On 28 June 2023, the European Commission (EC) published its proposed revisions to the current EU payment services legislation, the second Payment Services Directive (PSD2), in a package that includes the proposed Payment Services Regulation (PSR proposal) and the third Payment Services Directive (PSD3 proposal). The Plenary of the European Parliament (EP) adopted its final report on the PSR Proposal on 23 April 2024.
Some data protection lawyers are following these developments and the new proposals with great interest, because there has been notable friction and continued discussion regarding the interplay between the General Data Protection Regulation (GDPR) and PSD2’s open banking regime.
As discussions on these proposals continue, we wanted to take a moment to compare the old and newly proposed rules by providing an overview of the key issues that have arisen in relation to the interplay between PSD2 and GDPR and the position in relation to these issues under the new EC and EP proposals and the related considerations from the subsequent European Data Protection Supervisor (EDPS) Opinion and European Data Protection Board (EDPB) Statement.
With the intended revisions to EU payment services legislation, the EC is proposing that the existing legislation, PSD2, would be split into two different instruments:
The PSD3 Proposal deals in particular with the authorisation process for payment institutions. The separate PSR Proposal essentially deals with rules (and related penalties) for payment service providers and users. The PSR Proposal is the most relevant for data protection purposes, as it contains the open banking rules.
While this article covers data protection considerations in relation to the PSR Proposal, we refer to this Bird & Bird article for broader commentary on the proposals.
The open banking rules under PSD2 resulted in uncertainty and discussions in the context of the interplay with the GDPR. An often cited example was the use of the term ‘explicit consent’ under PSD2, with Article 94(2) of PSD2 setting out that payment service providers can only process personal data necessary for the provision of their payment services with the explicit consent of the payment service user. This provision caused confusion and alarmed data protection lawyers, as ‘consent’ also has a very distinct meaning under the GDPR and has a material effect on how organisations can process personal data lawfully.
The EDPB (the joint body of EU and Member State supervisory authorities) therefore felt compelled to publish Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR in December 2020 (EDPB Guidelines). While the Guidelines clarified the position of the European regulators to a certain extent, uncertainty remained and discussions continued. This is well illustrated by the letter sent by a broad coalition of payment industry representative bodies to (amongst others) the EDPB and the European Banking Authority. In the letter, the position of the EDPB is challenged from various angles, including in relation to the interpretation of data minimisation obligations in relation to Account Servicing Payment Service Providers and the processing of special categories of personal data.
In relation to the EC’s proposed revisions to PSD2, the EDPS published Opinion 39/2023 on the Proposal for a Regulation on payment services in the internal market and the Proposal for a Directive on payment services and electronic money services in the Internal Market (EDPS Opinion). Following the EP’s final report, the EDPB recently published a Statement 2/2024 on the financial data access and payments package (EDPB Statement) – the EDPB notes in this statement that many recommendations from the EDPS Opinion on the PSR Proposal have not yet been taken on board.
| Topic | Position under PSD2 and EDPB Guidelines | Position under PSR Proposal | Comments from the EDPS Opinion and EDPB Statement | Our initial thoughts |
|---|---|---|---|---|
| Special categories of personal data | According to the EDPB Guidelines, “the chances are considerable that a service provider processing information on financial transactions of data subjects also processes special categories of personal data”. For example, political opinions and religious beliefs could be revealed by donations made to political parties or religious organisations. The EDPB highlights that even a single transaction can contain special categories of personal data. It also highlights that the sum of financial transactions could reveal behavioural patterns from which special category data could be inferred. The situations in which a controller could process such data lawfully are limited. The controller would be required to satisfy an Article 9 GDPR condition. The GDPR sets out two possibilities – substantial public interest (Article 9(2)(g) GDPR) and explicit consent (Article 9(2)(a) GDPR). However, the EDPB Guidelines also consider the possibility that the processing could not be justified under Article 9 conditions (in which case, technical measures would need to be in place to prevent processing of special category data). | It looks like the EC’s aim in Article 80 PSR Proposal is to address the issue of lawfulness in relation to special category personal data. It provides that payment systems and payment service providers are allowed to process such data “to the extent necessary for the provision of payment services and for compliance with obligations under this Regulation, in the public interest of the well-functioning of the internal market for payment services, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons”. Article 80 then goes on to set out a non-exhaustive list of ‘appropriate safeguards’. | The EDPS Opinion states that it does not consider that Article 80 meets the requirements under Article 9(2)(g) for a valid lawful basis, on the grounds that it does not satisfy the requirements of necessity and proportionality. It sets out particular recommendations to: (i) further delineate the specific purposes of the processing, by specifying the type(s) of payment service(s) for which the payment systems and payment service providers would be entitled to process which special categories of personal data; (ii) provide justifications (in a recital) as to why the processing of the special categories of personal data for the designated service at stake is strictly necessary and cannot be avoided (i.e. it would not be possible to avoid processing of such data); and (iii) clearly indicate which special categories of personal data would be necessary to achieve the specific purpose and to whom (exactly which type of commercial operators) this legal basis would apply. The EDPS Opinion also says that in some cases, consent will be more appropriate, and this should be reflected in the PSR – the example it gives is multi-factor authentication of the payment service user (PSU) where it is possible to use non-biometric means of authentication. The EDPB Statement calls on the co-legislators to specify in the PSR Proposal in relation to which specific, designated payment service the providers of payment systems and payment service providers are allowed to process specific special categories of personal data pursuant to Article 80. | The proposed Article 80 seems like a double-edged sword. It would provide a legal basis for some use cases. However, it may not extend to all use cases. Also, many in the industry have argued that the EDPB’s view on this point is too strict and that processing of payment account data does not, and should not, automatically result in the processing of special category data. Article 80 PSR could be read as an acknowledgement of the discussion on this point or (as the EDPB no doubt will argue) an acknowledgement of the EDPB’s onerous interpretation. |
| Consent | The use of the terms “consent” and “explicit consent” in PSD2, in particular in relation to open banking, had triggered lengthy discussions around whether or not those were the same concepts as “consent” and “explicit consent” under the GDPR. The EDPB Guidelines confirmed that PSD2’s “explicit consent” is more akin to a contractual permission rather than a GDPR consent. | The words “consent”, “explicit consent” and “explicitly requested” in PSD2 have been replaced in favour of “permission” and “permitted”; not only in the provisions on open banking (e.g. Articles 46-47, 49, 66 PSR Proposal) but also in other non-open banking related provisions (e.g. Articles 51 and 61 PSR Proposal). Article 43(4)(b) of the PSR Proposal would require payment initiation service providers (PISPs) and account information service providers (AISPs) to inform account servicing payment service providers (ASPSPs) in real time of a new permission granted by a PSU. Article 44(1)(c) and Article 49(4) of the PSR Proposal essentially prohibit ASPSPs from seeking verification from PISPs or AISPs that permission has been obtained. This is meant to limit the obstacles for payment initiation and account information services. | The EDPS Opinion notes that Recital 69 of the PSR Proposal specifies that “[…] permission should not be construed exclusively as ‘consent’ or ‘explicit consent’ as defined in [GDPR]”. The EDPS considers that the term ‘exclusively’ introduces a degree of uncertainty in the differentiation between ‘permission’ (referring to the acceptance of the commercial service by the consumer) on the one hand, and consent/explicit consent as a lawful basis under Article 6/Article 9 GDPR on the other hand. The EDPS Opinion’s recommendation is that the PSR Proposal should make it clear that permission should not be construed as ‘consent’ or ‘explicit consent’ or ‘necessity for the performance of a contract’ as defined in GDPR. The EDPB Statement echoes this. The EDPS also recommends specifying - similar to recital 10 of the FIDA Proposal - the need for PISPs and AISPs to secure a lawful ground under the GDPR to process personal data. | The change from consent/explicit consent to permission is helpful; it provides differentiation from consent as a lawful basis under GDPR. Recital 69 notes that the purpose of the change is to increase legal certainty and create differentiation between the requirements under payment services legislation and data protection legislation. However, as the EDPS Opinion notes, Recital 69’s reference to ‘permission’ not being construed exclusively as ‘consent’ or ‘explicit consent’ under GDPR leaves uncertainty here. PISPs and AISPs would still need to ensure a lawful basis under GDPR. Recital 69 says that references to ‘permission’ should be without prejudice to obligations of payment service providers under Article 6 GDPR, but does not go on to say what the lawful basis would be. Could the broad reference to Article 6 be a suggestion that it could be something other than contractual necessity? |
| Use of data/purpose limitation | Articles 66(3)(g) and 67(2)(f) PSD2 considerably restrict the possibilities for PISPs and AISPs to use the information for other purposes. Essentially, processing for a purpose other than providing the relevant service is not allowed, unless: (i) the processing is laid down by EU or Member State law (e.g. anti-money laundering laws); or (ii) the data subject has given consent – this must meet the GDPR standard. | Similar provisions are found in Article 46(2)(c) and Article 47(2)(b) PSR Proposal. There is an additional provision in Article 46(2) under which PISPs can request from the PSU only the data that are necessary to provide the payment initiation service – though there is no equivalent provision for AISPs. Article 83 of the PSR Proposal sets out an obligation for payment service providers to have transaction monitoring mechanisms in place that, among others, enable payment service providers to prevent and detect potentially fraudulent payment transactions, including transactions involving PISPs. | The EDPS Opinion welcomes the limitation that PISPs and AISPs can process personal data only for the provision of the payment or account information service for which the PSU has granted permission. The EDPS recommends that a provision equivalent to Article 46(2) is inserted in relation to AISPs (i.e. requiring AISPs to only request data from the PSU that is necessary to provide the account information service). The EDPS Opinion and the EDPB Statement both put forward recommendations in relation to Article 83 of the PSR Proposal regarding the requirement to operate transaction monitoring mechanisms. | The provisions on use of data under PSD2 have proven to be restrictive to open banking providers and their ability to expand their commercial offerings. The PSR Proposal does not change the fundamental position for PISPs and AISPs. Article 83 would give payment service providers a legal obligation under EU law to process personal data within transactions for fraud monitoring purposes. |
| Silent party data | PSD2 does not apply to silent party data – i.e. data of individuals party to a transaction that are not the PSU. The EDPB Guidelines took a restrictive view on the further processing of silent party data in connection with a payment service regulated by PSD2, stating that “[w]ith regard to further processing of silent party data on the basis of legitimate interest, the EDPB is of the opinion that these data cannot be used for a purpose other than that for which the personal data have been collected, other on the basis of EU or Member State law.” | The PSR Proposal does not address this issue. | Neither the EDPS Opinion nor the EDPB Statement addresses this issue. | The EDPB’s position in relation to silent party data has proven to be restrictive to payment service providers and their ability to expand their commercial offerings. The PSR Proposal does not address this point. |