論歐盟第二支付服務指令下之個人資料保護

Personal Data Protection Under the Legal Framework of the EU Second Payment Services Directive

石佳立(Chia-li Shih)

第三方支付服務 ； 歐盟第二支付服務指令 ； 歐盟一般資料保護規則 ； 資料可攜權 ； 開放銀行 ； third party payment services ； PSD2 ； GDPR ； data portability ； open banking

高大法學論叢

17卷2期（2022 / 03 / 01）

235 - 271

繁體中文

迅速成長的電子支付服務在全球金融科技發展中佔有一席之地，為加速歐盟單一電子支付市場，歐盟第二支付服務指令（PSD2）於2018年起落實於歐盟各國之國內法，持續加強歐元支付服務市場之整合，為開放銀行提供法律基礎，以平衡新支付服務機構與傳統支付機構之競爭及優勢，同時為了促進電子支付服務之發展，PSD2認知個人資料之流通在多元化的電子支付市場下更盛以往，結合GDPR之規範，以確保支付服務使用者之資料保護以及支付安全。對於PSD2之架構下應如何適用GDPR之相關個人資料保護規定，歐洲資料保護委員會（European Data Protection Board, EDPB）於2020年12月公布PSD2與GDPR交錯適用之指導原則（Guideline 06/2020 on the Interplay of the Second Payment Services Directive and the GDPR），針對PSD2與GDPR適用上之主要議題，如PSD2如何落實GDPR規範下之支付服務使用者之資料自主權及資料可攜權，並針對具體同意權的行使、個人資料保護原則在電子支付交易環境下之適用、以及沉默第三人之資料保護，均有相當之分析。鑑於我國在整合相關電子支付業者之監理而完成新修法之際，期本文能提供歐盟的立法設計為參考，重新檢視個人資料保護於我國電子支付環境下之適用，參酌PSD2與GDPR交錯適用建立在電子支付環境下之個人資料保護網，以增強消費者對於電子支付交易環境之信心及發展。

The global electronic payment services market has grown rapidly in the area of financial technologies, commonly known as ＂FinTech.＂ To facilitate the integration of the single payment market in Europe, the EU revised payment services directive (PSD2) has been implemented into EU members domestic laws since 2018. PSD2 provides a legal foundation for open banking in order to balance the competition between new payment services providers and conventional financial institutions. PSD2 also recognizes that personal data has been collected and used more aggressively during the transaction of electronic payment services. In addressing the significance of personal data protection, PSD2 ensures the payment services users' right to data portability and integrates with GDPR's legal framework. By defining the ＂explicit consent＂ and refining the application of the principles of data protection, PSD2 and GDPR have formed a protective net for personal data to ensure data protection and portability. Given that Taiwan has recently integrated and amended its laws governing electronic payment institutions, this research is intended to provide reference for Taiwan legislators in the consideration of examining the current personal data protection law and establish a legal framework of protecting personal data during the electronic payment process. Strengthening the personal data protection can significantly boost consumers' confidence on electronic payment services and therefore further the development of the electronic payment services industry.

1. 林玉書(2020)。歐盟發布政府機關資料保護規則（Regulation (EU) 2018/1725）關於控管者、處理者和共同控管者概念之指導方針。科技法務透析，32(9)，7-9。
   連結：
2. 孫鈺婷(2020)。數位經濟下的個人資料流通-以開放銀行為例。科技法律透析，32(12)，30-37。
   連結：
3. 謝國廉(2020)。論專利法對人工智慧之保護—歐美實務之觀點。高大法學論叢，15(2)，1-38。
   連結：
4. The Working Party on the Protection of Individuals with Regard to the Processing of Personal data, Article 29 Working Party Guidelines on Transparency under Regulation 2016/679, WP260 rev.01 (2018), available at https://ec.europa.eu/newsroom/article29/items/622227 (last visited 06/25/2021).
5. Besen, Stanley M.(2020).Competition, Privacy, and Big Data.Catholic University Journal of Law and Technology,28,63-88.
6. Deloitte UK, How to Flourish in an Uncertain Banking and PSD2 (2017), available at https://www2.deloitte.com/content/dam/Deloitte/cz/Documents/financial-services/cz-open-banking-and-psd2.pdf (last visited 04/20/2021).
7. European Data Protection Board, Guideline 2/2019 on the Processing Personal Data under Article 6(1)(b) GDPR in the Context of the Provision of Online Services to data subjects (2019), available at https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en (last visited 06/25/2021).
8. European Data Protection Board (EDPB), Guidelines 06/2020 on the Interplay of the Second Payment Services Directive and the GDPR (2020), available at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202006_psd2_afterpublicconsultation_en.pdf (last visited 06/21/2021).
9. European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR (2020), available at https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf (last visited 06/26/2021).
10. Jackson, Brandon W.(2020).Cybersecurity, Privacy, and Artificial Intelligence: an Examination of Legal Issues Surrounding the European Union General Data Protection Regulation and Autonomous Network Defense.Minnesota Journal of Law, Science & Technology,21,169-207.
11. Maschek, Wolfgang A.(2016).EU Regulatory and Supervisory Trends for FinTech Operators in Europe - A Policy Perspective.FinTech Law Report NL 3,19,1-9.
12. Mezzacapo, Simone(2018).Competition Policy Issues in EU Retail Payment Business: the New PSD 2 Regulatory Principle of Open Online Access to Information from "Payment Accounts" and Associated "Payment transactions".European Competition Law Review,39,534-544.
13. Petersen, Kyle(2018).GDPR: What (And Why) You Need to Know About EU Data Protection Law.Utah's Business Journal,31,12-16.
14. Seventko, Lindsay A.(2019).GDPR: Navigating compliance as a United States Bank.North Carolina Banking Institute,23,201-229.
15. Voss, W. Gregory,Bouthinon-Dumas, Hugues(2020).EU General Data Protection Regulation Sanctions in Theory and in Practice.Santa Clara High Technology Law Journal,37,1-96.
16. Weaver, Lesley E.,Davis, Anne K.(2019).The Interplay of the European Union's General Data Protection Regulation and U.S. E-Discovery-One Year Later, the View Remains the Same.Competition: The Journal of the. Antitrust, UCL and Privacy Section,29,159-168.
17. 李沛宸(2019)。GDPR 當事人同意之實務採行建議。商業法律與財金期刊，2(1)，67-96。
18. 周伯翰(2017)。從台、美之法制分析電子商務商業方法之專利適格性。中正財經法學，14，47-164。
19. 林惠君(2020)。電子化支付逆勢成長。財金資訊季刊，98，11-15。
20. 張陳弘(2019)。GDPR 關於蒐用一般個人資料之合法事由規範。月旦法學雜誌，285，174-190。
21. 臧正運(2019)。從國際發展趨勢論我國推動開放銀行應有之思考。金融聯合徵信，34，4-12。
22. 蔣念祖,戴凡芹(2019)。電子支付機構管理條例修正草案評析。萬國法律，228，83-96。
23. 蔡昌憲,彭冠蓉(2021)。開放銀行之管制政策研究-以歐盟與英國的經驗為中心。月旦法學雜誌，313，76-96。