In response to questions from a Member of the European Parliament, the European Data Protection Board (EDPB) has provided much needed clarification on the overlap between the General Data Protection Regulation (GDPR) and the EU Payment Services Directive (PSD2) in an open letter. As we identified in a previous blog post on this topic, the interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns. The EDPB’s letter aims to clarify some of these difficult compliance questions.
Continue Reading European Data Protection Board Provides Clarification On PSD2
The GDPR and Blockchain
Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”. Its most famous use is its role as the architecture of the cryptocurrency Bitcoin, however it has many other potential uses in the financial sector, for instance in trading, clearing and settlement, as well as various middle- and back-office functions. Its transformative capability also extends far beyond the financial sector, including in smart contracts and the storage of health records to name just a few.
A blockchain is a shared immutable digital ledger that records transactions / documents / information in a block which is then added to a chain of other blocks on a de-centralised network. Blockchain technology operates through a peer network, where transactions must be verified by participants before they can be added to the chain.
Notwithstanding its tremendous capabilities, in order for the technology to unfold its full potential there needs to be careful consideration as to how the technology can comply with new European privacy legislation, namely the General Data Protection Regulation (the “GDPR”) which came into force on 25 May 2018. This article explores some of the possible or “perceived” challenges blockchain technology faces when it comes to compliance with the GDPR.
Overlap Between the GDPR and PSD2
The Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly consents to such disclosure. The new legislation is intended to improve competition and innovation in the EU market for payment services. The General Data Protection Regulation (GDPR), which is due to take effect from May 25, 2018, enhances individuals’ rights when it comes to protecting their personal data. The interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns.
For example, where banks refrain from providing TPPs access to customer payment data for fear of breaching the privacy rights of their customers under the GDPR, competition authorities may consider this a breach of competition law. This concern is already becoming a reality for banks – on October 3, 2017, the European Commission carried out dawn raids on banking associations in Poland and the Netherlands following complaints from fintech rivals that the associations were not providing them with what they considered legitimate access to customer payment data.