The second Payment Services Directive (PSD2)
Gemserv recently attended the World Digital Finance Forum in Frankfurt on 1 March to present on the privacy challenges that the digital finance world is facing. There is no doubt that the financial sector is going through a lot of transformation at the moment. In particular, the second Payment Services Directive is soon going to be implemented which will revise the existing legal framework for payment services within the European Economic Area (EEA). The aim is to harmonise the promotion of innovative mobile and online payment services, as well as the regulation of those payment services. It goes without saying that, as a plethora of new businesses supporting payment services are emerging, this has to be coupled with an adequate level of data protection.
The General Data Protection Regulation (GDPR) is also coming into force in a few months, which will introduce a legal framework for the protection of personal data and the free movement of this data. The purpose of the Regulation is to harmonise the protection of personal data across the EU.
But how do the two interact?
In a nutshell, chapter IV of PSD2 provides specific rules regarding the processing of personal data for payment services. Article 94(2) sets out the key condition for the lawful processing of personal data, which is that providers of payment services may only access, process and store personal data necessary for the provision of their payment services with the explicit consent of the payment services user.
Now, those who are familiar with the GDPR may spot a potential issue here. Both PSD2 and the GDPR share the same assumption, that data subjects own their data and should therefore be able to choose how it is used and with whom it is shared.
Let’s take an example. Under PSD2, a Third Party Provider (TPP) will be able to access a customer’s account information directly and use a bank’s infrastructure to provide that service. For example, this could be a customer instructing a TPP to provide a plan to deal with an overdraft repayment.
This process is the perfect match for compliance with the data portability requirement as enshrined in the GDPR – however, here is the challenge: which party should obtain the consent? To answer this question, we need to establish who the data controller is. In this case, the bank is the data controller of the customers’ data and is therefore responsible for the purposes and the manner in which this data is processed.
Looking at the data portability element of the GDPR, data controllers must put in place the necessary safeguards to ensure that they genuinely act on behalf of the data subjects. PSD2 states that TPPs can only access information for a specific purpose as requested by the customer, and not for any other purpose.
If the above is logical, then it would fall upon the TPP to collect the consent (including consent for its own activities, for which the consent must be granular and specific). Once that has happened, banks might also need to confirm this consent as they, ultimately, remain the data controllers and are therefore responsible for their customers’ data. Therefore, a two-step process needs to be put in place.
Another area where the relation between PSD2 and the GDPR will need to be assessed is the distinction between sensitive payment data and personal data. A data protection practitioner will immediately understand that there is a lack of clarity as to what qualifies as sensitive payment data. This is because the GDPR only uses the word ‘sensitive’ in relation to special categories of data, defined as personal data revealing ethnic or racial origin, political opinions, biometric data or trade union membership.
It is reassuring that in the UK the Financial Conduct Authority (FCA) and the Information Commissioner’s Office have just announced that they will be working together to align the requirements under both GDPR and PSD2.
At Gemserv, we will be keeping a close eye on this and will continue to provide a pragmatic approach to the regulatory challenges that businesses face. We have extensive experience of working in highly regulated markets and if you require any assistance or would like to find out more, you can contact us at:
T: +44 (0)20 7090 1091
Ivana Bartoletti is a Principal Consultant in Privacy and Data Protection, at Gemserv. Her years of experience in the field span the public and private sectors, including senior roles in the NHS, Barclays and Sky. Ivana holds a Master of Laws degree (LLM) with a Distinction and a postgraduate management degree in European Public Affairs.