go.eIDAS eIDAS Blog News

Strong Customer Authentication and use of eID Wallet

You mentioned interoperability of the eID wallet with elements of secure customer authentication (due to specific sector requirements).

Can you explain how the data protection aspects of this will negotiate with adjacent legal frames such as GDPR?

Certain regulatory instruments such as PSD2 (and indeed AMLD5) do not seem to bestow similar data protection rights, which ultimately creates regulatory tension with regard to personal and sensitive data - ultimately posing risks to the goal of “user controlled data” that you have mentioned. There seems to be no way to marry SCA requirements and GDPR requirements currently. Is there some indication how this will be discussed moving forward?

Even if the GDPR is not explicitly referenced in PSD2 and AMLD5, that does not mean that it would not apply.
Where do you see a real conflict between Strong Customer Authentication (SCA), which can be pseudonymous, and GDPR?

Thank you for the reply.

I can refer to the recent guidance from the EDPB on fraud prevention in the financial services sector and the interplay between PSD2 and GDPR. The guidance states:

2.3 Fraud prevention
Article 94 (1) PSD2 states that Member States shall permit processing of personal data by payment systems and payment service providers when necessary to safeguard the prevention, investigation and detection of payment fraud. The processing of personal data strictly necessary for the purposes of preventing fraud could constitute a legitimate interest of the payment service provider concerned, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. Processing activities for the purpose of fraud prevention should be based on a careful case by case evaluation by the controller, in accordance with the accountability principle. In addition, to prevent fraud, controllers may also be subject to specific legal obligations that necessitate the processing of personal data.

The above provides little clarity, especially as fraud prevention techniques often use explicit device fingerprinting methods to ensure a robust link between identity holder and mobile device is created (and indeed shared across service providers to maintain system integrity). These binding methods (it seems) are being ported to applicable sectors, including where wallets are used for identity verification and authentication. This is especially concerning as fraud prevention mechanisms are directly tied to identity verification and authentication processes.

Thank you for the clarification. I agree that there is not a clear and straightforward rule which gives a clear yes/no answer. Any lawyers around who could provide more clarity here?