PSD2-innovation and GDPR-protection: a fintech balancing act
Part One: Consent
18 October 2019
This article is the first in a planned series of four articles.
The revised Payment Services Directive (Directive (EU) 2015/2366) (PSD2), which introduced open banking, aims to encourage innovation and competition in the European payments market. By permitting payment services providers (such as incumbent financial institutions and fintechs) to access and analyse certain financial data from consumers and businesses, PSD2 is an attempt to stimulate the development and provision of new innovative payment services. In parallel, the introduction of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) has had a significant impact on how personal data must be handled. Any access that payment services providers have to personal data, and the use they make thereof, must comply with the strict regulations of the GDPR. When working to comply with both pieces of legislation, payment services providers need to balance the innovative opportunities offered by PSD2 with the data protection challenges created by GDPR. Some of the key balancing issues relate to consent, data portability, automated decision-making, profiling and data minimisation. In a series of four articles we aim to shed some light on these key issues. This first article elaborates on the ‘(explicit) consent’ under PSD2 and GDPR.
For the purpose of these four articles, an imaginary fintech company called BOLT will be used as an example. BOLT is licensed in The Netherlands as a payment service provider (PSP) and is authorised to provide the new payment services introduced by PSD2: account information services and payment initiation services.
BOLT provides these services through a smartphone application (app). This app collects data from different payment accounts and provides its users with consolidated information on the status of their personal finances (see graphic). BOLT also categorizes and analyses its users' income and spending, and provides them at their request with a personalised credit score. In addition, the payment service users of BOLT can also initiate payments from their designated payment accounts directly from the BOLT app.
Both PSD2 and the GDPR contain the concept of (explicit) consent. In order to provide its payment services and to process certain personal data, BOLT needs to obtain certain (explicit) consents from its users in accordance with PSD2 and the GDPR.
(i) Which (explicit) consents does BOLT need for the provision of its payment services and the processing of personal data?
1. Provision of BOLT’s payment services
The consent that BOLT requires for its payment services is twofold: BOLT needs to obtain the explicit consent (uitdrukkelijke instemming) from the user for the provision of its account information services. In addition, BOLT requires the explicit consent (uitdrukkelijke instemming) from the user for each payment transaction that it initiates.
On the basis of these explicit consents, BOLT may only access information from designated payment accounts and associated payment transactions. Separate consents are required for each bank account and, when a bank account has multiple account holders, the separate consent of each account holder is required. In addition, consent should be renewed every ninety days. Furthermore, these explicit consents do not allow BOLT to (i) request or store sensitive payment data or (ii) use, access, or store any data for purposes other than for performing the payment service(s) explicitly requested by the user.
These explicit consents are a PSD2-requirement that applies to BOLT as a payment services provider. As BOLT may not process any personal data solely on the basis of these explicit consents, they do not fall within the scope of the GDPR.
2. Accessing, processing and retaining personal data necessary for the provision of BOLT’s payment services
BOLT also needs to obtain a separate explicit consent (uitdrukkelijke toestemming) from its users for accessing, processing and retaining the personal data necessary for the provision of its payment services. Examples of such personal data include names, addresses and Internet Protocol (IP) numbers.
It is important to note that BOLT may not include the request for this explicit consent inside a broader request to its users for the acceptance of the terms and conditions of its services. Tacit consent does not suffice. The user must explicitly, and separately from other parts of the contract, agree to access to, and processing of, his or her personal data. To obtain this explicit consent, BOLT could for example let each user tick a checkbox in its app, indicating that the user gives permission for access to his or her personal data necessary for the provision of BOLT’s account information and payment initiation services.
This explicit consent is a PSD2-requirement that applies to BOLT in addition to the rules of the GDPR. The GDPR does not require 'explicit consent' for the processing of regular personal data. This means that for processing payments or transactional data, explicit consent under the GDPR is not required. Instead, for the purposes of the GDPR, it is sufficient that there is a contractual relationship between BOLT and the user which can qualify as the lawful basis to process personal data ('performance of a contract'). Therefore, in our view, the ‘explicit consent’ as set out in the paragraph above should not be interpreted as ‘explicit consent’ under the GDPR. This position is supported by the European Data Protection Board (EDPB). The EDPB stated that 'performance of a contract' is the lawful basis under the GDPR to process personal data for payment services as described above. The EDPB’s view has since been confirmed by the Dutch Data Protection Authority (AP).
The above means that the more stringent GDPR requirements for consent do not apply to the consent for the payment services (described under point 1 above) and the consent for the processing of personal data associated therewith (this point 2).
3. Processing other personal data (i.e. personal data not necessary for the provision of BOLT’s payment services)
In the event that BOLT processes any personal data for purposes other than the provision of its payment services, it should obtain the separate consent of its users (or have another legal basis for the processing of such personal data). When this personal data includes sensitive personal data (such as ethnicity, race or biometrical data), BOLT requires the separate explicit consent of its users.
This is a GDPR-requirement. On the basis of this (explicit) consent, BOLT may process such personal data in accordance with the GDPR on the basis that the user has consented to the processing thereof. PSD2 does not contain a legal basis for the processing of personal data by payment service providers for purposes other than the provision of their payment services.
(ii) What requirements apply to these (explicit) consents?
For the various activities that BOLT carries out, it requires different (explicit) consents from its users. These (explicit) consents have a divergent legal basis and are subject to different requirements under PSD2 and GDPR. Some of the key similarities and differences are:
As becomes clear from the above, consent is one of the themes where PSD2 and the GDPR overlap, and potentially even clash. This makes it challenging for payment services providers such as BOLT to find out how to comply with both pieces of legislation. Thankfully, there now seems to be consensus that when it comes to consent, PSD2 is not a lex specialis to the GDPR. This means that the ‘explicit consent’ as set out under point 2 above should not be interpreted as ‘explicit consent’ under the GDPR, but that BOLT may process the personal data necessary for the provision of its payment services on the GDPR lawful basis ‘performance of a contract’. This implies that so long as BOLT only processes the personal data necessary for the provision of its payment services, its users’ consents need only comply with the requirements of PSD2, and not with those of the GDPR. As obtaining consent under the GDPR has a very high threshold, this will in practice significantly increase the opportunities for BOLT to create a more user-friendly consent mechanism in its application.
The next article in the BOLT-series will discuss the issues of automated decision-making and profiling under PSD2 and GDPR.
Sophie Wijdeveld, Advocaat-stagiaire, Amsterdam, also contributed to this article.