The PSD2 will require institutions to open access to personal information related to customer accounts to third parties with which the institution has no contractual agreement. The GDPR, however, forbids sharing information with third parties: basically, it is up to the individual to give consent and to provide the data to the data processor, not a decision made by other processors. Considering the overlapping scope and conflicting targets of these two pieces of legislation, surprisingly little has been said in the regulations about their coexistence.
Not surprisingly, the GDPR does not mention the PSD2, whereas the PSD2 has an entire chapter on data protection.
Chapter 4, article 94: 7 lines of text in total. The chapter refers to the data protection regulations of 1994 and 2001 and does not acknowledge the existence of the GDPR, nor does it refer to potential future regulations. Much more is actually written in the preamble, but it is still all about compliance with regulations which will no longer be in force at the time the PSD2 is to be implemented.
The conclusion is that the text of the acts is of little help where the two conflict with each other. The assumption that the PSD2 directive explicitly excludes itself from the scope of the GDPR is tricky at best!
One could be fooled into believing that the RTS would cover the details. In the end, this is what the Directive says:
'When developing regulatory technical standards on authentication and communication, EBA should systematically assess and take into account the privacy dimension, in order to identify the risks associated with each of the technical options available and the remedies that could be put in place to minimise threats to data protection.'
I have read the draft RTS quite a few times. As the technical options are not named there, one can hardly find any remedies for the risks linked to those options.
There is one element that is common to both regulations: customer consent. In the end, the power is to be with the customer, and if the customer decides to share his/her data with any institution, no one is to challenge that.
But there are at least two problems:
At this point, we arrive at another important omission: the relation to the regulations on identity and trust services, virtually missing from both the GDPR and the PSD2. eIDAS seems to be an unknown concept to the GDPR... and the PSD2 only mentions it in the context of authenticating TPPs.
The potential penalties an institution may face if found in breach of the GDPR are enormous: up to €20M or 4% of global turnover, whichever is higher. At the same time, the PSD2 does not name any penalties for non-compliance. I am not surprised financial institutions are so slow in preparing for the PSD2. Were I a compliance officer of any bank, if the slightest doubts arose, I would forget the PSD2 in favour of the GDPR, applying the most rigid interpretation possible.
For the PSD2, however, this may mean that it will become a dead letter, or at least be severely delayed...