European Data Protection Board Clarifies Application of GDPR to Payment Service Providers
On July 5, 2018, the European Data Protection Board (EDPB)[1] replied to a request from a Member of the European Parliament (MEP), Dutch Democrat Sophie in ’t Veld, for clarification on a number of issues relating to the protection of personal data under the EU General Data Protection Regulation (2016/679) (GDPR) and the revised EU Payment Services Directive (2015/2366) (PSD2). In its response, the EDPB set out its position on how the requirement to obtain explicit consent from payment service users under PSD2 interacts with the GDPR. The EDPB also provided guidance on the use of personal data relating to a payee by an account information service provider or a payment initiation service provider acting for a payer.
This post summarizes the EDPB’s stated positions on these points and explores the implications for firms providing payment services in the European Economic Area (EEA).
Explicit Consent Under PSD2 and the GDPR
MEP Sophie in ’t Veld raised the question of whether the PSD2 legal framework is sufficiently clear regarding the process of giving and withdrawing consent for the processing of personal data.
On this point, the EDPB noted that the GDPR and PSD2 each have their own, separate notion of explicit consent. Article 94(2) of PSD2 states that “[p]ayment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user.” The EDPB confirmed that this provision should be interpreted as a requirement to make payment service users fully aware of the purposes for which their personal data will be processed and to obtain their explicit agreement to the contractual provisions covering that processing at the time they enter into a contract with the payment service provider. Those provisions must be clearly distinguishable from other matters in the contract. The EDPB also considers the consent required under PSD2 to be “an additional requirement of a contractual nature,” which therefore does not automatically qualify as “explicit consent” to process personal data for the purposes of the GDPR. As such, obtaining the explicit consent required under PSD2 is not in itself a legal basis for processing personal data under the GDPR.
Under the GDPR, “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. While “consent” is one of the legal grounds on which a controller may process any type of personal data under the GDPR, “explicit consent” is required only in specific circumstances, such as when special categories of personal data are being processed (e.g., health data or data revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs).
As such, while a payment service provider will always need explicit consent from its payment service users under PSD2 in order to process their personal data, it may not need consent to process such data under the GDPR and may instead rely on an alternative legal ground. For example, the EDPB considers that a payment service provider may be permitted to process the personal data of its payment service users where this is “necessary for the performance of a contract to which the data subject is a party” pursuant to Article 6(1)(b) of the GDPR.
Firms that provide payment services in the EEA should have regard to the EDPB’s interpretation of “explicit consent” under PSD2 in their customer onboarding and documentation processes and should ensure that, in addition to obtaining explicit consent from a PSD2 perspective, they also identify the most appropriate legal ground under the GDPR for processing the personal data of payment service users and other individuals. Such legal grounds could include, but need not be limited to, “consent.”
Third-party Providers and Payees
Another question addressed by the EDPB relates to the processing of personal data relating to a payee by a payment initiation service provider (PISP) or an account information service provider (AISP) that has a contract with the payer but not with the payee.[2]
In response, the EDPB confirmed that the legal basis for such processing of personal data could be the PISP’s or AISP’s legitimate interest in performing its contract with the payer. However, the EDPB noted that such processing may occur only where the legitimate interests of the controller are not “overridden by the interests or fundamental rights and freedoms of the data subject.” The EDPB also stated that such personal data cannot be used for a purpose other than that for which it was collected.
Further, the EDPB indicated that personal data of individuals must be collected and processed in accordance with the data protection principles under Article 5 of the GDPR – lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.
Firms that are considering providing account information or payment initiation services under PSD2 should therefore consider whether their processing of personal data relating to payees satisfies these GDPR requirements. Firms considering partnering with such third-party providers, or using their services, should consider whether the third-party provider is able to demonstrate that its processing of personal data will not undermine the firm’s own GDPR policies and procedures.
[1] The EDPB replaced the Article 29 Working Party when the General Data Protection Regulation came into force on May 25, 2018.
[2] See further on PISPs and AISPs in the Sidley Update “EU Payment Services Directive II Introduces Broader, More Stringent Regulation of Payment Services.”