This site would like to set some non-essential temporary cookies. Some cookies we use are essential to make our site work.
Others such as Google Analytics help us to improve the site or provide additional but non-essential features to you.
No behavioural or tracking cookies are used.
To change your consent settings, read about the cookies we set and your privacy, please see our Privacy Policy

Payments & FinTech Lawyer

Dutch Data Protection Authority reiterates request to be designated regulator for PSD2 privacy issues

The Dutch Data Protection Authority (‘DPA’) provided its opinion on the draft Implementing Decree for the transposition of the revised Payment Services Directive (‘PSD2’) into national law in the Netherlands in a letter dated 20 December 2017 to the Minister of Finance and made public on 12 January 2018. The main concern expressed by the DPA, further to its opinion of 22 August 2017 on the earlier draft Implementing Act, is that the draft Implementing Decree does not sufficiently take into account the General Data Protection Regulation (‘GDPR’) and that the DPA should be the designated regulator for enforcing PSD2 in regards to data protection related issues.

The DPA states in its latest opinion that, even though the term ‘explicit consent’ contained within PSD2 diverts from the GDPR, the process of obtaining explicit consent should still be compliant with the GDPR and therefore the DPA should be the designated regulator to enforce Article 94(2) PSD2. This latest opinion from the DPA follows an earlier opinion on the draft Implementing Act published on 22 August 2017, in which the DPA asked for clarity on the relationship between PSD2 and the GDPR, and recommended emphasising in the legislative proposal that the DPA is not bound by a judgment of the Dutch Central Bank (‘DNB’), which will issue licences under PSD2, when such a judgment relates to data protection. One of the main issues of concern of the DPA relates to the enforcement of data protection rules for payment services, given that the draft Implementing Decree places the responsibility for its enforcement with the DNB, whilst the DPA will have responsibility for enforcement of the GDPR.

The DPA’s August 2017 opinion led to several adaptions of the explanatory memorandum accompanying the draft Implementing Act, dated 23 October 2017, for example, a paragraph was added about the necessity of carrying out a Data Protection Impact Assessment (Art. 35 GDPR) in the context of applications for a licence to provide payment services. However, no changes were made to the draft Act itself. The latter was then submitted to Parliament and many points made by the DPA included in the explanatory memorandum were rebuked. “For example, the DPA had argued that, in case of inconsistency, the GDPR takes precedence over PSD2,” explain Roelien van Neck and Shima Abbady of Bird & Bird. “The Dutch legislator, however, did not consider this to be the case and stated that there is no hierarchy between European regulations and directives. In addition, the legislator stated that the lack of hierarchy leads to the consequence that both the financial regulator and the DPA could have competencies with regard to the enforcement of the implementation of PSD2 and that, at points where PSD2 forms a lex specialis to the GDPR (for example on the meaning of ‘explicit consent’), the DNB is the appropriate regulator, not the DPA. However, the legislator also acknowledged that it was not completely clear how the GDPR and PSD2 relate to each other, noting that it is desirable that both PSD2 and the GDPR are applied and interpreted as uniformly as possible throughout Europe. Therefore, the legislator stated, it would address this when more information was available.”

In an interview with Dutch newspaper Het Financieele Dagblad published on 13 January 2018, Chairman of the Dutch DPA Aleid Wolfsen, commented that the Netherlands is the only European Member State that has not placed enforcement of the privacy controls within PSD2 with the competent national data protection regulator. Wolfsen went on to stress that the data protection authorities in Europe act in partnership and if such a link is removed the system will falter. “The law must not create misunderstandings,” said Wolfsen.

“The main point to be made is that there is still a lot of debate and ambiguity as to the applicable rules and competent regulator in the Netherlands, which means that FinTech companies will have some difficulty designing the operations of their products, as well as when trying to enter the Dutch market with existing products,” said van Neck and Abbady. “As the criticisms of the DPA are very similar to the advice given earlier in reaction to the draft Implementing Act, we do not consider it likely that the legislator will make any significant changes following the DPA’s latest criticisms.” Despite the entering into force of PSD2 on 13 January 2018, the Netherlands has yet to implement PSD2 due to a delay in the preparation of the legislation.

“All in all, as the implementation of PSD2 is not yet finalised, but is expected in Spring 2018, the financial market finds itself in a state of uncertainty - which may continue after finalisation if the existing lack of clarity with regard to the relationship between PSD2 and the GDPR is not properly addressed in the meantime. For example, as there is still discussion on which regime applies (for example with regard to obtaining ‘explicit consent’), it is not completely clear how payment service providers should design their operations and which penalties will apply in case of a breach of the implementation of PSD2,” conclude van Neck and Abbady.

Search Publication Archives

Our publication archives contain all of our articles, dating back to 2006.
Can’t find what you are looking for?
Try an Advanced Search

Log in to payments & fintech lawyer
Subscribe to payments & fintech lawyer
Register for a Free Trial to payments & fintech lawyer
payments & fintech lawyer Pricing

Social Media

Follow payments & fintech lawyer on TwitterView our LinkedIn Profilepayments & fintech lawyer RSS Feed