Strong Customer Authentication in Online Payments Under GDPR and PSD2: A Case of Cumulative Application

Research output: Chapter in Book/Report/Conference proceeding › Chapter › Research › peer-review

3 Citations (Scopus)

Abstract

Authentication is the process of confirming the user’s identity before a payment can be performed. It contributes to cybersecurity by preventing access by unauthorised parties. However, in e-payments authentication differs from traditional identity checks, since it is performed online and remotely. This paper explores the relationship between two important legal instruments governing authentication in payment services: the General Data Protection Regulation (Regulation 679/2016) and the Second Payment Services Directive (Directive 2015/2366). This paper shows that while the relationship between the two instruments can be considered unclear, previous research and European soft law favour cumulative application rather than a lex specialis and lex generalis relationship. These findings are then discussed in the context of implementing authentication procedures in compliance with the rules of the GDPR, with a focus on the identity of the controller, the legal basis for implementing authentication, and the security requirements under art. 32 of the GDPR. Based on the “means reasonably likely” test from the Breyer judgment, we assume that PSPs could be considered controllers even when processing pseudonymised credentials. Legal grounds to process personal data in an authentication procedure are either performance of a contract or legitimate interests of the controller, insofar as the necessity criterion is met. Relying on legal obligation is, however, more doubtful. Finally, exceptions to strong customer authentication bring their own cybersecurity considerations, since the complexity of security systems can lead to more vulnerabilities. When PSD2 and GDPR are both applied, it may mean that compliance with the higher standard is required, which is enabled by the optional nature of art. 18(1) of the RTS.
Original language: English
Title of host publication: IFIP Advances in Information and Communication Technology
Editors: Michael Friedewald, Stefan Schiffner, Stephan Krenn
Publisher: Springer
Pages: 78–95
Number of pages: 18
Volume: 619
ISBN (Print): 9783030724641, 9783030724658
DOIs
Publication status: Published - 2021

Publication series

Name: IFIP Advances in Information and Communication Technology
Volume: 619 IFIP
ISSN (Print): 1868-4238
ISSN (Electronic): 1868-422X

Bibliographical note

Publisher Copyright:
© 2021, IFIP International Federation for Information Processing.
