論歐盟第二支付服務指令下之個人資料保護


石佳立

中文摘要

迅速成長的電子支付服務在全球金融科技發展中佔有一席之地,為加速歐盟單一電子支付市場,歐盟第二支付服務指令(PSD2)於2018年起落實於歐盟各國之國內法,持續加強歐元支付服務市場之整合,為開放銀行提供法律基礎,以平衡新支付服務機構與傳統支付機構之競爭及優勢,同時為了促進電子支付服務之發展,PSD2認知個人資料之流通在多元化的電子支付市場下更盛以往,結合GDPR之規範,以確保支付服務使用者之資料保護以及支付安全。對於PSD2之架構下應如何適用GDPR之相關個人資料保護規定,歐洲資料保護委員會(European Data Protection Board, EDPB)於2020年12月公布PSD2與GDPR交錯適用之指導原則(Guideline 06/2020 on the Interplay of the Second Payment Services Directive and the GDPR),針對PSD2與GDPR適用上之主要議題,如PSD2如何落實GDPR規範下之支付服務使用者之資料自主權及資料可攜權,並針對具體同意權的行使、個人資料保護原則在電子支付交易環境下之適用、以及沉默第三人之資料保護,均有相當之分析。 鑑於我國在整合相關電子支付業者之監理而完成新修法之際,期本文能提供歐盟的立法設計為參考,重新檢視個人資料保護於我國電子支付環境下之適用,參酌PSD2與GDPR交錯適用建立在電子支付環境下之個人資料保護網,以增強消費者對於電子支付交易環境之信心及發展。

 

Personal Data Protection Under the Legal Framework of the EU Second Payment Services Directive

Chia-li Shih

abstract

The global electronic payment services market has grown rapidly in the area of financial technologies, commonly known as “FinTech.” To facilitate the integration of the single payment market in Europe, the EU revised payment services directive (PSD2) has been implemented into EU members domestic laws since 2018. PSD2 provides a legal foundation for open banking in order to balance the competition between new payment services providers and conventional financial institutions. PSD2 also recognizes that personal data has been collected and used more aggressively during the transaction of electronic payment services. In addressing the significance of personal data protection, PSD2 ensures the payment services users’ right to data portability and integrates with GDPR’s legal framework. By defining the “explicit consent” and refining the application of the principles of data protection, PSD2 and GDPR have formed a protective net for personal data to ensure data protection and portability. Given that Taiwan has recently integrated and amended its laws governing electronic payment institutions, this research is intended to provide reference for Taiwan legislators in the consideration of examining the current personal data protection law and establish a legal framework of protecting personal data during the electronic payment process. Strengthening the personal data protection can significantly boost consumers’ confidence on electronic payment services and therefore further the development of the electronic payment services industry.