With adoption of the Payment Services Directive 2015/2366/EU (“PSD2”) and the transposition period underway, start-ups and large companies alike are looking for opportunities to break into the payment service provider market. One of these key possibilities is an existing, yet new, form of service: the payment service initiator. One major company that has made a name in this market is Apple, with Apple Pay. While the benefits from these services are undeniable, regulatory obligations and market experience have shown that the survivability, or success, of these services is intrinsically dependent on their ability to create a product or service that incorporates the notion of “Data Protection by Design”. Only by incorporating data protection principles at the conception and creation stage of these products or services will a payment service initiator be able to comply with the PSD2 requirements and those of the recently signed General Data Protection Regulation (“GDPR”) and succeed in the EU market.
Personal data, inherent to the PSD2 payment service initiation framework
Moving from the Wild West to a regulatory framework, existing payment service initiators were not covered under the PSD1 regime and thus benefited from the absence of regulatory compliance obligations. With their inclusion within PSD2, they will not only have to comply with PSD2’s security and confidentiality requirements but also with those of the existing data protection framework and of the GDPR, since the common underlying factors of these regulations are 2018 as a Member State transposition deadline and personal data.
As the processing of financial information is at the heart of many regulations within the banking sector, PSD2 is no different and goes even further by creating new terms such as “unique identifier” (a data protection technique called pseudonymisation) and “sensitive payment data” (a term closely related to personal financial information within the U.S. legal framework). Moreover, it establishes obligations for the security of the personal data stored, processed and transferred, as well as for the confidentiality of the authentication security credentials used for the execution of payment services.
While security measures in PSD2 refer to the security credentials used for the services, security measures in the GDPR refer to the technical means by which payment service providers protect the “integrity and confidentiality” of the personal data being processed. Data protection specialists will recognize this as the accountability principle and the obligation for data controllers to implement measures protecting the security of the processing. Indeed, these obligations are an integral part of compliance with the existing and future data protection regimes. For example, non-compliance resulting in unauthorized access to, or a breach of, this personal data will, according to the GDPR, result in administrative fines of up to €10 million or 2% of worldwide annual turnover.
Applicability of parallel regulations: Data protection woven into PSD2
When deciphering the security and confidentiality measures required by PSD2 and the GDPR, it does not matter whether a financial institution is a pure player providing only payment initiation services: the security and confidentiality obligations of both regulatory frameworks will apply. The interesting aspect, however, is the role PSD2 plays in reinforcing data protection principles.
PSD2 tries hard to open up the digital market to payment service initiators by introducing a risk-based approach to security credentials, the possibility of piggy-backing on customer authentication already established between an account servicing payment service provider and the user, and by excluding their processing of account information from the definition of “sensitive payment data”. PSD2 focuses on the creation of security credentials to prevent fraudulent access to and use of sensitive payment data and payment services; this in turn creates a unique identifier and verifies it using at least two of the three types of security elements: knowledge, possession and inherence. In other words: something only the user knows (a password), something only the user possesses (a smartphone or authentication card), and something the user is (a fingerprint or voice recognition). This means that any form of security credentials will automatically generate information that relates to an identifiable individual, i.e. personal data.
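The two-of-three rule described above, as an added illustration that is not part of the original article: a small checker that accepts a set of presented authentication elements only when they cover at least two distinct categories, and flags elements that merely repeat a category already covered. The category names, the `Factor` type and the sample factor sets are constructed for this example.

```python
from dataclasses import dataclass

# The three element types named in PSD2's strong customer authentication rule.
CATEGORIES = ("knowledge", "possession", "inherence")


@dataclass(frozen=True)
class Factor:
    label: str      # e.g. "password", "registered phone", "fingerprint"
    category: str   # one of CATEGORIES


def check_sca(factors):
    """Return (satisfied, covered, notes).

    satisfied: True when at least two distinct categories are present.
    covered:   the set of categories the presented factors actually cover.
    notes:     explanations, e.g. an element that repeats a category and
               therefore does not count as a second element.
    """
    covered = set()
    notes = []
    for f in factors:
        if f.category not in CATEGORIES:
            raise ValueError(f"unknown category {f.category!r} for {f.label!r}")
        if f.category in covered:
            notes.append(f"{f.label!r} repeats {f.category!r}; it adds no second element")
        covered.add(f.category)
    satisfied = len(covered) >= 2
    if not satisfied:
        missing = [c for c in CATEGORIES if c not in covered]
        notes.append("need an element from one of: " + ", ".join(missing))
    return satisfied, covered, notes


# Constructed samples: the Apple Pay-style set the article describes (device,
# one-time code, fingerprint) and a weak set that stacks two knowledge elements.
APPLE_PAY_STYLE = [
    Factor("registered iPhone", "possession"),
    Factor("one-time use security code", "knowledge"),
    Factor("fingerprint", "inherence"),
]
PASSWORD_AND_PIN = [Factor("password", "knowledge"), Factor("PIN", "knowledge")]

if __name__ == "__main__":
    for name, fs in (("apple-pay-style", APPLE_PAY_STYLE), ("password+pin", PASSWORD_AND_PIN)):
        ok, covered, notes = check_sca(fs)
        print(name, "ACCEPTED" if ok else "REJECTED", sorted(covered), notes)
```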
Even though PSD2 tries to set payment service initiators apart from other services because of their limited data processing, this does not change the fact that users’ personal data, their transaction histories and their security credentials are collected, stored and processed by initiators. Recognising this, PSD2 creates a mini data protection framework within Article 66, entitled “Rules on access to payment account in the case of payment initiation services”. In that Article, data protection specialists will find the following principles expressed in PSD2 vocabulary: (c) the user consent principle, (f) the data minimization principle, (g) the purpose limitation principle, and (b) the prohibition on transferring data to third parties. While these separate obligations exist, they do not circumvent the applicability of the data protection framework and the GDPR to the processing of personal data by payment service initiators; rather, they reinforce it.
Past experiences and future innovation: Data Protection by Design means success
Going beyond regulatory requirements and security obligations, certain case studies have shown in depth how vital confidentiality and data protection by design are to the success of a product or service. The perfect example is Apple and its development of Apple Pay. Apple Pay was introduced into the American market in October 2014. An innovator in this sector, Apple developed a product that bypassed the need for a credit/debit card when purchasing goods and services.
Mobile payments before and after Apple Pay have struggled to gain the confidence of banks because of their lack of security measures and robust authentication credentials. Apple Pay integrated an approach to authentication similar to PSD2’s previously mentioned notion of “strong customer authentication”: the user’s iPhone, a one-time use security code and the user’s fingerprint (possession, knowledge and inherence). One of Apple Pay’s selling points is that none of the consumer’s credit card information or personal information is transferred to the merchant when using Apple Pay.
Apple goes even further, stating that it does not track the transaction history of Apple Pay users. This is accomplished by having the account servicing payment service provider directly upload and control the financial information fed to the device. For accountability reasons, Apple creates anonymous statistical data regarding approximate payment amounts that is not traceable to any specific individual. In a European market where consumers are much more conscious of the use of their personal data, this type of minimization of the actors processing personal data is very attractive to consumers.
Nevertheless, if a giant like Apple has already settled into the payment initiation market, how can and why should smaller companies or start-ups throw their hat into the ring? The key here is the European market: a market where Apple Pay is not present and where innovation goes hand-in-hand with personal data and Data Protection by Design. Since the Snowden revelations and the invalidation of the EU-US Safe Harbor adequacy decision, European residents and EU companies alike are looking for new ways to keep personal data in Europe without having it mirrored, copied or transferred to the United States. Thus, making users feel that they are in the driver’s seat in regard to their personal data will not only create confidence in a product or service, but will also ensure its compliance with the GDPR and its survivability in the EU market.
Even though new actors must wait until PSD2 is transposed into national law, this gives them enough time to integrate the GDPR data protection principles at the conception and development stage. This is a competitive advantage, since adjusting, modifying or completely changing existing products to comply with regulatory changes is much more difficult than introducing them at the design and conception stage. Whereas services like Apple Pay, which are unfamiliar with EU regulation, will have to re-think, renegotiate and adapt in order to introduce regulatory obligations such as data subject rights and data portability, home-grown services will flourish because data protection is in their blood and incorporated into their way of doing business.
CIL Consulting offers services to accompany financial institutions and companies from the conception to the commercialization stage by providing regulatory counsel, drafting privacy impact assessments, providing data protection training to personnel, and completing the necessary administrative formalities with data protection authorities. Data Protection by Design is good for payment service initiators, because privacy is good for business.