Last December 15, the European Data Protection Board (EDPB) adopted the 'Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR...to. We gave our comments during the consultation. In 20 pages and 40 comments, we made clear how the guidelines and PSD2 can be adapted to better protect the privacy of users. We found that the first version already pretty good and concretebut saw plenty of room for improvement. The better the guidelines, the better data will be protected by providers of PSD2 services.
Have the guidelines improved?
After the first read, we wondered if they had been modified at all :-). Apart from some dots, commas and minor adjustments, the guidelines remain as they were proposed. Does the EDPB fail to make use of good comments from the field? We regularly saw good comments from other respondents that were worthy of inclusion. We did not see them again. And the few adjustments that we did see, we had not seen before. We just have to assume that it has been read and taken into account ...
We see the fact that the guidelines have hardly been modified as good news. The paragraphs that we consider important are fairly concrete and provide good guidelines for providers to apply better privacy by design. It would have been a pity if those paragraphs had been watered down by the lobbying violence.
Barely adjusted? That's good news...
The concrete implementation by the directives is an important aid in the complex playing field. Both laws want to set frameworks and especially give space to companies to use financial and personal data. The AVG is complex because of its 'open standards' and the PSD2 is a tricky law because AISP (account information services) and PISP (payment services) are intertwined. In addition, the PSD2 mainly points to the AVG when it comes to privacy protection and easily distances itself from the discussion with the 'explicit consent' of Article 94(2) PSD2. In such a context, any clarification is an advantage.
...but still a bit of a shame.
The guidelines are quite clear about transparency, special personal data and 'silent third party data'. They fall short on a number of points. Examples are:
- exercising must be as fast as the other services provided. The statutory maximum period should only occur in exceptional cases;
- the manner of providing information, in accordance with good practices, and that the information is machine-readable
- work out how a provider should handle data if consent is withdrawn within the 90 days
- elaborate on the differences and similarities of 'consent' between AVG and PSD2, an area of much confusion
- stress the possibility to exclude also categories of personal data, including special ones
- deal with the handling of criminal data: the PSD2 can circumvent the existing Black Lists (AP, are you reading this?)
- be clear about what account information services are and can quickly imply detailed profiling in addition to the digital housekeeping book
Although the EDPB misses an opportunity to produce even better guidelines, we should be pleased with what we have here. It certainly helps our PSD2 project along. The guidelines regularly leave no room for misunderstanding that measures must be taken to limit data processing.
Unfortunately, even with the guidelines in hand, major risks remain for users of account information services. The saying 'once given, never given' still applies here. If you use a service and you engage other parties to do so, your profile is updated with the financial data within seconds. Reversing this will be difficult, if not impossible. All the more reason to keep on building the PSD2-me-not-filter.