PSD2 and GDPR, a watershed moment for digital regulation
In Europe, 2018 has been off to a busy start in terms of regulation, with major changes that affect a broad range of industries, including the financial sector. First, in January, the second payment services directive (PSD2) came into force, while the new general data protection regulation (GDPR) will enter into force on May 25. Although the connection between the two regulatory initiatives may not be evident, they pursue common goals: to allow citizens to control their personal data and to increase security.
What are the essential differences between both regulations?
- PSD2 is a directive and GDPR a regulation. Directives are binding legal acts establishing goals that all EU countries must meet, but they need to be transposed into national law. Regulations, on the other hand, are binding legal acts that must be applied in their entirety, without local interpretation. Regulations become immediately enforceable as law in all member states as soon as they enter into force (in some cases with transition periods).
- PSD2 requires banks to grant access to third-party payment service providers, while under GDPR data is ported from any business to the user, or to whichever company he/she designates. PSD2 will require banks to allow payment service providers registered with the Bank of Spain, including banks, to access information on customer payment accounts, subject to authorization by the pertinent account holder. Under GDPR, on the other hand, customers can freely choose to share (i.e. port) the personal data collected and stored by the institutions they deal with to any company they choose. In both cases, access happens upon request by the owner of the data, the individual.
- PSD2 applies to the financial sector and GDPR to all sectors. PSD2 regulates third-party access to payment transaction data collected and stored by banks. GDPR affects transaction-related data across all industries. In the banking sector, for example, it will affect data on all product-related transactions; for telcos, it will affect all data stored on calls, SMS, traffic or geolocation; and for merchants, detailed shopping-related data.
- Under PSD2, data controllers need to provide access to data in real time; under GDPR, on a deferred basis. Under GDPR, companies have one month from the time the request is submitted to deliver the data in a structured, commonly used, machine-readable format. GDPR regulates the so-called right to data portability, one of the key amendments introduced by this regulation, along with the right of access and the right to be forgotten.
Both have something in common: customers have to explicitly grant their consent (regulated by GDPR) to authorize third parties to access their data (PSD2) or to request its portability (GDPR).