Questions continue to arise over the interplay of the second Payment Services Directive (PSD2) with the General Data Protection Regulation (GDPR). Both PSD2 and the GDPR are complex pieces of legislation, and the relationship between distinct provisions of each law, and how they work together, is not altogether clear. This has led to uncertainty for payment service providers, including banks. For example, when is “consent” required to access payment data, and what does consent mean? To this end, the European Data Protection Board (EDPB) — the EU body composed of representatives of the data protection authorities of each Member State, responsible for the consistent application of the GDPR across Member States — has published draft guidelines for consultation; that consultation has now closed. A number of firms and industry bodies, however, have voiced concerns over the workability of the draft guidelines for providers. For example, the European Banking Federation’s (EBF) response emphasises that the draft guidelines should be coherent with payments regulation, its terminology and its regulatory technical standards, in particular those on Strong Customer Authentication.

PSD2, which provides a legal and regulatory framework for payment service providers offering payment services in the EU, stipulates that the processing of personal data must be in accordance with the GDPR and its principles of data protection, such as data minimisation, transparency, proportionality, storage limitation and security measures. The draft guidelines focus primarily on the processing of personal data by the providers of payment initiation and account information services that access customers’ payment accounts. In general terms, they interpret the GDPR narrowly (consistent with the approach taken in previous guidance from the EDPB and Article 29 Working Party), thereby restricting and making more burdensome the ability of payment service providers to process personal data. There are concerns in the payments sector that the draft guidelines may in certain respects be practically difficult to implement and unduly restrict future innovation. It is also clear that many banks, as account service providers, are concerned that the draft guidelines place a data protection burden on them as regards the new third-party services under PSD2 that should more properly fall on those providers.

A good example of these issues concerns the legal grounds under Art. 6 of the GDPR that permit the processing of personal data. Where there is a contract in place with the payment service user, in the EDPB’s view the most appropriate lawful basis will generally be that processing is necessary for the performance of a contract for payment services to which the payment service user (the data subject) is a party. The EDPB expressly refers to its earlier 2019 guidelines to make clear that this does not cover processing which facilitates a payment service provider’s other business purposes but which is not “objectively” necessary to perform the contractual service. The EDPB’s position on the scope of the “necessary for performance of a contract” basis is consistent with previous guidance on this topic and reiterates that this lawful basis should be interpreted narrowly. In particular, as regards additional services that are not among those defined and regulated by PSD2 but are incorporated into the contract as an additional service, the EDPB emphasises that payment service providers must assess whether processing is objectively necessary for the performance of the contract and, if not, find another legal basis.

With COVID-19 accelerating digitalisation on the one hand, but the risk of IT outages and cyberattacks growing on the other, the draft guidelines also reiterate the importance of payment service users pursuing high security standards. The guidelines consider that, given the amounts of data involved, a personal data breach could significantly affect the data subject’s daily life and cause them financial loss or other harm. The EDPB warns that service providers will be held to high standards, including over Strong Customer Authentication mechanisms, as well as high security standards for technical equipment.

Author

Sue is a Partner in our Technology practice in London. Sue specialises in major technology deals including cloud, outsourcing, digital transformation and development and licensing. She also advises on a range of legal and regulatory issues relating to the development and roll-out of new technologies including AI, blockchain/DLT, metaverse and crypto-assets.

Author

Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.

Author

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in Web 2.0. From July until December 2014 she practised at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and has been a Certified Information Privacy Professional/Europe (CIPP/E) since May 2015 and a Certified Information Privacy Professional/United States (CIPP/US) since May 2017. She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English-language commentary on the EU General Data Protection Regulation.