The changes in the EU’s legislative framework for payment services have opened the way to a new era of payments in Europe. While the revised Payment Services Directive (EU) 2015/2366 (PSD2) is intended to improve competition and innovation in the internal market, the General Data Protection Regulation (EU) 2016/679 (GDPR) aims to protect individuals in the EU from privacy and data breaches in an increasingly data-driven world. The two regimes overlap in important ways, as both set strong requirements for data protection and for the customer’s consent to the processing of personal data. This can create a conflict: a payment service provider may be required to share personal data under PSD2 while at the same time being required to restrict such sharing under GDPR.
1. Consent under PSD2
Third-party providers’ access to payment accounts is provided for in Articles 66 (payment initiation services) and 67 (account information services) of PSD2. Banks are obliged to support these new service providers where the account holder consents to access to their payment accounts. Consent may be given in any form and through any procedure agreed between the customer (ie the payer) and the provider. Once the customer has consented to the execution of a payment transaction, that consent may only be withdrawn under certain conditions and within a particular time frame.
With the customer’s consent under PSD2, third-party providers can request and receive from banks access to their customers’ payment accounts ‘on an objective, non-discriminatory and proportionate basis’. That access should be sufficiently extensive to enable third-party providers to provide payment services in an efficient manner. Its scope, however, is limited to what is strictly necessary to provide the payment service requested by the payment service user.
When a bank receives an access request from a third-party provider to which the customer has consented, it may refuse access only for objectively justified and duly evidenced reasons, and any such refusal must be reported to the competent supervisory authority. Those reasons must relate to ‘unauthorised or fraudulent access to the payment account by that account information service provider or that payment initiation service provider, including the unauthorised or fraudulent initiation of a payment transaction’ (Article 68(5) of PSD2).
By contrast, PSD2 does not require banks themselves to obtain the customer’s consent before giving third-party providers access to customer payment accounts through the banks’ application programming interfaces (APIs). Third-party providers, however, must have the customer’s consent in place so that their access to account information and the payments they initiate on their customers’ behalf are fully compliant. Once consent is in place, the consumer can use the third-party provider’s account information or payment initiation service, and the provider submits the request to the relevant bank, which checks whether consent has been granted. The bank’s role is thus to verify whether the third-party provider has obtained the customer’s proper and legitimate consent.
Finally, Article 94(1) of PSD2 states that the processing of personal data for the purposes of PSD2 must comply with EU data protection law. Article 94(2) goes further: payment service providers, including third-party providers, shall only access, process and retain personal data necessary for the provision of their payment services, and only with the ‘explicit consent’ of the payment service user. The European Data Protection Board (EDPB) highlights in Guidelines 06/2020 that this consent must be freely given, meaning the payment service user must be able to choose whether or not to use the service and cannot be forced to do so. This raises the question of whether Article 94(2) of PSD2 is lex specialis and therefore prevails over the GDPR. If it were, the only legal basis available to payment service providers for processing personal data would be explicit consent under PSD2, to the exclusion of the other legal bases for processing provided for under the GDPR.
2. Consent under GDPR
GDPR establishes a strong and comprehensive data protection framework that applies uniformly throughout the EU. Article 6 of GDPR sets out the legal bases for processing personal data: data controllers (eg financial institutions, banks and third-party providers) cannot process a data subject’s (ie a customer’s) data without one of them. Under Article 4(11), consent of the data subject means ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
There are six potential lawful grounds for processing data: (a) the data subject’s consent, (b) processing necessary for the performance of a contract, (c) processing necessary for compliance with a legal obligation, (d) processing necessary to protect the vital interests of the data subject, (e) processing necessary for a task carried out in the public interest, and (f) processing necessary for the legitimate interests of the controller.
Clearly, consent is just one potential legal basis for processing. The conditions for consent require that it be freely given, and the data subject can withdraw it at any time without giving a reason. Further conditions apply in some cases; for example, where information society services are offered to a child, consent must be given or authorised by the holder of parental responsibility (Article 8 of GDPR). The question therefore arises: how does consent under GDPR relate to PSD2? As stated in recital 87 of PSD2, the Directive ‘should concern only contractual obligations and responsibilities between the payment service user and the payment service provider’. The natural legal basis for processing under PSD2 is therefore that the processing is necessary for the performance of a contract to which the data subject is party (Article 6(1)(b) of GDPR).
Even so, in line with EDPB Guidelines 2/2019, where a controller cannot show that processing the personal payment account data is objectively necessary for the provision of each of these services taken separately, Article 6(1)(b) of GDPR is not a valid legal ground for that processing. In such cases the controller must consider another legal basis.
The customer’s consent could thus play a major part, being mentioned in both PSD2 (as a prerequisite for providing payment services) and GDPR (as one of the legal grounds permitting the processing of personal data). However, the ‘consent’ provided for in PSD2 and the ‘consent’ provided for in GDPR are not the same thing: under GDPR, data subjects are entitled to withdraw their consent whenever they wish, whereas consent to a payment service under PSD2 is bound up with the contract for that service.
Table: Main differences between consent under GDPR and PSD2 summarised
1. Customer consent to process data must be freely given and for specific purposes.
2. Customers must be informed of their right to withdraw their consent.
3. Consent must be ‘explicit’ in the case of sensitive personal data.
4. Data processing and sharing is explicitly requested by the customer.
5. Consent expires automatically.
6. Consent must be clear, specific and informed.
3. The European Data Protection Board (EDPB)
After PSD2 entered into force, the EDPB characterised ‘explicit consent’ under Article 94(2) as contractual consent: payment services are always provided on a contractual basis between the payment service user (ie the customer) and the payment service provider. This accords with the aims of PSD2, which, per recital 87, should concern only contractual obligations and responsibilities between the payment service user and the payment service provider. That being so, the concept of payment service user ‘consent’ in PSD2 must not be confused with the concept of data subject ‘consent’ under GDPR.
The EDPB stated that customers entering into a contract for payment services should be informed of the purposes for which their data will be processed and should explicitly agree to those purposes. The EDPB noted that further processing of customer data for other purposes, not necessary for the performance of the contract, could be based on consent under GDPR provided that the conditions and requirements laid down in Article 7 and Article 4(11) of GDPR are fulfilled.
There is thus an apparent conflict between data sharing under PSD2 and obtaining consent to share such data under GDPR. Under GDPR, financial institutions cannot process customer data without consent or another of the lawful grounds in Article 6 of GDPR. Under PSD2, a payment service provider must have obtained the customer’s explicit consent before accessing the customer’s payment account. Explicit consent is therefore required to provide the service, yet the term ‘explicit consent’ is not defined in PSD2.
However, the EDPB has stated that explicit consent under PSD2 is different from (explicit) consent under GDPR. Explicit consent under PSD2 is an additional requirement of a contractual nature. Payment services are always provided on a contractual basis between the payment service user (ie the customer) and the payment service provider. Therefore, when a payment service provider needs access to personal data for the provision of a payment service, the payment service user’s explicit consent in line with Article 94(2) of PSD2 is needed.
To conclude, PSD2 is not lex specialis to GDPR. To be lex specialis, PSD2 would have had to give a specific definition of explicit consent. Payment service providers must therefore both fulfil the explicit consent requirement under PSD2 and be able to rely on one of the lawful bases in Article 6(1) of GDPR for processing personal data, which in practice will usually be the performance of the contract under Article 6(1)(b) rather than GDPR consent.
Diljá Helgadóttir holds LLB and ML in Law qualifications from Reykjavik University and an LLM qualification from Duke University, and is an Incoming Associate at Van Bael & Bellis in Brussels