New EU Law on Online Payments: A GDPR Risk?

Just over a year after GDPR hit Europe, a new piece of tech focused legislation is on its way.

Coming into effect 14 September 2019, the Payment Services Directive will change how consumers and vendors interact on online marketplaces.

Replacing an earlier directive of the same name adopted in 2007, the new legislation, commonly referred to as PSD2, favours consumer rights and sets out to offer greater protection against online payment fraud.

In order to comply with PSD2, payment service providers, such as banks, will now have to put in place strong customer authentication (SCA) systems for any online payment that exceeds EUR 30.

In order to comply with SCA, consumers will have to provide at least two of the three following elements in order to verify their identity before finalizing a transaction:

1/ Something you know

This could be a password, a security question, a PIN, an ID number, etc.

2/ Something you have

This could be a smartphone, a connected device, a chip card, etc.

3/ Something you are

This could be a fingerprint, facial recognition, voice recognition, a retina scan, or any other biometric characteristic.

Essentially, when a third party wants to access a consumer’s finances, in the case of a vendor taking payment for example, the authentication of the consumer falls on the shoulders of payment service providers given their unique position. These institutions therefore have the obligation to authenticate consumers and to refuse any and all payments that do not meet the PSD2’s strict requirements. Other than preventing fraud and increasing consumer protection, the principal goal of this new directive is to strengthen competition while ensuring a level playing field in an ever-changing market. 

Scope of the PSD2

As we stated above, come 14 September 2019, all transactions over EUR 30 between a European consumer and vendor will be subject to the PSD2. As a result, the consumer will have to provide the relevant information to prove his or her identity in accordance with SCA. The new legislation is also applicable when at least one of the parties is in the EU. Hence, if a European consumer makes an online purchase from a foreign vendor, or vice-versa, the PSD2 will apply and its rules must be respected.

From the consumer's standpoint, the PSD2 is a positive thing. Although your checkout times when online shopping might get a bit longer, it's for good reason. In the event of a fraudulent transaction, payment service providers will have to reimburse the consumer immediately.

What about the GDPR?

Of course, some of the data that consumers share when verifying their identity constitutes "special category data" or "sensitive data" for the purposes of the GDPR. For example, any biometric data, such as fingerprints, facial recognition, voice recognition, retina scans, etc., when processed for identification purposes, is subject to additional protection compared with "ordinary" personal data. This means that the data collected through SCA by payment service providers needs extra attention, because any breach of the GDPR in respect of this "special category data" could pose a serious risk to an individual's fundamental rights and freedoms.
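The two-of-three rule described in the SCA section above, together with the point that biometric factors bring special category data into scope, can be expressed as a small authorisation policy. The following is an added illustration written for this article, not code from the authors or from any payment service provider. It assumes a constructed mapping of factor kinds to the three PSD2 categories, treats the EUR 30 threshold as "strictly greater than", and counts distinct categories rather than factors, so that a password plus a PIN (both "something you know") does not satisfy SCA on its own.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class FactorCategory(Enum):
    """The three PSD2 authentication categories."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed mapping of factor kinds to categories (assumption for this example;
# a real provider would derive this from its own authentication products).
FACTOR_CATEGORIES = {
    "password": FactorCategory.KNOWLEDGE,
    "pin": FactorCategory.KNOWLEDGE,
    "security_question": FactorCategory.KNOWLEDGE,
    "smartphone_app": FactorCategory.POSSESSION,
    "chip_card": FactorCategory.POSSESSION,
    "fingerprint": FactorCategory.INHERENCE,
    "face": FactorCategory.INHERENCE,
    "voice": FactorCategory.INHERENCE,
}

# Amount above which the article says SCA must be applied.
SCA_THRESHOLD_EUR = Decimal("30")


@dataclass(frozen=True)
class Factor:
    kind: str        # key into FACTOR_CATEGORIES
    verified: bool   # whether the provider successfully checked this factor


@dataclass(frozen=True)
class Decision:
    approved: bool
    reason: str
    categories_satisfied: frozenset
    uses_special_category_data: bool  # True if any biometric factor was presented


def sca_required(amount_eur: Decimal) -> bool:
    """SCA applies to payments exceeding EUR 30 (strictly greater; assumption)."""
    return amount_eur > SCA_THRESHOLD_EUR


def satisfied_categories(factors) -> frozenset:
    """Distinct categories backed by at least one verified factor.
    Two factors of the same category (e.g. password + PIN) count once."""
    cats = set()
    for f in factors:
        cat = FACTOR_CATEGORIES.get(f.kind)
        if cat is None:
            raise ValueError(f"unknown factor kind: {f.kind!r}")
        if f.verified:
            cats.add(cat)
    return frozenset(cats)


def authorise_payment(amount_eur, factors) -> Decision:
    """Default-deny SCA decision for a single online payment."""
    amount_eur = Decimal(str(amount_eur))
    cats = satisfied_categories(factors)
    # Biometric data is collected as soon as it is presented, whether or not it verifies,
    # so the GDPR flag is based on presented factors, not only verified ones.
    biometric = any(FACTOR_CATEGORIES[f.kind] is FactorCategory.INHERENCE for f in factors)
    if not sca_required(amount_eur):
        return Decision(True, "below SCA threshold", cats, biometric)
    if len(cats) >= 2:
        return Decision(True, "SCA satisfied", cats, biometric)
    # The provider must refuse payments that do not meet the SCA requirement.
    return Decision(False, f"SCA not satisfied: {len(cats)} distinct category verified", cats, biometric)


if __name__ == "__main__":
    d = authorise_payment("45.00", [Factor("password", True), Factor("pin", True)])
    print(d.approved, d.reason)
```

The `uses_special_category_data` flag is the hook a provider would use to route a transaction through the stricter handling the GDPR section below discusses; the authorisation logic itself never needs to see the biometric sample, only the provider's verified/unverified result for that factor.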

In order to lawfully process special category data, payment service providers must therefore both identify a lawful basis for processing and comply with a separate condition for processing special category data, such as biometric data. It seems payment service providers could rely on Article 9(2)(g) of the GDPR as the separate condition for processing such data - i.e., that it is necessary for reasons of substantial public interest, on the basis of EU law. Payment service providers will need to ensure that any processing is proportionate, respects the essence of the right to data protection and provides suitable and specific measures to safeguard the fundamental rights and interests of the data subjects - in this case, consumers.

Hence, it will be interesting to see how SCA systems implemented under the PSD2 will interact with the GDPR. Given that most companies reported difficulties complying with last year's General Data Protection Regulation (GDPR), one can only hope that the adoption of this latest data-centred directive will go more smoothly. Whilst there may be some privacy risk, payment service providers are already heavily regulated and will surely implement sufficient safeguards. Overall, the reduced risk of online fraud seems to be the key takeaway!

If you would like any further information about the PSD2 or data protection issues generally, please don’t hesitate to get in touch.

Authors: Justin Boileau, Legal Consultant and Charlotte Gerrish, Founder @ Gerrish Legal