Interchange fees for card-based payment transactions
2013/0265(COD) - 05/12/2013
Opinion of the European Data Protection Supervisor on a Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market amending Directives 2002/65/EC, 2006/48/EC and 2009/110/EC and repealing Directive 2007/64/EC, and for a Regulation of the European Parliament and of the Council on interchange fees for card-based payment transactions.
The EDPS welcomes the introduction in Article 84 of a substantive provision stating that any processing of personal data taking place in the frame of the proposed Directive should be done in full respect of the national laws implementing Directive 95/46/EC and Directive 2002/58/EC, and of Regulation (EC) No 45/2001.
It recommends that:
- references to applicable data protection law should be specified in concrete safeguards that will apply to any situation in which personal data processing is envisaged;
- it should be clarified expressly in the proposed Directive that the processing of personal data may be carried out only insofar as it is necessary for the performance of payment services;
- a substantive provision should be added stating the obligation that privacy by design/privacy by default be embedded in all data processing systems developed and used in the frame of the proposed Directive;
- regarding exchanges of information, the proposed Directive should (i) state the purposes for which personal data can be processed by national competent authorities, the EU central bank, the national central banks and the other authorities, (ii) specify the kind of personal information that can be processed under the proposed Directive and (iii) fix a proportionate data retention period for the processing or at least introduce precise criteria for its establishment;
- a requirement should be introduced for competent authorities to request documents and information by formal decision, specifying the legal basis and the purpose of the request, what information is required, and the time limit within which the information is to be provided;
- in the case of the term "availability of sufficient funds", it should be made clear that the information transmitted to the third party consists of a simple yes or no answer to the question whether sufficient funds are available, and not, for example, a statement of the account balance;
- the processing of personal data, and their passing along through the various intermediaries, should respect the principles of confidentiality and security;
- a substantive provision should be added to the proposed Directive with the obligation that standards are developed on the basis of, and after having conducted, privacy impact assessments;
- a reference should be included as regards the need to consult the EDPS in so far as the EBA guidelines on state of the art customer authentication and any exemption of the use of strong customer authentication concern the processing of personal data.