Calls out third party providers on silent party data, arguing banks are not responsible for their processing; rejects claim that financial transactions reveal sensitive data; data filtering costly and hinders PSD2 aims
Savings and retail banking association ESBG stressed this week the need to harmonise Europe's data protection requirements.
In a response submitted Wednesday to the European Data Protection Board consultation on the Guidelines 06/2020 on the interplay between Directive (EU) 2015/2366 on payment services (PSD2) and the General Data Protection Regulation, the association representing some 885 banks in 21 countries in Europe urged greater harmonisation not only between GDPR and PSD2, but also with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication. Doing so would create more legal certainty for all parties involved in the payment system, they argue.
ESBG pinpoints as crucial final guidelines that clearly distinguish the respective data protection responsibilities of the various types of payment service providers – namely Account Servicing Payment Service Providers (ASPSPs), Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
Silent party data: Responsibility rests with AISPs not banks
While the banking industry considers data protection a key priority, ESBG sees a need for the final guidelines to properly distinguish the respective data protection responsibilities of the different types of payment service providers according to the roles described under PSD2. The association understands that the EDPB expresses concern that silent party data could be processed for purposes other than payment initiation services and account information services. Banks do not have any obligation to examine and intervene with regard to the legality of a possible secondary exploitation by the AISP in relation to the processing of silent party data, ESBG notes, since the responsibility for this data processing lies solely with the third party provider (TPP).
Special categories of data: Financial transactions rarely reveal sensitive information
ESBG fully rejects the assumption that “financial transactions can reveal sensitive information about individual data subjects”. Actually, financial transactions per se rarely reveal sensitive information about individual data subjects, they note. ESBG called on the EDPB to amend the draft guidelines so as to make Article 9(1) GDPR applicable only if the controller intentionally processes the data in order to extrapolate or infer information about any of the personal data categories listed in Article 9 GDPR.
Data filtering: Costly burden for banks, ex ante filters technically undermine PSD2 full implementation
The current wording within the guidelines seems to suggest that banks, under PSD2, should apply data filtering aimed at removing special categories of personal data before sharing payment account data with TPPs. Implementation of such filters would have a major impact on the market. Indeed, banks would be charged with unnecessary burdens, both in terms of costs and responsibility. Not only are such ex ante filters not technically feasible, but they would also create discrepancies between what PSUs see when using the customer interface compared to when using an AISP. This would put banks in breach of both PSD2 and the RTS on SCA & CSC.
ESBG concludes: “Mandating banks to implement such filters may undermine the full implementation of PSD2, as it would put additional burdens on banks that have already heavily invested to implement dedicated interfaces, thus discouraging the adoption and further development of APIs and frustrating the PSD2 aims.”