knowledge | 15 December 2020 |

PSD2 Customer Authentication Requirements and the GDPR

In a year like no other, the landscape for e-commerce has changed significantly over the course of 2020.  This landscape is about to shift again on 1 January 2021 when new requirements for strong customer authentication under the second Payment Services Directive (Directive 2015/2366) (“PSD2”) come into effect.  These measures will require banks to request additional information from customers, such as a one-time pass code or a fingerprint, to authorise a payment. 

This brings into focus a consistent issue in the application of PSD2, namely its interplay with the General Data Protection Regulation (the “GDPR”).  The GDPR establishes a framework to ensure that entities holding personal data keep that personal data secure.  PSD2, on the other hand, requires financial institutions that maintain payment accounts (so-called account service payment providers (“ASPSPs”)) to open up their infrastructure and give access to data to third party providers (TPPs), of which there are two types: account information service provides (“AISPs”) and payment initiation service providers (“PISPs”).

With these seemingly contradictory legislative objectives causing compliance concerns among organisations, on 17 July 2020, the European Data Protection Board (the “EDPB”) issued welcome guidelines (the “Guidelines”) dealing with the interplay between the GDPR and PSD2, which it is worth revisiting in the context of the upcoming PSD2 requirements.  The Guidelines discuss the legislative interplay on a number of matters, including lawful grounds and further processing; explicit consent; “silent party data”; special categories of data; and principles of data minimisation, security, transparency and profiling.

Some key aspects of the Guidelines are:

1. Legal Basis and Further Processing

The primary legal basis for the processing of personal data in a PSD2 context is Article 6(1)(b) of the GDPR, that the processing is necessary for the performance of a contract. The Guidelines provide that controllers must assess what level of processing of data is objectively necessary to perform the contract, which links in with guidelines on legal basis issued by the EDPB in October 2019.

The Guidelines specifically address cases in which data subjects may be faced with ‘take it or leave it’ situations when, for example, a controller wishes to bundle several separate services or elements of a service with different fundamental purposes, features or rationale into one contract. Where the contract consists of several separate services or elements of a service that can in fact reasonably be performed independently of one another, the applicability of Article 6(1)(b) should be assessed in the context of each of those services which the data subject has actively requested or signed up for.

In this context, Articles 66(3)(g) and 67(2)(f) of PSD2, which provide that PISPs and AISPs shall not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer, must be carefully considered to ensure compliance with data protection rules.

This interpretation of how Article 6(1)(b) applies in this context could considerably restrict the possibilities for the further processing of personal data by financial entities under PSD2. Processing for another purpose is not permitted, unless an alternative legal basis can be relied upon or Article 6(4) of the GDPR applies.

2. Explicit Consent

The Guidelines acknowledge that the legal framework regarding explicit consent is complex, as both PSD2 and the GDPR include the concept, however, the Guidelines confirm a welcome distinction between consent in the two regimes.  Under Article 94 of PSD2, the Guidelines note that explicit consent is a requirement of a contractual nature, i.e. a form of permission, which applies in addition to the existence of a legal basis for processing.  According to the EDPB this is not to be conflated with the concept of explicit consent in Article 4(11) of the GDPR, which has a particular meaning set out in the GDPR. 

3. Silent Party Data

In the context of the payment process, ‘silent parties’ are those who do not have a direct contractual relationship with the payment service provider but whose personal data is processed during a transaction.  For example the recipient of funds, whose bank account information is processed to effect a transfer by the payment service user through the payment service provider.

Article 5(1)(b) of the GDPR requires that personal data is only collected for specified, explicit and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes.  The Guidelines provide that a lawful basis for the processing of silent party data by PISPs and AISPs – in the context of the provision of payment services under PSD2 – could therefore be the legitimate interest of a controller or third party to perform the contract with the payment service user.

The Guidelines further provide that the controller must establish the necessary safeguards for the processing in order to protect the rights of such silent data subjects. This includes technical measures to ensure that silent party data are not processed for a purpose other than the purpose for which the personal data were originally collected by PISPs and AISPs. If feasible, also encryption or other techniques should be applied to achieve an appropriate level of security and data minimisation.

4. Special Categories of Data under PSD2

The Guidelines distinguish the term ‘sensitive payment data’ in PSD2 from the term ‘sensitive personal data’ in the GDPR.  PSD2 considers sensitive payment data to be data, including personalised security credentials, which can be used to carry out fraud. The GDPR, alternatively, emphasises the need for specific protection of special categories of personal data, which under Article 9 of the GDPR are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, such as data about health or ethnicity.

The Guidelines recommend that controllers map out and categorize precisely what kind of personal data will be processed. A Data Protection Impact Assessment will likely be required in accordance with Article 35 of the GDPR, which would assist in this mapping exercise.

5. Data Minimisation, Security, Transparency, Accountability and Profiling

The Guidelines recommend the use of digital filters in order to support AISPs in their data minimisation obligation under Article 5(1)(b) of the GDPR.  For instance, when a service provider does not need the transaction characteristics (in the description field of the transaction records) for the provision of their service, a filter could function as a tool for third party providers to exclude this field from their overall processing operations.

Under PSD2, ASPSPs may only provide access to payment account information. There is no legal basis under PSD2 to provide access with regard to personal data contained in other accounts, such as savings, mortgages or investment accounts. Accordingly, under PSD2, technical measures must be implemented to ensure that access is limited to the necessary payment account information, in compliance with GDPR requirements.

Next Steps

The EDPB received numerous submissions on the Guidelines in response to its public consultation process, which generally welcomed the Guidelines but sought clarification of a range of points.   The EDPB has not yet published an updated version of the Guidelines that takes account of these submissions and it remains to be seen to whether any material changes will be made in the finalised version.

Also contributed by Aoife Mac Ardle and Róisín Finn

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Key contacts