
European PSD2 legislation puts privacy under pressure: Privacy First calls for a Don't-PSD2-me register

New European legislation PSD2 comes into force

PSD2 (the revised Payment Services Directive) will come into force in the Netherlands at the beginning of 2019. This new European banking law allows consumers to share their bank details with parties other than their own bank. For this, the consumer must first give explicit consent. Once consent has been given, the bank must share all transaction data[1] of the consumer (the account holder) with the external party (the financial service provider) for a period of 90 days, after which the consumer can renew his consent. The consumer can also withdraw his consent at any time.

PSD2 raises major concerns for Privacy First

Privacy First has major concerns about PSD2. The law focuses too much on improving competition and innovation, and the privacy interests of account holders have been lost sight of. Privacy First's biggest objections are:

  • Consumers cannot limit the amount of bank details that is shared. Even if a financial service provider does not need this data, all of it will still be shared once consent has been given.
  • A consumer's bank details also include the details of the counterparty account of every transaction. That other person does not know that his details are being shared and cannot prevent it. Because transaction data will be analysed with Big Data and data analytics on a much broader scale than before PSD2 came into effect, there is a high risk of privacy violations.
  • Bank details contain "special personal data" that may only be processed under strict conditions.[2] According to Privacy First, a membership contribution paid to a trade union, a political party or an organisation that discloses sexual orientation must be regarded as special (sensitive) personal data. Transactions with healthcare providers and pharmacies should also be regarded as special personal data. At the moment it is not possible to filter these data, and they are provided to parties that are not allowed to process them.

During the broadcast of AVROTROS Radar on Monday evening 7 January 2019, Privacy First explicitly drew attention to these issues.

PSD2 label for transparency

Privacy First wants consumers to be informed honestly and transparently about what happens to their data. Instead of long privacy statements, Privacy First pleads for independent information on a single A4 page, containing the information that consumers themselves consider relevant. After all, consumers are best placed to decide for themselves what information they find valuable when making a choice. During 2018, Privacy First worked on this initiative together with de Volksbank and other partners from the financial sector.

Don’t-PSD2-me-register

Privacy First is surprised that no attention has been paid to the role of "special personal data" in transaction data. These data may only be shared under strict conditions and must therefore be filtered out. In addition, consumers who do not want their data to be shared by others with financial service providers should be given the opportunity to prevent this. That is why Privacy First wants an opt-out register for PSD2, similar to the Don't-call-me register. During the Radar broadcast, Privacy First announced that it would take the initiative for this proposal and intends to develop it further with the financial sector and politicians. The aim is also to make the use of the opt-out register compulsory. The European PSD2 directive will have to be amended for this purpose.

[1] Additional information: this concerns all transaction data. How far back these data go varies by bank. See the overview by the Consumers' Association (Consumentenbond): the majority keeps statements of account for at least 5 years, https://www.consumentenbond.nl/betaalrekening/meerderheid-bewaart-rekeningafschriften-ten-minste-5-jaar.

[2] Additional information: this is laid down in Article 9 of the GDPR (AVG) and Article 22 of the Dutch GDPR Implementation Act (UAVG). In short, the processing of special personal data is prohibited unless an exception applies. See https://wetten.overheid.nl/BWBR0040940/2018-05-25.