The PSD2 (Payment Services Directive 2) creates privacy risks. Banks, fintechs and politicians say that privacy is adequately protected in the PSD2 and are hardly aware of the risks that arise. This is why Privacy First has started a number of projects around PSD2. The site psd2meniet.nl is the home base for the Don't-PSD2-me register. In this project we are looking for solutions to the core problem of the PSD2: it is not possible to filter payment data.
The core of the PSD2 privacy issue is that consumers have no control over which data a PSD2 service provider processes. You either give permission to share all your data, or you share nothing. But even if you do not want to share anything, your data will still be distributed. We want to prevent your data from leaking and to stop more data being shared than necessary. That is why we are developing a PSD2-me-not register to filter data.
With the Don't-PSD2-me register, we are working on an opt-out register to ensure that banking information is not passed on to third parties against the account holder's wishes. The idea was launched on 7 January 2019 in the television show Radar and in this press release. The Don't-PSD2-me register should give users a practical tool to protect their own personal data. In the long run, further filtering and restriction should become possible.
- Restrict and filter: Consumers cannot limit or filter the amount of bank information that is shared. Even if a financial service provider does not need this data, all data will still be shared once permission has been given.
- Silent third party: A consumer's bank details also include the details of another person's account, the 'silent third party'. This person does not know that their data is being shared and cannot prevent it. Because transaction data will be analysed far more widely through Big Data and data analytics than before PSD2 came into force, there is a great risk of privacy violations.
- Filtering of special personal data: Bank details contain "special personal data" which may only be processed under strict conditions. A payment to a trade union, health care provider, pharmacy, political party or an organisation that discloses sexual orientation must be considered special (sensitive) personal data according to Privacy First (and also under the AVG). At the moment it is not possible to filter this data, so it is provided to parties that are not allowed to process it.
- Honest information: Consumers are not informed well or honestly enough. This is a bad thing, especially since a great deal of value is attached to their explicit consent. But how much value does consent have if a consumer cannot sufficiently assess the consequences? The PSD2-me-not register project should also produce a usable website, in which consumers can indicate that they do not want their data to be provided to third parties.
It takes more than that...
Because PSD2 is a European directive, there is little legal scope to change the operation of PSD2. That is why we are looking for practical measures to reduce the risks. The PSD2-me-not register could first of all be used on a voluntary basis. But more is needed. Whether in the PSD3, or during the evaluation, privacy must be better safeguarded in the PSD2. The ambition is to embed the PSD2-me-not register at European level on a voluntary basis, but preferably through legislation.
Join the PSD2 Privacy Panel
In order to take stock of the wishes of consumers, Privacy First launched a broad and representative survey, the PSD2 Privacy Panel, in February 2019. The initial results of the PSD2 Privacy Panel have shown a high level of public support for the Privacy First initiatives around PSD2, as well as an urgent social need for a PSD2-me-not register. Want to participate in the PSD2 Privacy Panel? Then click here! (The Privacy Panel has since been closed down.)
Made possible by donors, the SIDN fund and volunteers
An ambitious project such as the PSD2-me-not register requires considerable resources. Donors and volunteers make Privacy First possible. A very important contribution comes from the SIDN foundation.