ESBG urges European Data Protection Board in consultation response on Guidelines 06/2020 on interplay between PSD2 and GDPR.
Calls out Third Party Providers on silent party data, arguing banks not responsible for their processing
Rejects claim that financial transactions reveal sensitive data
Data filtering costly, hinders PSD2 aims
>> See response to EDPR consultation
BRUSSELS, 17 September 2020 – Savings and retail banking association ESBG stressed this week the need to harmonise Europe's data protection requirements.
In a response submitted Wednesday to the European Data Protection Board consultation on the Guidelines 06/2020 on the interplay between Directive (EU) 2015/2366 on payment services (PSD2) and General Data Protection Regulation, the association representing some 885 banks in 21 countries in Europe urged greater harmonisation not only between GDPR and PSD2, but also with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication. Doing so would create more legal certainty for all parties involved in the payment system, they argue.
ESBG pinpoints as crucial final guidelines that clearly distinguish the respective data protection responsibilities of the various types of payment service providers – namely Account Servicing Payment Service Providers (ASPSPs), payment initiation service providers (PISPs) and Account Information Service Providers (AISPs).
Silent party data: Responsibility rests with AISPs not banks
While the banking industry considers data protection a key priority, ESBG sees a need for the final guidelines to properly distinguish the respective data protection responsibilities of the different types of payment service providers according to the roles described under PSD2. The association understands the EDPB expresses concerned that silent party data could be processed for other purposes than payment initiation services and account information services. Banks do not have any obligation to examine and intervene with regard to the legality of a possible secondary exploitation by the AISP in relation to the processing of silent party data, ESBG notes, since the responsibility for this data processing lies solely with the third party provider (TPP).
Special categories of data: Financial transactions rarely reveal sensitive information
ESBG fully rejects the assumption that “financial transactions can reveal sensitive information about individual data subject". Actually, financial transactions per se rarely reveal sensitive information about individual data subjects, they note. ESBG called on the EDPB to amend the draft guidelines so to make Article 9(1) GDPR only applicable if the controller intentionally processes the data in order to extrapolate/infer information about any of the personal data listed in Article 9 GDPR.
Data filtering: Costly burden for banks, ex ante filters technically undermine PSD2 full implementation
The current wording within the guidelines seems to suggest that banks, under PSD2, should apply data filtering aimed at removing special categories of personal data before sharing payment account data with TPPs. Implementation of such filters would have a major impact on the market. Indeed, banks would be charged with unnecessary burdens, both in terms of costs and responsibility. Not only are such ex ante filters not technically feasible, but they would also create discrepancies between what PSUs see when using the customer interface compared to when using an AISP. This would put banks in breach of both PSD2 and the RTS on SCA & CSC.
ESBG concludes: “Mandating banks to implement such filters may undermine the full implementation of PSD2, as it would put additional burdens on banks that have already heavily invested to implement dedicated interfaces, thus discouraging the adoption and further development of APIs and frustrating the PSD2 aims."