On November 11th the CJEU delivered a judgment in C-287/19 DenizBank AG v Verein für Konsumenteninformation on
the interpretation of Directive 2015/2366 on Payment Services (PSD2).
The facts
VKI an Austrian consumer protection organization brought proceeding for
a prohibitory injunction infront of Handelsgericht Wien asking the court to
prohibit DenizBank from using several clauses in their standard terms with
consumers on grounds that they are null and void. The validity of these clauses were questions in relation
to the card’s NFC (Near Field Communication) functionality that enables customers to use contactless
payment for low value transactions. The case provided an opportunity to the
CJEU to provide interpretation on several aspects of PSD2.
Validity of
tacit consent to contract variation
With the first question the Austrian Supreme Court asked whether Article 52(6)(a)
of Directive 2015/2366, read in conjunction with Article 54(1), should be interpreted
to mean that the payment service providers may agree with the payment service
users (who are in this case also consumers) in the framework contract to include
a presumption that when the conditions laid down in the contract are satisfied,
the payment service users tacitly consented to contract variation.
The CJEU reminded that the tacit consent that is provided for and
thus agreed between the parties in advance at the point of contract conclusion
of the framework contract is only valid if the change in terms and conditions
is of minor importance to the contract. The court emphasized that in case of changing
any of the essential terms that would result in a new contract, tacit consent
would not be enough. Although the CJEU does not specify, it might be important
to note that a framework contract here should be the contract that provides the
card, in case of debit cards, this would be the bank account.
The CJEU confirmed that the provision indeed provide for a freedom
of payment service providers and users to include these kind of clauses into
their contracts, because PSD2 does not lay down restrictions regarding the
status of the user or the type of contractual terms that may be the subject of
such tacit consent. In principle therefore the validity of tacit consent could
not be ruled out. However, in transactions with consumers, the clause should
also be subject to an independent review under the Directive 1993/13/EC on
unfair terms and may thus be removed from the contract for being unfair.
Meaning of a ‘payment instrument’
With the second question the referring national court asked for clarifying
meaning of payment instrument in Article 4(14). More specifically, whether the NFC
functionality of personalised multifunctional bank cards by means of which
low-value payments are debited from the bank account associated with that card
constitutes a ‘payment instrument’.
Under Article 4(14) a ‘payment instrument’ is ‘a personalised
device(s) and/or set of procedures agreed between the payment service user and
the payment service provider and used in order to initiate a payment order’.
According to the CJEU, the NFC functionality of a multifunctional
bank card associated with a specific bank account does not constitute a
‘personalised device’, since the use of that function, in itself, does not
allow the payment service provider to verify that the payment order was
initiated by a user authorised for that purpose, unlike the other functions of
that card which require the use of personalised security data, such as a PIN
code or a signature. However, the NFC functionality is capable of constituting,
in itself, a non-personalised ‘set of procedures’, within the definition and
can thus be considered a ‘payment instrument’ for the purposes of the
application of PDS2.
Meaning of ‘anonymous’ use
Further on, the CJEU also had an opportunity in this case to
interpret the meaning of ‘anonymous’ within Article 63(1)(b), specifically,
whether contactless low-value payment using the NFC functionality of a
personalised multifunctional bank card constitutes ‘anonymous’ use of the
payment instrument.
Article 63 allows for contracting parties to agree to several
important derogations from the protective framework of PDS2 for low value individual
payment transactions not exceeding EUR 30 or which either have a spending limit
of EUR 150, or store funds which do not exceed EUR 150 at any time. These include
derogation from Article 72 which requires the provider to prove the
authentication and execution of payment transactions; from Article 73
which establishes the principle that the service provider is liable for
unauthorised payment transactions; and from Article 74(1) and (3) which
enables the parties to confer some responsibility for unauthorised payments on
the payer for up to EUR 50. These derogations are only possible under Article
63(1)(b) where ‘the payment instrument is used anonymously’ or where ‘the
payment service provider is not in a position for other reasons which are
intrinsic to the payment instrument to prove that a payment transaction was
authorised’.
The CJEU held that despite the facts that the card itself is
personalized, connected to a bank account of a particular customer, the use of
the NFC functionality for the purpose of making low-value payments constitutes
‘anonymous’ use, within the meaning of Article 63(1)(b). The payment
service provider is objectively unable to identify the person who paid using
that functionality and thus unable to verify, or even prove, that the
transaction was duly authorised by the account holder.
Consequently, contactless low-value payment using the NFC
functionality of a personalised multifunctional bank card constitutes
‘anonymous’ use of the payment instrument in question, within the meaning of Article
63(1)(b).
The ways to prove impossibility to block or prevention of future
use of payment instrument
Article 63(1)(a) allows the payment service provider and the
user to agree on further derogations from the protecting framework of PDS2,
that is, from Article 69(1)(b) which requires the user to inform the
provider without delay of the loss, theft, misappropriation or any unauthorised
use of the payment instrument concerned; from Article 70(1)(c) and (d) of which
requires the provider to make available to the user means to make that
notification free of charge or to request unblocking of that instrument; and from
Article 74(3) which relieves the payer, except where he or she has acted
fraudulently, from the financial consequences of any use of the lost, stolen or
misappropriated instrument that takes place after that notification.
These derogations are possible to achieve if the payment instrument does
not allow its blocking or prevention of its further use. So the question
infront of the CJEU was whether payment service providers may simply declare
that it is
impossible to block the payment instrument concerned or to prevent its
continued use, where, in the light of the objective state of available
technical knowledge, that impossibility cannot be established.
The CJEU concluded that this is not the case. The ‘payment service
provider wishing to exercise the option provided for in Article 63(1)(a) …
may not, in order to relieve itself from its own obligations, simply state, in
the framework contract relating to the payment instrument concerned, that it is
unable to block that instrument or to prevent its further use. That service
provider must establish, with the burden of proof being on that provider in the
event of a dispute, that that instrument in no way allows, on account of
technical reasons, its blocking or prevention of its further use. If the court
hearing those proceedings considers that it would have been physically possible
to carry out such blocking or to prevent such use, having regard to the
objective state of available technical knowledge, but that the provider did not
make use of that knowledge, Article 63(1)(a) may not be applied to the
benefit of that provider’ (para 98).
