2021 started with Brexit: what regulatory impact, if any, on the digital payment chain?
After long months of negotiations, the European Union and the United Kingdom finally agreed on a new draft trade and cooperation agreement on December 24. On the British side, it was validated by Prime Minister Boris Johnson and then by the British Parliament and the House of Lords, before being approved by Queen Elizabeth II on December 31, 2020. On the European side, it has already been approved by the 27 member states of the EU, but its final ratification will require a debate and a vote in the European Parliament. Nevertheless, pending this vote, the agreement applies provisionally for a transitional period until February 28, 2021.
This draft agreement confirms the end of equivalence for financial services (SERVIN articles starting on page 108), although it still allows a firm of one party to establish itself in the territory of the other party, subject to the principle of non-discrimination in authorization and approval procedures and in access to the other party's financial systems. Some articles of principle (the LAW.AML articles from page 343 onwards) provide for compliance with internationally defined standards and good practices against terrorism and money laundering, and for the exchange of data in that framework. But this very voluminous draft agreement of 1259 pages also contains other articles that will affect all payment service providers, whether established in Great Britain or in Europe: the articles on the protection of personal data and on maintaining a facilitated digital market without restrictive barriers.
A sacrosanct free circulation of digital data:
The articles dedicated to the digital market (DIGIT articles starting on page 117) enshrine the free circulation of data without customs duties, whereas for goods the situation is quite different. There is no doubt that some of these articles will be the subject of intense debate, because the current draft would prohibit Europe from imposing a European location for data storage and data processing, and would also prevent it from imposing certification or approval requirements on the computing facilities or networks used for that processing.
As for the eIDAS Regulation, it no longer applies to Great Britain in its entirety, but it remains applicable with certain limitations.
- The UK electronic identification scheme GOV.UK, notified in 2019 at the "substantial" assurance level, leaves the interoperable federation of eIDAS nodes, and UK trust service providers can no longer appear on the EU Trusted List (TSL) of Qualified Trust Service Providers (QTSPs). However, the UK ECA 2000 Act will continue to recognize the eligibility of services provided by European QTSPs, such as qualified signatures. Conversely, a UK provider can no longer provide a signature with the same legal value in France as a handwritten signature, even if it was previously recognized as qualified in Europe.
- However, irrespective of any qualification criteria, the principle of non-discrimination of legal value introduced by the eIDAS Regulation for digital contracting with electronic signatures, electronic seals or electronic timestamps would continue to apply, in general in both directions, except for certain specific services. We note, however, that the definition of electronic signature introduced by the Brexit agreement is closer to the eIDAS definition of an advanced electronic signature, since it requires, in addition to the consent of the signatory, that any subsequent modification of the data in electronic form be detectable. This legal uncertainty about the basic definition of electronic signature, raised by experts, could create a risk of non-compliance for on-the-fly signatures (neither advanced nor qualified) and may require an amendment of the agreement between Europe and Great Britain.
- Nonetheless, each party may require, for certain types of transactions, that the trust service be certified or qualified against requirements it defines itself, on the basis of legal constraints or objective standards. Thus the non-discrimination agreement excludes, among other things, legal services and the services of notaries or other professions entrusted with a public service. Europeans could therefore require (or continue to require, as in France for notarial deeds or for one of the two requirements of the Monetary and Financial Code for the enhanced due diligence level) a qualified level of signature, or a registered or qualified remote identification service.
- Indeed, the new Brexit agreement explicitly excludes from the principle of non-discrimination contracts that require witnessing in person, and thus, intuitively, identification services that require face-to-face or face-to-face-equivalent verification, such as remote account opening.
This free circulation of digital data is framed by guarantees of consumer and personal data protection.
In addition to PSD2, which waives the strong customer authentication requirement for online purchases as soon as at least one payment service provider (issuer or acquirer) is non-European, the agreement explicitly provides that suppliers of goods or services must always provide clear and complete information on their identity and contact details (or, if they are acting as an intermediary, designate this intermediary), the characteristics of the products purchased, the total price including all taxes and charges, and consumer rights, including how to seek compensation.
What new guarantees for the protection of personal data?
As a preliminary point, this draft Brexit agreement recognizes the right of both parties to protect personal data, with high requirements in order to ensure confidence in the digital economy.
But in any case, Brexit also means that Great Britain will eventually no longer be subject to the GDPR. Eventually, because the stay granted during 2020 is extended for a transitional period until July 1st 2021 at the latest (Article FINPROV.10A from page 414), on the basis of the British legislation in force on December 31, 2020 and on the express condition that Great Britain does not exercise its powers to amend its legislative framework in this area. The British personal data protection authority, the ICO (very active both in publishing guidance and in issuing sanctions: a £20 million fine against British Airways in October 2020 for personal and bank data breaches in 2018, and a £1.25 million fine against Ticketmaster UK in November 2020 for bank card data breaches), will no longer be able to act as a one-stop shop. As of January 1st 2021, data controllers and processors established solely in the UK must designate a representative in the European Union, where the authority in charge of the GDPR can act as a one-stop shop.
This 6-month respite of temporary adequacy could be reduced to 4 months if one of the parties were to object, an unlikely hypothesis since even the CNIL does not envisage it in its communication. This reprieve would also end if the transfer of personal data were authorized by a permanent adequacy decision.
According to the New York Times, this adequacy process is well on the way to being completed in February, so as to allow the continued transfer of personal data such as bank data. However, this political position of the European Commission, favorable to market expectations, is likely to irritate the European Data Protection Board (EDPB). Indeed, Andrea Jelinek, president of the EDPB, had declared last June a very unfavorable position because of the existing agreement between the US and Great Britain on the transfer of data for surveillance purposes.
Largely for this reason, the adequacy agreement between the US and the EU, called Privacy Shield, was invalidated by a decision of the Court of Justice of the European Union (CJEU) on July 16 (the Schrems II case), following the action brought against Facebook by the association NOYB and Max Schrems (the same person who had the previous Safe Harbour agreement invalidated in Schrems I). Beyond the lack of power and independence of the "ombudsman" to respond to a request from a European, on the basis of these laws which require an American judicial body, this European court decision is essentially motivated by the American surveillance laws and programs (FISA, PRISM, ...), laws that allow the American authorities to collect massive amounts of data in an inappropriate and disproportionate manner.
Despite official communications about continued negotiations between the European Union and the US, the US administration (Trumpist until then) seemed reluctant to change these surveillance laws. Thus, data (contacts, social network information, photos, videos) from the cell phones of European travelers can still be collected with new, highly intrusive DHS (Department of Homeland Security) tools and kept for 75 years.
But the CJEU's decision of July 16, 2020 has a much broader scope than the invalidity of the adequacy agreement with the US alone. This decision invalidates any adequacy agreement with other countries and all data transfer tools to third parties (Standard Contractual Clauses (SCC) between two separate legal entities, or Binding Corporate Rules (BCR) for the protection of intra-group data) if they cannot provide sufficient appropriate guarantees. Guarantees must be provided not only for the exercise by Europeans of enforceable rights and effective legal remedies, in accordance with Article 46 of the GDPR, but also for the protection of the data itself. Thus, according to the court and the European authorities in charge of personal data protection, all mass surveillance laws preclude any transfer to these third countries of data that has not been subject to supplementary technical measures, such as effective encryption that prevents the third country from accessing the data in clear text.
So what can be done to achieve GDPR compliance for data exchanges with the UK? To avoid any legal risk, payment actors, like all other actors, should use the remaining 4 to 6 months of reprieve to bring their data transfers quickly into compliance, while continuing to treat Great Britain as a third country without adequacy.