The payments industry is no stranger to the increasing reach of regulation. With the EU Regulation on interchange fees for card-based payment transactions having come into force earlier this year, and final approval of the EU’s revised Directive on Payment Services (PSD2) expected shortly, what was once a lightly regulated industry is decidedly no longer so.
New regulatory impacts on the industry will likely continue, as the second half of 2015 is shaping up to be a momentous period for European privacy and data protection regulation – write Jon Filipek and Richard Willis, Alston & Bird LLP.
One of the most important EU legislative initiatives in recent years, the General Data Protection Regulation (GDPR) was proposed by the European Commission in January 2012 and endorsed with amendments by a majority of the European Parliament in March 2014.
Currently, the GDPR is immersed in the so-called ‘trilogue’ between the Commission, the Parliament and the EU Council of Ministers to reach agreement on a final text. Those discussions appear to be moving forward with deliberate speed: the Parliament’s lead negotiator recently reported that the institutions had reached agreement on a substantial portion of the legislation and that completion of the GDPR before the end of 2015 was “very realistically possible.”
Accordingly, it is a fitting moment for the payments industry to refocus attention on European privacy regulation, in view of the substantial changes the GDPR will introduce regarding compliance obligations, sanctions for non-compliance, and liability (including joint and several liability) for damages arising from the non-compliant processing of personal data.
Bird’s-eye view of the GDPR
The GDPR, if enacted, will replace the 1995 Data Protection Directive. The Directive was intended to harmonise national privacy laws, but in practice it produced a highly fragmented system in which compliance requirements vary by Member State because of inconsistent national implementation and interpretation.
The core concept of the Commission’s GDPR proposal was that EU privacy regulation should proceed from ‘a single set of rules’ which would be administered on the basis of a ‘one-stop-shop.’ A company, including a multinational, would be subject to the pan-EU rules of the GDPR and supervised by only one privacy regulator, the national data protection authority (DPA) of the Member State where it had its main establishment.
While this premise is likely to be diluted in the final text, the GDPR should nevertheless bring about a substantially more harmonised framework for EU data protection, and thus simplify, in certain respects, compliance for payment industry businesses that operate in multiple European jurisdictions.
And now for some bad news…
Clearly, however, harmonisation will come at the price of more stringent compliance. For example, businesses will be required to provide more information about how personal data will be processed, including, potentially, the third parties to whom data will be disclosed, the third countries to which data will be transferred, the information security measures applied, and the rights of data subjects. To process personal data on the basis of consent, the data subject’s consent must be express and affirmative, rather than implicit or tacit, and it must be distinguished, or set apart, from other contract terms. As a result, issuers, acquirers, merchants and other payment industry participants will need to review their customer materials and revise them accordingly, recognising that the industry has often relied on ‘deemed’ or ‘course of conduct’ consent.
More significantly, the GDPR will introduce requirements that are entirely new or were previously applied only in particular Member States or to particular industries. Central to the GDPR are new ‘accountability’ obligations requiring businesses to be able to demonstrate compliance with the GDPR.
These include the maintenance of documentation describing processing operations, and the conduct of privacy impact assessments for processing that poses specific risks. The GDPR will also require the appointment of a data protection officer (DPO), depending on factors such as the number of people employed by the business or the invasiveness of data processing.
Notification of security breaches
The GDPR’s most dramatic new obligation is an EU-wide breach notification requirement. Under current EU data protection rules, only providers of public ‘electronic communications services,’ such as telecommunications and internet service providers, are required to notify security breaches. Beyond that sector, the position varies by jurisdiction: in some Member States national rules require a wider range of breaches to be notified (e.g. Austria, Germany), while in others the national data protection authorities (DPAs) merely recommend notification (e.g. Belgium, France, Ireland, Italy, Spain, UK).
The GDPR’s breach notification requirement will apply across the EU to companies in all business sectors. Although they differ on particular points, the Commission, the Parliament and the Council all agree that national supervisory authorities and data subjects likely to be adversely affected should be notified of security breaches.
The payments industry will continue to be a target for hackers given the value of payment card details, and this threat seems to be ever-increasing in scope and sophistication. Accordingly, in addition to ensuring that appropriate information security measures are in place, all players in the industry will need to define and document an incident response plan in advance, where notification is one but not the only item addressed.
Fines proportionate to global turnover will inevitably elevate privacy on the corporate compliance agenda. Although the Commission will not have the power to sanction data protection infractions under the new regime, the DPAs will be empowered to impose the fines set forth in the GDPR at extraordinarily high levels — currently proposed, in the Parliament’s text, at up to €100 million or 5 percent of worldwide turnover — depending on the nature, gravity, duration, and intentional or negligent character of the infringement.
The adequacy of the information security measures protecting personal data against unauthorised access will also influence the penalties assessed.
A new regime for third-party processors?
Apart from introducing new compliance requirements, the GDPR also fundamentally overhauls EU privacy regulation by creating new obligations, potential sanctions and other liabilities for data ‘processors’.
In general terms, ‘processors’ are outsourced service providers (e.g. merchant acquirers and other third-party processors) that handle data on behalf of businesses, performing services such as data storage, payroll administration or payment processing. Under the current Data Protection Directive, compliance is squarely the responsibility of the data controller, the business that hires and uses the data processor.
In contrast, under the GDPR, the processor will have express responsibility, along with the controller, to ensure that appropriate information security measures are in place to address the risks presented by processing the data.
Furthermore, the GDPR will make processors directly liable for harm caused by processing. Although the EU institutions differ on the particulars, the GDPR will provide that compensation for damages caused by harmful or non-compliant processing may be sought from either the controller or the
Indeed, the Parliament’s text of the GDPR would establish joint and several liability where more than one controller or processor is involved, unless the parties have agreed in advance on the allocation of liability between them. In principle, under this scenario, a processor (e.g. a merchant acquirer) could be liable for the entire amount of damage stemming from a security breach, even though the breach resulted entirely from the controller’s (e.g. a retailer’s) failure to implement adequate security measures with respect to its own premises, systems or POS devices.
Determining whether a party in a payment servicing relationship is a ‘controller’ or a ‘processor’ – or both – can be a complex exercise. Merchant acquirers, for example, act in a service capacity when they complete payment transactions on behalf of merchants; in that respect, they can be considered to act as processors. However, merchant acquirers also have a very substantial role in determining the specific means used to process payments, and they may also process transaction data to provide value-added services to merchants; in those respects, they may also act as controllers.
The GDPR may reduce the importance of this sort of parsing since both controllers and processors will be responsible for implementing appropriate information security measures, and both will potentially be liable in fines and damages for non-compliance.
Payment industry participants will need to analyse the disposition of these issues in the final GDPR. Controllers and processors will need to agree upon appropriate liability allocation and indemnity provisions in their service agreements.
And so, we are all on notice: while the GDPR is not yet a reality, it seems increasingly likely that the GDPR will become, along with the Interchange Regulation and PSD2, part of the regulatory landscape that payments industry participants must navigate.