Data Protection Explicit Consent vs Payment Service Explicit Consent

When you’re providing payment services, you’ll need to get the customer’s explicit consent - it means different things for data protection and payment services and can get confusing.

I've broken it down for Payment Initiation Services (PISPs) below, into plain English and in less than 500 words!


If you need legal support when building your open banking products - contact me at frances@turtlelaw.com, I’d love to chat!


Data Protection

1. Applicable law

Companies must use personal data in compliance with the General Data Protection Regulation (2016/679, known as GDPR) for the EU, and the UK GDPR and the Data Protection Act 2018 for the UK. 

Consent is one of the six lawful grounds for processing customer data. The six grounds are: 1) consent, 2) contract, 3) legal obligation, 4) vital interests, 5) public task and 6) legitimate interest. Payment Initiation Providers (PISPs) process personal data under the legal ground of 2) contract when they only use the data to provide their initiation service.

2. Explicit Consent

The threshold for valid consent is high. Consent must be freely given, specific, fully informed, unambiguous, and capable of being withdrawn. Explicit consent is not defined in legislation but generally refers to the way consent is expressed: it must be a very clear and specific statement.

Explicit consent can be used to process special category data, automate decision-making and transfer data overseas.

3. EU and UK Guidance

The European Data Protection Board’s view is that explicit consent under the GDPR refers to the way consent is expressed and individuals should give an express statement of consent for specific processing purposes. 

The Information Commissioner’s Office’s view is that explicit consent must be expressly confirmed in words.

4. In-App Text Example

“By ticking the box below I consent to you using data (x) for reason (y).”


Payment Services - Payment Initiation Services (PISPs)

1. Applicable law

In the EU, payment activities must be provided in compliance with the revised Payment Services Directive (2015/2366, known as PSD2). PSD2 was implemented into UK law through the UK Payment Services Regulations 2017 (UK Payments Regulations). 

PSD2 introduced and regulates Payment Initiation Services (PISPs); they initiate payments from a customer’s payment account held at another payment service provider (e.g. their bank).

2. Explicit Consent

The UK Payments Regulations provide that PISPs should:

  • initiate payments with explicit consent

  • only share customer information with the payee, and only with explicit consent

  • only process personal data that is necessary to provide their services, and only with explicit consent.

3. EU and UK Guidance

The European Data Protection Board’s view is that the explicit consent referred to in PSD2 is a contractual consent, distinct from and additional to “consent” under the GDPR. Individuals should be fully aware of the personal data processed and the purpose. These clauses should be clearly distinguishable and explicitly accepted.

The FCA’s view is that customers should have the information needed to make an informed decision, understand what they are consenting to, and the consent should be clear and specific.

4. In-App Text Example

“By tapping ‘pay’ I agree to the (PISP) terms and conditions, including how my data will be used in section (x).”
