The rise of mobile wallets in recent years has resulted in increased privacy risks. The objective of this article is to analyse how the European legal framework deals with these risks. The article will give an overview of PSD2 and point at the relevant changes in the light of the legal vacuum where mobile wallet issuers were operating before. The obligations to apply enhanced security measures and strong consumer authentication ought to result in increased security of mobile payments, but conflicts with GDPR on data protection issues in PSD2 are arising too. In this context, examples will be given, and possible solutions will be examined. The layered approach of the EU legislator makes it challenging to predict whether the mobile wallet users’ data are sufficiently protected now. While the RTS came into effect on 14 September 2019, the interaction with GDPR will only become more apparent in the following years.
Keywords: PSD2; GDPR; mobile wallets; third-party providers; lawful processing; data minimisation