Open Banking, Payment Services and the GDPR

In December 2020, the European Data Protection Board adopted new guidelines in relation to the relationship between the second Payment Services Directive (“PSD2”)[1] and the GDPR, setting out clear guidance for payment service operators with regard to how the personal data which they process may be dealt with in a GDPR-compliant manner.  The PSD2 was adopted into Irish law in January 2018[2] and is a critically important piece of EU legislation, as it seeks to ensure legal certainty for consumers, merchants and companies within the payment chain, while also serving to modernise the EU legal framework for the payment services market.

The interplay between the PSD2 and the GDPR is particularly important, due to the fact payment service operators may access and process large quantities of personal financial data, much of which may be ‘sensitive’ personal data, and the GDPR applies to the processing of personal data carried out in the context of payment services.  As a result, controllers of personal data who are subject to the provisions of the PSD2 are required to always ensure compliance with the GDPR.  Of course, even for those operators whose services fall outside the scope of the PSD2 (such as creditworthiness assessment services), or for accounts other than payment accounts (such as savings or investment accounts), the GDPR will still apply.

Payment Service Operators

One of the most important aspects of the PSD2 is the introduction of two new types of payment services providers – Account Information Service Providers (“AISPs”) and Payment Initiation Service Providers (“PISPs”).  In brief:

  • AISPs are companies which are authorised to access an individual (or company’s) account data by the relevant bank, a common example being a money management or budgeting application which allows users to consolidate their different current accounts in various banks, create a budget, and monitor their spending.
  • PISPs are companies which can not only access an individual (or company’s) account data, but are also authorised to make payments on behalf of their customers by initiating transfers directly to or from the user’s bank account. An example of a PISP would be an application which transfers a portion of the user’s account balance to a savings account each month.

Of course, without being able to access a user’s bank account, the operations of AISPs and PISPs would be virtually impossible.  The PSD2 therefore obliges banks to provide access to users’ payment account information where requested by an authorized AISP or PISP and the latter entities have fulfilled all the legal requirements allowing them to access the relevant account.

Understanding the Relationship between the PSD2 and the GDPR

The reason why the relationship between the PSD2 and the GDPR is so important is because of the fact that an individual’s financial transaction history can reveal highly sensitive information about that person.  The recent guidelines adopted by the European Data Protection Board set out a number of important examples:

  • Political opinions and religious beliefs may be revealed by donations made to political parties or organisations, churches or parishes;
  • Trade union membership may be revealed by the deduction of an annual membership fee from a person’s bank account;
  • Personal data concerning health may be gathered from analysing medical bills paid by a data subject to a medical professional (for instance a psychiatrist);
  • Information on certain purchases may reveal information concerning a person’s sex life or sexual orientation; or
  • Through the sum of financial transactions, behavioural patterns can be revealed which may include special categories of personal data.

With regard firstly to the obligations of the relevant bank with regard to personal data, banks are obliged under the PSD2 to provide the personal data to the AISP or PISP as this is necessary in order for AISPs and PISPs to provide their services in the first place.  As a result, the processing of personal data by the bank in granting access to the relevant accounts is based on a legal obligation, and therefore permissible under the GDPR.  Of course, it is important for banks to be aware that they are only permitted to rely on this legal basis in relation to payment account information only – there is no legal basis under the PSD2 for providing access in relation to savings or investment accounts, or mortgages.  Therefore, the relevant bank will need to ensure that appropriate measures are in place to ensure that any access provided to an AISP or PISP is limited to payment account information only.

For AISPs and PISPs, payment services are provided on a contractual basis between the service provider and the user, allowing AISPs and PISPs to rely on the legal basis of contractual necessity under Article 6(1)(b) of the GDPR in order to process the personal data of the user.  However, it is often the case that the contract with the user will consist of several different categories of services, which may be performed independently of each other.  As a result, whether the service provider can rely on the GDPR basis of contractual necessity must be assessed in the context of each of these services separately, taking into account an objective assessment of what is necessary to perform each of the services the user has signed up for.  The service provider must therefore be able to demonstrate how the objects of the contract with the user cannot be performed if the specific processing of the personal data in question does not occur.  Where the service provider cannot demonstrate that the processing of the personal payment account data is objectively necessary for the provision of each of these services separately, Article 6 (1) (b) of the GDPR is not a valid legal ground for processing this personal data.

In addition to the legal basis of contractual necessity, the requirement of explicit consent exists in relation to the access to and subsequently processing and storage of personal data for the purpose of providing payment services.  Explicit consent under the PSD2 is different to the consent requirement under the GDPR as it is an additional requirement of a contractual nature, required when a payment service provider needs access to personal data for the provision of a payment Service.  Service providers must therefore provide, and users must accept, specific and explicit information about the specific purposes identified by the service provider for which their personal data is accessed, processed and retained.

Particular attention must also be paid to the principles of data minimisation, data protection by design and default, and data security – as processing personal financial data is connected to a number of significant risks (identity theft, exposure of aspects of a user’s private life, etc.), security measures employed by AISPs and PISPs must be accordingly high.

Silent Party Data

‘Silent party data’ relates to the personal data of a third party who is not a party to the contract between the service provider and the user.  A helpful example is set out in the European Data Protection Board guidelines:

Where a payment service user, data subject A, makes use of the services of an AISP, and data subject B has made a series of payment transactions to the payment account of data subject A.  In this case, data subject B is regarded as the ‘silent party’ and the personal data (such as the account number of data subject B and the amount of money that was involved in these transactions) relating to data subject B, is regarded as ‘silent party data”.

The GDPR may allow for the processing of silent party data when this processing is necessary for purposes of the legitimate interests pursued by a controller or by a third party.  However, any further processing of silent party data on the basis of legitimate interest, cannot be undertaken for a purpose other than the specific purpose for which the personal data has been collected, on the basis of an EU or Member State law.  Consent of the silent party is not feasible, because in order to obtain consent, personal data of the silent party would have to be collected or processed, for which no legal ground can be found under Article 6 GDPR.  As a result, an AISP or PISP must implement technical measures to make sure that silent party data is not processed for any purpose other than that for which it was originally collected.

Compliance Measures

In light of the recent guidelines adopted by the European Data Protection Board, it is critical for all payment service operators, and the banks which they deal with, to understand their obligations under both the PSD2 and the GDPR when it comes to ensuring that the personal data which they access is processed in accordance with the GDPR, and users are provided with clear and transparent information about the measures taken in relation to their data and the legal basis upon which it is being processed.

The European Data Protection Board has recommended that AISPs and PISPs implement a number of helpful tools to provide the information required under the GDPR to their users.  One such mechanism to consider may be a ‘privacy dashboard’, which would allow users to manage their privacy preferences and provide information with regard to nature and quantity of personal data that has been accessed by the service provider.  Layered privacy statements, which avoid displaying a vast quantity of technical privacy information to the user in one go, are also recommended in order to ensure the information contained in these statements is effective.

[1] Directive 2015/2366/EU of the European Parliament and of the Council of 23 December 2015.

[2] The European Union (Payment Services) Regulations 2018 S.I. No.6 of 2018 (Payment Services Regulations 2018)

How we can help

Our Technology and Data Privacy teams are always available to offer our services to new clients and for further information about any of the points raised in this article please contact Joe McVeigh (jmcveigh@bhsm.ie) or Lee Taren (ltaren@bhsm.ie).

This article is for general information purposes.  Legal advice must be obtained for individual circumstances.  Whilst every effort has been made to ensure the accuracy of this article, no liability is accepted by the author for any inaccuracies.

Insight

Latest News