Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Much like the European rulebook for the online environment, the payment regulatory landscape is complex and intersects with digital responsibility topics at various junctures. It is also evolving at a rapid pace.
The European Report 2025 from Payments Europe, a trade association that represents the card-based payment industry, shows that against the decline of cash use across Europe, data privacy, trust and security considerations play a nonnegligible role in the shift toward enabling digital payments.
Looking at card and digital payments through a data privacy prism reveals several types of positive impacts:
- Stronger security frameworks. The combination of EU General Data Protection Regulation and Payment Services Directive requirements leads to a higher standard for data encryption, tokenization and fraud prevention.
- Consumer control and transparency. Digital payment platforms increasingly offer granular controls — like spending alerts and visibility into transactions — encouraging clearer data practices, such as opt-in consent and better user education, particularly around open banking.
- Data minimization through innovation. Innovations like tokenized payments, virtual cards and privacy-by-design wallets can reduce sensitive data exposure.
In its 2024 report on PSD2 implementation, the European Commission noted the directive helped improve fraud prevention and transparency for payment service users, though conceding it had not ticked all the boxes for success.
The European Commission published the draft PSD3 and Payment Services Regulation in 2023 under its financial data access and payments package. Building on the current directive's transparency and open banking provisions, the PSD3 will set further rules on the efficiency and security of electronic and digital payments and financial services in the EU. It seeks to strengthen the authentication of payer identities and improve consumer protection through a new bespoke Payment Services Regulation. It will also introduce stricter rules on access to payment systems and account information.
At the time, an accompanying FAQ addressed the interaction between payments rules and the GDPR, underlining the importance of consistency between both instruments. The Commission explained PSD3 would clarify several key aspects that intersect with GDPR application:
- Purpose limitation — Payment services providers' permission to access and process personal data of their customers would be limited to the data necessary for the provision of the specific payment services which were contracted with the customers.
- Data minimization — Limiting the data which can be accessed by third-party providers to the minimum necessary for delivering the payment initiation or account information services required by the user, and requiring banks to provide a "dashboard" allowing users to visualize and manage all permissions they grant to third-party providers for accessing their payment account data.
- Special categories of data — Processing of payment transactions may necessitate that payment service providers be able to process personal data including special categories under the GDPR.
According to the current timeline, the PSD3 and PSR could become applicable in 2026 — the former after transposition into national law, the latter directly applicable in member states.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.