The European Union is often caricatured for its vast and slow-moving regulatory processes, but within a few years European legislators adopted two groundbreaking pieces of legislation, PSD2 and the GDPR, which together address the core of the contemporary online economy.
The EU shook up the global data industry in 2018 when its sweeping General Data Protection Regulation (GDPR) imposed new rules on the lawful collection and processing of personal data, including when and how consent must be obtained from individual internet users. GDPR gave EU residents significantly more control over their personal data.
The EU is shaking up the European banking, payments, and fintech industries with PSD2, the second Payment Services Directive. PSD2 applied from January 13, 2018, and its strong customer authentication (SCA) requirements became fully enforceable across the EU on January 1, 2021, after the deadline set by the European Banking Authority expired. PSD2 is the regulatory foundation for a continental payments industry, and its goal is to spur fintech innovation.
At the core of PSD2 are strict anti-fraud provisions to assure individual consumers that their money and personal financial data are safe when entrusted with payment service providers operating in compliance with the directive.
PSD2 was drafted alongside the GDPR and with EU data protection law in mind. Obviously, processing a payment by removing money from a consumer’s bank account and moving it into the account of the online merchant they purchase from requires access to that consumer’s personal data. Article 94 of PSD2 requires organizations to handle that data in accordance with EU data protection law, which today means the GDPR.
Both PSD2 and the GDPR are complex and detailed. Even now, not every question about how the two intersect and affect each other has been answered definitively.
The only guidance regulated industries have, so far, about how to stay in compliance with both PSD2 and GDPR is a set of draft guidelines published by the European Data Protection Board (EDPB) in 2020 on the interplay between the two. The EDPB is composed of representatives of the data protection authorities of each EU member state together with the European Data Protection Supervisor. The board issues guidance to ensure the GDPR is applied consistently throughout the EU; day-to-day enforcement remains with the national data protection authorities.
The guidelines, which for now remain just that, haven’t settled key questions raised by the European Banking Federation (EBF). The EBF, in its response to the EDPB guidelines, noted that the GDPR’s terminology does not line up with the regulatory technical standards that implement PSD2’s strong customer authentication requirement.
Neither GDPR nor PSD2 were written for the convenience of the regulated entities. PSD2 sets stringent anti-fraud measures that are sure to add steps to ordinary online retail transactions. And GDPR assures individual internet users in the EU that the personal data they provide for a specific purpose, such as subscribing to an online newsletter, won’t be used for purposes they didn’t authorize, such as being sold to marketers.
Both regulations are designed to protect ordinary, individual users, on the assumption that consumer confidence will fuel market growth.
Under GDPR, there must be an established legal basis before any organization may process an individual’s personal data. Article 6 of the GDPR specifies six legal grounds (consent, performance of a contract, a legal obligation, vital interests, a task in the public interest, and legitimate interests), any one of which can establish a legal basis for processing personal data.
The EDPB guidelines state that the most common legal basis under PSD2 for processing personal data that is also GDPR compliant is performance of a contract (Article 6(1)(b)). In practice, the contract is the agreement the consumer enters into with a payment service provider (PSP), for example when authorizing a payment initiation service to access their bank account or card to complete an online transaction. Strong customer authentication, which requires at least two independent factors drawn from something the user knows, something the user possesses, and something the user is, then confirms that the person authorizing the transaction is actually the account holder.
EDPB guidelines make it clear that a contract between a consumer and a PSP to make a payment doesn’t establish a legal basis for other uses of personal data by the PSP that isn’t “objectively” necessary to perform the contractual service. PSPs must determine another legal basis for processing personal data for any use other than performance of the contract, i.e., processing a payment.
The phrase “explicit consent” is significant in both the GDPR and PSD2, but according to the EDPB guidelines, what qualifies as explicit consent for PSD2 is different from explicit consent under the GDPR.
The GDPR sets what many regard as the gold standard for consent in the constant struggle for data privacy. Under the GDPR, consent must be freely given, specific, informed, and unambiguous, and for special categories of data it must also be explicit. Under PSD2, Article 94(2) requires payment service providers to obtain the payment service user’s explicit consent before accessing, processing, and retaining personal data necessary to provide their payment services.
According to the EDPB guidelines, “explicit consent” under PSD2 is contractual in nature rather than a separate legal basis in the GDPR sense: payment service providers must provide customers with a contract that clearly states the specific categories of personal data that will be used and the purpose of the specific payment service, and the customer must explicitly agree to those terms. Only then can payment service providers access the customer’s personal data.
Sometimes PSD2 is even stricter than GDPR
The GDPR outlines certain circumstances under which an organization that has legitimately obtained personal data can process it further, without establishing a fresh legal basis. The secondary use must be “compatible” with the purpose for which the data was initially collected (Article 6(4)).
Under the EDPB’s PSD2 guidelines, by contrast, account information service providers and payment initiation service providers may use the personal data they obtain only for performing the service the user explicitly requested. That data cannot be used for any other purpose without the user’s consent, and the GDPR’s compatibility test does not open the door to further processing here.
GDPR and PSD2 are groundbreaking legislation for an ever-growing digital economy. While there’s considerable overlap between the two, particularly in their shared focus on protecting individual consumers, businesses in the EU cannot assume that being in compliance with one means they are automatically in compliance with the other.