EU: EDPS issues opinion on proposed regulations and directive for payment services
On August 22, 2023, the European Data Protection Supervisor (EDPS) published its Opinion 39/2023 regarding the Proposal for a Regulation on payment services within the internal market (the PSR Proposal) and the Proposal for a Directive on payment services and electronic money services (the PSD3 Proposal) (together, the Proposals).
The EDPS positively acknowledged the PSR Proposal's provision mandating account servicing payment service providers (ASPSPs) to equip users with a dashboard to oversee and control granted permissions. To further mitigate risks of unsanctioned personal data dissemination by ASPSPs, the EDPS advised:
- incorporating references in the dashboard to particular payment services that the user has permitted;
- restricting access requests to what is needed to provide the specific service;
- providing clear information regarding the legal basis for access requests; and
- allowing ASPSPs to verify permissions given by the payment service user or to implement suitable alternative protective measures in the PSR Proposal.
Notably, the EDPS recommended that the granting of 'permission' to access financial data in Recital 62 of the PSR Proposal should not be equated to granting consent as defined in the GDPR. In conclusion, the EDPS highlighted that collaboration between authorities responsible under the Proposals and those overseeing data protection would align the Proposals' application and their enforcement with EU data protection laws. As such, the EDPS suggested that authorities in charge of data protection law supervision and enforcement should be directly mentioned in Article 93(3) of the PSR Proposal.