The Fintech revolution relies on the data flows opened up by the PSD2. Those flows need legal certainty, which the European Data Protection Board's guidelines on the interplay between the PSD2 and the GDPR now try to provide, although gray areas remain.
The PSD2 drives the Fintech revolution
According to Gartner,
by 2030, 80 percent of heritage financial services firms will go out of business, become commoditized, or exist only formally but not competing effectively. These firms will struggle for relevance as global digital platforms, fintech companies and other nontraditional players gain greater market share, using technology to change the economics and business models of the industry.
The Fintech revolution is expected to reshape the financial services market, with technology providers replacing banks in serving their customers. For the banking sector, the showdown came with the implementation by the EU Member States of Directive (EU) 2015/2366 on payment services in the internal market (the so-called PSD2).
The main changes introduced by the PSD2 concern the obligation on account servicing payment service providers, such as banks, to allow authorized third party providers to
- have access to their customers’ account information and
- initiate payments on a customer’s behalf
regardless of whether any agreement exists between the provider and the bank, once the conditions set to prevent discriminatory conduct are met. This continuous flow of data runs through the “famous” open APIs, which must be built according to the technical standards developed by the European Banking Authority (the regulatory technical standards on strong customer authentication and secure communication).
As a consequence, banks are shifting their business model to become a marketplace where the services of third party providers are offered to their customers, as I outlined in my previous article “How the Internet of Things changes Financial Services”.
The EDPB guidelines on the interplay between the PSD2 and data protection obligations
The PSD2 obligation to keep APIs open inevitably raises data protection concerns: Fintech companies become entitled, within the limits set by the directive, to access the payment account information of the individuals requesting their services.
The PSD2 already requires that data processing complies with data protection obligations, but the European Data Protection Board has now issued guidelines to clarify some gray areas. My main takeaways on the points addressed by the EDPB in its guidelines on the interplay between the PSD2 and data protection obligations are:
- The legal basis for the processing of payment account information strictly necessary for the provision of the requested service by payment initiation service providers and account information service providers is, in most cases, the performance of a contract under Article 6(1)(b) of the GDPR;
- The explicit consent of the payment service user that the PSD2 (Article 94(2)) requires to access, process and retain personal data necessary for the provision of payment services is not the legal basis of the processing under the GDPR but an additional requirement of a contractual nature, which nevertheless calls for the same level of transparency the GDPR demands for consent to be freely given. This different qualification means that the consent is a condition for the provision of the service rather than a GDPR consent;
- Silent party data (i.e., personal data concerning a data subject who is not the user of a specific payment service provider, but whose personal data are processed by that provider for the performance of a contract between the provider and the payment service user) can be processed on the basis of legitimate interest, within the limits strictly necessary for the provision of the service, and cannot extend to special categories of data. No use for further purposes is allowed unless expressly provided for by applicable law;
- The processing of personal data by banks consisting of granting access to the personal data requested by payment initiation service providers and account information service providers, so that they can perform their payment service for the payment service user, is based on a legal obligation (Article 6(1)(c) of the GDPR);
- The data minimization principle must be respected when enabling access to payment account information. Account information service providers should therefore expressly indicate the categories of data necessary for the provision of their service;
- The payment service provider has to implement limited retention periods: personal data should not be stored for longer than is necessary for the purposes requested by the payment service user.
A dangerous interpretation with no workable solution
According to the EDPB, “through the sum of financial transactions, different kinds of behavioral patterns could be revealed, including special categories of personal data, and additional services that are facilitated by account information services might rely on profiling as defined by article 4 (4) of the GDPR. Therefore, the chances are considerable that a service provider processing information on financial transactions of data subjects also processes special categories of personal data.” From this, the EDPB derives that processing such data requires one of the Article 9 exceptions, which in practice could only be explicit consent or reasons of substantial public interest. If neither is feasible, “payment service providers may explore the technical possibilities to exclude special categories of personal data and allow selected access”.
This interpretation is dangerous because the same issue arises for banks and credit card companies, which cannot simply blank out the details of a payment's recipient. To avoid challenges, banks would have to “force” their customers to grant explicit consent to the processing of special categories of personal data, and a consent obtained that way would be invalid because it would not be freely given.
Companies can adopt measures that limit pattern analysis for certain categories of payment recipients and ask customers to avoid payment descriptions that disclose, for instance, health-related information. But I believe that merely having potential access to such information should not be considered processing of special categories of personal data by banks and payment providers in the first place.
Indeed, as the EDPB itself points out, special categories of personal data do not arise from the information as such but from the patterns that analysis of that information can reveal. Consequently, if banks and payment providers do not analyze such information to identify patterns, the details of a payment made to a hospital or of a donation to a political party would, for their purposes, be no different from any other data accessible through their services.
My view on the position taken by the EDPB
The view adopted by the European Data Protection Board on the explicit consent that the PSD2 requires for the processing of personal data necessary to provide the payment services requested by users exposes a potential “mistake” by the European legislator.
If the European legislator considered that, under the GDPR, no consent is needed to process personal data necessary for the performance of a contract, it is awkward to require payment service users to grant a (compulsory) explicit consent to a processing activity for which the privacy notice states a different legal basis.
Since the EDPB could not go beyond what the PSD2 provides, it tried to find a “compromise solution”. There is no doubt, however, that this inconsistency creates confusion and a lack of transparency, and it will have to be one of the points addressed in the review of the PSD2.
A significant issue remains the processing of financial transactions from which special categories of personal data could be revealed; the EDPB does not offer a real solution to it. The guidelines are open for consultation until September 16, 2020, however, and hopefully the EDPB will be pressed to adopt a solution like the one outlined above in the final version.
On this topic, you may also find interesting the article “FinTech – between Open APIs and Strong Authentication at the time of the PSD2”.