ESBG, Payment Industry Associations share with European Data Protection Board concerns
>> See letter (.pdf)
BRUSSELS, 27 October 2020 – ESBG sent a letter earlier today on behalf of several Payment Industry Associations to European Data Protection Board chairperson Andrea Jelinek on concerns over three main issues around the the interplay between the Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR). The letter springs from an EDPB consultation on Guidelines 06/2020 around the respective EU directive and regulation . The signatories – ESBG, EBF, EACP, ETPPA, EPIF, EAPB, PE, EFA, and EMA – drew attention within the letter to the EDPB the trio of issues on special categories of data, silent-party data and data filtering and data minimisation that caused concern among the broader industry and have been already raised by ESBG in its response to the consultation.
Special categories of data
More specifically, ESBG refuses the assumption that “financial transactions can reveal sensitive information about an individual data subject”. The association argues that financial transactions per se rarely reveal sensitive information about individual data subjects. Instead, ESBG highlighted that to extrapolate information about any of the personal data mentioned in Article 9 GDPR, it is necessary that an ad hoc processing has to be intentionally undertaken by the controller. This is confirmed by the EDPB Guidelines in the context of social media or profiling, whereby the EDPB stated that where the data itself is not explicitly special category data, the additional purpose of the processing – such as data analysis, inference or combination – determines whether the processing of special category data takes place.
Silent Party data
Echoing contents of the letter, ESBG also calls out the EDPB to amend the guidelines clarifying that it is not the responsibility of “all parties involved” to “establish the necessary safeguards for the processing in order to protect the rights of data subjects”, but that of the party that is concretely processing the data. Banks have no means to know the contract between their customers and the third-party providers. As a consequence, they are not allowed and do not have any obligation to examine and intervene with regard to the legality of a possible secondary exploitation by the AISP in relation to the processing of silent party data, since the responsibility for this data processing and for compliance with GDPR in this context lies solely with the TPP.
Data filtering and data minimisation
ESBG highlights that, pursuant to PSD2, banks are obliged to provide AISPs with the same information from designated payment accounts and associated payment transactions made available to the payment service user when this PSU is directly requesting access to the account information. The current guidelines seem to suggest instead that banks should apply a case by case analysis to mask certain types of data before complying with their PSD2 obligations. This would result in negative consequences: not only it would lead to negative outcomes for consumers, but it would also be discriminatory for banks that have heavily invested on implementing dedicated interfaces, eventually frustrating the objectives of the PSD2. Last, but not least, it would inevitably bring banks in breach of PSD2. ESBG recommends each data controller shall undertake its own assessment and determine the scope of data minimisation in relation to the intended purposes and the risks involved. In line with this principle, ESBG welcomes clear acknowledgment that each data controller is responsible for implementing appropriate measures, including data minimisation in respect of its own data processing activities, so that banks are not responsible for ensuring it on behalf of other parties.