European Data Protection Board Clarifies Application of GDPR to Payment Service Providers
On July 5, 2018, the European Data Protection Board (EDPB)1 replied to a request from a Member of the European Parliament (MEP), Dutch Democrat Sophie in ‘t Veld, for clarification on a number of issues relating to the protection of personal data under the EU General Data Protection Regulation (2016/679) (GDPR) and the revised EU Payment Services Directive (2015/2366) (PSD2). In its response, the EDPB set out its position on how the requirement to obtain explicit consent from payment service users under PSD2 interacts with the GDPR. The EDPB also provided guidance on the use of personal data relating to a payee by an account information service provider or a payment initiation service provider acting for a payer.
This post summarizes the EDPB’s stated positions on these points and explores the implications for firms providing payment services in the European Economic Area (EEA).
Explicit Consent Under PSD2 and the GDPR
MEP Sophie in t’ Veld raised the question as to whether the PSD2 legal framework is sufficiently clear regarding the process of issuing and withdrawing consent for processing personal data.
On this point, the EDPB noted that the GDPR and PSD2 have their own separate versions of explicit consent. Article 94(2) of PSD2 states that “[p]ayment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user.” The EDPB confirmed that should be interpreted as a requirement to make payment service users fully aware of the purposes for which their personal data will be processed and to obtain their explicit agreement to such provisions at the time they enter into a contract with the payment service provider. Such provisions must be clearly distinguishable from other matters in the contract. The EDPB also considers the consent required under PSD2 to be “an additional requirement of a contractual nature,” which does not therefore automatically qualify as “explicit consent” to process personal data for the purposes of the GDPR. As such, the obtaining of the explicit consent required under PSD2 is not itself a legal basis to process personal data under the GDPR.
Under the GDPR, “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. While “consent” is one of the legal grounds for a controller to process any type of personal data under the GDPR, “explicit consent” is only required in specific circumstances when special categories of personal data are being processed (e.g., health data or data revealing racial or ethnic origin, political, religious or philosophical beliefs).
As such, while a payment service provider will always need explicit consent from its payment service users pursuant to PSD2 to process personal data, it may not need it to process such data pursuant to the GDPR and may instead rely on alternative legal grounds. For example, the EDPB considers that a payment service provider may be permitted to process personal data of its payment service users where this is “necessary for the performance of a contract to which the data subject is a party” pursuant to Article 6(1)(b) of the GDPR.
Firms that provide payment services in the EEA should have regard to EDPB’s interpretation of “explicit consent” under PSD2 in their customer onboarding and documentation processes and ensure that in addition to obtaining explicit consent from a PSD2 perspective, they also consider the most relevant legal grounds to process personal data of the payment service users and other individuals under the GDPR. Such legal grounds could include, but need not necessarily be limited to, “consent.”
Third-party Providers and Payees
Another question addressed by the EDPB relates to the processing of personal data relating to a payee by a payment initiation service provider (PISP) or an account information service provider (AISP) that has a contract with the payer but not the payee.2
In response, the EDPB confirmed that the legal basis for such processing of personal data could be the PISP or AISP’s legitimate interests to perform the contract with the payer. However, the EDPB noted that such processing can occur only when the legitimate interests of the controller are not “overridden by the interests or fundamental rights and freedoms of the data subject.” The EDPB also stated that such personal data cannot be used for a purpose other than that for which the personal data has been collected.
Further, the EDPB indicated that personal data of individuals must be collected and processed in accordance with the data protection principles under Article 5 of the GDPR – lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.
Firms that are considering providing account information or payment initiation services under PSD2 should therefore consider whether their processing of personal data relating to payees fulfils these GDPR requirements. Firms considering partnering with such third-party providers or using their services should consider whether the third-party provider is able to demonstrate that its processing of personal data will not undermine the firm’s own GDPR policies and procedures.
1 The EDPB replaced the Article 29 Working Party when the General Data Protection Regulation came into force on May 25, 2018.
2 See further on the PISPs and AISPs in Sidley Update “EU Payment Services Directive II Introduces Broader, More Stringent Regulation of Payment Services.”
You might also like
On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.
AIEUInternationalLegislationPolicyUK
Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.
Asia Privacy LawsFinancial PrivacyInternationalPIPA
The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.