
PSD2 and Interplay with GDPR: Payments and Privacy

BlockSuits

Background on the PSD2


The European Data Protection Board (‘EDPB’) adopted Guidelines 06/2020 (‘Guidelines’) on the interplay of the Second Payment Services Directive (‘PSD2’) and the General Data Protection Regulation (‘GDPR’) on July 17, 2020; the Guidelines are currently open for public consultation. While the GDPR provides a comprehensive legal framework for the processing of personal data, the PSD2 provides a legal framework across the European Union (‘EU’) for modern payment systems and aims to ensure legal certainty in all processes that connect these payment systems with merchants, consumers and other parties. The PSD2 is even more important for the open banking regime, as it allows merchants or ‘payment service providers’ access to the payment accounts of data subjects. While this access is essential for providing modern payment services, it raises concerns about data protection and compliance with the GDPR. Data protection requirements have been embedded in the PSD2 itself through clauses such as Recital 89, which states that the processing of personal data shall be done only after specifying the purpose and after implementing the relevant security requirements laid down in the GDPR. Recital 89 of the PSD2 also provides for privacy by design to be implemented. Moreover, Recital 93 of the PSD2 states that payment initiation service providers (‘PISPs’), account information service providers (‘AISPs’) and account servicing payment service providers (‘ASPSPs’) should follow all regulatory technical standards and data protection requirements provided in the PSD2.


The PSD2 and the GDPR may often be viewed as being in contrast with each other. This is because, while the GDPR places control over the processing of data in the hands of the data subject, the PSD2 gives entities and service providers access to personal data and also requires them to share such personal data with third parties in order to foster competition and innovation.


Previously, stakeholders in the payments industry, especially open banking service providers, have cited concern over the current form of the PSD2 with regard to ensuring user privacy. The Regulatory Technical Standards for the PSD2 came into force in September 2019; however, there have been significant delays in the enforcement of these standards. Specifically, in the open banking context, concerns have been raised that banks often did not maintain a ‘register’ of all third parties that have access to consumers’ financial data. Moreover, the banks should also be informed of the exact nature of the data that has been provided to such third parties. In order to provide answers and to structure access to data in a better manner, the Guidelines introduced by the EDPB were released to ensure further compliance with the GDPR.


The Guidelines


The Guidelines emphasize the processing of personal data and various other processing activities in the context of the PSD2. The Guidelines state that data controllers must ensure compliance with the GDPR and also with Directive 2002/58/EC of the European Parliament (‘ePrivacy Directive’). The Guidelines are mainly focussed on the processing of personal data by AISPs and PISPs. The Guidelines provide for the furtherance of the following data protection principles:


Lawful Grounds and Further Processing of Data under PSD2


The GDPR has already classified the lawful grounds for the processing of personal data under Article 6. One of these grounds, provided under Article 6(1)(b) (processing is necessary for the performance of a contract), is the processing of personal data on the basis of the contractual relationship. The PSD2 signifies that it only concerns itself with the contractual obligations between the consumer and the payment service provider. In this regard, the data controller must establish that the main object of the contract between consumers and service providers could not be performed unless the processing of data took place. Article 6(1)(b) of the GDPR does not cover processing which is merely useful but not objectively necessary for the performance of the contract. Emphasis is also placed on Article 7(4), under which the EDPB, through Guidelines 2/2019, made a distinction between processing activities that are necessary and terms that make the service conditional on processing activities which may not be necessary for the performance of the contract. In this regard, the term ‘necessary for performance’ goes beyond the mere existence of a contractual clause; a simple reference to data processing in a contract is not enough, and the controller shall be able to demonstrate why the processing is necessary for performance. The Guidelines also go on to provide lawful grounds for granting access to ASPSPs. The Guidelines place emphasis on the rights guaranteed under Articles 66(1) and 67(1) of the PSD2. In this regard, the ASPSPs must provide personal data for PISP and AISP services.


Explicit Consent


The GDPR emphasizes obtaining the explicit consent of data subjects. The Guidelines also reiterate the manner in which consent shall be obtained, mainly providing that consent can only be a lawful basis if the “data subject is offered control and a genuine choice with regard to accepting or declining the terms offered or declining them without detriment”. However, it is noted that both the GDPR and the PSD2 provide for the concept of ‘explicit consent’, making the regime complex. A question in this regard arises as to whether explicit consent as provided under Article 94(2) of the PSD2 shall be interpreted in the same manner as under the GDPR. The PSD2 provides an exhaustive list of activities for which the processing of personal data shall be permitted. In this sense, explicit consent in the context of the PSD2 is a contractual consent, which means that data subjects shall be made aware of the categories and instances of data that shall be processed for providing payment services. Explicit consent in the PSD2 relates to obtaining access to personal data for the purpose of payment services. Hence, Article 94(2) of the PSD2 should be assessed as an additional requirement of a contractual nature when providing a payment service.


Processing of ‘Silent Party Data’


The Guidelines address the much-debated issue of privacy concerns around silent party data. Silent party data is defined as “personal data concerning a data subject who is not the user of a specific payment service provider, but whose personal data are processed by that specific payment service provider for the performance of a contract between the provider and the payment service user”. For example, if data subject A has utilised the services of an AISP, and data subject B has initiated a payment towards data subject A, then data subject B shall be regarded as a silent party. In this context, Article 6(1)(f) of the GDPR states that the processing of silent party data may be permitted when data controllers or third parties are pursuing a legitimate interest and such legitimate interests do not override the rights of the data subjects. In the context of the PSD2, such processing of silent party data may be done when PISPs and AISPs have legitimate interests in performing the contract with the payment service user. Controllers in this regard shall establish security and technical measures to ensure the rights of the data subjects.


Processing of Special Categories of Data


It is possible that certain financial transactions reveal sensitive personal information about data subjects. An example is donations, which may reveal political inclinations or religious beliefs. Similarly, hospital bills may reveal facets of health data. The EDPB notes in this regard that the definition of ‘sensitive payment data’ in the PSD2 is considerably different from the definition of ‘sensitive personal data’ in the GDPR. The PSD2 refers to “data, including personalized security credentials which can be used to carry out fraud”, while the GDPR is focussed on providing special protection for special categories of personal data. Considering this, the EDPB states that payment service providers shall map out the nature of their processing to assess what kind of data may be processed. This may be done by conducting a Data Protection Impact Assessment (‘DPIA’). In the context of the processing of special categories of personal data, the service provider shall also take note of the explicit consent of data subjects and of any substantial public interest.


Data Minimisation, Security, Transparency, Accountability, and Profiling


In the open banking regime, various entities utilise financial data for the purpose of advertising and profiling. Considering the vast amounts of data that may be made available to AISPs, PISPs, ASPSPs and third parties, the EDPB places emphasis on the data minimisation principle enshrined in Article 5(1)(c) of the GDPR. In this regard, controllers shall only process such data as is necessary to achieve the specific purpose, and their technologies and systems shall also have built-in data protection standards. Emphasis is placed on Article 25 of the GDPR, which provides for data protection by design and by default; the data controller shall ensure appropriate compliance with technical standards. Payment service providers shall also take into account unlawful access to financial data, which may pose severe risks beyond just the loss of identity. Payment service providers shall implement procedures against unauthorised access to data.


BlockSuits Comments


Financial data has become extremely important for various entities in the European Union. Moreover, in countries such as Sweden, where merchants prefer cashless payments, adequate measures have to be ensured in order to protect user data and prevent any unlawful access. The Guidelines provided by the EDPB do answer some pressing questions, but mainly state that all rights of data subjects provided by the GDPR shall also be applicable under the PSD2. The conduct of a DPIA is essential to understand and obtain the explicit consent of the data subject. Most stakeholders in the payments industry have called for a ‘PSD3’ which will resolve more of the issues faced by service providers, especially with regard to the list of processing activities set out under the GDPR and the PSD2.


Authored by Samaksh Khanna, Co-founder and Shivani Agarwal, Founder.
