In June 2020, the European Data Protection Board (EDPB) issued a set of guidelines designed to clarify how entities operating according to the principles set out in PSD2 should deal with their obligations under the General Data Protection Regulation (GDPR).
In principle, that’s a good thing. The clearer responsibilities and operating parameters are, the easier it is for everyone involved to serve customers and minimise risk. Unfortunately, in this case there is a significant gap between theory and practice.
Many of the guidelines seem to be based on a fundamental misunderstanding of the business models of third-party providers (TPPs) and how they operate. Part of the reason is that TPPs were not part of the consultation exercise the EDPB used to shape the new guidelines.
From the banks’ perspective, the guidelines would also create significant issues: many, if not all, payments could no longer be made, with or without the involvement of a TPP. That’s why, for the first time in their history, Europe’s banks and the European Third Party Providers Association (ETPPA) have joined forces to write a joint letter to the EDPB, asking it to restart the consultation process, including all relevant stakeholders, and then to redraft the guidelines.
“As well as being co-signed by the ETPPA and all three European bank associations, the letter is also endorsed by the Electronic Money Association, the European Payment Institutions Federation and other relevant industry bodies,” said Ralf Ohlhausen, vice-chair of the ETPPA and Executive Advisor at PPRO. “I don’t think I have ever seen such a broad alliance before, basically representing the whole of the European payments industry. That reflects how important it is to get these guidelines redrafted.”
Read the joint letter here.