EDPB’s consultation on the interplay of the PSD2 and the GDPR: EBF response
BRUSSELS, 17 September 2020 – The European Banking Federation (EBF) has submitted its response to the European Data Protection Board’s (EDPB) consultation on the draft guidelines on the interplay of the Second Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR). We welcome the EDPB’s efforts to clarify uncertainties that persist between these two essential legislative frameworks for the banking sector. While there are elements which the draft Guidance clarifies, for example, the welcome confirmation that explicit consent under Article 94 PSD2 is different from (explicit) consent under GDPR, other elements are more worrying (e.g. proposals on data minimisation measures). In particular, EBF members are concerned about the lack of coherence in some cases with the provisions of PSD2, which could lead to creating further uncertainties instead of resolving existing ones and result, in some cases, in a breach of legal obligations on the part of banks in their role as ASPSPs.
To realize the opportunities offered by the PSD2, ensure legal certainty for all parties and safeguard the protection of consumer data, we encourage the EDPB to consider the following:
- The final EDPB Guidelines should ensure coherence with existing legislation, notably the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (the RTS on SCA and CSC). They should also not result in new technical measures, given that the PSD2 (level 1) implementation deadline for member states was 13 January 2018 and the compliance deadline with the level 1 EBA RTS on SCA and CSC for market participants was 14 September 2019.
- It is important to make a clear distinction between the respective GDPR responsibilities of the payment service providers – ASPSP, PISP and AISP – based on the roles described in the PSD2. We, therefore, suggest clarifying at each stage of the Guidelines the addressee(s) of the various obligations.
- On further processing under PSD2, the Guidance should be amended to clarify that AISPs and PISPs can process personal data relating to payments on other Article 6 bases, for example, the basis of legitimate interests, provided this is linked to the provision of the core AIS/PIS, and subject to meeting other GDPR requirements. The current interpretation in the Guidelines risks preventing a range of legitimate and important data processing activities by TPPs.
- The current proposals on data minimisation measures, particularly the recommendation on digital filters, do not take into account that it is the responsibility of each PSP, as the data controller, to respect the principle of data minimisation. The Guidance also does not consider that filtering would imply interfering with the data to be accessed by TPPs, whereas the aim of PSD2 is allowing access to the account information as is. For ASPSPs, using digital filters could result in a breach of legal obligations.
For more information:
Liga Semane, Policy Adviser Data & Innovation, firstname.lastname@example.org