Luxembourg: PSD2 Not Incompatible With The GDPR But Attention Required

What happened?

In July 2020, the European Data Protection Board ("EDPB") adopted Guidelines on the interplay of the Second Payment Services Directive and the GDPR  ("Guidelines"). The Guidelines were open for public consultation until the end of June 2020.

What does this matter concern?

In the first half of 2018, two main pieces of European legislation came into force under the provisions of the second Payment Services Directive¹  ("PSD2") and the General Data Protection Regulation²   ("GDPR"). They share at least one common point: security of data. However, they also share some common concepts that must be interpreted differently so as to apply seamlessly.

The first Payment Services Directive of 2007³  made possible the sharing and use of data held historically and exclusively by banks. This was already a revolution in itself, opening up the path to open banking. Although the latter directive initially aimed at governing all players in the payment sector, it also gave rise to the development of new services. Framing them in a generalised way while ensuring data security became a challenge.

Under the provisions of the PSD2, new Payment Initiation Service Providers ("PISPs") and Account Information Service Providers ("AISPs") can provide certain payment services and therefore access to information held by Account Servicing Payment Services Providers ("ASPSP")⁴.

To enable the innovation brought in by the modernisation of the payment services market by the PSD2⁵, personal data may need to shared between PSPs, while one of the main objectives of the PSD2 remains to guarantee the security of exchanges between the different players involved in payment transactions (PSPs are obliged to ensure the security of exchanges).

How does the PSD2 deal with the protection of personal data?

Chapter V of the PSD2 exclusively deals with security in general. Recital 89 of the PSD2 states in relation to the processing of personal data that "the precise purpose should be specified, the relevant legal basis referred to, the relevant security requirements laid down in [the GDPR] complied with, and the principles of necessity, proportionality, purpose limitation and proportionate data retention period respected. Also, data protection by design and data protection by default should be embedded in all data processing systems developed and used within the framework of this [PSD2]". Recital 93 of the PSD2, in turn, states that "the PISIP and the AISP on the one hand and the account servicing payment service provider on the other, should observe the necessary data protection and security requirements established by, or referred to in, this [PSD2] or included in the regulatory technical standards."

Article 94 of the PSD2 (correlated to former Article 79 of the first Payment Services Directive) deals with data protection specifically by saying that processing of personal data by payment service providers is permitted "when necessary to safeguard the prevention, investigation and detection of payment fraud."

In addition, "the provision of information to individuals about the processing of personal data and the processing of such personal data and any other processing of personal data" for the purposes of PSD2 shall be carried out in accordance with the GDPR⁶.

If not to provide legal certainty as regards an important purpose of public interest⁷  or simply because that provision was already in the first Payment Services Directive, it is not entirely clear to the author why Article 94 of the PSD2 had to permit processing of personal data when necessary in the context of payment fraud. Article 6.1(e) of the GDPR allows such processing if it is "necessary for the performance of a task carried out in the public interest".

No-one will be surprised, however, that the processing of personal data in the framework of the provision of payment services must comply with the GDPR, should that processing fall within the material scope of this regulation. Certain operations may also require the processing of so-called special categories of personal data⁸  or personal data relating to criminal convictions and offences⁹.The GDPR protects the latter by even higher standards.

Is consent required from customers?

The answer is complex. Article 94(2) of the PSD2 introduces a new requirement compared to the first Payment Services Directive. PSPs "shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user" (emphasis is ours).

The GDPR sets out strict conditions for consent to be valid. Briefly, valid consent of data subjects must be freely given, specific, informed and with an unambiguous indication signified by a statement or clear affirmative action. A valid consent is therefore difficult to obtain and, in addition, is quite fragile once obtained as data subjects can withdraw their consent at any time without justification (without this affecting processing operations that took place before the consent was withdrawn). According to Article 94(2) of the PSD2, consent shall also be explicit (as opposed to being implicitly obtained further to the inaction of the person concerned).

Nevertheless, according to the Guidelines, "explicit consent" as mentioned in Article 94 (2) of the PSD2 should not be interpreted in the same way as consent under the GDPR (which is one out of six exhaustive legal bases for processing). The legal basis for processing should be the necessity for the performance of a contract. Explicit consent under the PSD2 should therefore be regarded as "an additional requirement of a contractual nature in relation to the access to and subsequent processing and storage of personal data for the purposes of providing payment services, and is therefore not the same as (explicit) consent under the GDPR." Such an interpretation was necessary to avoid any possible clash between both European legislations at stake, and others (in particular as consent may be withdrawn at any time).

Is my business affected and how to deal with these rules?

Yes, obviously, if you are a payment services institution or provide services to such institutions.

The Guidelines provide specific guidance on data protection aspects in the context of the PSD2, more specifically on the processing of personal data by AISPs and PISPs. As such, the Guidelines provide guidance as regards the conditions for granting access to payment account information by ASPSPs, the processing of personal data by PISPs and AISPs, the processing of special categories of personal data and of so-called silent party data (information about a party that is not in direct contractual relationship with the service provider concerned). It also addresses the specific application of certain principles set out in the GDPR such as data minimisation, transparency and profiling.

However, not all the information that PSPs need to share will necessary contain personal data¹⁰.

Footnotes

1. Directive 2015/2366 of 25 November 2015 on payment services in the internal market (...) and repealing Directive 2007/64, OJ L 337, 23.12.2015, p. 35-127.

2. Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

3. Directive 2007/64 of 13 November 2007 on payment services in the internal market (...), OJ L 319, 5.12.2007, p. 1-36.

4. The amended Law of 10 November 2009 on payment services implemented both payment service directives into Luxembourg law.

5. In a nutshell, PISPs establish the link between the merchant's platform and the manager of the payment account. AISPs provide users with a set of information on one or more payment accounts that the user holds with one or more Payment Service Providers ("PSPs"), typically banks. Application developers are therefore able to go even further in integrating payments into their services. For example, aggregators can offer their users quick access to all of their bank accounts on a single platform, regardless of the institution keeping these accounts.

6. Although it entered into force in January 2020, the PSD2 was adopted before the GDPR and therefore still refers to the Directive 95/46/EC that was repealed by the GDPR. Article 94 of the GDPR states, however, that any reference to the repealed Directive shall be construed as references to the GPDR.

7. Recital (49) of the position of the European Parliament adopted at first reading on 24 April 2007 with a view to the adoption of the first Payment Services Directive states that "in order to facilitate effective fraud prevention and combat payment fraud across the Community, provision should be made for the efficient exchange of data between payment service providers who should be allowed to collect, process and exchange personal data relating to persons involved in payment fraud. All those activities should be conducted in compliance with [the GDPR]"; EU legislative procedure 2005/0245(COD).

8. See Article 9 of the GDPR. The concept of special categories of personal data fundamentally differs from that of 'sensitive payment data' in the PSD2.

9. See Article 10 of the GDPR.

10. The GDPR defines 'personal data' as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.