As contactless transactions boom, EU regulators publish draft guidelines on the interplay between the GDPR and PSD2.
By Fiona M. Maclean, Christian F. McDermott, Calum Docherty, and Amy Smyth
Last year, more than half of all payments in the UK were made by card and contactless methods, while cash made up less than a quarter of all payments for the first time, according to the trade association UK Finance. The COVID-19 pandemic has accelerated the shift towards a cashless society, as governments across Europe encourage citizens and businesses to adopt cashless solutions. At the start of the lockdown, in the spring, ATM transaction volumes in the UK fell 62% year on year, while the daily cash transaction volumes dropped by as much as 90% in Spain, according to the Financial Times.
This surge in card and contactless transactions raises questions about how to manage the vast array of data generated from each payments transaction, including cardholder data, transaction metadata, and merchant data, as well as information about chargebacks, refunds, and disputes. In the EU, activities in the payments sector are subject to the revised Payment Services Directive (2015/2366, known as PSD2), as transposed into national law. A key requirement of PSD2 is that regulated firms must process personal data in compliance with EU data protection law, which is substantially set out in the General Data Protection Regulation (the GDPR).
The two regimes impose separate regulatory requirements that at times can seem incongruous. To help the banks and fintechs that are required to comply with these two regimes, the European Data Protection Board (the EDPB) issued draft guidelines in July on the interplay between the GDPR and PSD2 (the Guidelines). Building on a letter issued by the EDPB in 2018 on the same topic (the Letter), the Guidelines focus on what account information service providers (AISPs) and payment initiation service providers (PISPs) (together, third party providers or TPPs) should do to comply with the GDPR and mitigate data protection risk.
Legal Basis for Processing
Under the GDPR, data processing is only lawful if there is a legal basis, as prescribed by the GDPR. One such legal basis is when processing “is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” at Article 6(1)(b) GDPR.
The EDPB considers Article 6(1)(b) GDPR to be the main legal basis on which personal data may be processed in the provision of payment services (as defined by PSD2), highlighting that such services always involve a contract between the payment service user and the payment service provider. However, as explained below, this legal basis will not cover payee data if there is no direct contractual nexus.
In relation to payment service users, the EDPB refers to its 2019 guidelines on Article 6(1)(b) GDPR, emphasising that TPPs seeking to rely on this legal basis must be able to show that the processing is genuinely “necessary” for the performance of the contract. The EDPB sees this as a strict test, which depends on: (i) the nature of the service; (ii) the mutual perspectives and expectations of the parties to the contract; (iii) the rationale of the contract; and (iv) the essential elements of the contract. The EDPB notes that TPPs should not seek to artificially expand the data categories or types of data processing that are “necessary” for the performance of that contract. Furthermore, TPPs should ensure that they can identify a legal basis for each separate, independent service, even if those services are bundled together in a single contract.
Further Processing
The GDPR and PSD2 each restrict how TPPs can use personal data. Under the GDPR, data must be collected for a specified purpose and not further processed in any incompatible manner (unless a separate legal basis is established for that further processing). Under PSD2, TPPs can only process data for the payment initiation or account information services (for PISPs and AISPs, respectively) as requested by the user (Articles 66(3)(g) and 67(2)(f) PSD2).
The practical result of the combination of these GDPR and PSD2 restrictions is that further processing for a separate purpose, other than payment initiation or account information services, is generally only permitted with user consent (pursuant to the GDPR, as discussed below) or when the processing is laid down under EU or Member State law (e.g., the requirements to conduct customer due diligence in accordance with AML and terrorist financing directives such as Directive (EU) 2015/849).
Explicit Consent
The issue of consent has understandably caused some confusion in aligning the GDPR and PSD2 — because the term has different meanings in each instrument.
Under the GDPR, “consent” and “explicit consent” are legal bases for processing personal data and special category data, respectively. The threshold for valid consent is high: consent must be freely given, specific, fully informed, unambiguous, and capable of being withdrawn. As the Guidelines note, “under no circumstances can consent be inferred from potentially ambiguous statements or actions.”
By contrast, PSD2 provides that TPPs shall access, process, and retain only the personal data that is necessary for the provision of their payment services, and only with the “explicit consent” of the payment service user. PSD2 also requires AISPs to collect “explicit consent” for the provision of their services.
The Guidelines reiterate the EDPB’s position in the Letter that the “explicit consent” referred to in Article 94(2) PSD2 is a contractual consent, distinct from and additional to “consent” under the GDPR. According to the Guidelines, “explicit consent” in the PSD2 context means that individuals should be fully aware of the data processed under the relevant service, they must be fully aware of the purpose of the processing, and they must explicitly agree to these clauses and accept these purposes. These information requirements therefore overlap with the GDPR’s transparency obligations. Further, under PSD2, the payment service user must be able to choose whether or not to use the service (and cannot be forced to do so).
This interpretation is necessary to square how the GDPR and PSD2 use the concept of consent, but it also raises practical questions for businesses. It would seem reasonable that a single point of information could satisfy transparency obligations under both the GDPR and PSD2. It may also be arguable that the acknowledgement of a privacy notice could achieve PSD2 consent for the use of personal data, and equally that acceptance of a contract with clear data protection terms could be sufficient to meet the GDPR consent requirements, though these points are not directly addressed in the Guidelines.
“Silent Party” Data
The EDPB defines “silent party” data in the Guidelines as “personal data concerning a data subject who is not the user of a specific payment service provider, but whose personal data are processed by that specific payment service provider for the performance of a contract between the provider and the payment service user”. This is best illustrated by the diagram below:
If A wants to effect a payment to B, then A needs the help of a TPP. A has a direct contractual relationship with the TPP (which may be A’s bank, a digital wallet provider, or a PISP), so the TPP can process A’s personal data on the basis of contractual performance under the GDPR. However, the TPP does not have a relationship with B (the silent party) — so how can the TPP process B’s personal data, as it cannot rely on Article 6(1)(b)?
The Guidelines clarify that processing silent party data is permitted under the GDPR, and TPPs may be able to rely on legitimate interests as a legal basis for processing for GDPR purposes (Article 6(1)(f)), such as the legitimate interests of the TPP performing the contract with A (but only if the legitimate interests of the TPP are not overridden by the fundamental rights and freedoms of the data subject, here B).
The scope of the legitimate interests basis is not unlimited — the Guidelines state that such processing of silent party data must be genuinely necessary for the purposes of the legitimate interests, as determined by the reasonable expectations of the relevant data subjects. All parties involved must ensure that they implement effective and appropriate measures to protect the interests and fundamental rights and freedoms of the silent parties and to respect their reasonable expectations, including security measures like encryption and data minimisation.
Unfortunately, the Guidelines do not address how TPPs should comply with the GDPR transparency requirements or with the Article 21 requirement that data subjects have the right to object to processing based on legitimate interests, and that this right must be explicitly brought to the attention of the data subject clearly and separately from other information, in relation to a silent party with whom the TPP has no direct relationship.
In relation to the further processing of silent party data for other purposes (such as direct marketing), the Guidelines make clear that such processing is not possible (other than as required by applicable law), as it cannot be based on a legitimate interest or consent, it does not meet the requirements of compatibility, and it does not comply with PSD2 restrictions on the use of personal data.
Special Categories of Personal Data
The GDPR prohibits the processing of special categories of personal data unless there is a relevant derogation/legal basis (distinct from the legal bases for processing other types of personal data, as discussed above). Under the GDPR, special categories of personal data include information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, biometric or genetic data, and data concerning a person’s sex life or sexual orientation. In contrast, PSD2 refers to “sensitive payment data,” meaning “data, including personalized security credentials, which can be used to carry out fraud”.
The Guidelines note that certain financial transactions are likely to involve processing special categories of personal data (e.g., through facilitating payments for political donations, trade union dues, or medical bills). As such, the Guidelines recommend that TPPs perform a data mapping exercise, including through a data protection impact assessment, in order to identify any processing of special categories of personal data, and the relevant derogation to be relied upon.
The Guidelines note two possible derogations under the GDPR that may apply in the context of PSD2 and the provision of payment services, though their application in practice is likely to be very limited:
- Substantial public interest: TPPs may process special category data if that processing is necessary for reasons of substantial public interest. TPPs must look to EU or national law for a substantial public interest condition (which must specifically provide for a GDPR derogation to process special categories of data), and at all times assess the proportionality and necessity of the processing and ensure safeguards for individuals’ rights and interests. There may also be additional local law requirements, such as the requirement to maintain an “appropriate policy document” when processing on a substantial public interest condition under the UK’s Data Protection Act. Therefore, even when relevant national laws do provide for a specific derogation on substantial public interest grounds which could apply to payments services processing (which is not the case in all Member States), reliance on this derogation is not always feasible for TPPs in practice.
- Explicit consent: As a last resort, the Guidelines note that if a substantial public interest condition does not apply, “obtaining explicit consent in accordance with the conditions for valid consent in the GDPR, seems to remain the only possible lawful derogation to process special categories of personal data.” The Guidelines are clear that “explicit consent as set out in Article 9 (2) (a) GDPR must meet all the requirements of the GDPR. This also applies to silent party data.”
The application of these derogations in practice may present challenges for TPPs, as they are limited in scope and narrowly interpreted, and unlikely to be feasible in certain circumstances. If a TPP cannot rely on either derogation, then special category data cannot lawfully be processed under the GDPR. In this case, the Guidelines suggest that TPPs investigate “technical measures … to prevent the processing of special categories of personal data, for instance by preventing the processing of certain data points”. As such, if neither of the above derogations, nor an argument that the relevant data is not, in fact, special category personal data, is viable, TPPs will need to consider operational and process changes in order to exclude access to special categories of personal data, likely with significant technical and cost implications.
Other Data Protection Principles
The final chapter of the Guidelines reinforces the importance of key data protection principles that must be taken into account by TPPs, such as data protection by design and default, security, and restrictions around profiling. The EDPB’s guidance on the following points may have particular implications for TPPs:
- Data minimisation: AISPs should determine what information is genuinely necessary for the provision of their services (e.g., a silent party’s IBAN may not need to be displayed, unless required by EU or Member State law). The Guidelines recommend tools such as digital filters to help AISPs meet their obligations (e.g., if a service provider does not need the transaction characteristics data field, the Guidelines recommend implementing a filter to exclude this field from the processing).
- Transparency and accountability: The Guidelines recommend providing clear privacy notices and suggest implementing a layered approach to avoid information fatigue, and to use privacy dashboards as a single place where users can alter their privacy settings and easily access information. Effective privacy dashboards may be particularly helpful when relying on explicit consent, to show that a data subject can withdraw explicit consent at any time. The Guidelines do not provide any further clarity on transparency obligations vis-à-vis silent parties, such as whether the disproportionate effort exemption can be relied on.
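The two technical measures the Guidelines point to, a field-level filter that excludes data an AISP does not need (including a silent party’s IBAN) and a pre-processing step that prevents special category data points from being processed at all, can be combined in one minimisation pass. The following Python is an added illustration, not code from the Guidelines or from any provider; the record layout, field names, IBANs and merchant category labels are constructed assumptions for a hypothetical budgeting service.

```python
"""Data minimisation filter for AISP transaction records (added example)."""
from copy import deepcopy
# Constructed sample records shaped like what an AISP might receive from the bank.
# Field names, IBANs and merchant category values are illustrative assumptions.
SAMPLE_RECORDS = [
    {
        "transactionId": "tx-0001",
        "amount": {"currency": "EUR", "value": "18.40"},
        "bookingDate": "2020-09-01",
        "creditorName": "Example Supermarket",
        "creditorAccount": {"iban": "DE89370400440532013000"},
        "transactionCharacteristics": {"merchantCategory": "grocery"},
    },
    {
        "transactionId": "tx-0002",
        "amount": {"currency": "EUR", "value": "25.00"},
        "bookingDate": "2020-09-02",
        "creditorName": "Example Party",
        "creditorAccount": {"iban": "FR7630006000011234567890189"},
        "transactionCharacteristics": {"merchantCategory": "political_organisation"},
    },
]

# Allow-list: only the fields the hypothetical budgeting service actually needs.
ALLOWED_FIELDS = {"transactionId", "amount", "bookingDate", "creditorName"}

# Merchant categories that would reveal special category data (illustrative labels);
# such records are dropped before any storage or further processing.
EXCLUDED_CATEGORIES = {"political_organisation", "trade_union", "religious_organisation", "medical"}

def mask_iban(iban: str) -> str:
    """Keep only the country code and last four characters of a silent party's IBAN."""
    return iban[:2] + "*" * (len(iban) - 6) + iban[-4:]

def is_special_category(record: dict) -> bool:
    """True if the merchant category flags the transaction as special category data."""
    category = record.get("transactionCharacteristics", {}).get("merchantCategory")
    return category in EXCLUDED_CATEGORIES

def minimise(record: dict, keep_masked_iban: bool = False) -> dict:
    """Copy only allow-listed fields; optionally retain a masked payee IBAN."""
    out = {k: deepcopy(v) for k, v in record.items() if k in ALLOWED_FIELDS}
    if keep_masked_iban and "creditorAccount" in record:
        out["creditorAccount"] = {"iban": mask_iban(record["creditorAccount"]["iban"])}
    return out

def filter_batch(records: list, keep_masked_iban: bool = False) -> tuple:
    """Drop special-category records and minimise the rest: (kept, dropped_count)."""
    kept = [minimise(r, keep_masked_iban) for r in records if not is_special_category(r)]
    return kept, len(records) - len(kept)
```

Running the filter at the point where account data first enters the service means the excluded fields and transactions never reach storage, which is simpler to evidence in a data protection impact assessment than deleting them afterwards.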
What Next?
The EDPB launched a public consultation on the Guidelines that ended on 16 September 2020. While the Guidelines may be updated once they are finalised, the current draft provides a good indication of the regulatory direction of travel. In the meantime, TPPs should:
- Take the opportunity to minimise their use of personal data and any special categories of personal data, e.g., by implementing tools to automatically filter unnecessary data fields.
- Review privacy notices and processing operations to ensure that the appropriate legal basis for personal data processing is relied on for each operation (e.g., contract for necessary information, legitimate interests for silent party data, explicit consent for any special category personal data, if the appropriate tests are met).
- Ensure that any further processing (such as for AML, marketing, etc.) is properly identified and carried out in accordance with the GDPR.
- Ensure that data protection terms and notices are explicitly brought to the user’s attention in line with the Guidelines to discharge the “explicit consent” requirement in PSD2.
- Conduct a data protection impact assessment or data map to identify when special category data may be processed. Consider technical means to limit special category data processing, and if such processing cannot be avoided, identify an appropriate legal basis for the processing.
This post was prepared with the assistance of Roisin Mbonu in the London office of Latham & Watkins.