In this new environment, data is the asset that customers manage and laws on data use have become stricter. European regulation has harmonized across countries to behave as a single market (equivalent in size to the US market) with the introduction of the GDPR and PSD2. Looking at these two regulations within the same market allows us to compare how a single market may have different objectives on data use.
GDPR aims to protect data on financial services
GDPR sets out a common legal framework for governments, public authorities, businesses and consumers when interacting with each other within the European Economic Area (EEA) and also applies to all entities processing personal data of EEA residents.
GDPR represents the most significant change in the payments environment in terms of risk to merchants (data controllers) and to the entities supporting data processing (data processors and sub-processors). The most important concepts that GDPR introduced are:
- Storage limitation and data minimization
- Breach notification schemes
- Privacy by design (ensuring data security)
- Accountability for personal data
- Accuracy of stored data
- Data portability
- Methods of data collection
- New individual rights
PSD2 aims to open payments to third parties
PSD2 sets out a common legal framework for businesses and consumers when making and receiving payments within the EEA.
Customers have a right to use payment initiation service providers (PISPs) for initiating payments and account information service providers (AISPs) to allow access to information on a bank account where the payment account is accessible online and where they have given their explicit consent (as stated by article 64 of the directive).
This means that, under PSD2, traditional payment service providers such as banks will need to share certain data with those third-party providers, who in turn access payment accounts (e.g., current accounts) and statement details. PSD2 enables a radical change in the financial industry by forcing banks to open up their data to third parties.
The most important concepts that PSD2 introduced are:
- Enhanced security of online transactions via strong customer authentication (SCA) and fraud reporting
- The creation of a level playing field for market players and an open market for third-party providers (TPPs) to encourage competition and innovation
- Enablement of new business models through account information and payment initiation services (through development of APIs)
GDPR and PSD2: common and discordant elements
GDPR and PSD2 are both laws focused on the processing of consumer data, but with different objectives.
The trend in PSD2 is to make customer data more accessible to third parties. GDPR aims to ensure that the data subject is always adequately informed about how personal data is processed and gains more control over how that data is used.
To compare them, it is necessary to identify a key element of both legislations; in this case, it is the requirement for consent as a legal basis to process data.
Under both GDPR and PSD2, a customer's consent to process data must be freely given and for specific purposes. It must be clear, specific and informed, and must be “explicit” in the case of sensitive personal data or transborder data flows.
GDPR also specifies that when giving consent, customers must be informed of the right to withdraw that consent, whereas PSD2 doesn’t clarify this aspect.
For PSD2, the consent is valid for the contract that has been signed by the payment service user, but it is required again every time the payment service company initiates a new payment. For GDPR, consent is no longer valid when the data is no longer used for the purposes it was gathered for.
In addition, PSD2 also provides that data processing and sharing can be explicitly requested by the customer.
The contradictions between the two regulations' approaches to managing consumer consent can lead to misuse of customer data.
An example of the possible misuse of data
Even though GDPR and PSD2 aim to protect data and payment transactions, in financial services there are still unregulated market scenarios that can lead to misuse of data — and loss of consumer trust as a possible consequence.
With PSD2 in force, thousands of banks in the EU are sharing data with TPPs. This can result in data being shared about people who have not consciously given consent, with parties that may never have requested all of the types of data they receive. When a person initiates a payment through a service provider in order to transfer money to another person, the service provider must necessarily process the data of that other person in order to perform its service.
This raises the question of whether the TPP has legal grounds for processing such personal data. The GDPR Regulator has expressed its view on this issue: the personal data of other natural persons may be legally processed on the basis of legitimate interest. Due care should be taken not to override the interests or fundamental rights and freedoms of data subjects. The processing also has to be:
- In line with other principles of the GDPR.