Reconciling Consent in PSD2 and GDPR

The Second Payment Services Directive (PSD2) adds third-party payment service providers – particularly account information service providers (AISP) and payment initiation service providers (PISP) – to the EU’s legal framework on payment services. This means that traditional payment service providers will need to share certain data with those third-party providers. Much of that data will be very personal in nature and may constitute personal data in the sense of the EU’s data protection framework set by the General Data Protection Regulation (GDPR). This results in friction between being required to share personal data and at the same time being required to conduct such sharing under very strict conditions, resulting in a compliance conundrum. Even after the entry into force of both legal frameworks, several uncertainties remain. In this article, we look at one particular matter, namely that of explicit consent, and the guidance provided in this matter by the European Data Protection Board (EDPB).

Published in The Paypers Market Guide

This article was published in the Web Fraud Prevention, Identity Verification & Authentication Guide 2018/2019, an online report by The Paypers.

Data sharing under PSD2

PSD2’s article 67 provides the rules on access to and use of payment account information in the case of account information services. This article gives payment service users the right to make use of services that enable them to access account information. Account information service providers, however, can only provide their services based on the payment service user’s explicit consent. They may only access the information from designated payment accounts and associated payment transactions, they may not request sensitive payment data linked to those accounts, and they may not use, access, or store any data for purposes other than for performing the service explicitly requested by the user.

Similarly, according to article 66, a payment initiation service provider may only provide its services based on explicit consent. It may not request any data other than those necessary to provide its services, and may not use, access, or store any data for purposes other than for the provision of the service as explicitly requested by the payer.

Article 94 of PSD2 sets the data protection standard of this legal framework, providing that payment service providers shall only access, process, and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user. Moreover, all personal data processing in the context of PSD2 must be compliant with the EU’s data protection framework, now set by GDPR.

Consent under GDPR

Under the EU’s data protection framework, personal data may only be processed under a limited number of lawful grounds (article 6 GDPR). These include six types of processing:

  • processing under the data subject’s consent,
  • processing necessary for contractual obligations,
  • processing necessary under statutory obligations,
  • processing necessary for the protection of the vital interests of the data subject,
  • processing necessary for a task performed in the public interest, and
  • processing necessary in the legitimate interests of the data controller.

Regarding consent, the GDPR’s article 7 provides that the data controller must be able to demonstrate that consent was freely given. Consent for one matter must be distinguishable from other matters, and consent may be withdrawn at any time. When processing a child’s information – up to ages between 13 and 16, depending on the Member State – consent must be given or authorised by the holder of parental responsibility. When processing special categories of personal data – such as racial origin, political leanings, or health data – consent must be explicit.

This shows that both GDPR and PSD2 use a notion of consent, or even explicit consent, even though the meanings do not seem to perfectly overlap. Moreover, it can be questioned whether explicit consent is really needed if it can be argued that the processing of the payer’s personal data by a third-party payment service provider is necessary for the fulfilment of a contract between them – i.e. to provide a payment initiation or account information service. The presence of that lawful ground means that under GDPR no consent would be needed – as consent is a different lawful ground – even though PSD2 still requires explicit consent.

EDPB guidance

The EDPB provided some guidance on the matter in July 2018.

It confirms that third-party payment services provide their services based on a contract between them and the payment service user, in accordance with recital 87 PSD2. This means that for personal data processing in this relationship under GDPR, the lawful ground of contractual necessity can indeed apply. Contractual clauses – distinct from other contractual matters – should then specify the purposes for which the user’s personal data will be processed, to which the user should explicitly agree. The explicit consent mentioned in PSD2 should be seen as an additional requirement, separate from the requirements following from GDPR. Explicit consent under PSD2 is, therefore, a contractual consent, and not a data processing consent.

Conclusion

The EDPB’s guidance is the first assessment of some of the issues resulting from the interplay between PSD2 and GDPR. While the guidance is not exhaustive, and some issues certainly remain, it does provide a welcome clarification that the notion of explicit consent under PSD2 must be seen as separate and different from the notion of (explicit) consent under GDPR.

Moreover, it allows for the processing of personal data to be seen under GDPR’s lawful ground of contractual necessity, rather than imposing the lawful ground of consent in this matter. This makes consent under PSD2 more of a transparency requirement (what data are processed and why), rather than being bound to the stricter requirements of consent under GDPR.