July 15, 2020

Volume X, Number 197

July 15, 2020

Subscribe to Latest Legal News and Analysis

July 14, 2020

Subscribe to Latest Legal News and Analysis

July 13, 2020

Subscribe to Latest Legal News and Analysis

European Data Protection Board Provides Clarification On PSD2

In response to questions from a Member of the European Parliament, the European Data Protection Board (EDPB) has provided much needed clarification on the overlap between the General Data Protection Regulation (GDPR) and the EU Payment Services Directive (PSD2) in an open letter.  As we identified in a previous blog post on this topic, the interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns.  The EDPB’s letter aims to clarify some of these difficult compliance questions.

Explicit consent

As identified in our previous blog post, one of the difficulties with aligning the two pieces of legislation is the extent to which “explicit consent” is required under both.  It is unclear from the legislation that when customers provide consent to sharing their data in the context of payment services, whether the processing of that data for GDPR purposes is then based on that same consent, rather than another lawful basis.  As we previously identified, there are many other lawful bases on which personal data can be processed under the GDPR which are much more desirable, such as where it is necessary to perform a contract.  Where the data is processed based on a customer’s consent, this potentially entitles the customer to many additional rights, such as the right to deletion.

The EDPB was asked to clarify this overlap, and now advances an interpretation according to which the “explicit consent” referred to in Art. 94 of PSD2 in relation to personal data is in fact not a consent for the processing of personal data, but is instead a contractual consent.  The EDPB states that “[p]ayment services are always provided on a contractual basis between the payment services user and the payment services provider.”  As such, the relevant lawful basis under the GDPR is that it is necessary for the performance of a contract.

The EDPB does further state, however, that PSD2 should still be interpreted in accordance with the data protection legal framework and as such when entering into a contract with a payment service provider, the customer should be “made fully aware of the purposes for which their personal data will be processed and have to explicitly agree to these clauses.  Such clauses should be clearly distinguishable from the other matters dealt with in the contract and would need to be explicitly accepted by the data subject.”

The EDPB also clarified that “authentication”, for which the Regulatory Technical Standards on Strong Customer Authentication provides the relevant standards and procedure, is merely a “technical measure” that ensures that consent from the legitimate user of the service is obtained, and should “not be confused with the consent itself.

Silent party data

Another question raised to the EDPB is the extent to which the processing of personal data of “silent parties” is legitimate where only the explicit consent of one party has been obtained.  This issue arises in the context of a customer who consents to using a payment service, however naturally as part of that process other third parties’ personal data will be processed, such as to effect a payment made by that customer to a third party or vice versa.  However, that third party has not consented to that arrangement.   The EDPB clarifies that in this context the lawful basis for processing silent parties’ personal data could be the legitimate interest of a controller or a third party.  This processing will then be “limited and determined by the reasonable expectations of the data subjects.”   Processing of that silent party data is strictly limited to the purpose for which it was collected, and should not be further processed for any other purpose.

Position of banks

The EDPB was also asked to clarify whether “banks are sufficiently cooperative in establishing secure interfaces and avoiding alternative, less secure, methods of accessing account data.”   The EDPB acknowledged that this touches on competition concerns, i.e., where a bank is required to share the data with third party providers, but then refuses because they are under competing obligations to ensure the security of personal data.  In this context, the EDPB provides that this question is better posed to a competition regulator.  However, the EDPB does warn that data protection authorities are fully competent to assess whether banks are ensuring a sufficient level of protection that is in line with the GDPR.  Banks need to have in place measures that ensure “a level of security appropriate to the risks” and that they implement privacy by design and privacy by default to protect the rights of their customers.  Data protection authorities may take action where banks are not complying with these requirements.

The EDPB will continue to monitor discussions on this topic, and they encourage “fruitful interaction” between EU data protection and financial authorities to ensure a coordinated approach.

As ever, we will continue to monitor key developments in relation to the GDPR and PSD2, and will provide further updates.

Gemma Nash is also a contributor. 

© 2020 Covington & Burling LLPNational Law Review, Volume VIII, Number 206


About this Author

Bruce Bennett, Covington Burling, Corporate financial attorney

Bruce Bennett represents financial institutions and other market participants on transactional and regulatory aspects of the global markets. His work for investment and commercial banks, asset managers and other institutional investors and trade associations spans capital markets and futures and derivatives markets, as well as regulatory matters involving the SEC, the CFTC and banking regulators. A recognized leader in capital markets, futures and derivatives and banking regulation, he has focused extensively on the foreign exchange markets. Mr. Bennett leads the firm’s...

Charlotte Hill, financial services lawyer, Covington

Charlotte Hill is a financial services and regulation partner in the London office.  She specialises in advising financial institutions on regulatory and commercial matters.

Ms. Hill has had considerable industry experience during her career, having worked at the regulator, IMRO (a predecessor regulator of the FCA) in the enforcement division and subsequently, was Director of Legal at Threadneedle Investments.  This industry experience is invaluable in providing clients with truly commercially focussed advice.

44 20-7067-2190
Kristof Van Quathern, Covington, data privacy attorney
Special Counsel

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Mr. Van Quathem has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Sophie Bertin, Senior financial advisor, Covington
Senior Advisor

Sophie Bertin is a former senior official who served as Head of Unit in the “Financial Crisis” Task Force within the Directorate-General for Competition at the European Commission. At DG COMP, Ms. Bertin was responsible for the state aid review, approval and monitoring of the interventions of the European Member States in the financial services sector during the height of the financial crisis. She was personally involved in a number of the key banking cases, such as cases in Belgium (KBC and Dexia), France, Luxembourg, Austria, Bulgaria, Latvia, among others, as well as...

+32 2 549 5230