Protecting personal data in financial and payment services: EDPS recommendations on the European Commission’s proposals
On 23 August 2023, the European Data Protection Supervisor (EDPS) issued two opinions regarding proposals aimed at regulating financial and payment services in the European Union, which were issued by the European Commission in June of this year.
The proposals, one for a regulation establishing a framework for financial data access and the other for a regulation and a directive on payment services, aim to facilitate data sharing in the financial sector while giving individuals and organisations control over their financial data.
Under these proposals, individuals and organisations would manage access to their financial data through dashboards provided by financial institutions, enabling them to monitor, restrict, or grant access to their financial information. For this to work, the EDPS emphasised the importance of providing complete, clear, and accurate information about the requesting financial service provider, the purpose of the data access, and the types of data requested.
The EDPS appreciates the efforts made by the European Commission to align the proposals with the General Data Protection Regulation (GDPR). It adds, however, that the European Commission should specify that granting “permissions” for financial data access via the proposed dashboards is not equivalent to “consent” or “explicit consent” within the strict meaning of the GDPR. Furthermore, all processing of personal data following a request for financial data access must have a valid legal basis under the GDPR.
The EDPS also makes specific recommendations for each proposal. For the financial data access framework, it suggests clearly defining the types of personal data that can be processed and excluding data obtained through individual profiling, as a way to minimise the risks to the rights and freedoms of individuals. The EDPS also welcomes the development of guidelines for processing personal data in financial services and recommends formal consultation with the European Data Protection Board to ensure compliance with the GDPR.
Regarding payment services, the EDPS recommends defining and limiting the categories of personal data processed for fraud prevention and specifying which payment services and providers can process special categories of personal data, given the likelihood of sensitive information being revealed by financial transactions.
As an advisor to the EU legislator on data protection matters, the EDPS confirms that it “will continue to monitor the development of these proposals and any additional, implementing measures envisaged”. The aim is to strike a balance between promoting data sharing in the financial sector and safeguarding individuals’ data privacy rights.
The EDPS’ press release can be found here.
Opinion on the proposal for a regulation on a financial data access framework can be accessed here.
Opinion on the proposal for a regulation and directive on payment services in the EU’s internal market can be found here.