Both PSD2 and GDPR are regulatory benchmarks that attempt to reconcile two opposite worlds: the strict and stable legal sphere and the volatile technological and financial landscape. However, the Directive has raised substantial questions about its compliance with the data protection regulation.
While PSD2 aims to improve competition and innovation in the internal market, GDPR focuses on protecting citizens across the EU from privacy infringements and data breaches in a progressively data-driven world. There is, nevertheless, a growing concern about the overlap between GDPR and PSD2 and, mainly, about how fintech companies and financial institutions in general can strike an appropriate balance between the two. The high degree of concern was officially reflected in July 2020, when the European Data Protection Board (EDPB) published draft guidelines on this interplay. Even though the European Banking Federation (EBF) has welcomed these guidelines, it has also expressed concrete doubts. In particular, the guidelines do not in all cases cohere with the PSD2 provisions, which could result in legal infringements on the part of banks acting as Account Servicing Payment Service Providers (ASPSPs). The guidelines should also draw a solid distinction between the PSPs' GDPR responsibilities according to the roles defined in PSD2. The overlap between these two regulations is most salient in three specific circumstances.
1) Performance of a contract
In particular, PSD2, which provides a regulatory infrastructure for PSPs offering payment services in the EU, stresses that GDPR and its principles, such as storage limitation, proportionality and transparency, shall govern the processing of personal data. The first issue that arises concerns the necessity for the performance of a contract, as laid down in GDPR, which is considered the most appropriate legal basis for the processing of users' personal data by the payment service provider. However, the EDPB seeks to clarify this blurred picture and stresses that, when additional services not defined in PSD2 are embedded in the contract, payment service providers are obliged to assess whether the processing operations are necessary for the performance of the contract and, where they are not, to invoke a different legal basis.
2) Explicit consent
In addition, both GDPR and PSD2 define the meaning of explicit consent (Art. 6 GDPR and Art. 94 PSD2). On the one hand, GDPR requires that consent be freely given, unambiguous, specific and informed, while PSD2 stipulates that payment service providers must obtain the user's explicit consent to process, access and retain their data. Nevertheless, these two concepts, as interpreted in the respective regulations, entail significantly different legal outcomes, since consent under PSD2 is not considered a supplemental legal basis for processing operations (as it is under GDPR) but an additional contractual prerequisite (contractual consent). Users must be made aware of the categories of personal data being used and the purposes of the payment services, and must explicitly acknowledge these clauses. These clauses must be distinguished from the corresponding clauses of GDPR, even though the EBF considers this differentiation unnecessary and confusing for payment service users.
3) Special categories of data
Finally, the concept of special categories of personal data is worth mentioning. Under PSD2, sensitive data refers to personalised security credentials, which distinguishes it from Article 9 of GDPR. Even though financial transactions can disclose sensitive personal data as defined in GDPR (for example medical bills or donations of a political character), the EBF holds that financial transaction data should not be considered a special category of data unless providers process the data in order to extract this information.
In conclusion, the domains of digital payments and data protection are firmly interconnected; however, several unclear points remain to be clarified. The EDPB, a crucial player in clearing up this picture, should guarantee that its guidelines are coherent with the existing regulations and should clarify, at each stage, who the addressees of the legal obligations are.
The editorial team