
Document 52014XX0208(05)

Executive Summary of the Opinion of the European Data Protection Supervisor on a Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market amending Directives 2002/65/EC, 2006/48/EC and 2009/110/EC and repealing Directive 2007/64/EC, and for a Regulation of the European Parliament and of the Council on interchange fees for card-based payment transactions

OJ C 38, 8.2.2014, p. 14–15 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
OJ C 38, 8.2.2014, p. 10–11 (HR)

(The full text of this Opinion can be found in English, French and German on the EDPS website http://www.edps.europa.eu)

(2014/C 38/07)

1.   Introduction

1.1.   Consultation of the EDPS

1. On 27 July 2013, the Commission adopted a draft proposal for a Directive of the European Parliament and of the Council on payment services in the internal market amending Directives 2002/65/EC, 2006/48/EC and 2009/110/EC and repealing Directive 2007/64/EC (the proposed Directive), and for a Regulation of the European Parliament and of the Council on interchange fees for card-based payment transactions (1). These proposals were sent to the EDPS for consultation on 28 July 2013.

2. The EDPS welcomes the fact that he is consulted by the Commission and welcomes the fact that a reference to this Opinion has been included in the preamble of the instruments.

3. Before the adoption of the proposed Regulation, the EDPS was given the possibility to provide informal comments to the Commission. Some of these comments have been taken into account. As a result, the data protection safeguards in the proposed Regulation have been strengthened.

4. As the proposal for a Regulation does not raise any issues from a data protection point of view, the EDPS will concentrate his comments on the proposed Directive.

1.2.   Objectives and scope of the proposed Directive

5. The aim of the proposed Directive is to help develop further an EU-wide market for electronic payments, which will enable consumers, retailers and other market players to enjoy the full benefits of the EU internal market, in line with Europe 2020 and the Digital Agenda. To achieve this and promote more competition, efficiency and innovation in the field of e-payments, the Commission states that there should be legal clarity and a level playing field, leading to downward convergence of costs and prices for payment service users, more choice and transparency of payment services, facilitating the provision of innovative payment services and ensuring secure and transparent payment services.

6. The Commission claims that these objectives will be achieved by updating and complementing the current framework on payment services, providing for rules that enhance transparency, innovation and security in the field of retail payments and improving consistency between national rules, with an emphasis on the legitimate needs of consumers.

3.   Conclusions

The EDPS welcomes the introduction in Article 84 of a substantive provision stating that any processing of personal data taking place in the frame of the proposed Directive should be done in full respect of the national laws implementing Directive 95/46/EC and Directive 2002/58/EC, and of Regulation (EC) No 45/2001.

The EDPS recommends that:

references to applicable data protection law should be specified in concrete safeguards that will apply to any situation in which personal data processing is envisaged.

it should be made clear in the draft Directive that the provision of payment services might entail the processing of personal data.

it should be clarified expressly in the proposed Directive that the processing of personal data may be carried out insofar that it is necessary for the performance of payment services.

a substantive provision is added stating the obligation that ‘privacy by design/privacy by default’ be embedded in all data processing systems developed and used in the frame of the proposed Directive.

regarding exchanges of information, the proposed Directive should (i) mention the purposes for which personal data can be processed by national competent authorities, the EU central bank, the national central banks and the other authorities referred to in Article 25, (ii) specify the kind of personal information that can be processed under the proposed Directive and (iii) fix a proportionate data retention period for the processing or at least introduce precise criteria for its establishment.

a requirement should be introduced in Article 22 for competent authorities to request documents and information by formal decision, specifying the legal basis and the purpose of the request, what information is required and the time-limit within which the information is to be provided.

it is introduced in Article 31 that the modalities set forth as regards the provision of information to users also apply to the provision of information about the processing of personal data pursuant to Articles 10 and 11 of Directive 95/46/EC.

in the case of the term ‘availability of sufficient funds’ in Articles 58 and 59 it is made clear that the information transmitted to the third party should consist in a simple ‘yes’ or ‘no’ answer to the question whether there are sufficient funds available — not in, for example, a statement of the account balance.

in the case of the term ‘sensitive payment data’ in Article 58 that the word ‘sensitive’ is deleted and that the term ‘payment data’ is used instead.

it should be clarified in a recital that the security incidents reporting obligations are without prejudice to other incident reporting obligations set forth in other legislation, in particular the personal data breaches requirements set forth under data protection law (in Directive 2002/58/EC and in the proposed General Data Protection Regulation) and the security incidents notification requirements planned under the proposed Directive on network and information security.

it must be ensured that the processing of personal data, and their passing along through the various intermediaries, respect the principles of confidentiality and security in compliance with Articles 16 and 17 of Directive 95/46/EC.

a substantive provision is added to the proposed Directive with the obligation that standards are developed on the basis of, and after having conducted, privacy impact assessments.

a reference should be included in the proposed Directive to the need to consult the EDPS in so far as the EBA guidelines on state of the art customer authentication and any exemption of the use of strong customer authentication concern the processing of personal data.

Done at Brussels, 5 December 2013.

Giovanni BUTTARELLI

Assistant European Data Protection Supervisor


(1)  COM(2013) 547 final and COM(2013) 550 final.