Out-Law / Your Daily Need-To-Know

Dutch data watchdog: PSD2 consent must be obtained 'separately'

Out-Law News | 02 Nov 2018 | 3:09 pm | 1 min. read

Third parties seeking access to payment account information held by banks must distinguish their requests to process customer data from broader requests for acceptance of the terms and conditions for their payment services, the Dutch data protection authority has said.

Explicit consent to the processing of that personal data must be gathered "separately", such as by using online 'pop ups', the Autoriteit Persoonsgegevens said in recently published guidance.

Banks and other 'account servicing payment service providers' (ASPSPs) are required to enable 'account information service providers' (AISPs) and 'payment initiation service providers' (PISPs) to access the payment account information they hold under certain circumstances under the EU's second Payment Services Directive (PSD2).

A privacy safeguard hard-wired into PSD2 is that AISPs' and PISPs' access to the customer data is only to be granted by ASPSPs if the third parties have obtained the explicit consent of customers.

In June, the European Banking Authority (EBA) confirmed that ASPSPs do not need to double-check that their customers have given their explicit consent to third parties to access the data before facilitating access. The following month, the European Data Protection Board (EDPB), of which the Autoriteit Persoonsgegevens is a part, explained that consent will not always be needed by payment service providers to process the data of 'silent parties' when providing an AIS or PIS.

Now the Autoriteit Persoonsgegevens has provided further clarity on what is required of AISPs and PISPs in the consent process.

"The requirement of explicit permission implies, among other things, that a payment service provider requests permission from someone else to access his or her personal data separately from the other parts of an agreement," the Autoriteit Persoonsgegevens said.

"Tacit consent or questions to agree to the terms and conditions of your payment service do not suffice. In any case, you must ensure that the consumer expressly agrees with the access to his or her personal data separately from the other parts of the agreement. For example, in a digital environment this can take the form of a separate window ... such as a pop-up or a checkbox in a dialogue. The consumer can then indicate that he gives permission for access to his or her personal data," it said.

Angus McFadyen, an expert in payment services law at Pinsent Masons, the law firm behind Out-Law.com, said that the position taken by the Dutch watchdog was a reasonable interpretation of the 'explicit consent' requirements in PSD2.

"Well-designed AIS products do this already and it can easily be built into the user journeys," McFadyen said. "The point highlighted by the regulator is more likely designed to address the risk of merchants and others that provide PIS seeking to benefit from account information that could be accessed as part of completing a payment transaction."