Our response to the PSD2&GDPR guidelines

The European Data Protection Board (EDPB) offered the opportunity to provide feedback on its draft guidelines on the relationship between the PSD2 Directive and the General Data Protection Regulation (GDPR, 'AVG' in Dutch). We have of course made use of this. The better the guidelines, the better data will be protected by providers of PSD2 services.

The purpose of the guidelines is to provide payment service providers with more clarity about the way in which they can process personal data. The guidelines focus, among other things, on consent, data minimisation, security and transparency. The EDPB also pays ample attention to 'special categories of personal data'.

39 parties commented...

In total, 39 parties submitted comments on the guidelines. The comments immediately show how difficult the PSD2 is to implement. Apples are regularly compared with pears. The fact that certain concepts are not clear is cause for concern. We therefore hope that the EDPB will soon come up with better guidelines.

...and sometimes get in each other's way.

We focus on account information service providers (AISPs). An AISP provides a service that lets you view your bank details in a 'consolidated view', for example a single overview of accounts held at three banks. This is quite different from a service that handles payments, the payment initiation service provider (PISP). Unfortunately, the rules for PISPs and AISPs are also mixed up in the guidelines. As a result, the complex matter remains rather... complex.

One of the tricky things about the PSD2 is that different payment services are included in one directive. As a result, measures that are good for protecting privacy in one case may be unnecessary in the other. An example of this is transactions involving special categories of personal data, such as a donation or membership fee paid to a trade union or political party. That such data is required for a payment made by a PISP is rather obvious. But in their reactions, PISPs indicate that the EDPB is making things far too difficult for them: get rid of those rules! For us, the rules do not go far enough, because we see risks in processing by AISPs. We have to be careful not to throw the baby out with the bathwater.

Moments when risks arise are insufficiently protected

With account information services, privacy risks can arise at two points in time. The first is as soon as an AISP engages other parties to process the data. For example, when the AISP engages a third party to categorise the data. The second moment where risks arise is when an AISP offers additional services. Think of offers based on your payment behaviour, but also budget management or links with other files.

If credit providers or risk assessors are involved in these processes, there is a good chance that your details will somehow be added to your profile. It is not for nothing that Privacy First is one of the parties bringing a lawsuit!

One of the ways to prevent your data from being processed incorrectly when you use an account information service is to filter it. This can be done with the PSD2-me-not filter. But for PISPs, filtering is anathema, so there is still a lot of work to be done. We continue to highlight our solutions, and have now found 38 parties to approach.

Read our input here