We would like to place strictly necessary cookies and performance cookies on your computer to improve our website service.
To find out more about how we use cookies and how you can change your cookies settings, please read our  cookies statement.                
Otherwise, we'll assume you are OK to continue.   Please close this message

EU Officials query Payment Services Directive Rules on explicit consent

25 July 2016

The Payment Services Directive 2 (2015/2366) (PSD2) which amended the earlier Payment Services Directive and which is due to be implemented by member states shortly, has been the subject of much debate recently at the European Commission as regards its interpretation.

In June 2016 the Justice and the Finance departments met in Brussels to debate, amongst other things, Article 94 of PSD2 which covers data protection. Article 94 states that “payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user”. EU officials are concerned that there are differing views within member states as to the meaning of “explicit consent” and that there needs to be clarification.

The recitals to PSD2 make it clear that data protection and human rights of users must be respected and that PSD2 has to sit alongside existing member state data protection laws.

It seems odd that PSD2 requires explicit consent from payment service users to the processing of their personal data in the provision of services that they will have themselves requested. Perhaps PSD2 intended that explicit consent would be needed if payment service providers were using personal data for purposes other than the initial provision of payment services. That would certainly be the interpretation from a strict data protection law point of view.

Apart from the question of explicit consent, payment service providers will for legitimate purposes process customers’ personal data and retain the same for corporate governance and other regulatory purposes and therefore consent should not be the only critical data protection component under PSD2.

It will be a matter for continuing discussion as to how personal data is managed under PSD2 particularly with the impending implementation of the General Data Protection Regulation which comes into force on 25 May 2018. GDPR is intended to encourage legitimate interests as a mechanism for processing personal data alongside consent and also is intended to encourage the free flow of data within the European Union.

For further information, please contact Robert Bond on +44 (0)20 7427 6660 or robert.bond@crsblaw.com