Upcoming European open finance and payment services laws close to passing their first privacy test

By Anne-Sophie Morvan (Chief Commercial Officer, LUXHUB) and Sigrid Heirbrant (Senior Associate, NautaDutilh Avocats Luxembourg).
Open Finance can be defined as “the sharing, access and reuse of personal and non-personal data for the purposes of providing a wide range of financial services”. Public trust in granting access to data, particularly personal data, is therefore essential to the success of Open Finance. This is why the European Commission has taken specific precautions when drafting its recently released proposals for the PSD2 review and the FiDA framework. These precautions have been scrutinised by the European Data Protection Supervisor (“EDPS”), which concludes that the proposals are heading in the right direction, even though it suggests some amendments.
Open Banking, a component of Open Finance, was already formally introduced in the European Union (EU) by the second Payment Services Directive (PSD2) and its Regulatory Technical Standards (RTS), which became applicable in 2019. Under this framework, payment account holders can ask a regulated third party to initiate a payment from, or access data on, the payment accounts they hold at a bank. Existing and new Open Banking service providers have been offering their services over the past few years, and various limitations of the PSD2 framework have come to light. The European Commission assessed the impact of PSD2 and decided to review the framework. On 28 June 2023, the Commission published proposals for a third Payment Services Directive (“PSD3”) and a Payment Services Regulation (“PSR”), as well as a proposal for a regulation on financial data access (“FiDA”) that extends financial data sharing beyond payment accounts (together, the “Proposals”).
As the data protection advisor to the EU institutions and bodies, the EDPS has been consulted for its opinion on the Proposals. Although consulting the EDPS is mandatory for legislative proposals that may affect the protection of personal data, its opinion is, strictly speaking, not legally binding on the European legislators.