The European Data Protection Board (“EDPB“) has published a letter sent to the European Parliament in relation to the revised Payment Services Directive ((EU) 2015/2366) (“PSD2“).
The letter is in response to a request from Parliament for further clarification of a number of issues relating to the protection of personal data in the context of PSD2. The EDPB is monitoring developments owing to the complex legal framework in this area.
The EDPB comments on the following issues in the letter:
-
Whether the processing of personal data of “silent parties” is legitimate when explicit consent for the processing has (only) been given by another data subject.
-
Commission Delegated Regulation (EU) 2018/389, which contains regulatory technical standards (“RTS“) on strong customer authentication (“SCA“) and common and secure communications (“CSC“) under PSD2.
-
Whether the legal framework is sufficiently clear in relation to the processes of issuing and withdrawing consent under PSD2. The EDPB considers whether the concept of “explicit consent” included in both PSD2 and the General Data Protection Regulation ((EU) 2016/679) (“GDPR“) should be interpreted in the same way.
-
Whether banks are sufficiently cooperative in establishing secure interfaces and avoiding alternative, less secure, methods of accessing account data.
The EDPB considers that there may be grounds for “fruitful” interaction between EU data protection and financial supervision authorities. It would therefore like a dialogue between these authorities to start, with a view to then establishing a coordinated approach aimed at ensuring greater and more consistent consumer protection.
The EDPB replaced the Article 29 Working Party (“WP29“) on May 25, 2018 (the GDPR application date).