With data becoming an ever more vital component of most modern enterprises, both PSD2 and GDPR are founded on the principle that individuals should own their personal data and, in turn, have full autonomy over who has access to it, what it is used for and how it is stored.
On one hand, PSD2 seeks to create access for third party providers (TPPs), such as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), to tap into personal financial data of individual customers, commonly referred to as Payment Service Users (PSUs), thus paving the way for concepts such as ‘open banking’ to flourish. On the other hand, GDPR is generally viewed as a fail-safe mechanism which ensures that the processing and storage of such data occurs in a controlled environment.
Having said this, issues and challenges quickly arise when transitioning from the high-level principles to implementation. We will be discussing three areas of contention for industry players.
Should explicit consent be interpreted the same way under PSD2 and GDPR?
In terms of PSD2, explicit consent is required from PSUs for the access, processing and retention of any personal data, including payment and transaction data, which are the forms most commonly used by TPPs. This differs from the requirement set under Article 9(1) of the GDPR, which states that explicit consent is only required for the processing of certain special categories of data, which exclude both payment and transaction data. One can thus presume that under PSD2 the explicit consent mechanism should not be seen or treated as homogeneous with its GDPR counterpart, with the former creating a more onerous requirement of a contractual nature on TPPs.
The European Data Protection Board (EDPB) shares this view, as it holds that PSD2 explicit consent is tantamount to contractual consent owing to the contractual nature of TPP services. Realistically speaking, therefore, TPPs need to devise a mechanism to honour the requirement of explicit consent in terms of PSD2 specifically and not GDPR, as compliance with the latter may be achieved through contractual necessity under Article 6.
Silent party data
Silent parties are other individuals or companies whose data is processed, without their authorisation, as a result of a TPP offering a service to a PSU. Examples include the name, address and/or international bank account number of persons to whom the PSU recently transferred money or from whom the PSU recently received money.
Consequently, this scenario poses the question as to whether the TPP is in breach of GDPR due to the access and processing of data from these unconsenting ‘silent parties’.
Guidance on this from the EDPB points towards the TPP’s legitimate interest in providing the service to the PSU as the lawful basis for processing silent party data.
In this context, under GDPR rules, TPPs only have to demonstrate that processing silent party data is legitimately necessary to fulfil their contractual obligations with the PSU.
‘Recycling’ of data
This issue is tackled clearly with respect to PISPs through Article 66(3)(g) of PSD2 which reads as follows:
The PISP shall “[…] not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer”.
This indicates that PISPs may solely process consumer data in the execution of payment initiation services and not for the provision of any other service.
AISPs, on the other hand, are held to the same requirements as PISPs, with the added condition that data processing must be done “… in accordance with data protection rules”.
While explicit consent is a clear prerequisite under PSD2, the lack of clarity stems from whether an AISP can then rely on any GDPR legal basis to process that same data for additional services.
As propounded in our recently-published report, ‘R(Evolution) – PSD2, Open Banking and the Future of Payment Services’ (seedconsultancy.com/revolution/), the nuances and repercussions of this issue are yet to be tested.
Nevertheless, when recycling data, it is recommended that TPPs take a prudent approach and obtain the necessary consent from PSUs through an informed, specific and unambiguous process.
Karl Wismayer, Analyst at Seed Consultancy