The PSD2 will require institutions to open access to personal information related to customer accounts to third parties which the institution has no contractual agreement with. The GDPR, however, forbids sharing information with third parties, basically, it is up to the individual to give consent and to provide the data to the data processor - not a decision made by other processors. Considering the overlapping scope and conflicting targets of these two pieces of legislation, surprisingly little has been said in the regulations about their coexistence.
5 min read
PSD2 & GDPR regulations on collision course?
The second half of 2018 looks interesting. Two major EU regulations which are of importance to banks will come into force at roughly the same time. The Revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR) have a substantial area of common concern: customer data.
However, while the PSD2 is all about making the data of individuals available to third parties, the GDPR is all about keeping this data private.
A closer look at GDPR and PSD2
Not surprisingly, the GDPR does not mention the PSD2, whereas the PSD2 has an entire chapter on data protection.
Chapter 4 - article 94, 7 lines of text total. The chapter refers to the data protection regulations of 1994 and 2001 and does not acknowledge the existence of the GDPR, nor does it refer to potential future regulations. Much more is actually written in the preamble, but still it is all about compliance to regulations which will no longer be in force at the time the PSD2 is to be implemented.
The conclusion is that the text of the acts is of little help if the two conflict each other. The assumption that the PSD2 directive explicitly excludes itself from the scope of GDPR is tricky at best!
The Regulatory Technical Standard does not help
One could be fooled into believing that the RTS would cover the details. In the end, this is what the Directive says:
'When developing regulatory technical standards on authentication and communication, EBA should systematically assess and take into account the privacy dimension, in order to identify the risks associated with each of the technical options available and the remedies that could be put in place to minimise threats to data protection.'
I have read the draft RTS quite a few times. As the technical options are not named there, one can hardly find any remedies for the risks linked to those options.
Consent – the common element of both regulations
There is one element that is common to both regulations: customer consent. In the end, the power is to be with the customer, and if the customer decides to share his/her data with any institution, no one is to challenge that.
But there are at least two problems:
Both the regulations are a bit vague about the form of the consent required - and, considering that consent in electronic form is a practical necessity for PSD2, the technical means of providing consent are also absent.
The subject of consent - the GDPR requires customer consent for processing, the PSD2 for sharing with other institutions the ASPSP is not the controller for (see "controller" in GDPR). Can a bank provide access to some third party based on the customer's consent to do so, without checking whether the consent to process the data by the other party is in place? How is the bank is to verify this?
At this point, we arrive at another important omission: the relation to the regulations about identity and trust services, virtually missing from both the GDPR and PSD2. eIDAS seems to be an unknown idea to the GDPR... and the PSD2 only mentions it in the context of authenticating TPPs.
The potential penalties an institution may face if found in breach of the GDPR regulation are enormous - up to €20M or 4% of global turnover, whichever is bigger. At the same time, the PSD2 does not name any penalties for non-compliance. I am not surprised financial institutions are so slow in preparing for the PSD2. Were I a compliance officer of any bank, if the slightest doubts arose, I would forget the PSD2 in favour of the GDPR, applying the most rigid interpretation possible.
For the PSD2, however, this may mean that it will become a dead letter, or at least delayed severely...