MASTER THESIS_11004800_HU.pdf

Academic year: 2021

Privacy in payment initiation services

The incompatible interplay between the PSD2 and the GDPR

Author: Hannah Uleman (11004800) January 8, 2021

LLM European Union and International Law, University of Amsterdam (UvA). Supervisor: Prof. Steven Blockmans


TABLE OF CONTENTS

ABSTRACT ... 3

INTRODUCTION ... 4

1. WHICH SERVICES DOES THE TECH INDUSTRY PROVIDE AND WHAT ARE THE RISKS? ... 8

1.1. FINTECH AND BIGTECH ... 8

1.2. FROM TRADITIONAL BANKING TO OPEN BANKING ... 8

1.3. PRIVACY RISKS ... 11

1.3.1. DATA-SHARING ... 12

1.3.2. ACCUMULATION OF DATA/ TRACEABILITY ... 13

1.3.3. PRIVACY PARADOX ... 14

2. EU LEGAL FRAMEWORK ON DATA PROTECTION IN PAYMENT SERVICES... 16

2.1. INTRO ... 16

2.2. THE GENERAL DATA PROTECTION REGULATION ... 17

2.2.1. MATERIAL SCOPE OF APPLICATION ... 17

2.2.2. PERSONAL SCOPE OF APPLICATION ... 17

2.2.3. TERRITORIAL SCOPE OF APPLICATION ... 19

2.2.1. SCOPE ... 24

2.2.2. TERRITORIAL SCOPE ... 25

2.2.3. INTERIM CONCLUSION ... 26

3. DATA PROTECTION IN PISPS ... 27

3.1. INTERACTION BETWEEN PSD2 AND GDPR ... 27

3.2. WHAT PERSONAL DATA IS PROCESSED BY PISPS? ... 28

3.3. HOW CAN PISPS BE DEFINED UNDER THE GDPR AND WHAT IS THE LEGAL BASIS FOR PROCESSING? ... 30

3.3.1. LEGAL BASIS ... 30

3.4. PROPORTIONALITY ASSESSMENT ... 32

3.5. EXTRATERRITORIAL APPLICATION OF PISPS ... 36

4. CONCLUSION ... 38


ABSTRACT

We have entered a new digital era, one in which merchants and the payment industry alike must rapidly adapt to the changing needs of their customers during the current Covid-19 pandemic. The proliferation of digital payment services has provoked a debate about the threats to privacy posed by data accumulation and data sharing. This study seeks to establish whether the current EU legal framework on data protection in payment services protects the consumer effectively against these threats. The lacuna in the law has been partially addressed by the adoption of the GDPR and the PSD2. However, the incompatibilities between the two instruments make simultaneous compliance with both challenging, and make it difficult to foresee whether the consumer is sufficiently protected against personal data breaches.


Introduction

Digitalisation is accelerating swiftly: businesses across the world are rapidly adapting their business models and products to the new digital era. At the core of this adaptation lies the processing of personal data, which has expanded considerably over recent decades and has become the central asset of digital business. The use of personal data is increasing in every sector and is an irreversible development.1 Especially during the Covid-19 pandemic, in which countries have moved in and out of lockdowns and people are avoiding public spaces, businesses must adapt quickly to meet the changing needs of their customers.2 While it was once predicted that consumers’ concern for privacy could slow the growth of e-commerce,3 consumers’ online purchasing is currently increasing.4 According to the Financial Times, there is “a boom in internet shopping spurred by the Covid-19 pandemic.”5 The Dutch newspaper Financieel Dagblad has also stated that this behaviour will not change, even after the pandemic.6

Indeed, the new digital age requires the payment industry to adapt as well. Businesses commonly have contractual relationships with Financial Technology (‘Fintech’) firms that provide payment services; today the financial industry is unimaginable without them. Fintech firms and financial institutions either compete on the market or collaborate with one another. Firms such as Alipay (China), Stripe (US), Klarna (Sweden) and Adyen (the Netherlands) are gaining market share and growing rapidly,7 while at the same time there is a flood of new entrants and exits, such as Wirecard (Germany).8

1 Michiel Bijlsma (head of DNB) in Rutger Betlem, ‘Waar blijft de revolutie in het betaalverkeer’, Financieel Dagblad (Amsterdam, 24 February 2020), https://fd.nl/beurs/1335072/waar-blijft-de-revolutie-in-het-betaalverkeer accessed on 13 September 2020.

2 Susan Meyer, ‘Understanding the Covid-19 effect on online shopping behaviour’, Bigcommerce (Texas) <https://www.bigcommerce.com/blog/covid-19-ecommerce/> accessed on 26 September 2020.

3 Miriam J Metzger, ‘Privacy, trust, and disclosure: exploring barriers to electronic commerce’ (2004) 9 JCMC 942. 4 Meyer, (n 2).

5 Michael Pooler, ‘Royal Mail launches doorstep parcel collection in ecommerce boom’, Financial Times (UK, 21 October 2020) <https://www.ft.com/content/0b1f151e-f75f-4ddb-867c-1cadf0df420f> accessed on 22 October 2020.

6 Rutger Betlem, ‘ECB waarschuwt voor dominante positie Amerikaanse techgiganten’, Financieel Dagblad (Amsterdam, 30 August 2020) <https://fd.nl/beurs/1355270/ecb-waarschuwt-voor-dominante-positie-amerikaanse-techgiganten> accessed on 30 August 2020.

7 See e.g. Rutger Betlem, ‘Betaaldienstverlener Stripe meer waard dan Adyen’, Financieel Dagblad (Amsterdam, 16 April 2020) <https://fd.nl/beurs/1341660/betaaldienstverlener-stripe-meer-waard-dan-adyen> accessed on 15 September 2020; Pim Kakebee, Els Engel and Rutger Betlem, ‘Adyen is meer waard dan ABN Amro en ING samen’, Financieel Dagblad (Amsterdam, 13 May 2020) <https://fd.nl/beurs/1344750/adyen-is-meer-waard-dan-abn-amro-en-ing-samen> accessed on 15 April 2020; and Rutger Betlem, ‘Zweeds kredietbedrijf Klarna na investering bijna 9 mrd waard’, Financieel Dagblad (Amsterdam, 15 September 2020) <https://fd.nl/beurs/1357313/zweeds-kredietbedrijf-klarna-na-investering-bijna-9-mrd-waard> accessed on 15 September 2020.

8 Lennart Zandbergen, ‘Wirecard is 1.9 mrd en vertrouwen van belegger kwijt’, Financieel Dagblad (Amsterdam, 18 June 2020) <https://fd.nl/beurs/1348236/koers-wirecard-stort-in-1-9-mrd-blijkt-zoek> accessed on 15 September 2020.


Big Tech firms, namely Alibaba, Apple, Amazon, Facebook, Google, Microsoft and Tencent, are also entering the payment industry as a logical extension of their existing businesses. About a year ago Apple launched its new digital wallet, which was a huge success, and Alibaba’s Alipay and Tencent’s WeChat Pay continue to grow. In fact, more than 90% of the payments in China are handled by these two Big Tech companies.9

However, the Cambridge Analytica scandal, which affected the 2016 US presidential election, has shown that the possession of personal data can undermine the functioning of democratic society. The recently released documentary ‘The Social Dilemma’ likewise emphasises the democratic constraints and privacy implications arising from the Tech industry. The combination of data from different aspects of our lives, whether social, political and now also our purchasing behaviour, may form an even bigger threat.

Firms operating cross-border often have to comply with regulatory obligations from several jurisdictions simultaneously and across all their offices, regardless of disharmony between States or differences in the level of protection those regulations afford. In response, the European Union (‘EU’) adopted the General Data Protection Regulation (‘GDPR’) in April 2016, which has applied since 25 May 2018. The GDPR replaces the outdated 1995 EU Data Protection Directive (‘DPD’). Essentially, the GDPR applies to any firm processing personal data of data subjects in the EU, regardless of where the firm is physically located, provided the firm offers goods or services to those data subjects or monitors their behaviour. At around the same time, the EU adopted the second Payment Services Directive (‘PSD2’) in November 2015, with a transposition deadline of 13 January 2018; transposition was completed in all Member States in 2019. A handful of Member States missed the 2018 deadline and, as a consequence, the European Commission started infringement proceedings against them.10 The purpose of the directive is to create a level playing field between financial institutions and payment service providers and to increase the security of customers’ payments and personal data.11

9 Wei Wang and David Dollar, ‘What’s happening with China’s Fintech industry?’ (Brookings, 8 February 2018) <https://www.brookings.edu/blog/order-from-chaos/2018/02/08/whats-happening-with-chinas-fintech-industry/> accessed on 18 September 2020.

10 European Commission, ‘Payment Service Directive 2 – transposition status’ (Ec.europa, 2 October 2020) <https://ec.europa.eu/info/publications/payment-services-directive-transposition-status_en> accessed on 22 December 2020.


Given that the Tech industry will keep evolving and expanding over time, and that the data it holds will be constantly enriched with both transactional and transnational behaviour, the balance between the right to provide payment services and the right to data protection is the focal point of this study. The research question is as follows: does the EU legal framework on data protection in payment services provide a sufficient balance between the right to provide payment services and the right to data protection?

Therefore, the sub-questions are as follows:

1. What privacy risks do online payment services pose?

2. What is the EU legal framework on data protection in payment services?

3. What are the incompatibilities between the two legislations?

4. Does the EU legal framework protect the EU-customer against personal data breaches?

The ‘sufficient balance’ test is applied by looking at the current payment industry, describing both regulations, and subsequently comparing them with one another by analysing their incompatibilities. At the same time, the notions of ‘extraterritoriality’ and ‘proportionality’ are assessed from an external, descriptive point of view, by shedding light on relevant case law and other legal systems.

This thesis is structured as follows, in the first chapter I will elaborate on the distinction between the traditional payment card network and the current payment industry in which other parties have entered the market. I will focus on fintech and Bigtech companies and will touch on privacy risks.

Chapter two provides an overview of the current EU legal framework on data protection in payment services. I will discuss the notion of ‘payment initiation service provider’ and will address the scope of the GDPR and the PSD2. In particular, I will address the notion of ‘extraterritoriality’.

In chapter 3, I will elaborate on the interrelationship between the PSD2 and the GDPR and analyse what personal data are processed by payment service providers. The scope set out in the previous chapter will be applied to third party service providers, which raises questions about the compatibility of the PSD2 and the GDPR. More specifically, it will address the issues of “proportionality” and “extraterritoriality” in the context of both legislations. I will end by assessing whether the customer is protected by the current EU legal framework, and hence whether the framework provides a sufficient balance between the right to provide payment services and the right to privacy.


1. Which services does the Tech industry provide and what are the risks?

1.1. FinTech and BigTech

Fintech is defined as “the financial innovation based on the use of digital technologies and big data.”12 As this definition is very broad, this thesis focuses on ‘Fintech’ in the narrow sense, namely those firms that act as payment service providers in the payment industry, and in particular the Payment Initiation Service Provider (‘PISP’).13 Whereas Fintech firms focus on providing ‘bank-like’ services, the main business model of BigTech firms, “technology companies with established presence in the market of digital services”,14 is the processing of personal data. The distinction, then, is that the payment services provided by Big Tech are often ancillary in nature, whereas Fintech’s core business model is the provision of payment services. In fact, payment services represent only approximately 11% of Big Tech’s business.15

1.2. From traditional banking to open banking

“I have always been afraid of banks” is a famous statement of Andrew Jackson, the 7th president of the United States of America. Currently, however, we are entering a new digital era in which the combination of telecommunications, cryptography, big data and machine learning technologies is changing the whole banking industry.16 Technology is facilitating the unbundling of many services that were traditionally provided by banks, while at the same time the Tech industry is introducing new services that meet the contemporary demand for efficiency and speed. Many customers are changing their payment methods and increasingly rely on non-cash methods: customers are switching to e-commerce, and payments are made through the mobile phone. As technological innovation gives new entrants more efficient and cheaper ways to compete with banks, the latter’s competitive position is being challenged. This innovation in the payment industry causes data to be collected, processed and shared at lower cost and on a larger scale.17 Therefore, it is important to understand how the payment industry functions, what the difference is between the current landscape and the traditional landscape, and what the role of payment service providers is in this landscape.

12 René M Stulz, ‘FinTech, BigTech and the Future of Banks’ (2019) Fisher College of Business Working Paper No. 2019-03-020 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3455297> accessed on 25 May 2020.

13 An explanation of the PISP will be provided in chapter 2.

14 Jon Frost et al, ‘BigTech and the changing structure of financial intermediation’ (2019) BIS Working Paper No 779 <https://www.bis.org/publ/work779.pdf> accessed on 14 September 2020.

15 Ibid. 768.

16 Yves Mersch, ‘Lending and payment systems in upheaval – the fintech challenge’ (BIS Speech, 26 February 2019) <https://www.bis.org/speeches/sp181205.htm> accessed on 21 October 2020.

Financial institutions have traditionally been the providers of payment services. A traditional card-based payment involves five parties: the customer (payer), the merchant (payee), the customer’s bank (issuer), the merchant’s bank (acquirer) and the payment card network (the ‘schemes’, such as Mastercard and Visa).18 The payment flow is as follows. The issuer issues the customer a payment card that carries the payment authorization data (credit or debit). When the customer buys goods or services from a merchant, they pay via the merchant’s payment terminal. Via this terminal the customer’s payment authorization data is transferred to the acquirer, which acquires the payment rights to the transaction and passes the request on to the scheme. The scheme forwards an authorization request to the issuer, which verifies whether sufficient debit or credit is available on the customer’s account. The scheme returns the issuer’s approval or denial to the acquirer, and the acquirer finally delivers it to the merchant.19 At every step of the way, a fee must be paid by either the merchant or the customer.
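To make the routing concrete, the following is an added example, not part of the thesis and not the code of any bank or card scheme, that simulates the five-party authorization flow described above in Python. The party names, BIN range, account balances and per-hop fees are invented. It records, for every hop, which party handled the message and which fields of the customer’s authorization data that party could see, so that the trail shows the data passing through the terminal, the acquirer, the scheme and the issuer in turn, with only the issuer deciding on available funds and placing the authorization hold, and each hop adding its fee.

```python
# Added example (not from the thesis): a minimal simulation of the five-party
# card authorization flow. All names, BIN ranges, balances and fees are invented.
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthRequest:
    pan: str                 # card number, i.e. the payment authorization data issued by the issuer
    merchant_id: str
    amount: Decimal
    currency: str


@dataclass
class AuthResponse:
    approved: bool
    reason: str
    auth_code: Optional[str] = None


@dataclass
class Hop:
    party: str               # which party handled the message
    saw: Tuple[str, ...]     # which request fields that party had access to
    fee: Decimal             # fee this party charges for the step (assumed values)

ALL_FIELDS = ("pan", "merchant_id", "amount", "currency")


class Issuer:
    """Customer's bank: checks that debit/credit is available and places an authorization hold."""

    def __init__(self, name: str, available: Dict[str, Decimal], fee: Decimal):
        self.name, self.available, self.fee = name, dict(available), fee
        self.holds: List[Tuple[str, Decimal, str]] = []

    def authorize(self, req: AuthRequest, trail: List[Hop]) -> AuthResponse:
        trail.append(Hop(self.name, ALL_FIELDS, self.fee))
        balance = self.available.get(req.pan)
        if balance is None:
            return AuthResponse(False, "unknown card")
        if balance < req.amount:
            return AuthResponse(False, "insufficient funds")
        self.available[req.pan] = balance - req.amount   # hold reduces the available balance
        code = f"{self.name[:3].upper()}{len(self.holds) + 1:04d}"
        self.holds.append((req.pan, req.amount, code))
        return AuthResponse(True, "approved", code)


class Scheme:
    """Card network: routes the request to the issuer identified by the card's BIN (first six digits)."""

    def __init__(self, name: str, issuers_by_bin: Dict[str, Issuer], fee: Decimal):
        self.name, self.issuers_by_bin, self.fee = name, issuers_by_bin, fee

    def route(self, req: AuthRequest, trail: List[Hop]) -> AuthResponse:
        trail.append(Hop(self.name, ALL_FIELDS, self.fee))
        issuer = self.issuers_by_bin.get(req.pan[:6])
        if issuer is None:
            return AuthResponse(False, "no issuer for BIN")
        return issuer.authorize(req, trail)


class Acquirer:
    """Merchant's bank: receives the terminal's request and forwards it to the scheme."""

    def __init__(self, name: str, scheme: Scheme, fee: Decimal):
        self.name, self.scheme, self.fee = name, scheme, fee

    def submit(self, req: AuthRequest, trail: List[Hop]) -> AuthResponse:
        trail.append(Hop(self.name, ALL_FIELDS, self.fee))
        return self.scheme.route(req, trail)


def pay_at_terminal(merchant_id: str, acquirer: Acquirer, pan: str,
                    amount: str, currency: str = "EUR") -> Tuple[AuthResponse, List[Hop]]:
    """The merchant's terminal starts the flow; returns the issuer's answer and the full hop trail."""
    req = AuthRequest(pan, merchant_id, Decimal(amount), currency)
    trail = [Hop("terminal:" + merchant_id, ("pan", "amount", "currency"), Decimal("0"))]
    return acquirer.submit(req, trail), trail


def total_fees(trail: List[Hop]) -> Decimal:
    """Fees incurred for one authorization, summed over every hop in the trail."""
    return sum((h.fee for h in trail), Decimal("0"))


def build_demo_network() -> Acquirer:
    # Constructed sample data: one issuer holding one card, one scheme, one acquirer.
    issuer = Issuer("Customer Bank", {"4111110000000001": Decimal("100.00")}, Decimal("0.10"))
    scheme = Scheme("Demo Scheme", {"411111": issuer}, Decimal("0.05"))
    return Acquirer("Merchant Bank", scheme, Decimal("0.20"))


if __name__ == "__main__":
    acq = build_demo_network()
    resp, trail = pay_at_terminal("SHOP-42", acq, "4111110000000001", "30.00")
    print(resp)
    for hop in trail:
        print(f"{hop.party:<20} saw={hop.saw} fee={hop.fee}")
    print("total fees:", total_fees(trail))
```

The hop trail is the part worth reading: the full card number is visible to every party from the terminal onwards, which is what makes the acquiring intermediaries discussed in the next paragraphs such data-rich positions.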

In the past, issuers and acquirers were always financial institutions. The recent innovation in the payment sector, however, has come from the tech industry.20 Digitalisation has made it possible to create new, more efficient payment services. Customers want secure payments that are swift and cheap, which in turn requires payments to be easy to use and available online. New players have entered the financial market, positioned as intermediaries between the bank and the customer or the merchant. These parties are referred to as Third Party Service Providers (‘TPSPs’), which often take on the role of PISP or Account Information Service Provider (‘AISP’).21 By creating new payment services, these players often assume the role of acquirer or issuer in the payment industry. In practice, when a consumer pays through a payment platform or with a payment app provided by a PISP, a transaction request is sent to the financial institution, which authorizes the transaction.22

18 Adam J Levitin, ‘Pandora’s digital box: the promise and perils of digital wallets’ (2018) 166 University of Pennsylvania Law Review 305, p. 312.

19 Dilja Helgadottir, ‘The interaction between Directive 2015/2366 (EU) on Payment Services and Regulation (EU) 2016/679 on General Data Protection concerning Third Party Players’ (2020) Trinity College 23 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3455428> accessed on 23 September 2020.

20 Fernando Zunzunegui, ‘Digitalisation of payment services’ (2018) Ibero-American Institute for Law and Finance Working Paper Series 5/2018 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3256281> accessed on 10 September 2020, p 23.

21 The exact meaning of PISP will be discussed in the subsequent chapter.

Fintech and Big Tech firms both engage in this role. Traditionally, on the acquiring side, a company would partner with four different providers in order to accept payments, and these parties sometimes differed per country, so that when a company expanded globally the number of parties facilitating its payments grew.23 Currently, a company partners with a single third party service provider, such as Adyen or Stripe, which provides all these capabilities (acquiring, fraud and risk prevention, Know Your Customer (‘KYC’) checks, authentication) for all kinds of payment methods from different parts of the world through one common interface. As a result, Fintechs have access to bank accounts to initiate payments or to refund the merchant’s customers in case of a dispute. Instead of having to partner with various parties, the merchant merely has to partner with one. That one partner therefore acquires all the data from its merchants across borders, and can strive for an optimal customer experience. Costs also decrease, because there are fewer partners to pay fees to.24

[Figure not reproduced in the extracted text.] Source: Author

22 See chapter 2.

23 Adyen, ‘Capital Markets Day’ (Adyen, 29 September 2020) <https://www.adyen.com/investor-relations/events/capital-markets-day-september-29> accessed on 29 September 2020.

24 Zunzunegui, (n 20) p. 5 and 6.


The situation described above, in which Fintech firms take part in the payment industry as acquirers, also holds for the issuing side of the market. As will be explained in chapter 2, these third party service providers can initiate payments from customers’ accounts and hence have access to their bank accounts. In other words, these parties can initiate payment orders that debit the customer’s bank account directly and pass the transaction information on to the schemes.

Digital wallets are also PISPs. Digital wallet providers have access to the customer’s bank account once the user has entered their payment details into the wallet. When customers purchase something online, the digital wallet initiates the payment and requests authorization from the customer’s bank. Essentially, digital wallets are software applications with the ability to store financial or other personal data.25 This data storage is one of the features that allows users to buy goods and services online or to send money to other users of digital wallets. There are several varieties of digital wallets, one being mobile wallets, of which Alipay, WeChat Pay and Apple Pay are examples. Facebook also recently launched its WhatsApp-based digital payment service in multiple countries, including Brazil and India.26 What distinguishes mobile wallets is that they can also be used to pay in-store at payment terminals. Important for this thesis is that digital wallets can store not only financial data but also other personal data, such as our driver’s licence, health cards, flight tickets and identification cards.27

1.3. Privacy risks

The Fintech industry is subject to privacy risks. EU law explicitly enshrines the right to privacy in article 7 of the Charter and the right to data protection in article 8 of the Charter. The European Convention on Human Rights (‘ECHR’) likewise enshrines the right to privacy, in article 8 ECHR. The European Court of Human Rights (‘ECtHR’), the guardian of the ECHR, recognizes that all forms of personal data breaches fall within the scope of article 8 ECHR (the right to privacy).28 Therefore, where this thesis refers to a ‘data protection breach’, it is presumed to fall within the scope of the right to privacy.29

25 Levitin (n 18) at 315

26 Hannah Murphy, ‘Facebook launches WhatsApp-based digital payments service in Brazil’, Financial Times (San Francisco, 14 June 2020) <https://www.ft.com/content/a93bc0a3-e328-4e9c-9c49-579c06e763a6> accessed on 22 October 2020.

27 Levitin (n 18) at 372.

28 E.g. Amann v Switzerland (2000) 30 EHRR 843, paras 65-67.

29 Dara Hallinan, Ronald Leenes, Serge Gutwirth and Paul de Hert, Data Protection and Privacy: Data Protection and Democracy (1st edn Springer 2019), p. 37.


The difference between security and privacy is important for the focus of this thesis. Data security concerns protecting the confidentiality, integrity and availability of data, and thus aims at keeping information from unauthorized parties, whereas privacy concerns the individual’s control over who, when, where and how they reveal their information.30 The two are interrelated: when personal data is not secured properly, the privacy of users is immediately threatened. On this footing, the privacy concerns surrounding customers’ data are no longer limited to the traditional question of keeping that data secure, but extend to the analysis, research and targeting of users on the basis of their data and, subsequently, the prediction of their behaviour.31

Privacy research mainly focuses on two central privacy concerns arising from the current payment industry: the first is the data-sharing environment32 and the second is BigTechs’ accumulation of data from different sources (traceability).33

1.3.1. Data-sharing

Data sharing is grounded in the multi-layered processing environment governed by article 28 GDPR. Under this provision, controllers are obliged to conclude data processing agreements (‘DPAs’) with their processors. As will be discussed in more depth in chapter 2, the controller is usually the merchant from which the customer purchases goods or services, and the processor is the Fintech or BigTech company whose payment service the merchant uses. Alternatively, the controller may be the payment initiation service provider that operates the digital wallet used by the customer. The agreement requires the processor to implement appropriate technical and organisational measures to ensure that customers’ data is well protected.34 The controller can verify this by conducting audits or other inspections.35 Moreover, processors frequently engage sub-processors.36 When this occurs, the same data protection obligations as set out in the contract between the controller and the processor must be imposed on the sub-processor by way of a (sub)contract.

30 Stan Sater, ‘Financial Privacy in a cashless society’ (2019) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3367610> accessed on 4 December 2020.

31 Ibid at 26.

32 EBA (2020), ‘B2B Data Sharing: Digital consent management as a driver for data opportunities’ Paris June 2020.

33 Peter P Swire, ‘Financial Privacy and the Theory of High-Tech Government Surveillance’ (1999) 77 Wash U L Q 461, p. 464.

34 Article 28(1) GDPR in conjunction with article 32 GDPR.

35 Article 28(3)(h) GDPR.


Commonly, not just one such agreement is concluded but several, as processors make use of cloud and/or hosting services. Cloud services are used to store consumers’ payments and their credit scoring.37 Thus controllers outsource the processing to multiple specialised processors, and the processor in turn commonly delegates part of the processing to sub-processors. The plurality of actors engaged in the processing of personal data reduces control over, and responsibility for, the processing.38 It can therefore be assumed that, in this scattered landscape of shared data, the customer does not always know in whose hands their data ends up or for which purposes it is collected. This raises privacy implications and regulatory challenges, because there is no contract between the customer and the sub-processor (e.g. a cloud storage service), while processors are increasingly using outsourced cloud computing services (e.g. Amazon Web Services) that are based in different jurisdictions with differing and sometimes conflicting regulations.39

1.3.2. Accumulation of data/ traceability

Turning to the second risk: research in 1999 already expressed concern about the accumulation of data in the payment industry, predicting that the rise of internet commerce would increase consumers’ traceability.40 Currently, BigTechs collect large amounts of personal data from their customers, such as information about the person and their financial records.

Increasingly, tech companies are also harvesting alternative data, namely consumers’ online spending behaviour and social media use and patterns, which further increases traceability.41 This data is processed and stored for marketing purposes, to increase sales and to determine the customer’s risk profile, which can be derived from the customer’s data taken together.

37 FSB (2019), ‘Fintech and market structure in financial services: market developments and potential financial stability implications’ February 2019, at 7.

38 Lindqvist, ‘New Challenges to personal data processing agreements: is the GDPR fit to deal with contract, accountability and liability in a world of the internet of things?’ International Journal of law and information technology (2018), 26, 45-63, at 51.

39 Daniel Gozman and Leslie Willcocks, ‘The emerging Cloud-dilemma: balancing innovation with cross-border privacy and outsourcing regulations’ (2019) Journal of Business Research 235-256 <https://www.sciencedirect.com/science/article/abs/pii/S0148296318302935> accessed on 6 September 2020.

40 Peter P Swire (n 33) at 464.

41 Claudia Ng, ‘Regulating fintech: addressing Challenges in Cybersecurity and Data Privacy’ (Harvard, 22 February 2018) <https://www.innovations.harvard.edu/blog/regulating-fintech-addressing-challenges-cybersecurity-and-data-privacy> accessed on 17 October 2020.


It must be noted that customers’ spending behaviour and habits are extremely sensitive data,42 as they reveal information about customers’ interests, personality and potential personal problems.43 This data collection plays a huge role in Big Tech’s success in the payment industry. This can be seen in China, where Alibaba and Tencent dominate the Chinese payment industry.44 It can be assumed that Tencent and Alibaba essentially “know everything you’ve purchased in your life.”45 In cashless China, financial data is used for social credit scores. On the basis of these scores, people can be excluded from social activities, blocked from flying, refused admission to particular schools or face other consequences as a result of their financial debts or online spending behaviour.46 Some authors argue that the Chinese social credit system is a model that other countries may yet follow.47

1.3.3. Privacy paradox

Indeed, this collection and storage of data raises privacy issues. However, although individuals have concerns about the use and abuse of their data and are aware of the new levels of access that third parties have, the use of services that disclose personal data to third parties is paradoxically growing.48 This is called the ‘privacy paradox’: consumers’ actions contradict their stated wishes, claiming to want more privacy yet disclosing ever more information about themselves.49

With the growth of e-commerce during the current Covid-19 pandemic, in which people are bulk-buying and purchasing more online, it is not surprising that customers are naturally using more digital payment services and that the Tech industry therefore has increasing access to customers’ data.50 Earlier research distinguishes four categories of information, according to what the individual and the outside world each know about the individual: the open self, where the information is known to both the individual and third parties; the hidden self, where the individual knows information about herself or himself that third parties do not; the blind self, where a third party knows things about the individual that the individual does not know about themselves; and lastly the unknown self, where neither the individual nor any third party knows the information.

42 Article 4 GDPR.

43 Ng, (n 41).

44 Miguel de la Mano, ‘Big Tech banking’ (2019) 14(4) Journal of Competition Law & Economics 295-526, p. 497.

45 Shira Ovide, ‘Don’t even try paying cash in China’, New York Times (New York, 27 October 2020) <https://www.nytimes.com/2020/10/27/technology/alipay-china.html> accessed on 27 October 2020.

46 Lindqvist, (n 38) p. 13.

47 Sithigh and Siems, ‘The Chinese Social Credit System: A model for other countries?’ (2019) The Modern Law Review 1468 – 2230.

48 Meyer (n 2).

49 Ipsos (2018), ‘Open Banking Data Sharing Dilemmas: A report prepared for Barclays’ London March 2018, p 20.

50 Meyer (n 2).

The research emphasises that the current payment industry is shifting: information about our financial behaviour, which previously belonged to the category of the ‘hidden self’, is moving to the category in which third parties have increasing access to our banking data. Hence the ‘open self’ is growing. Arguably, we are also becoming more aware of the existence of the blind self, in which third parties know more about us than we know about ourselves. And as the Tech industry innovates and becomes better at developing services that give insight into our banking data, the ‘unknown self’ will shrink.51


2. EU legal framework on data protection in payment services

2.1. Intro

In this chapter, I will provide a descriptive analysis of the current EU legal framework on data protection in payment services. It must be noted that no single set of rules covers all the services of the Tech industry. On the contrary, multiple regulations are relevant: payment regulations (e.g. the PSD2 and the Electronic Money Directive), consumer regulations (the Consumer Rights Directive, the e-Commerce Directive and others) and, lastly, privacy regulations (the GDPR and the e-Privacy Directive). This thesis focuses on the PSD2 and the GDPR.

In response to the changes in the payments landscape described in chapter 1, the regulatory framework also had to adapt to the demands of this swift and seamless payment industry. Considering that third party service providers have increasingly been providing payment services while simultaneously collecting and processing consumer data, it is no coincidence that the PSD2 and the GDPR were adopted around the same time. Even though the PSD2 was adopted slightly earlier than the GDPR,52 the discussion starts with an analysis of the GDPR, since this makes more sense from an analytical point of view.53

52 The PSD2 directive was adopted in November 2015; and the GDPR in April 2016.

53 When discussing the territorial component of the GDPR, an in-depth analysis of the concept of extraterritoriality is provided, which can then be applied to the territorial concept of the PSD2.


2.2. The General Data Protection Regulation

With the strong need for a harmonised EU regime, the GDPR was adopted in May 2016 on the basis of article 16 Treaty on the Functioning of the European Union (‘TFEU’) in conjunction with article 8 Charter of Fundamental Rights of the European Union (‘Charter’), and replaces Directive 95/46.54 Article 16 TFEU gives the European Council and the European Parliament the explicit mandate to regulate data protection.

2.2.1. Material scope of application

The GDPR applies to the ‘processing of personal data’.55 Since the adoption of the GDPR, the interpretation of the material scope of ‘processing’ and ‘personal data’ has not changed. To date, the material scope of application is guided by Article 29 Working Party (‘WP’) Opinion 4/2007 on the concept of personal data.56 Personal data, as defined in the DPD and currently enshrined in the GDPR, has a wide definition. Essentially, any information that relates to a natural person constitutes personal data.

Secondly, processing is “[a]ny operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.”57 The provision continues with a list of examples of processing operations. The phrase ‘any operation or set of operations’ is not further elaborated on in the text of the GDPR, but implies that operations that are part of a set of operations “may take place simultaneously or in different stages”, and that “a set of operations” may take place both where only one actor (controller or processor) processes the data and where more than one processor or controller processes the same personal data.58 Essentially, processing covers a wide range of operations, but de facto it refers to any operation relating to personal data.

2.2.2. Personal scope of application

Both the data controller and the data processor fall within the personal scope of the GDPR. The definition of both actors is crucial, as the controller bears the primary responsibility under the GDPR. Indeed, the GDPR is not only addressed to controllers or joint controllers, but also to processors, as it introduces specific rules on the processing of personal data by processors.59

54 Council Directive (EC) 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [2015] OJ L00/46.

55 Article 2(1) in conjunction with article 4(1) and (2) GDPR

56 Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data [2007].

57 Article 4(2) GDPR

However, for many years there has been some confusion among entities, both at contractual and at compliance level, about the meaning of controller and processor in the GDPR. In response, the European Data Protection Board (‘EDPB’) recently adopted Guidelines to give more context to articles 4(7) and 4(8) GDPR.60 The Guidelines state that the controller is mostly an organisation as such, and not an individual within the organisation.61 Importantly, the controller determines the purposes and means of processing.62 For the concept of a processor, two criteria are decisive, namely that it is a separate entity in relation to the controller and that it processes personal data on behalf of the controller.63 Essentially, the controller’s instructions are leading and the processor may not process for other purposes. The processor does, however, have a level of discretion in determining how to serve the controller’s best interest and may therefore choose the most appropriate technical and organisational measures to ensure the security of processing.64

Important for this thesis is to establish whether both the controller and the processor can be held accountable for personal data breaches pursuant to the GDPR. As stated in chapter 1.3.3., payment service providers frequently take on the role of data processor and execute sub-processing agreements with other processors to store consumers’ payments and for credit scoring.65 The processor is therefore gaining more responsibility, in the sense that if the processor infringes the GDPR by acting ultra vires and determining its own purposes and means, it will be deemed to be a controller.66 This is also the case when the processor engages a sub-processor and therefore, a fortiori, acts as a controller by ‘determining the means and the purpose’ of the processing.67 Essentially, when the processor does not comply with the obligations specifically directed at it, it will be held liable pursuant to article 5(1) GDPR. Article 58 enshrines that both controllers and processors can be fined when they do not comply with the obligations of the GDPR. Both the controller and the processor are hence directly accountable towards the supervisory authorities.68 Lastly, pursuant to article 82(4) GDPR, data subjects can sue both the controller and the processor for personal data breaches.

59 C. H. Beck, Hart, Nomos, New European General Data Protection Regulation: a practitioner’s Guide (1st edn, Nomos Verlagsgesellschaft 2018), p. 31.

60 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR [2 September 2020].

61 EDPB [2020] (n 60) p. 3.

62 Article 4(7) GDPR

63 EDPB (n 60) p. 3.

64 Article 28(3) in conjunction with article 32 GDPR

65 FSB (n 37) p. 7.

66 Article 28(10) GDPR

67 Article 28(3) GDPR

2.2.3. Territorial scope of application

The GDPR represents a significant evolution in data protection law. While it was evident that the increasing use of the internet, and hence the flow of personal data, is an irreversible development which on the one hand generated huge economic growth in digital business,69 it was at the same time noticeable that the flow of personal data originating from different sources and differing jurisdictions also brought substantial risks to one’s liberties. This interconnected world, as we have seen in the jurisprudence of the European Court of Justice (‘ECJ’),70 calls for borderless regulation, which aims at regulating the activities of entities not necessarily established in the EU that nevertheless violate the liberties of those established in the EU. As a consequence, the EU adopted the GDPR, which, unlike many other privacy regulations,71 applies to conduct that occurs abroad.72

Extraterritoriality is defined as a measure triggered by something other than a territorial connection with the regulating state.73 Extraterritoriality is very rare under EU law; instead, the EU has frequently adopted legislation that has “territorial extension”.74 Territorial extension exists where the territorial connection with the EU influences conduct that takes place outside the EU.75

Analysing foreign jurisdictions, the U.S. Supreme Court has adopted a three-step approach to determining whether legislation has extraterritorial application.76 Morrison, a ground-breaking judgment on the notion of extraterritoriality, concerned foreign plaintiffs who had purchased shares in a foreign company on a foreign stock exchange. Some of the fraudulent conduct had occurred in the U.S. The Supreme Court (‘SC’) was confronted with the question whether the Securities Exchange Act 193477 has extraterritorial application. First, the SC stated that “legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States”.78 An exception to this rule is when “there is the affirmative intention of the Congress [that] clearly expressed to give a statute extraterritorial effect.”79 If, however, there is no clear affirmative indication, one must look at the conduct relevant to the provision’s focus to assess whether the legislation applies extraterritorially.80 The SC continued by stating that the focus of the provision was not, as alleged by the plaintiffs, on the location of the conduct (i.e., also in the U.S.), but rather on the location of the transaction, which was not in the U.S. Therefore, the Securities Exchange Act 1934 did not have extraterritorial application.

68 EDPB (n 60) p. 8 and 9.

69 FSB (n 37)

70 Case C-131/12 Google Spain v. AEPD [2014] ECLI:EU:C:2014:317, paras 46-60.

71 E.g., HIPAA, CCPA

72 J Scott, The new EU “extraterritoriality”, [2014] CMR 51: 1333-1496 at 815.

73 J Scott, “Extraterritoriality and territorial extension in EU law”, 62 AJCL (2014), 87-126.

74 Council Regulation (EC) 2111/2005 on the establishment of a Community list of air carriers subject to an operating ban within the Community and on informing air transport passengers of the identity of the operating air carrier, O.J. 2005, L 344.

75 Scott (n 72), p. 4.

Morrison adopted a ‘transactional test’ for assessing the territorial reach of the Securities Exchange Act, rather than merely looking at the conduct.81 Indeed, in RJR, the SC held that when the focus of the provision is found within the U.S., application of the provision can be considered permissible, regardless of whether the conduct in question occurred outside the U.S. In casu, the location of the injury was not enough to establish its application.82

Whereas the U.S. has been willing to accommodate extraterritoriality in the exercise of prescriptive jurisdiction over foreign conduct that is intended to have substantial effects within the territory of the U.S.,83 extraterritoriality in the EU has not received the same level of discussion.84 In Air Transport Association of America, however, the ECJ upheld the legality of an EU regulation that regulated conduct taking place outside EU territory, since the regulation applied only to flights arriving in or departing from the EU.85 EU law focuses on particular “triggers” that spark its application.86

77 Securities Exchange Act of 1934, June 6, 1934, ch. 404, title 1, 48 Stat. 881.

78 Morrison [2010] (n 76)

79 Idem.

80 Morrison (n 76) para 35.

81 Dodge, William S., The Presumption Against Extraterritoriality in the U.S. Supreme Court Today (2018). U.S. Litigation Today: Still a Threat for European Business or Just a Paper Tiger? (2018), ISBN 187-196, p. 190.

82 RJR Nabisco v. European Community 136 S. Ct. 2090 (2016).

83 Third Restatement of the Foreign Relations Law of the U.S.

84 Discussion has been more focused on extraterritoriality in competition law, i.e., Florian Wagner-von Papp, Competition law, Extraterritoriality and Bilateral Agreements, in Research Handbook on International Competition Law (Ariel Ezrachi ed., 2012)

85 Case C-366/10 Air Transport Association of America and Others v. Secretary of State for Energy and Climate Change [2011] ECR 2011-00000.


Article 3 GDPR clearly establishes extraterritoriality. Article 3(1) GDPR states that the GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”87 Recital 22 enshrines that the threshold for ‘establishment’ is a ‘stable arrangement’. The Guidelines on the concept of territoriality emphasise that the determination of a ‘stable arrangement’ is a factual analysis and is not tied to a legal form.88 The Guidelines state that it suffices when only one employee or agent of a non-EU entity is in the EU.89 However, there must be a connection between the activities of the establishment in the EU and the non-EU controller or processor. In Google Spain the ECJ ruled that this connection exists where the operator of a search engine established in a third country sets up a subsidiary in a Member State which is intended to promote and sell the advertising space offered by that search engine and which orientates its activities towards the inhabitants of that Member State.90 This interpretation of the territorial component of data protection law is significant because the connection between the processing by the non-EU controller or processor and the establishment can exist even if the establishment does not take a direct role in the processing itself. The Court found this definition necessary in order to prevent circumvention of the rules and to ensure effective protection of the fundamental right to privacy.91

Alternatively, even in the absence of an establishment in the EU, a controller or processor can still be subject to the GDPR if it targets data subjects in the EU. On this footing, it can be said that the scope of the GDPR is connected to the processing itself, rather than to the location of the entity. The first subparagraph of article 3(2) GDPR focuses on one of the elements of targeting, namely ‘offering goods or services’ in the EU. For the purposes of this thesis, the focus will only be on the first subparagraph of article 3(2) GDPR. Firstly, targeting refers to any person in the EU; hence, it does not matter whether or not the data subject is an EU citizen or an EU resident, it simply refers to “everyone”.92 Moreover, the Guidelines state that the processing activities related to offering goods or services must be intentional and not inadvertent or incidental.93 Similarly, the EDPB states that case law related to Regulation 44/2001 (Brussels I) can be put in parallel with the targeting principle of the GDPR. The Court held that “the trader must have manifested its intention to establish commercial relations with such consumers.”94

87 Article 3(1) GDPR

88 EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (art. 3) [12 November 2019].

89 EDPB [2019] p. 6.

90 Case C-131/12 Google Spain v. AEPD [2014] ECLI:EU:C:2014:317, paras 46-60.

91 Idem, para 53.

Importantly, while there are a few prominent criteria that must be considered for the application of article 3 GDPR, the EDPB, both for paragraph 1 and for paragraph 2 of article 3, frequently uses the term ‘in concreto’, implying that the analysis is concrete and, crucially, conducted on a case-by-case basis. In other words, there are no bright-line rules on which circumstances precisely trigger the application of article 3. One must look at the context and the totality of the facts.

Indeed, while the U.S. SC case law has adopted a clear three-step analysis of when extraterritoriality applies, in EU law extraterritoriality seems rather rare and open to a case-by-case analysis.

2.2.3.1. Transfers to third countries (proportionality)

It should be pointed out that under article 44ff GDPR, the data controller or processor may only transfer personal data outside the EU if the conditions of Chapter V are complied with. This means that the European Commission (‘EC’) must have adopted an adequacy decision,95 establishing that the level of protection in that third country is equivalent to the level of protection in the EU, or, alternatively, additional measures must be adopted.96 This notion of ‘equivalence’ means that the third country’s protection scheme is equivalent to the one guaranteed in the EU by articles 7 and 8 Charter and secondary data protection legislation.97 As the notion of ‘equivalence’ evokes a fundamental rights analysis, it brings proportionality into the realm of data transfers. The reason is that, when determining whether conduct interferes with a fundamental right, a balancing assessment must be made, which includes the notion of proportionality pursuant to article 52(1) Charter.

93 EDPB [2019] p. 15.

94 Joined cases C-585/08 and C-144/09 Pammer v Reederei Karl Schluter GmbH & Co and Hotel Alpenhof v Heller ECR 2012 I-12527.

95 Article 45 GDPR.

96 Article 46ff GDPR


In the absence of such an adequacy decision, the conditions of standard contractual clauses (‘SCC’) must be met by the exporter and importer of the personal data,98 or, alternatively, binding corporate rules must be adopted.99 Schrems II concludes that, also in the absence of an adequacy decision, the protection guaranteed by EU fundamental rights must travel with the data, regardless of where the data is and no matter whether such travelling is based on an adequacy decision or on additional safeguards (i.e., SCC).100 In this context, the data controller or processor that transfers data to a third country is responsible for the proportionality assessment.

An interesting question, discussed further in chapter 3, is whether such a proportionality assessment is (correctly) made by the controller and the processor.

2.3. Payment Services Directive 2

In order to promote the development of online banking and e-commerce within the European Union, Directive 2015/2366/EU of the European Parliament and of the Council of 23 December 2015 (‘PSD2’) was adopted. The Directive replaces Directive 2007/64/EC (‘PSD1’) and ‘provides new rules to ensure legal certainty for customers, merchants and companies within the payment chain and modernizing the legal framework for the market for payment services.’101 Whereas PSD1 was important in order to open up payment services to non-banks (“payment institutions”), PSD2 allows tech companies to provide payment services as “payment initiation service provider” (‘PISP’) or “account information service provider” (‘AISP’). As a consequence, PSD2 opens the door of the payment industry to third parties other than banks and payment institutions.

The legal basis for the freedom to provide payment services is laid down in articles 49 (‘freedom of establishment’) and 56 (‘freedom to provide services’) TFEU and must be implemented in accordance with the principles recognised by the Charter.102 On the one hand, the vital purpose of the PSD2 is to increase competition in the payment industry. It does so by enhancing the competitive position of financial institutions, which were already operating on the market and are subject to strict regulatory requirements, against the new players on the market which offer alternative payment services.103 On the other hand, the directive strengthens customers’ rights by providing for more security. The preamble states that there has been a “rapid growth in the number of electronic and mobile payments and the emergence of new types of services in the market place, which challenges the current framework” and that “the security risks relating to electronic payments have increased.” Therefore, “safe and secure payment services constitute a vital condition for a well-functioning payment services market.”104

98 Article 46 GDPR

99 Article 47 GDPR

100 Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems II [2020] ECLI:EU:C:2020:559, para 200.

101 Recital 6 PSD2.

103 Recital 6 PSD2 in conjunction with recital 27.

104 Recital 7 PSD2.

2.2.1. Scope

According to article 1, the directive applies to various categories of ‘payment service providers’ (‘Psp’) which, according to article 2, provide payment services within the Union. Importantly, the directive gives TPSPs access to payment data, including personal data. These TPSPs can essentially be divided into two groups: payment initiation service providers (‘PISPs’) and account information service providers (‘AISPs’). Given the length limitation of this thesis, the focus will be on PISPs.

The prevalence of electronic payments has increased largely due to the internet and smartphones. Customers can now make payments online through non-traditional means. The traditional way of banking, as described in the previous chapter, is commonly replaced by PISPs. Article 4(15) defines a payment initiation service as “a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider”. Customers with an online payment account can use a PISP. It enables payments to be transferred directly from the customer’s (‘payer’) account to the merchant’s (‘payee’) account and therefore allows customers to purchase online without using an actual payment card. Indeed, instead of the customer paying through the financial institution, the payment is made via the Psp. The PISP passes the payment request to the customer’s bank, which then authenticates the customer to confirm the payment.105 Hence, the PISP functions as a bridge between the customer’s account and that of the merchant. It must be noted that the explicit consent of the account owner is sufficient, and that the PSD2 does not require any contractual relationship between the Psp and the financial institution.106 However, the PSD2 does require Psps to have a licence in order to operate such services.107 Although the PISP never has control over the customer’s account, it does ensure that the payments are made.

103 Recital 6 PSD2 in conjunction with recital 27.

104 Recital 7 PSD2.

105 EDPB, Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR [June 2020], p. 6.

106 Article 66(5) PSD2.

2.2.2. Territorial scope

As mentioned above, the PSD2 applies to payment services provided within the Union.108 Essentially, where both the Psp of the payer and the Psp of the payee are established in the EU, the PSD2 applies.109 However, titles III and IV of the PSD2 also apply to transactions where only one of the payment service providers of the payee or the payer is based within the EU. Title III contains provisions regarding the ‘transparency of conditions and information requirements for payment services’ and title IV enshrines provisions regarding ‘the rights and obligations in relation to the provision of payment services.’ The provisions which are excluded from the abovementioned ‘one leg (out)’ transactions are those related to recourse against another PSP, liability for non-execution and rules around refunds.110 The PSD2 therefore contains particular obligations, such as information and transparency obligations, for financial institutions and payment service providers located within the EU towards a payer (customer) or payee (merchant) established outside the EU. The payer and the payee established across the border can invoke rights enshrined in the directive. An example of a one-leg transaction is where the merchant (and its payment service provider, the ‘acquirer’) are EU-based, but the customer (and its payment service provider, the ‘issuer’) are not.

Importantly, non-EU Psp do not have to comply with the PSD2. This can be implied from the European Commission’s 2015 factsheet, in which it emphasised that these one-leg transactions will have implications for payment service providers and financial institutions established within the EU.111 Unfortunately, as will be mentioned in the next chapter, the Commission does not make any reference to non-EU Psp and their potential to become subject to the requirements of the PSD2.

107 Article 5(1) and article 13(2) PSD2.

108 Article 2(1) PSD2

109 Article 2(2) and (3) PSD2

110 Nadja Van der Veer, ‘One-leg out transactions: what does it really mean?’ (paymentsguru 10 April 2018) https://paymentsguru.eu/psd2-one-leg-transactions/ accessed on 1 October 2020.

111 European commission, ‘Payment Services Directive: frequently asked questions’ (Ec.europa 12 January 2018)


Indeed, since the PSD2 does not apply merely to transactions within the EU, it is not a purely territorial application, in which the conduct occurring within a State forms the basis for the exercise of territorial jurisdiction.112 Arguably, although the literature has not firmly discussed this matter in the context of the PSD2, the latter has territorial extension.113 The territorial application of the PSD2 is somewhat extended to transactions outside the EU, as Psp established in the EU also have information and transparency obligations under the PSD2 towards payees and payers outside the EU.

As shall be analysed later, an interesting question is whether the PSD2 should have extraterritorial application, thereby also subjecting Psp established outside the EU to the PSD2.

2.2.3. Interim conclusion

Indeed, the scattered landscape of data sharing and data accumulation, originating from different sources and differing jurisdictions, illustrates both the potential privacy implications arising from the tech industry and the difficulty of establishing a comprehensive framework to combat these risks. As I have described, the GDPR and the PSD2 were adopted at a crucial time. However, the differing territorial scope as well as the proportionality requirement call for an interesting debate on whether the consumer is currently sufficiently protected. Therefore, chapter 3 will discuss these two topics in light of the incompatibilities between the two regulations.

112 Scott (n 73) p. 4.


3. Data protection in PISPs

The previous chapter analysed the current legal framework on data protection in payment services. It is interesting that both the GDPR and the PSD2 were adopted around the same time. According to the Payment Systems Regulator (‘PSR’),114 this was not a coincidence, as the PSD2 poses privacy risks: Psp can initiate payments and therefore have access to customers’ bank accounts.

This chapter delves deeper into the interplay between the PSD2 and the GDPR and considers whether this framework protects the consumer against data breaches in payment initiation services. It will start by describing the interplay between the PSD2 and the GDPR.

Subsequently, it will apply the applicable legal framework to PISPs and, by doing so, address the incompatibilities between the PSD2 and the GDPR in the context of extraterritoriality and proportionality. Lastly, it will address possible solutions to these incompatibilities.

3.1. Interaction between PSD2 and GDPR

Whereas the GDPR applies to personal data in general, the PSD2 is sector specific, as it focuses on data processed by Psp. One would therefore assume that the PSD2 is lex specialis and prevails. However, this presumption can be rebutted by the fact that the PSD2 states in recital 94 that it must be carried out “in accordance with the (repealed) Directive 95/46/EC and national rules which transpose Directive 95/46/EC and with Regulation (EC) No 45/2001.” Also, recital 29 states that the PSD2 raises data protection issues, in particular regarding the protection of payment service users’ data in accordance with EU data protection rules. It continues by emphasising that the PSD2 should therefore respond to those issues. Moreover, both legislations were adopted for different purposes. While the PSD2 aims at providing access to personal data, the GDPR aims at protecting personal data.115 Indeed, it can be said that one must look at both regulations and that they must therefore be applied ‘at the same level.’116

114 PSR (2018), ‘Discussion paper: data in the payments industry’ London June 2018.

115 Recital 29 PSD2.


The fact that one regulation does not prevail over the other is of importance for compliance with both regulations. As we shall see, compliance with both regulations is not always uncomplicated, as one may be confronted with significant incompatibilities between the two.

3.2. What personal data is processed by PISPs?

As mentioned in an earlier chapter, PISPs collect various data. According to the PSR discussion paper “Data in the payments industry”, payments data can be divided into ‘core payments data’ and ‘ancillary data’. The latter are not necessarily processed when settling a transaction.

Core data resulting from a payment transaction include personal or identity details of the payers (e.g., names, telephone numbers and email addresses), sort codes and account numbers for the payers and the payees, reference information for the payment, date and time of the payment and Permanent Account Numbers for card transactions. Ancillary data, by contrast, include the location of the payment, information on the channel through which the payment was made, specific information about the devices used for the payment (such as identification numbers, IP addresses and cookies for online payments) and usage data such as the frequency with which consumers log on to their online/mobile banking or payment accounts.117

In addition to the data processed for the settlement of a transaction, additional alternative data are collected, essentially customers’ spending data and social media patterns.118

Both the GDPR and the PSD2 enshrine the notion of ‘sensitive’ (payment) data.119 It is, however, misleading that the definition differs between the two legislations. Whereas ‘sensitive data’ pursuant to the GDPR entails “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, health-related data, data concerning a person’s sex life or sexual orientation,”120 and is data that is particularly sensitive in relation to fundamental rights and freedoms,121 according to article 4(32) PSD2 ‘sensitive payment data’ are “personalised security credentials which can be used to carry out fraud.”

117 PSR, Data in the payments industry, 16-17.

118 Ng (n 43)

119 Article 4(32) PSD2 and article 9(1) GDPR

120 Article 4(13), (14) and (15), article 9(1) and recital 51 GDPR; see also European Commission, ‘What personal data is considered sensitive’ (ec.europa) <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en> accessed on 3

121 Recital 10 GDPR

Under the GDPR, the processing of sensitive personal data is essentially prohibited,122 but the GDPR allows for an exhaustive list of derogations.123 Two derogations from the prohibition are relevant for the processing of personal data by PISPs: when the data subject has explicitly consented to the processing of sensitive personal data; and when the processing is necessary for reasons of substantial public interest.124 With regard to the public interest requirement, article 9(2)(g) GDPR enshrines that the specific public interest must be laid down in EU law or in Member State law, and that the processing must meet the conditions of proportionality in relation to that aim.125

Confusingly, the EDPB states that ‘explicit consent’ pursuant to article 94(2) PSD2 is a contractual obligation.126 However, for the processing of sensitive personal data, a contractual obligation is, according to the EDPB, insufficient, as it previously also held that article 9(2) GDPR does not recognise “necessary for the performance of a contract” as a derogation from the prohibition on processing sensitive data. Due to this inconsistency, it is not clear on which grounds sensitive personal data may be processed.

A different discussion is whether the customer knows that sensitive data is processed. PISPs can easily gain access to sensitive data: merely by donating to a political party, paying medical bills, or purchasing goods that reveal one’s sexual preferences, a customer reveals sensitive personal data to PISPs.127

Due to this inconsistent interpretation of the notion of sensitive data, the EDPB recommends that service providers “at least map out and categorize precisely what kind of personal data will be processed.”128 However, in my opinion, although this recommendation of the EDPB will allow the customer to know what data will be processed, it is questionable whether this recommendation alone is robust enough. Not only is it necessary for the customer to know which data is processed, it is also necessary to reduce confusion amongst PISPs on the definition of ‘sensitive personal data’. One possible solution to this incompatibility between the PSD2 and the GDPR is to clarify what ‘sensitive personal data’ is by incorporating article 9(1) GDPR in article 4(32) PSD2.

122 Article 9(1) GDPR

123 Article 9(2) GDPR

124 Article 9(2) GDPR

125 Guidelines on the interplay PSD2 and GDPR, p. 18.

126 Recital 87 GDPR. EDPB [2020] (n 105), p. 14.

127 Guidelines on the interplay PSD2 and GDPR, p. 17.

128 Guidelines on the interplay PSD2 and GDPR, p. 17.

3.3. How can PISPs be defined under the GDPR and what is the legal basis for processing?

In the context of the payment platforms described in chapter 1, PISPs can be either controllers or processors under the GDPR, depending on the activity. When a PISP acts as an acquirer in the payment landscape and initiates a transaction for one of its merchants, it acts as a processor for the settlement of that transaction; the merchant is the controller in this context, as it determines the purposes and means of the processing. When, however, the PISP complies with its own regulatory obligations, such as KYC and AML obligations, it acts as a controller.

Mobile wallet issuers are considered to be controllers: they determine whether and how the payment service is provided within the framework of the PSD2, and once they obtain access to the account data they can be regarded as controllers of those data. Processors in this setting are, for example, the app developers engaged by the issuer.

3.3.1. Legal basis

In order for PISPs to process personal data, there must be a legal basis. While article 94(2) PSD2 provides that the legal basis for processing payment data is ‘explicit consent’, the GDPR provides six legal bases for processing personal data.129 The EDPB has, however, stated that “the legal basis for processing of personal data for the provision of payment services is, in principle, article 6(1) (b) GDPR.”130 This provision requires that the processing be necessary for the performance of a contract to which the data subject is party. This implies that ‘explicit consent’ in itself cannot be regarded as a legal basis for the processing of personal data. Explicit consent under the PSD2 instead refers to the situation in which data subjects, when entering into a contract with a payment service provider (pursuant to article 6(1)(b) GDPR), must be made fully aware of the specific purpose for which their data will be processed and must have explicitly agreed to this.131

129 Article 6(1) GDPR.
130 EDPB [2020] (n 105), p. 17.

Confusingly, however, article 94(1) PSD2 provides that processing shall also be permitted when “necessary to safeguard the prevention, investigation and detection of payment fraud.” This paragraph appears to provide additional legal bases beyond ‘explicit consent’. It is therefore contentious whether PISPs may process data only on the basis of the contractual relationship or also on other legal bases. On the one hand, the EDPB has held that “when a payment service provider needs access to personal data for the provision of a payment service, explicit consent in line with article 94(2) PSD2 of the payment service user is needed”132 and, consequently, that “explicit consent is a contractual consent”. On the other hand, the European Banking Federation argues that “all legitimate grounds for processing provided by the GDPR should be considered valid, also for the further processing of data by TPP.”133 The EDPB and the banking sector thus clearly disagree on the ground on which personal data may be processed.

One solution is for a national court of last instance, when confronted with the question of how article 94 PSD2 is to be interpreted, to request a preliminary ruling pursuant to article 267(3) TFEU. As the interpretation of this provision of secondary EU law is disputed, only such a court is under an obligation to refer the question to the ECJ.134 Lower courts, however, have the discretion to refer a preliminary question to the ECJ pursuant to article 267(2) TFEU where they consider that a question concerning the interpretation of EU law has arisen.135

131 Ibid, p. 20.
132 Ibid, p. 14.
133 EBF response to the European Data Protection Board’s consultation on the Guidelines 6/2020 on the interplay of the Second Payment Services Directive and the GDPR, <https://www.ebf.eu/wp-content/uploads/2020/09/EBF_042474-European-Banking-Federation-response_EDPB-guidelines_PSD2-GDPR_.pdf> accessed October 2020, p. 1.
134 Case C-283/81 CILFIT v Ministero della Sanità [1982] ECR 3415.
