The interplay between the General Data Protection Regulation (GDPR) and the revised Payment Services Directive (PSD2) has been an issue for some time, but is increased enforcement action and the rise of data protection activists something that payments institutions should be alarmed about?
At the start of the year, the European Data Protection Supervisor (EDPS) sanctioned the European Parliament in light of a complaint from data protection campaigners None Of Your Business (NOYB).
The EDPS said that the use of Google Analytics and payment service provider Stripe violated the Court of Justice of European Union's (CJEU) previous Schrems II ruling on EU-US data transfers.
The CJEU made the Schrems II ruling back in August 2020, resulting in the EU’s previously approved data privacy shields for US data transfers being rendered illegal. The case itself was brought to court by NOYB founder Max Schrems.
The claim against the European Parliament follows the use of an internal testing website designed to manage COVID-19 cases among politicians.
According to the ruling, the European Parliament was reprimanded for violation of its obligations under the regulation that it is subject to, Regulation (EU) 2018/1725, which replicates the GDPR and is applicable to EU institutions.
The reasons for this included the use of deceptive cookie banners, vague and unclear data protection notices, and the illegal transfer of data to the US.
The European Parliament case is just one of many complaints brought by the NOYB campaign group, and the next few months could result in even more sanctions, reprimands and rulings that could make it tricky for the payments market.
This should be a cause for concern for merchants and who they use as their acquirer, Berend Van Der Eijk, of counsel at Bird & Bird in the Netherlands, told VIXIO. “With US transfers being scrutinised by regulators, we are starting to see data protection ambulance chasers.”
According to Van Der Eijk, these “ambulance chasers or concerned individuals send templates to merchants, looking at what data they hold, as well as getting an overview of the vendors. If these include US vendors, they will claim that transfers to these vendors are not compliant, and claim compensation for damages suffered.”
Although not all of these claims are successful, some courts have awarded damages, he pointed out.
"The news surrounding the sanction from the European Data Protection Supervisor to European Parliament regarding its use of Google and Stripe hasn't got as much traction as it should,” he said. “NOYB are becoming masters at the chess game of GDPR enforcement in the EU where they have lots of different but interconnected cases open."
Considering Schrems II, any international transfer of personal data to the US is very challenging, agreed Rie Aleksandra Walle, a GDPR consultant based in Norway. “The reality, however, is that a significant number of companies and organisations across the world, the European Economic Area included, rely on US services, and for them to stop all transfers is unfeasible, and sometimes impossible."
"A friend feels this is a trade war, and some speculate that EU regulators consciously put up barriers to doing business with the US to accelerate innovation and business in Europe,” she pointed out. “Others emphasise the US' responsibility. Most seem to agree, however, that the change has to come from US laws."
In the last three years, data protection regulators have clearly moved from guidance to enforcement, and in addition to that, NGOs such as NOYB are starting administrative procedures, civil cases and class actions, said Van Der Eijk. “European data protection regulation includes bold and sometimes hyperbolic safeguards around privacy that loop well on paper and show the EU’s ambitions with regards to fundamental rights, but can result in true showstoppers in the context of international transfer to the likes of China and the US."
Often, complying fully with the GDPR and the rulings that have followed can be an impossible task for companies of all shapes and sizes.
"Many try to do the right thing and invest heavily in legal work to comply with the GDPR, but feel it is unfair when competitors do little to nothing and get away with it,” said Walle. “Being picked for an audit by the authorities, however, is unlikely as they have limited resources, but there's always a risk of someone lodging a complaint."
Over the summer, for example, Germany’s supervisory authorities for data protection carried out coordinated compliance checks in light of the Schrems ruling.
For payments companies, in particular, matching the GDPR with PSD2 can still be a cause for concern. "PSD2 is about opening up, yet GDPR is about protecting. These issues don't go well when you put them together, considering the use of sensitive data and silent party data,” said Van Der Eijk.
This means that companies run into a difficult position whereby they may need to consider filters according to guidance but then PSD2 also requires access to all data, he said.
Financial regulators have a different view to the data protection authorities and need to come to a joint decision on this as well, he pointed out. “At the moment, the regulators are in their own towers with their own principles."
The interplay of PSD2 and GDPR has itself been around for a while. In 2018, for example, Dutch member of parliament Sophie in’t Veld requested clarifications from the European Data Protection Board on how the two regulations could work together.
“Third-party providers have certain rights under PSD2 but also obligations under GDPR, and on the ASPSP side, a lot ask questions about how they should give access to payment accounts,” said Scott McInnes, partner at Bird & Bird.
One of the issues that come up a lot is that of silent party data, he continued. “In a bank account, there is not just personal data of the customer, but also data received from who has pushed the payment to the customer, and who has received it.”
This data is supposed to be shared under PSD2, but some account information service providers (ASPSPs) are concerned that this may put them in breach of their GDPR obligations, he cautioned.
Where are data protection authorities probing?
In recent months, there have been two interventions made by the EU’s data protection supervisors in regards to payments.
In October, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), published a white paper on data protection issues associated with contactless payments.
The CNIL noted that the public are unaware of the data involved in payments and transactions, referring to the area as a “complex field”, and opened up a consultation on the matter, which closed on January 15.
In particular, the CNIL recommends that payments operators ensure they identify personal data transfers outside the EU, and implement appropriate data transfer mechanisms for such transfers that are pursuant to the GDPR requirements (such as adequacy decisions, binding corporate rules, codes of conduct or standard contractual clauses).
In addition, the supervisory authority recommended that payments companies should conduct a case-by-case analysis of each data transfer and the adequacy of the relevant data transfer mechanism, and consider whether the transfers are actually necessary to provide the services and, if not, consider alternatives to minimise compliance requirements and risk.
The roles that actors play in the payments ecosystem also needs to be considered given the complexity of the field, the CNIL argued, while also highlighting security concerns. Here, the data protection authority said that companies should use “tokenisation”, which refers to the method of substituting payment data with randomly generated, single-use tokens, on which it intends to publish additional practical recommendations.
The EDPS also put out a bulletin in December regarding card payments, which intended to educate consumers about what kind of data is used during the transactions. This highlighted that cashless payments rely on data processing mechanisms, which can mean traceability as well as data being exposed to risks such as cybercriminals.
All in all, the rise of digital payments has prompted more attention from the EU’s regulators, and with the PSD2 review coming up, the data-sharing rules could easily be changed to better comply with what has become the EU’s signature regulation — the GDPR.