another lawful basis. As we previously identified, there are many other lawful bases on which personal data can be processed under the GDPR which are much more desirable, such as where processing is necessary to perform a contract. Where the data is processed on the basis of a customer’s consent, this potentially entitles the customer to many additional rights, such as the right to deletion.
The EDPB was asked to clarify this overlap, and now advances an interpretation according to which the “explicit consent” referred to in Art. 94 of PSD2 in relation to personal data is in fact not a consent for the processing of personal data, but is instead a contractual consent. The EDPB states that “[p]ayment services are always provided on a contractual basis between the payment services user and the payment services provider.” As such, the relevant lawful basis under the GDPR is that it is necessary for the performance of a contract.
The EDPB does further state, however, that PSD2 should still be interpreted in accordance with the data protection legal framework. As such, when entering into a contract with a payment service provider, the customer should be “made fully aware of the purposes for which their personal data will be processed and have to explicitly agree to these clauses. Such clauses should be clearly distinguishable from the other matters dealt with in the contract and would need to be explicitly accepted by the data subject.”
The EDPB also clarified that “authentication”, for which the Regulatory Technical Standards on Strong Customer Authentication provide the relevant standards and procedure, is merely a “technical measure” that ensures that consent from the legitimate user of the service is obtained, and should “not be confused with the consent itself.”
Silent party data
Another question put to the EDPB is the extent to which the processing of personal data of “silent parties” is legitimate where only the explicit consent of one party has been obtained. This issue arises where a customer consents to using a payment service, but as a natural part of that process the personal data of other third parties will also be processed, for example to effect a payment made by that customer to a third party or vice versa. That third party, however, has not consented to the arrangement. The EDPB clarifies that in this context the lawful basis for processing silent parties’ personal data could be the legitimate interest of a controller or a third party. This processing will then be “limited and determined by the reasonable expectations of the data subjects.” Processing of that silent party data is strictly limited to the purpose for which it was collected, and it should not be further processed for any other purpose.
Position of banks
The EDPB was also asked to clarify whether “banks are sufficiently cooperative in establishing secure interfaces and avoiding alternative, less secure, methods of accessing account data.” The EDPB acknowledged that this touches on competition concerns, i.e., where a bank is required to share data with third-party providers but refuses because it is under competing obligations to ensure the security of personal data. In this context, the EDPB states that this question is better posed to a competition regulator. However, the EDPB does warn that data protection authorities are fully competent to assess whether banks are ensuring a level of protection in line with the GDPR. Banks need to have in place measures that ensure “a level of security appropriate to the risks” and must implement privacy by design and privacy by default to protect the rights of their customers. Data protection authorities may take action where banks are not complying with these requirements.
The EDPB will continue to monitor discussions on this topic, and it encourages “fruitful interaction” between EU data protection and financial authorities to ensure a coordinated approach.
As ever, we will continue to monitor key developments in relation to the GDPR and PSD2, and will provide further updates.