Questions continue to arise over the interplay of the second Payment Services Directive (PSD2) with the General Data Protection Regulation (GDPR). Both PSD2 and the GDPR are complex legislation and the relationship between distinct provisions of each law and how they work together is not altogether clear, which has led to uncertainty for payment service providers, including banks. For example, when is “consent” required to access payment data and what does consent mean? To this end, the European Data Protection Board (EDPB) — the EU body composed of representatives of the data protection authorities of each Member State, responsible for the consistent application of the GDPR across Member States — has published draft guidelines for consultation that has now closed. A number of firms and industry bodies, however, have voiced concerns over their workability for providers. For example, the European Banking Federation’s (EBF) response emphasises that the draft guidelines should be coherent with payments regulation, its terminology and regulatory technical standards, in particular on Strong Customer Authentication.

PSD2, which provides a legal and regulatory framework for payment service providers offering payment services in the EU, stipulates that the processing of personal data must be in accordance with the GDPR and its principles of data protection, such as data minimisation, transparency, proportionality, storage limitation and security measures. The draft guidelines focus primarily on the processing of personal data by the providers of payment initiation and account information services that access customers’ payment accounts. In general terms, they interpret the GDPR narrowly (consistent with the approach taken in previous guidance from the EDPB and Article 29 Working Party), thereby restricting and making more burdensome the ability of payment service providers to process personal data. There are concerns in the payments sector that the draft guidelines may in certain respects be practically difficult to implement and unduly restrict future innovation. It is also clear that many banks, as account service providers, are concerned that the draft guidelines place a data protection burden on them as regards the new third-party services under PSD2 that should more properly fall on those providers.

A good example of these issues concerns the legal grounds under Art. 6 of the GDPR that permit the processing of personal data. Where there is a contract in place with the payment service user, in the EDPB’s view, the most appropriate lawful basis will generally be that processing is necessary for the performance of a contract for payment services to which the payment service user (the data subject) is a party. The EDPB expressly refers to its earlier 2019 guidelines to make clear that this does not cover processing which facilitates a payment service provider’s other business purposes, but which is not “objectively” necessary to perform the contractual service. The EDPB’s position on the scope of the “necessary for performance of a contract” is consistent with previous guidance on this topic and reiterates that this lawful basis should be interpreted narrowly. In particular, as regards additional services that are not among those defined and regulated by PSD2, but incorporated into the contract as an additional service, the EDPB emphasises that payment service providers must assess whether processing is objectively necessary for the performance of the contract and, if not, find another legal basis.

With COVID-19 accelerating digitalisation on the one hand, but the risk of IT outages and cyberattacks growing on the other, the draft guidelines also reiterate the importance of payment service users pursuing high security standards. It considers that given the amounts of data involved, a personal data breach could significantly affect the data subject’s daily life and cause them financial loss or other harm. The EDPB warns that service providers will be held to high standards, including over Strong Customer Authentication mechanisms, as well as high security standards for technical equipment. For a more in-depth discussion of the draft guidelines, please click here.

Sue McLean
Author

Sue McLean is a partner in Baker McKenzie's Technology practice in London. Sue advises clients on a wide range of technology matters, including outsourcing, cloud computing, technology procurement, licensing and distribution, digital and disruptive technologies including AI and blockchain. Sue has significant experience in advising clients in the financial services sector and is a member of the firm's FinTech group.

Author

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Michaela advises German and international companies on all aspects of information technology law, data protection law (domestic and cross-border data privacy), IT contract law as well as on e-commerce, IT litigation and IT outsourcing related matters.

Author

Ben is a senior associate in Baker McKenzie’s London office, having joined the Firm as a trainee in 2008. He advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations.

Author

Richard Powell is a Lead Knowledge Lawyer within Baker McKenzie's Financial Institutions Group where he is responsible for supporting the group's legal and technical knowledge.