Statement 2/2024 on the Financial Data Access and Payments Package

On May 23, 2024, the European Data Protection Board (“EDPB”) adopted the Statement 2/2024 on the financial data access and payments package (the “Statement”), which was published on May 27, 2024.

This document addresses various data protection issues relating to the EU Commission’s three legislative proposals on payment services and financial data access: (i) the Payment Services Regulation (“PSR”); (ii) the Payment Service Directive (“PSD3”); and (iii) the framework for Financial Data Access (“FIDA”).

In the Statement, the EDPB mentions the Opinions Nos. 38 and 39 issued by the European Data Protection Supervisor (“EDPS”) in August 2023 and notes that (i) some of the EDPS’s recommendations on FIDA have not been fully implemented and (ii) many recommendations on PSR have not yet been taken on board.

The EDPB’s analysis then focuses primarily on the PSR proposal and the obligation for Payment Service Providers (“PSPs”) to implement transaction monitoring mechanisms (“TMM”) in order to improve, inter alia, the prevention and detection of fraudulent transactions (Article 83). While acknowledging the importance to prevent payment fraud, the EDPB stresses the importance of balancing this purpose with the protection of the rights and freedoms of data subjects, especially in cases where the required monitoring involves cross-border data sharing by PSPs. In particular, the EDPB recommends, among other things, to:

1. Further specify the categories of personal data that PSPs will process in the context of TMM;
2. Provide for an obligation for PSPs to clearly and objectively identify the factual conditions triggering the TMM in relation to transactions before the relevant processing of personal data takes place;
3. Provide an obligation for PSPs to document the reasons underpinning the processing;
4. Limit data access only to authorized and specially qualified personnel of the PSPs;
5. Provide for an obligation for PSPs to inform the data subjects about the criteria underlying the processing of their personal data in the TMM context;
6. Provide that personal data processed in the context of the TMM is not reused (i) for the purpose of establishing the credit score of the customers as well as (ii) for the purpose of strong customer authentication (as an element of “inherency”); and
7. Define appropriate data storage periods for personal data collected in the TMM context.

Regarding the transmission of personal data collected in the TMM context, the EDPB recommends, inter alia, that the PSR: (i) limits the exchanges of personal data, in principle, to PSPs only (in particular, the EDPB notes that where data sharing with public authorities is allowed, it will be necessary to include specific conditions and limits for such sharing – e.g., only where there is a justified suspicion that a serious criminal offence has taken place); (ii) limits the transmission of data to what is strictly necessary to warn the other PSP of fraudulent payment transaction; (iii) avoids tasking the European Banking Authority with setting up a dedicated IT platform for information exchange; and (iv) avoids that, in the event a PSP shares information with another PSP, this automatically leads to the blocking of the execution of the payment order.

Moreover, the EDPB recommends including obligations for Payment Initiation Service Providers (“PISPs”) and Account Information Service Providers (“AISPs”) on transparency, data minimization, and privacy by design and default. Specifically, PISPs and AISPs should (i) inform the account servicing PSP about the legal basis under Article 6(1) GDPR and (if applicable) the exception under Article 9(2) GDPR that they would rely on to access the personal data of the payment service user and (ii) implement technical and organizational measures to limit access to personal data that is strictly necessary to provide the requested service to the customers. Similar information, according to FIDA proposal, should be provided by users to data holders when requesting access to personal data contained in the customer dataset.

The EDPB also recommends specifying in the PSR in relation to which specific, designated payment service the providers of payment systems and PSPs are allowed to process specific special categories of personal data under Article 9 GDPR.

In addition, the EDPB calls for the inclusion in the PSR of a clear differentiation between the term “permission” and the legal basis for processing under the GDPR and recalls, by way of example, what was done in the FIDA.