EU Payment Associations Raise Alarm About PSD2/GDPR Problems

February 3, 2022
Nine payments lobby groups have sent a joint letter to the EU’s regulators expressing their concerns about the European Data Protection Board’s (EDPB) guidelines regarding the interplay between the General Data Protection Regulation (GDPR) and the revised Payment Services Directive (PSD2).

PSD2 and the GDPR have become the chalk and cheese of EU regulation. One calls for the opening up of data between companies and the other demands that any personal data sharing is restricted.

Now, nine of the EU’s payments lobby groups have submitted a letter to five of the EU’s regulators and agencies, calling for better guidance on just how payment service providers can juggle complying with both.

“The purpose of this joint industry letter is to point out our concerns regarding the final EDPB Guidelines on the interaction between PSD2 and GDPR, and the tension that the Guidelines create between the two frameworks,” said Anni Mykkänen, payments and innovation advisor at the European Banking Federation.

She told VIXIO: “The broad industry feels that the EDPB guidelines are actually not in line with PSD2 and the Regulatory Technical Standards on SCA & CSC [strong customer authentication and common and secure open standards of communication], especially when it comes to how silent party data and special categories of personal data are considered.”

This follows an earlier letter sent in October 2020 that highlighted concerns about the draft guidelines devised by the EDPB.

This previous letter summarised all of the issues that payments stakeholders were contending with, according to Ralf Ohlhausen, chair of the European Third Party Providers Association.

“I have never seen such broad consensus on any other matter across the whole payments industry. These outstanding issues must be resolved and I hope that the EDPB is willing to hear us out and reconsider our requests,” he told VIXIO.

The EDPB amended some points in the final guidelines, which were welcome, but did not take into consideration some of the fundamental concerns, agreed Mykkänen. “We hope that this letter can help move forward the discussion with the authorities and also emphasise the point that alignment between PSD2 or any revision and GDPR has to be done before implementation, not after.”

A key concern for the interest groups is that at least one national data protection authority is proposing to implement interpretations of these guidelines that would not align with the PSD2 objectives.

Although nothing has been confirmed, it has been rumoured that the Dutch Data Protection Authority is ready to act.

“This is part of a wider trend with regards to the implementation of the GDPR across the EU, where key provisions of the GDPR, such as the legal basis that constitutes a legitimate interest, or how the interplay between two key pieces of legislation for the banking sector, are interpreted differently,” said Jan Van Vonno, research and thought leadership director at Tink.

This goes against the spirit of the regulation itself, he pointed out. “This fragmentation needs to be stemmed at EU level. We also call upon EU authorities to include considerations of coherence with GDPR obligations in the design of future legislative actions, such as PSD2 and future open finance framework, in order to avoid similar issues and implementation challenges in the future.”

Reading between the guidelines

The new letter cautions: “We are still concerned that the enforcement of the guidelines will lead to an outcome that is not in line with PSD2 objectives, therefore hindering innovation and competition in payments and creating additional burdens to all participants.”

Although the final guidelines are a step forward in clarifying certain aspects of the interplay, such as confirmation of explicit consent under Article 94 of PSD2, other elements remain more worrying and raise new uncertainties, according to the associations. Examples include the provisions on data minimisation and on the processing of special categories of personal data.

Pursuant to PSD2, account servicing payment service providers (ASPSPs) are obliged to provide third-party providers (TPPs) with the same information from designated payment accounts and associated payment transactions made available to the payment service user (PSU) when this PSU is directly requesting access to the account information.

ASPSPs abide by the principle of data minimisation when they provide access to accounts in the same way as if the PSU were directly requesting access to his or her account. They do not provide access to more data than is necessary for the action. Alongside this, it is the responsibility of each payment service provider (PSP), as the data controller, to respect the principle of data minimisation, undertaking its own assessment and determining the scope of data minimisation in relation to the intended purposes and the risks involved.

“We would like to point out that ASPSPs have no means to be aware of the contract between the PSU and the TPP, meaning that banks cannot know the purpose for which the TPP asks to access the PSU payment account,” the letter warns.

The letter also raises concerns about a lack of coherence with the RTS on SCA & CSC, stating that technical measures to comply with the GDPR are not included, which has triggered “legal uncertainty” for payments players.

The interplay between the two laws has long haunted the EU's financial services. This has only been magnified as the GDPR shifts from implementation to enforcement in many of the EU’s member states.

Not just that, but activist groups such as None Of Your Business, which was created by data privacy campaigner Max Schrems, have been taking action against companies for international data transfer breaches.

Last month, US-headquartered merchant acquirer Stripe was at the centre of an action brought against the European Parliament by the European Data Protection Supervisor (EDPS). It was ruled that use of Stripe violated the Court of Justice of the European Union’s previous Schrems II ruling on EU-US data transfers.
