DIGITALEUROPE response to the European Data Protection Board’s consultation on the Guidelines 6/2020 on the interplay of the PSD2 and the GDPR

Executive summary

DIGITALEUROPE welcomes the European Data Protection Board (EDPB) draft guidelines on the Interplay of the Second Payment Services Directive (PSD2) and the GDPR and the opportunity to respond to this consultation.

The PSD2 encourages the creation of innovative and competitive services, such as open banking, that enable broader access to payment services and boost financial inclusion. We fully endorse the EDPB’s emphasis on accountability and the need to embed privacy safeguards into the design of all payment services, products and technologies. At the same time, we also encourage a more pragmatic approach to interpreting the PSD2 to ensure its aims and potential are fully exploited.

In particular, we encourage the EDPB to:

• Revisit its approach to further data processing in the context of open Banking and clarify that legitimate interest is not excluded by default as a legal basis as long as necessary legal requirements are met. A restrictive interpretation of the notion of legitimate interest will exclude processing operations that are legitimately expected by the consumers, such as fraud detection and prevention as well as product development and improvement. It will ultimately undermine innovation in payment services.

• Provide a more nuanced approach to the processing of silent party data. The guidelines should allow data controllers to make their own independent assessment of the relevant legal basis, as well as consideration to balance data subjects’ fundamental rights and freedoms with their own or third parties’ interest. It is the responsibility of data controllers to define if and what appropriate risk mitigation measures are needed.

• Clarify in the guidelines that it is the responsibility of each data controller to undertake its own assessment and determine the scope of data minimisation in relation to the intended purposes and the risks involved. This is without prejudice to our support to the EDPB’s emphasis on privacy-enhancing measures necessary to ensure data processing complies with legal requirements.