GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together.
There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% of all transactionsi and the trend is continuing: UK Finance recently reported that UK debit card payments overtook the number of cash transactions for the first time in the final quarter of 2017. As Europeans increasingly swap cash for cards and live their lives online, businesses have tremendous opportunities to take advantage of the vast amount of personal data generated by the increased use of payment services.
In the EU, activities in the payments sector are subject to the revised Payment Services Directive (2015/2366, known as PSD2). PSD2 was transposed in the UK primarily by the Payment Services Regulations 2017, the majority of which came into force on 13 January 2018.
One of the requirements of PSD2 is that regulated firms must process personal data in compliance with EU data protection law, which is substantially set out in the General Data Protection Regulation (GDPR) (in practice many such firms will be caught nonetheless, given the GDPR’s wide scope).
To assist businesses in meeting the dual obligations of PSD2 and GDPR, the European Data Protection Board (EDPB) — the EU body in charge of applying the GDPRii — recently issued a response to a letter from the European Parliament outlining some sought-after clarifications about silent party data and the divergent concepts of consent in GDPR and PSD2.
Silent Party Data
The EDPB first examined questions around the legal basis for processing “silent party data”. This is best illustrated by the diagram below:
If A wants to pay B, then A needs the help of a payment service provider (PSP). A has a direct contractual relationship with the PSP (which may be A’s bank, a digital wallet provider, or a third party that facilitates payments from A’s accounts, known as a “payment initiation service provider” under PSD2) so the PSP can process A’s personal data on the basis of contractual performance under the GDPR. However, the PSP does not have any relationship with B (the silent party) — so how can the PSP process B’s personal data?
The GDPR allows processing of personal data based on the legitimate interests of a controller or third party and the EDPB noted that “the GDPR may indeed allow” such a legal basis in the context of silent party data so that the PSP can perform its contract with A. However, the EDPB cautioned that the legitimate interests basis is a balancing act, and cannot be relied upon “where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. The EDPB also emphasised the fuller scope of applicable GDPR obligations, including transparency and data minimisation, and noted that B’s personal data cannot be further processed in a manner incompatible with the original purposes for which the personal data was collected. However, this still leaves open certain questions about how PSPs should comply with the GDPR Article 21 requirement that data subjects have the right to object to processing based on legitimate interests, and that this right must be explicitly brought to the attention of the data subject clearly and separately from other information.
In the first instance, to deal with silent party data, PSPs should conduct the legitimate interests balancing act (see, for example, this template from the UK Information Commissioner’s Office) if considering the legal basis for processing silent party data, and ensure that they comply with the full suite of GDPR principles.
In addition, the EDPB distinguished consent under GDPR and PSD2. While both laws use the terms “consent” and “explicit consent”, the meanings are not aligned.
Under GDPR, consent and explicit consent are legal bases for processing personal data and sensitive personal data respectively. Explicit consent can also be used as a derogation for certain transfers of personal data to third countries, as explained here. Under the GDPR, there is a high threshold for consent, which is reversible and can be withdrawn at any time, as emphasised by the Article 29 Working Party — the EDPB’s predecessor — in guidance here.
However, the EDPB takes the view that explicit consent referred to in Article 94(2) of PSD2 is a contractual (not a data protection) consent. The EDPB quotes Recital 87 of PSD2, which states that the Directive “should concern only contractual obligations and responsibilities between the payment service user and the payment service provider”. Under GDPR, the appropriate legal basis of the processing would be that the processing is necessary for the performance of a contact to which the data subject is party. As such, the EDPB interprets Article 94(2) of PSD2 as imposing something akin to transparency obligations (rather than GDPR level consent) — the data subject must be fully aware of the purposes for which their personal data is processed, and must explicitly agree to those clauses (which should be set out separately from other contractual matters).
For consent compliance under GDPR and PSD2, the EDPB is clear that data subjects must be fully aware of the personal data processing (which should be clearly distinguishable from other contractual matters), and must explicitly agree to these clauses (we would assume by means of a tick box, which is best practice but not strictly required from a GDPR perspective). However, much of the actual personal data processing can be justified under the legal basis of contractual performance.
The EDPB has promised to continue to monitor current discussions regarding PSD2 in this nuanced and fast-evolving area of law as an ever-increasing volume of personal data is processed.
Latham’s view is that the interrelation between GDPR and PSD2 will take on even greater significance with the rollout of upcoming functionality like ‘Confirmation of Payee’ (allowing customers to verify that they are paying the person they intend) and ‘Request to Pay’ (a mechanism where a payee can send a request for payment to a payer). These and other developments are likely to raise individuals’ awareness of how their personal data is used each time they make or receive a payment.
ii The EDPB is the successor to the Article 29 Working Party, which was established under the previous Data Protection Directive.