August 18, 2020
GDPR Constraints in Open Banking – The Interplay between PSD2 and GDPR
Introduction – Setting the scene for PSD2 and GDPR
In the first half of 2018, two major pieces of EU legislation came into application: the Second Payment Services Directive (PSD2), which Member States had to transpose by 13 January 2018, and the General Data Protection Regulation (GDPR), which has applied since 25 May 2018.
With data becoming an increasingly vital asset for most modern enterprises, both PSD2 and GDPR rest on the principle that individuals should control their personal data, deciding who has access to it, what it is used for and how it is stored.
On one hand, PSD2 seeks to give third party providers (TPPs), such as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), access to the personal financial data of individual customers, commonly referred to as Payment Service Users (PSUs), thus paving the way for concepts such as “Open Banking” to flourish. On the other hand, GDPR is generally viewed as the safeguard which ensures that the processing and storage of such data occurs in a controlled manner.
Having said this, issues and challenges quickly arise when moving from these high-level principles to implementation, creating areas of contention for industry players. In this article we discuss three such issues.
Explicit Consent under GDPR vs PSD2
The first point of contention one should consider is whether ‘explicit consent’ as mentioned under Article 94(2) of PSD2 should be interpreted in the same way as explicit consent under GDPR.
Under PSD2, the explicit consent of the PSU is required for the access, processing and retention of any personal data necessary for the provision of the payment service, including the two forms of data predominantly used by TPPs, namely payment and transaction data. This differs from the position under the GDPR, where explicit consent (Article 9(2)(a)) is the condition for processing certain special categories of personal data, a list which includes neither payment nor transaction data. This gives rise to the presumption that the PSD2 explicit consent mechanism should not be treated as identical to its GDPR counterpart, with the former creating a more onerous requirement of a contractual nature which TPPs must meet in accordance with the provisions of PSD2.
The European Data Protection Board (EDPB) shares this view, stating that explicit consent under PSD2 is an additional requirement of a contractual nature, since AISP and PISP services are always provided on a contractual basis. This implies that data subjects must be made fully aware of the specific purposes for which their personal data will be processed and must explicitly agree to each distinguishable clause in the contractual agreement with the TPP. Consequently, in GDPR terms, processing necessary for the performance of a contract, under Article 6(1)(b), is the most appropriate legal basis for GDPR compliance when applied to AISP and PISP services.
Realistically, therefore, TPPs need to devise a mechanism to honour the explicit consent requirement specifically in terms of PSD2, and not of GDPR, since compliance with the latter may be achieved through contractual necessity under Article 6(1)(b) of the GDPR. This distinction is essential if TPPs are to simplify the user experience while ensuring compliance under both regimes.
Silent Party Data
Through the sharing of PSUs’ transaction data, instances arise whereby TPPs may in fact be processing data of individuals or companies who have not authorised such use. This type of data is known as “silent party data”. Examples include the name, address or international bank account number of persons to whom the PSU recently transferred money, or from whom the PSU recently received money.
This scenario therefore raises the question of whether the TPP is in breach of GDPR by accessing and processing the data of these unconsenting ‘silent parties’.
The EDPB once again provides guidance on this point, stating that the lawful basis for the processing of silent party data lies in the TPP’s legitimate interest (Article 6(1)(f) GDPR) in providing the service to the PSU. Thus, the requirement under GDPR in this context is for TPPs to demonstrate an actual legitimate interest in fulfilling their contractual obligations towards their PSUs when processing silent party data, by reference to elements such as the type of data collected, the context and circumstances within which it is used and the risks posed to the individuals concerned. It follows that TPPs cannot process silent party data which is not necessary to fulfil their contractual obligations, or which falls outside the PSU’s reasonable expectations of the service.
‘Recycling’ of Data
This issue is tackled clearly with respect to PISPs through Article 66(3)(g) of PSD2 which reads as follows:
The PISP shall, “[…] not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer.”
This indicates that PISPs may solely process consumer data in the execution of payment initiation services and not for the provision of any other service.
AISPs are held to the same requirement as PISPs in this regard, with the added condition that the processing must be carried out “… in accordance with data protection rules”, as stated in Article 67(2)(f) of PSD2. Whilst it is clear that explicit consent under PSD2 is required for the carrying out of AISP services, it is unclear whether an AISP can then rely on any of the GDPR legal bases under Article 6 as grounds for processing that same data for additional services.
As set out in our recently published report, r(Evolution) – PSD2, Open Banking and the Future of Payment Services, the nuances of this issue and the interplay between PSD2 and GDPR are yet to be tested. Nevertheless, when recycling data, TPPs are advised to take a prudent approach and obtain explicit PSU consent which is freely given, specific, informed and unambiguous, in line with the GDPR definition of consent in Article 4(11).
Despite the challenges discussed above, established financial institutions and emerging players alike need to adopt a more coherent and coordinated strategy, aligning their offering with both PSD2 and GDPR by considering the subtleties and requirements of the two legislative instruments.
For their part, the EU and national regulators need to bridge these gaps and act more as facilitators in a digital landscape which is continually evolving. Failure to do so may restrict TPPs’ access to data and limit the reach of Open Banking in its entirety.
Parts of this article were first published on The Sunday Times of Malta.