PSD2 and the GDPR, a Happy Marriage or a Bad Partnership?

By Ady van Nieuwenhuizen

The Payment Service Directive 2 (PSD2) is a new European directive for payment services. The directive must ensure uniformity of payments within the European Union. The ultimate goal is to alleviate the concerns with the monopolistic position of banks and to ensure more competition and innovation. An additional goal is to remove the barriers for new entrants to the payment market.


In order to be able to bring this payments uniformity into reality, it is necessary, among others things, to make use of personal data. This unavoidable consequence can lead to clashes with the new privacy legislation, the General Data Protection Regulation (GDPR). All providers of payment services must not only comply with the GDPR, but in the future also with the PSD2. This is the reason why it is important that the PSD2 is in tune with the GDPR.


By 13 January 2018, PSD2 should have been implemented in national legislation. This has not happened yet (in the Netherlands). One of the reasons for the delay is that the implementation of PSD2 will have a great impact on permit issuers, permit applicants, banks, as well as payment service users and regulators. Careful weighing of all these diverse interests requires, among other things, close coordination among the different regulators responsible for them, and has therefore taken far more time than anticipated. The privacy aspect in particular has received specific attention in the preparation process.[1]


Below is a more detailed explanation of PSD2 and its privacy aspects. The background and the development of PSD2 will first be briefly explained.


PSD1

The PSD (Payment Service Directive) is a European directive that regulates payment services in the European Union. In 2007 the first directive (PSD1) was adopted by the European Parliament. The goal was mainly a uniform payment market within the European Union.


The directive has been the basis for Single Euro Payments Area (SEPA). For example, since this directive, it has been easier to transfer money free of charge to other SEPA countries.


PSD1 also opened the market for new entrants, so-called payment institutions. These are non-banking companies, holding a license from De Nederlandsche Bank (DNB), which may also offer payment services to consumers (just like banks), for example by issuing payment cards such as credit cards, or by facilitating online payments such as iDEAL or direct debit.


From PSD1 to PSD2

The revised version of PSD1 is PSD2, which should lead to more innovation and competition. PSD2 has been in place since 2016, but the EU member states had until January 2018 to implement the directive’s changes in their national legislation. In October 2017, the Dutch Minister of Finance requested a postponement. It is still unknown when the directive will be definitively introduced and implemented in the Netherlands.


Changes that PSD2 entails

A few of the most important changes that are coming are:

• Access to the payment account by third parties. Banks must make it possible for third parties to gain access to their customer’s payment account, provided the customer gives his consent.

• Shops, web shops and other companies may no longer charge surcharges for payments with a debit card or credit card (including credit cards from MasterCard and Visa, among others).[2] At present, companies can still pass on the (actually incurred) costs they pay for payment transactions to consumers, for example a surcharge of 2% if you want to pay online with your credit card. For other means of payment, such as AfterPay and Giro, surcharges may still be charged, but never more than the actual costs.

• The customer’s own liability in the event of theft or loss of a payment instrument, such as your debit card, has been reduced to €50 (previously €150).

• The new legislation must also improve the security of In many cases, two-step verification is required.


Access to payment account by third parties

One of the changes has attracted much attention: banks are obliged to give third parties access to the payment account of their customers, provided that

• The customer gives his permission to his bank;

• This permission for third-party access is provider-specific: the consent a customer gives to a payment service provider is valid only for that particular provider;

• The third party has a license from the DNB or another equivalent regulator from the European Union.

These changes mean that banks have to adjust their systems (or have already done so). In any case, customers must be able to clearly see and manage which party has access to which data.


Privacy

Under PSD2, payment service providers may only access personal data with permission. The customer is in control here. However, the customer’s personal data that is necessary to perform the payment service does become visible. When a customer holds payment and savings accounts with various banks, third-party access to that customer’s payment accounts can bring certain advantages for the third party, such as a complete overview of the customer’s expenses and income.


Customers must be aware of what data they share with which third parties. By giving permission, a third party can obtain a huge amount of information about a customer: from transaction data alone, a lot can be learned about someone’s life. For example, it can become clear whether someone has a mortgage, whether someone often visits a certain place, and where the person works. In addition, it must be borne in mind that third parties who obtain permission can also apply for a permit in other EU countries, in which case they would not fall under Dutch supervision at all.


Back door: personal data visible without permission

However, there is also much discussion over a negative consequence of PSD2. If money is transferred to an account by a payment service provider, the personal data of the receiving party (regardless of whether that party has given permission) is visible to this provider. This personal information is necessary to execute payment transactions. As a result, personal data becomes visible to other parties without the consent of the data subject. Furthermore, it cannot be ruled out that some providers handle your data less carefully than others, with all the possible adverse data security consequences that entails.


This unconsented disclosure of personal data is a possible conflict with the legal provisions of the GDPR. According to the Dutch Data Protection Authority (AP), consent for processing is limited to the personal details of the party that has given such consent. Payment data containing personal data of third parties therefore cannot be processed solely on the basis of the permission given to the payment provider to make a payment. The GDPR also states that the party whose personal data is shared should not suffer any adverse consequences.


This is a difficult problem to solve. Currently, banks are busy looking for a solution to this problem because the sharing of personal data without consent generates serious resistance from customers.


Regulators

The AP has therefore advised revising the draft implementation of PSD2 because it does not yet fully take the GDPR into account. The AP is involved in PSD2 as the regulator for the processing of personal data. But the AP is not the only regulator. The Dutch Central Bank (DNB), the Authority for Consumers and Markets (ACM) and the Dutch Authority for the Financial Markets (AFM) are the other regulators charged with monitoring compliance with PSD2. Because supervision is divided among them, control over PSD2 may become fragmented. In reality, even more supervisors play a role: if a permit is granted by a regulator from another EU country, that permit also applies in the Netherlands. As a result, a regulator from Bulgaria, for example, can also play a role in monitoring compliance with PSD2 in the Netherlands. This cross-border aspect may lead payment service providers to seek out the mildest regulatory regime in order to offer their services across Europe. The security of Dutch payment data may be compromised as a result.


ING/Consumer Authority Austria (ECLI:EU:C:2018:466)

The Austrian consumer authority has already filed a case against ING with the aim of obtaining clarity about the frameworks of PSD2. ING savings accounts are linked to a payment account, which means that payment service providers could gain access not only to the payment data but also to a customer’s savings balances. Questions arose about the definition of the term ‘payment account’, and the Austrian court referred a preliminary question to the Court of Justice of the European Union (CJEU). The Advocate General answered the question as follows: savings data does not fall within the scope of PSD2. The CJEU’s ruling will be rendered around the end of this year.


PSD2 quality mark

A number of banks and payment service providers are now working on a PSD2 quality mark. This quality mark must provide certainty about how reliably a provider handles personal data. The directive itself contains only a few specific standards with regard to the handling of personal data; for example, a payment service provider can currently set its own retention period and complaints procedure. The objective of the quality mark is to give the consumer certainty that the provider is dealing with personal data correctly.


Conclusion

The last word has not yet been said about PSD2. It is still far from clear when the directive will be implemented in the Netherlands, and, in addition, there is still much work to be done for the various regulators as well as the banks and payment providers with regard to the permission requirement, the systems, the further elaboration of the quality mark, and so on. Finally, the consumer himself plays a role under PSD2. He will have to pay careful attention to which parties he permits to access his bank details. A quality mark can offer some guidance as to the reliability of providers.


About the author

Ady van Nieuwenhuizen is partner IP, IT & Privacy at Fieldfisher. She is a European intellectual property, marketing, IT and privacy lawyer, with a particular focus on privacy (GDPR/AVG), cybersecurity, digital/social media, e-commerce and new technologies.

Photo: Manisha Ramsaran
[1] Document from the Ministry of Finance with frequently asked questions and answers on the delay of the implementation of PSD2 in Dutch legislation (23 October 2017).
[2] There is an exception for credit cards from, for example, American Express and Diners Club, and for credit cards for the business market. They may still charge surcharges.