28.9.2011   

EN

Official Journal of the European Union

C 284/1

1.

On 16 December 2010, the Commission adopted a proposal for a Regulation of the European Parliament and of the Council establishing technical requirements for credit transfers and direct debits in euros and amending Regulation (EC) No 924/2009 (hereinafter ‘the Proposal’).

2.

The Proposal was sent by the Commission to the EDPS on 3 January 2011. The EDPS understands this communication as a request to advise Community institutions and bodies, as foreseen in Article 28(2) of Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (hereinafter ‘Regulation (EC) No 45/2001’). Previously (3), before the adoption of the Proposal, the EDPS was given the possibility by the Commission to provide informal comments. The EDPS welcomes the openness of the process, which has helped to improve the text from a data protection point of view at an early stage. Some of those comments have been taken into account in the Proposal. The EDPS would welcome an explicit reference to the present consultation in the preamble of the Proposal.

3.

Since the establishment of the European Economic Community there has been a progressive movement towards a more integrated European financial market. In the field of payments, the most evident steps were the launch of the euro as common currency in 1999 and the entering into circulation of euro banknotes and coins in 2002.

4.

However, to date, low-value non-cash euro payments (up to EUR 50 000) are still handled and processed in many different ways across the EU. As a result, fees for making cross-border payments within the EU are on average higher in comparison with those for domestic payments. A European regulation on cross-border payments in euro (Regulation (EC) No 2560/2001) stipulated, among other things, that payment fees could no longer be higher for cross-border euro payments within the EU than for corresponding domestic euro payments. As a reaction to this Regulation, in 2002 the European banking industry created the European Payments Council (‘EPC’), which constituted the coordination and decision-making body for payment issues, and launched the project of the Single Euro Payments Area (‘SEPA’). In 2009, Regulation (EC) No 924/2009 replaced Regulation (EC) No 2560/2001 and extended the principle of equality of charges to direct debit payments, which became available on a cross-border basis as from November 2009.

5.

Furthermore, Directive 2007/64/EC (the ‘Payment Services Directive’) aims at harmonising national laws related to payments in the European Union. The target is to establish standardised conditions and rights for payment services and to make cross-border payments as easy, efficient and secure as ‘national’ payments within a Member State. The Payment Services Directive also seeks to improve competition by opening up payment markets to new entrants.

6.

SEPA aims at establishing a single market for retail euro payments by overcoming the technical, legal and market barriers stemming from the period prior to the introduction of the single currency. Once SEPA has been completed, there will be no difference between national and cross-border euro payments: they will all be domestic. SEPA covers not only the euro area, but the whole of the European Union (EU), as well as Iceland, Liechtenstein, Monaco, Norway and Switzerland. This means that communities outside the euro area can adopt SEPA standards and practices for their euro payments.

7.

The Proposal applies to credit transfers and direct debits. Credit transfer is a payment initiated by the payer, who sends an instruction to his or her bank. Accordingly, the bank moves the funds to the payee's bank. This can happen via several intermediaries. In case of direct debits, the payer pre-authorises the payee to collect funds from his or her bank account. The payer therefore provides a ‘mandate’ to his or her bank to transfer funds to the payees' account. Direct debits are often used for recurring payments, such as utility bills, but can also be used for one-off payments. In this case, the payer authorises an individual payment.

8.

The introduction and development of SEPA involves several data processing operations: names, bank account numbers, content of contracts need to be exchanged directly between payers and payees and indirectly through their respective payment service providers in order to guarantee a smooth functioning of the transfers. With this purpose, the Proposal also includes an Article on ‘Interoperability’, which supports the creation of standard rules for national and cross-border transactions, and explicitly declares that no technical obstacles should hinder the processing of credit transfers and direct debits. The various economic operators involved in the activities covered by the Proposal are subject to the different national laws implementing Directive 95/46/EC.

9.

The EDPS highlights that exchange and processing of personal data related to payers and payees and with the various payment services providers must respect the principles of necessity, proportionality and purpose limitation. The passing along of the data through the various intermediaries must also respect the principles of confidentiality and security of the processing, in compliance with Articles 16 and 17 of Directive 95/46/EC.

10.

The Proposal also introduces a new role for national authorities competent to monitor compliance with the Regulation and take all necessary measures to ensure such compliance. While this role is fundamental to guarantee an effective implementation of SEPA, it also might involve broad powers to further process personal data of individuals by the authorities. Also in this area, access by the national competent authorities to personal data must respect the principles of necessity, proportionality and purpose limitation.

11.

Although the Proposal should not introduce too detailed provisions on the respect of the data protection principles, which is guaranteed by the applicability to any of the processing operations of the national laws implementing Directive 95/46/EC, the EDPS suggests some improvements in the text with the aim of clarifying it.

12.

The EDPS welcomes the mentioning of Directive 95/46/EC in recital 26 of the Proposal. However, in order to reflect the fact that the various national laws implementing such Directive are the appropriate references, and to emphasise that any data processing operation must be carried out in accordance with the implementing rules, the text of the recital could be modified as follows: ‘Any processing of personal data performed pursuant to this Regulation shall be in conformity with the relevant national laws implementing Directive 95/46/EC’.

13.

Article 6 of the Proposal introduces a prohibition of the introduction of multilateral interchange fees (4) per direct debit transaction or other remuneration with an equivalent object or effect. Furthermore, for direct debit transactions which cannot be properly executed by a payment service provider (rejected, refused, returned or reversed operations, the so-called ‘R-transactions’), a multilateral interchange fee may be applied provided that a number of conditions are respected.

14.

Article 8 of the Proposal introduces obligations for the payer using credit transfer and a payee using direct debits. A payer cannot refuse to make credit transfer to payment accounts with payment service providers which are located in another Member State and which are reachable (5) according to the requirement of Article 3. A payee who receives funds on his or her payment account from other accounts with payment service providers located in the same Member State cannot refuse to receive direct debits from payment accounts with payment service providers located in another Member State.

15.

Article 9 of the Proposal requires Member States to designate the competent authorities responsible for ensuring compliance with the Regulation. These authorities shall have all the powers necessary to perform their duties, and shall monitor compliance and take all necessary measures to ensure such compliance. Furthermore, Article 9(3) provides that, when more than one authority is competent for matters covered by the Regulation on its territory, Member States should ensure that those authorities cooperate closely in order to discharge their duties effectively. Article 10 introduces an obligation for Member States to lay down rules on penalties applicable to infringements of the Regulation and to ensure their implementation. Penalties shall be effective, proportionate and dissuasive.

16.

On the basis of these Articles, national authorities will have the power to monitor possible infringements of all the obligations included in the Proposal, and to apply penalties, including penalties connected to the obligation of Articles 6 and 8. This power has a potentially broad impact on the privacy of individuals from the perspective of data protection: the authorities might have generalised access to information on any transfer (whether by credit transfer or by direct debit) of funds between individuals to check whether multilateral interchange fees are unlawfully charged or any refusal is opposed, contrary to the obligations of Articles 6 and 8. Such power involves processing of personal data (names of the natural persons involved, their bank account numbers and the amounts of the funds to be received or transferred).

17.

Although any such processing of personal data should be in conformity with the national rules implementing Directive 95/46/EC, the EDPS wishes to emphasise that the monitoring obligation should already be assessed in the Proposal in light of the proportionality and necessity principle enshrined in Directive 95/46/EC (Article 6(1)(c)). In this respect, when considering in particular Articles 6 and 8, in the EDPS' view it would be more proportionate to introduce a system by which the competent authorities' processing of personal data is triggered only on a case-by-case basis. This would mean that the intervention of the authority — and therefore the processing of personal data of a certain payer and/or payee — would be mainly activated when there is a specific reason, such as in case a complaint against an infringement of Articles 6 or 8 is submitted by a payer or payee, or in the context of a targeted own initiative enquiry, possibly on the basis of information provided by a third party.

18.

The effectiveness of the control on compliance would be guaranteed by putting in place a mechanism which allows a complainant to submit the complaint or a third party to submit information and quickly obtain the authority's reaction, possibly an order to the other party to abide by the obligations of Articles 6 and 8. In fact, the Proposal already introduces in Article 11 rules on adequate and effective out-of-court complaint and redress procedures for the settlement of disputes between payment service users and their payment service providers (which covers the case of Article 6). In order to encourage compliance with the obligations of Article 8 without introducing broad generalised access to personal data by national authorities, the EDPS suggests that the provision of Article 11 also covers disputes between payers and payees.

19.

The EDPS also notes that the monitoring activities can involve transfers of personal data between competent national authorities of different Member States in the context of the ‘close cooperation’ mentioned in Article 9(3). Given the broad powers attributed to the national authorities for the purpose of monitoring the compliance with the Regulation (and even in case the limitations related to Articles 6 and 8 suggested above were introduced), the EDPS suggests that the text explicitly mentions that any transfer of personal data between them must respect relevant data protection principles. In particular, such transfers should not be carried out in bulk, but only in relation to specific cases where there is already a prima facie suspicion of a possible infringement of the Regulation. Therefore, the following sentence could be added to Article 9(3): ‘Transfers of personal data between competent authorities in the context of such close cooperation shall only take place on a case-by-case basis when there is a reasonable suspicion of an infringement of the Regulation and respecting the principles of necessity, proportionality and purpose limitation’.

20.

The Annex to the Proposal establishes the technical requirements that have to be respected for credit transfers and direct debits pursuant to Article 5 of the Proposal. The aim of introducing these requirements is to have harmonised identification and communication formats to guarantee the interoperability of the credit transfer and direct debit operations among Member States.

21.

In this context, processing of personal data by the intermediaries (the payment service providers) occurs in various occasions (6):

22.

Although any processing of personal data has to respect the relevant national laws implementing Directive 95/46/EC, the draft Proposal only mentions that transfers in relation to situation a) above shall be provided ‘in accordance with the obligations laid down in the national law implementing Directive 95/46/EC’. To avoid any misinterpretation, the EDPS suggests that such reference to the Directive should be included also in relation to Articles 3(b) and 3(g). Alternatively, should the text of recital 26 be modified according to the suggestion indicated above, the wording of Article 2(b) could exclude the reference to Directive 95/46/EC.

23.

The EDPS welcomes the specific reference in the Proposal to Directive 95/46/EC. However, he suggests some minor modifications in the text in order to clarify the applicability of the data protection principles to the processing operations covered by the Proposal. In particular: