The Netherlands tackles uncertainties around PSD2 consent and GDPR
Third-party service providers seeking access to account information
held by banks cannot bundle requests to process customer data into
broader requests for acceptance of the terms and conditions of their
payment services, according to the Dutch data protection authority.
The Dutch Personal Data Authority provided guidance that explicit
consent for the processing of personal data must be gathered
“separately”. Under the EU’s revised Payment Services Directive (PSD2),
banks are required, subject to certain conditions, to give account
information service providers (AISPs) and payment initiation service
providers (PISPs) access to account information.
The European Banking Authority (EBA) confirmed that banks do not need
to double-check that consent has been given to third parties to access
data before allowing access. The European Data Protection Board (EDPB)
confirmed this, explaining that consent will not always be needed by
payment service providers to process data.
The Dutch Personal Data Authority commented on the consent issue:
“Tacit consent or questions to agree to the terms and conditions of
your payment service do not suffice. In any case, it is necessary to
ensure that the consumer expressly agrees with the access to his or
her personal data separately from the other parts of the agreement.
For example, in a digital environment this can take the form of a
separate window … such as a pop-up or a checkbox in a dialogue. The
consumer can then indicate that he or she gives permission for access
to his or her personal data”.
In October, Dutch Personal Data Authority guidance on PSD2 pointed out
that the required consent is an additional protection imposed by
PSD2 and not a legal basis for the processing of personal data under
the EU’s General Data Protection Regulation (“GDPR”). Under GDPR
data processing is not just based on consent, but also on principles
such as necessity, compliance and legitimacy. The Dutch parliament has
highlighted seeming overlaps or even contradictions between PSD2 and
GDPR. Months of debate occurred on the question of whether the
National Bank or Dutch Personal Data Authority would have authority
over banking data processing. Ultimately it was decided that banking
data protection authority would rest with the Dutch Personal Data
Authority at least for Article 94 of PSD2 and be conducted in
coordination with the National Bank.
PSD2 was debated in September by the Dutch parliament. During the
chamber discussion lawmakers proposed the idea of a consent dashboard
to help customers manage the access permissions given to third-party
providers. Erik Ronnes of the Christian Democratic Appeal Party
enquired whether banks could be obliged to provide a dashboard for online
and mobile banking that shows all of the third-party access permissions
given by the customer. Finance Minister Wopke Hoekstra commented that
requiring banks to implement a dashboard went beyond the scope of PSD2
but suggested the idea could indeed be beneficial for banks and their
customers. Hoekstra also pointed out that regulators have worked to
remove any basis for obstructing customers from giving permissions to
third-party providers, and that banks should not intervene negatively
in the consent process.
Previously, Dutch retail bank Volksbank reportedly suggested it would
create a consent “switch” which consumers would need to turn on before
giving access to any third-party applications. Such a provision may not
be in line with the provisions of PSD2 designed to encourage the
development of external apps for customer use.