Background

PSD2 and privacy in practice

On paper, the PSD2 seems to have good safeguards when it comes to the protection of personal data. Not only is reference made to the General Data Protection Regulation (AVG), but a consumer must also give his explicit consent before data is processed by a payment service provider. In this article we describe how the PSD2 deals with privacy.

PSD2 through the eyes of 'Alice' and 'Bob'

To better follow the tough PSD2 we illustrate the PSD2 with some people, Alice and Bob. They regularly transfer money to each other. Alice has an account with several banks and would like to make use of a account information service. It's about the 'Eve' service, from which she saw an ad. Bob deliberately chooses not to use an account information service.

Because the PSD2 account information can be used more widely, services such as the online checkbook, budget management, overview of several accounts or advice on financial services. Sometimes before the PSD2 was also possible, but then you had to download the data from your bank and then upload it. PSD2 makes this process a lot easier.

Alice downloads the app 'Eve' and agrees to the terms and conditions. At this moment she is a customer of Eve, but Eve is not yet able to process payment details. For this Alice will explicit approval have to give.

Data from Alice' bank to AISP

Alice gives Eve permission to retrieve her payment details. She has to confirm this permission at her bank. With Alice' permission, Eve asks Alice's bank for the payment details. The bank is mandatory then provide all the information requested. Eve receives the data and updates and uses the data for its services.

Alice will be after 90 days have to renew her consent. In the meantime, Eve has access to the payment details of Alice as far as Alice can see in her online environment. This can be done differ from one bank to another. At the bank of Alice this can be up to 8 years. After 90 days, access is automatically terminated and Eve receives no more mutations. The data received by Eve may no longer be used for the purposes for which they were collected.

Data from Alice are processed by AISP

Alice's data is now at the AISP. The AISP is not allowed to do anything other than as agreed in the contract. The PSD2 emphatically repeats some important privacy principles. An important privacy principle is target retention, knowing what personal data are collected and processed for enables a person to agree or disagree with a processing, and to know what their rights (such as the right of access) are aimed at. The purpose limitation is through the definition of an account information service pretty well delineated. Another principle is data minimization. This is limiting the amount of data to only that which is necessary to carry out a processing operation.

#Adv "Hey Alice, is this something for you?

Eve offers more services than just the account information service. Eve offers the possibility to receive offers based on the payment details, for example from energy suppliers. Alice wants to know more about this. It sounds fun, but who does her data go to? At Eve, the payment details of Alice are converted into a profile. This profile is offered to various energy suppliers.

Alice sees that she can save on the costs of an energy supplier. She decides to switch from an energy supplier. A button in the Eve app takes her to the registration site of the energy supplier. She concludes a contract with the supplier. Isn't that nice? Bob hesitates. He read in Eve's terms and conditions that the company uses an external service provider that specialises in making profiles. Alice's data does not remain with Eve, but is also processed by Mallory Ltd. In the privacy statement he reads that Mallory Ltd. draws up risk profiles, partly from open sources and sources that are not public, for example Collection agencies and (trade) information agencies.

Alice withdraws her consent

Alice isn't comfortable. She decides to quit Eve. You'll need your permission anytime and in an easy way can withdraw In de app klikt ze op de knop ’toestemming intrekken’. De verbinding tussen de bank en Eve is nu verbroken. De betalingsgegevens van Alice staan nog bij Eve. En omdat Alice meerdere diensten via Eve heeft afgenomen staan haar gegevens ook bij die partners. Alice heeft het recht om de gegevens te laten wissen, the 'right to be forgotten'. Alice will have to ask for this right, not only from Eve but from all the partners from whom she has obtained services. Exercising the 'rights of the person concerned' are often difficult to perform. In addition, certain financial data must be kept for 7 years, during which time they will lead a dormant existence. Anonymised data or data in models and profiles will also underperform

Alice notes: withdrawing consent is not automatically deleting data

Alice soon finds out she has to ask for her data to be erased for every service she has taken through Eve. Only the transfer of payment data is deactivated. This will make her have to do with Eve, too. Because Alice is still a customer of Eve and only the services ceases, Eve won't erase the data yet. This may also apply to other providers whose contracts are still ongoing. Chances are that Alice leave it at that.

This article is constantly being expanded. Do you have any suggestions or do you want to know how Bob is getting on? Let us know via martijn@privacyfirst.nl.