New and innovative payment services will have to wait a little longer. The Dutch implementation of the Payment Service Directive (PSD2) continues to be postponed. The implementation deadline of 13 January 2018 was not met. Dutch newcomers to the payment market are in danger of missing the boat. What is going on?
On 14 June, Finance Minister Wopke Hoekstra notified the President of the House of Representatives that the implementation (or conversion) of the revised payment services directive (directive 2015/2366/EU; PSD2) is further delayed. The reason for the delay given by the minister was that, among other things, it is necessary to have better privacy safeguards under the directive.
Privacy and PSD2, wat is going on?
The discussion revolves around the conversion of article 94(2) of the revised directive. This article relates to data protection with regard to payment services. On the conversion of the directive, the Dutch legislator must allow the payment system and service providers to process personal data where this is necessary for the prevention of, the investigation into and the detection of payment fraud. Payment service providers may only obtain access to the personal data required for the offering of their payment services, and process and store these, with the express permission of the payment service user.
The Dutch conversion of this article is based on the Financial Supervision Act (‘Wft’), meaning (briefly) that De Nederlandsche Bank (DNB) is charged with the supervision of the processing of personal data under PSD2. In a response to the minister on 20 December 2017, the Dutch Data Protection Authority (‘AP’) indicated that this is contrary to the divisions of powers under the General Data Protection Regulation (GDPR). On the basis of the GDPR, the AP is the appointed supervisory authority.
The AP thus argues for a consistent application of the rules on data protection in the context of payment services. According to the AP, in view of European harmonisation, the supervision should be allocated to them. The minister hopes to address this issue in the near future.
Update 19 June 2018: DNB and AP have come to an agreement. Privacy supervision under PSD2 will become the responsibility of the AP. DNB was assigned this responsibility in the original proposal.
Discussions relating to PSD2
It is clear that the implementation of PSD2 will require some tidying up. The privacy issue is not the only matter that is, or has been, a topic of discussion. For instance, the following other ‘issues’ occurred:
- In the relationship between PSD2 and the GDPR, how is the sharing of payment details of third parties (who have not given explicit permission) dealt with? Read more on this from page 16 of Samenspraak (April 2018).
- When obtaining payment details, must payment services use protected environments or can they use ‘screen scraping’? On this issue, the European supervisory body has stated that screen scraping is not permitted. Read more on this in the FD.
By Rick Sanders