Language of document : ECLI:EU:C:2020:897

JUDGMENT OF THE COURT (First Chamber)

11 November 2020 (*)

(Reference for a preliminary ruling – Consumer protection – Directive (EU) 2015/2366 – Payment services in the internal market – Article 4(14) – Concept of ‘payment instrument’ – Personalised multifunctional bank cards – Near-field communication (NFC) functionality – Article 52(6)(a) and Article 54(1) – Information to be provided to users – Change in the conditions of a framework contract – Tacit consent – Article 63(1)(a) and (b) – Rights and obligations related to payment services – Derogation for low-value payment instruments – Conditions under which applicable – Payment instrument that does not allow its blocking – Payment instrument used anonymously – Limitation of the temporal effects of the judgment)

In Case C‑287/19,

REQUEST for a preliminary ruling under Article 267 TFEU from the Oberster Gerichtshof (Supreme Court, Austria), made by decision of 25 January 2019, received at the Court on 5 April 2019, in the proceedings

DenizBank AG

v

Verein für Konsumenteninformation,

THE COURT (First Chamber),

composed of J.-C. Bonichot, President of the Chamber, L. Bay Larsen, C. Toader, M. Safjan and N. Jääskinen (Rapporteur), Judges,

Advocate General: M. Campos Sánchez-Bordona,

Registrar: M. Krausenböck, Administrator,

having regard to the written procedure and further to the hearing on 13 February 2020,

after considering the observations submitted on behalf of:

–        DenizBank AG, by G. Ganzger and A. Egger, Rechtsanwälte,

–        the Verein für Konsumenteninformation, by S. Langer, Rechtsanwalt,

–        the Czech Government, by M. Smolek, J. Vláčil and S. Šindelková, acting as Agents,

–        the Portuguese Government, by L. Inez Fernandes, P. Barros da Costa, S. Jaulino and G. Fonseca, acting as Agents,

–        the European Commission, by G. Braun, T. Scharf and H. Tserepa-Lacombe, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 30 April 2020,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Article 4(14), Article 52(6)(a), read in conjunction with Article 54(1), and Article 63(1)(a) and (b) of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ 2015 L 337, p. 35, and corrigendum OJ 2018 L 102, p. 97).

2        The request has been made in proceedings between DenizBank AG, a company incorporated under Austrian law, and the Verein für Konsumenteninformation (Association for Consumer Information, Austria, ‘the VKI’), concerning the validity of contractual terms relating to the use of personalised multifunctional bank cards that are equipped, in particular, with near-field communication (NFC) functionality (‘NFC functionality’), commonly known as the ‘contactless payment’ function.

 The legal context

 Directive 93/13/EEC

3        Article 2 of Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ 1993 L 95, p. 29) provides:

‘For the purposes of this Directive:

(a)      “unfair terms” means the contractual terms defined in Article 3;

(b)      “consumer” means any natural person who, in contracts covered by this Directive, is acting for purposes which are outside his trade, business or profession;

(c)      “seller or supplier” means any natural or legal person who, in contracts covered by this Directive, is acting for purposes relating to his trade, business or profession, whether publicly owned or privately owned.’

4        Article 3 of that directive states:

‘1.      A contractual term which has not been individually negotiated shall be regarded as unfair if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer.

3.      The annex shall contain an indicative and non-exhaustive list of the terms which may be regarded as unfair.’

5        Article 6(1) of that directive provides:

‘Member States shall lay down that unfair terms used in a contract concluded with a consumer by a seller or supplier shall, as provided for under their national law, not be binding on the consumer and that the contract shall continue to bind the parties upon those terms if it is capable of continuing in existence without the unfair terms.’

6        Article 8 of that directive provides that ‘Member States may adopt or retain the most stringent provisions compatible with the Treaty in the area covered by this Directive, to ensure a maximum degree of protection for the consumer’.

7        The Annex to Directive 93/13, which contains an indicative and non-exhaustive list of the ‘terms referred to in Article 3(3)’ of that directive, mentions, in point 1(j) thereof, ‘terms which have the object or effect of authorising the trader to alter unilaterally the terms of the contract without a valid reason specified in the contract’. Point 2 of that annex specifies the scope of point 1(j).

 Directive (EU) 2015/2366

8        Directive (EU) 2015/2366 repealed Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC (OJ 2007 L 319, p. 1) with effect from 13 January 2018.

9        According to recitals 6, 53 to 55, 63, 81, 91 and 96 of Directive 2015/2366:

‘(6)      … Equivalent operating conditions should be guaranteed to … players on the market, facilitating new means of payment to reach a broader market and ensuring a high level of consumer protection in the use of these payment services across the whole of the Union. This should generate efficiencies in the payment system as a whole and lead to more choice and more transparency of payment services while strengthening the trust of consumers in a harmonised payments market.

(53)      As consumers and undertakings are not in the same position, they do not need the same level of protection. While it is important to guarantee consumer rights by provisions from which it is not possible to derogate by contract, it is reasonable to let undertakings and organisations agree otherwise when they are not dealing with consumers. …

(54)      This Directive should specify the obligations on payment service providers as regards the provision of information to the payment service users who should receive the same high level of clear information about payment services in order to make well-informed choices and be able to choose freely within the Union. …

(55)      Consumers should be protected against unfair and misleading practices in accordance with Directive 2005/29/EC of the European Parliament and the Council [of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (OJ 2005 L 149, p. 22)] as well as with Directives 2000/31/EC [of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (OJ 2000 L 178, p. 1)], 2002/65/EC [of 23 September 2002 concerning the distance marketing of consumer financial services and amending Council Directive 90/619/EEC and Directives 97/7/EC and 98/27/EC (OJ 2002 L 271, p. 16)], 2008/48/EC [of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC (OJ 2008 L 133, p. 66)], 2011/83/EU [of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (OJ 2011 L 304, p. 64)] and 2014/92/EU [of 23 July 2014 on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features (OJ 2014 L 257, p. 214)]. The provisions of those Directives continue to apply. However, the relationship between the pre-contractual information requirements laid down in this Directive and Directive 2002/65/EC should, in particular, be clarified.

(63)      In order to ensure a high level of consumer protection, Member States should, in the interests of the consumer, be able to maintain or introduce restrictions or prohibitions on unilateral changes in the conditions of a framework contract, for instance if there is no justified reason for such a change.

(81)      Low value payment instruments should be a cheap and easy-to-use alternative in the case of low-priced goods and services and should not be overburdened by excessive requirements. … Despite the lighter regime, payment service users should have adequate protection, having regard to the limited risks posed by those payment instruments, especially with regard to prepaid payment instruments.

(91)      Payment service providers are responsible for security measures. Those measures need to be proportionate to the security risks concerned. Payment service providers should establish a framework to mitigate risks and maintain effective incident management procedures. … Furthermore, in order to ensure that damage to users … is kept to a minimum, it is essential that payment service providers be required to report major security incidents without undue delay to the competent authorities …

(96)      The security measures should be compatible with the level of risk involved in the payment service. In order to allow the development of user-friendly and accessible means of payment for low-risk payments, such as low value contactless payments at the point of sale, whether or not they are based on mobile phone, the exemptions to the application of security requirements should be specified in regulatory technical standards. …’

10      Article 4 of that directive, entitled ‘Definitions’, is worded as follows:

‘For the purposes of this Directive, the following definitions apply:

(8)      “payer” means a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order;

(9)      “payee” means a natural or legal person who is the intended recipient of funds which have been the subject of a payment transaction;

(10)      “payment service user” means a natural or legal person making use of a payment service in the capacity of payer, payee, or both;

(14)      “payment instrument” means a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order;

(20)      “consumer” means a natural person who, in payment service contracts covered by this Directive, is acting for purposes other than his or her trade, business or profession;

(21)      “framework contract” means a payment service contract which governs the future execution of individual and successive payment transactions and which may contain the obligation and conditions for setting up a payment account;

(29)      “authentication” means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials;

(30)      “strong customer authentication” means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;

(31)      “personalised security credentials” means personalised features provided by the payment service provider to a payment service user for the purposes of authentication;

…’

11      Title III of Directive 2015/2366, entitled ‘Transparency of conditions and information requirements for payment services’, includes Chapter 1, entitled ‘General rules’, which comprises Articles 38 to 42 of that directive.

12      Article 38 of that directive, entitled ‘Scope’, states in paragraph 1:

‘This Title applies to single payment transactions, framework contracts and payment transactions covered by them. The parties may agree that it shall not apply in whole or in part when the payment service user is not a consumer.’

13      Article 42 of that directive, entitled ‘Derogation from information requirements for low-value payment instruments and electronic money’, provides:

‘1.      In cases of payment instruments which, according to the relevant framework contract, concern only individual payment transactions that do not exceed EUR 30 or that either have a spending limit of EUR 150 or store funds that do not exceed EUR 150 at any time:

(a)      by way of derogation from Articles 51, 52 and 56, the payment service provider shall provide the payer only with information on the main characteristics of the payment service, including the way in which the payment instrument can be used, liability, charges levied and other material information needed to take an informed decision as well as an indication of where any other information and conditions specified in Article 52 are made available in an easily accessible manner;

(b)      it may be agreed that, by way of derogation from Article 54, the payment service provider is not required to propose changes to the conditions of the framework contract in the same way as provided for in Article 51(1);

…’

14      Title III of Directive 2015/2366 contains Chapter 3 on ‘Framework contracts’, which comprises Articles 50 to 58 of that directive.

15      Article 51 of the directive, entitled ‘Prior general information’, provides in paragraph 1:

‘Member States shall require that, in good time before the payment service user is bound by any framework contract or offer, the payment service provider provide the payment service user on paper or on another durable medium with the information and conditions specified in Article 52. The information and conditions shall be given in easily understandable words and in a clear and comprehensible form, in an official language of the Member State where the payment service is offered or in any other language agreed between the parties.’

16      Article 52 of that directive, entitled ‘Information and conditions’, states:

‘Member States shall ensure that the following information and conditions are provided to the payment service user:

6.      on changes to, and termination of, the framework contract:

(a)      if agreed, information that the payment service user will be deemed to have accepted changes in the conditions in accordance with Article 54, unless the payment service user notifies the payment service provider before the date of their proposed date of entry into force that they are not accepted;

…’

17      Article 54 of that directive, entitled ‘Changes in conditions of the framework contract’, states in paragraph 1:

‘Any changes in the framework contract or in the information and conditions specified in Article 52 shall be proposed by the payment service provider in the same way as provided for in Article 51(1) and no later than two months before their proposed date of application. The payment service user can either accept or reject the changes before the date of their proposed date of entry into force.

Where applicable in accordance with point (6)(a) of Article 52, the payment service provider shall inform the payment service user that it is to be deemed to have accepted those changes if it does not notify the payment service provider before the proposed date of their entry into force that they are not accepted. The payment service provider shall also inform the payment service user that, in the event that the payment service user rejects those changes, the payment service user has the right to terminate the framework contract free of charge and with effect at any time until the date when the changes would have applied.’

18      Title IV of Directive 2015/2366, entitled ‘Rights and obligations in relation to the provision and use of payment services’, contains Chapter 1 on ‘Common provisions’, which comprises Articles 61 to 63 of that directive.

19      Article 63 of that directive, entitled ‘Derogation for low value payment instruments and electronic money’, states in paragraph 1:

‘In the case of payment instruments which, according to the framework contract, solely concern individual payment transactions not exceeding EUR 30 or which either have a spending limit of EUR 150, or store funds which do not exceed EUR 150 at any time, payment service providers may agree with their payment service users that:

(a)      point (b) of Article 69(1), points (c) and (d) of Article 70(1) and Article 74(3) do not apply if the payment instrument does not allow its blocking or prevention of its further use;

(b)      Articles 72 and 73 and Article 74(1) and (3) do not apply if the payment instrument is used anonymously or the payment service provider is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised;

…’

20      Title IV of Directive 2015/2366 also contains Chapter 2 on ‘Authorisation of payment transactions’, which comprises Articles 64 to 77 of that directive.

21      Article 69 of that directive, entitled ‘Obligations of the payment service user in relation to payment instruments and personalised security credentials’, provides in paragraph 1:

‘The payment service user entitled to use a payment instrument shall:

(b)      notify the payment service provider, or the entity specified by the latter, without undue delay on becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument.’

22      Article 70 of that directive, entitled ‘Obligations of the payment service provider in relation to payment instruments’, states in paragraph 1:

‘The payment service provider issuing a payment instrument shall:

(c)      ensure that appropriate means are available at all times to enable the payment service user to make a notification pursuant to point (b) of Article 69(1) or to request unblocking of the payment instrument pursuant to Article 68(4); on request, the payment service provider shall provide the payment service user with the means to prove, for 18 months after notification, that the payment service user made such a notification;

(d)      provide the payment service user with an option to make a notification pursuant to point (b) of Article 69(1) free of charge and to charge, if at all, only replacement costs directly attributed to the payment instrument;

…’

23      Article 72 of that directive, entitled ‘Evidence on authentication and execution of payment transactions’, provides:

‘1.      Member States shall require that, where a payment service user denies having authorised an executed payment transaction or claims that the payment transaction was not correctly executed, it is for the payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency of the service provided by the payment service provider.

If the payment transaction is initiated through a payment initiation service provider, the burden shall be on the payment initiation service provider to prove that within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge.

2.      Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider, including the payment initiation service provider as appropriate, shall in itself not necessarily be sufficient to prove either that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of the obligations under Article 69. The payment service provider, including, where appropriate, the payment initiation service provider, shall provide supporting evidence to prove fraud or gross negligence on part of the payment service user.’

24      Article 73 of Directive 2015/2366, entitled ‘Payment service provider’s liability for unauthorised payment transactions’, reads as follows:

‘1.      Member States shall ensure that, without prejudice to Article 71, in the case of an unauthorised payment transaction, the payer’s payment service provider refunds the payer the amount of the unauthorised payment transaction immediately, and in any event no later than by the end of the following business day, after noting or being notified of the transaction, except where the payer’s payment service provider has reasonable grounds for suspecting fraud and communicates those grounds to the relevant national authority in writing. Where applicable, the payer’s payment service provider shall restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place. This shall also ensure that the credit value date for the payer’s payment account shall be no later than the date the amount had been debited.

2.      Where the payment transaction is initiated through a payment initiation service provider, the account servicing payment service provider shall refund immediately, and in any event no later than by the end of the following business day the amount of the unauthorised payment transaction and, where applicable, restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.

If the payment initiation service provider is liable for the unauthorised payment transaction, it shall immediately compensate the account servicing payment service provider at its request for the losses incurred or sums paid as a result of the refund to the payer, including the amount of the unauthorised payment transaction. In accordance with Article 72(1), the burden shall be on the payment initiation service provider to prove that, within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge.

3.      Further financial compensation may be determined in accordance with the law applicable to the contract concluded between the payer and the payment service provider or the contract concluded between the payer and the payment initiation service provider if applicable.’

25      Article 74 of that directive, entitled ‘Payer’s liability for unauthorised payment transactions’, read as follows in paragraphs 1 and 3:

‘1.      By way of derogation from Article 73, the payer may be obliged to bear the losses relating to any unauthorised payment transactions, up to a maximum of EUR 50, resulting from the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument.

The first subparagraph shall not apply if:

(a)      the loss, theft or misappropriation of a payment instrument was not detectable to the payer prior to a payment, except where the payer has acted fraudulently; or

(b)      the loss was caused by acts or lack of action of an employee, agent or branch of a payment service provider or of an entity to which its activities were outsourced.

The payer shall bear all of the losses relating to any unauthorised payment transactions if they were incurred by the payer acting fraudulently or failing to fulfil one or more of the obligations set out in Article 69 with intent or gross negligence. In such cases, the maximum amount referred to in the first subparagraph shall not apply.

Where the payer has neither acted fraudulently nor intentionally failed to fulfil its obligations under Article 69, Member States may reduce the liability referred to in this paragraph, taking into account, in particular, the nature of the personalised security credentials and the specific circumstances under which the payment instrument was lost, stolen or misappropriated.

3.      The payer shall not bear any financial consequences resulting from use of the lost, stolen or misappropriated payment instrument after notification in accordance with point (b) of Article 69(1), except where the payer has acted fraudulently.

If the payment service provider does not provide appropriate means for the notification at all times of a lost, stolen or misappropriated payment instrument, as required under point (c) of Article 70(1), the payer shall not be liable for the financial consequences resulting from use of that payment instrument, except where the payer has acted fraudulently.’

26      Title VI of Directive 2015/2366, entitled ‘Final provisions’, includes Article 107, entitled ‘Full harmonisation’, which states:

‘1.      Without prejudice to Article 2, Article 8(3), Article 32, Article 38(2), Article 42(2), Article 55(6), Article 57(3), Article 58(3), Article 61(2) and (3), Article 62(5), Article 63(2) and (3), the second subparagraph of Article 74(1) and Article 86, in so far as this Directive contains harmonised provisions, Member States shall not maintain or introduce provisions other than those laid down in this Directive.

3.      Member States shall ensure that payment service providers do not derogate, to the detriment of payment service users, from the provisions of national law transposing this Directive except where explicitly provided for therein.

However, payment service providers may decide to grant more favourable terms to payment service users.’

 Delegated Regulation (EU) 2018/389

27      According to recitals 9 and 11 of Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (OJ 2018 L 69, p. 23):

‘(9)      In accordance with Directive (EU) 2015/2366, exemptions to the principle of strong customer authentication have been defined based on the level of risk, amount, recurrence and the payment channel used for the execution of the payment transaction.

(11)      Exemptions for low-value contactless payments at points of sale, which also take into account a maximum number of consecutive transactions or a certain fixed maximum value of consecutive transactions without applying strong customer authentication, allow for the development of user-friendly and low-risk payment services and should therefore be provided for. …’

28      Article 1 of Delegated Regulation 2018/389, entitled ‘Subject matter’, states:

‘This Regulation establishes the requirements to be complied with by payment service providers for the purpose of implementing security measures which enable them to do the following:

(a)      apply the procedure of strong customer authentication in accordance with Article 97 of Directive (EU) 2015/2366;

(b)      exempt the application of the security requirements of strong customer authentication, subject to specified and limited conditions based on the level of risk, the amount and the recurrence of the payment transaction and of the payment channel used for its execution;

…’

29      The first subparagraph of Article 2(1) of that delegated regulation, that article being entitled ‘General authentication requirements’, provides:

‘Payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions for the purpose of the implementation of the security measures referred to in points (a) and (b) of Article 1.’

30      Article 11 of that delegated regulation, entitled ‘Contactless payments at point of sale’, is worded as follows:

‘Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates a contactless electronic payment transaction provided that the following conditions are met:

(a)      the individual amount of the contactless electronic payment transaction does not exceed EUR 50; and

(b)      the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed EUR 150; or

(c)      the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five.’

 The dispute in the main proceedings and the questions referred for a preliminary ruling

31      The VKI is an association established in Austria which, under Austrian law, has standing to bring proceedings to protect the interests of consumers.

32      DenizBank is a banking institution operating in Austria. In its dealings with customers, that company employs general terms and conditions in connection with, inter alia, the use of bank cards equipped with NFC functionality. That functionality, which is automatically activated the first time the customer uses the card, allows the customer to pay small amounts, up to a value of EUR 25 per purchase, without inserting the card into a payment terminal and without having to enter a personal identification number (‘PIN’), at points of sale equipped with the appropriate equipment. In contrast, the payment of higher amounts is subject to authentication with the PIN code.

33      The content of the clauses of those general terms and conditions that are relevant in the present case can be summarised as follows:

–        Clause 14 provides, inter alia, that changes to the general terms and conditions relating to debit cards are to be proposed to the customer no later than two months before the planned date of their entry into force and that the customer is to be deemed to have accepted those changes unless he or she expressly objects before that date. The customer, who is a consumer, is to be offered the possibility to terminate the contract free of charge and must be informed of that possibility in the change proposal sent to him or her by DenizBank;

–        Clause 15 states that DenizBank is not required to prove that payments of small amounts made without entering the PIN code, that is to say, using the NFC functionality, were authorised, nor that those transactions were not affected by a technical breakdown or some other deficiency;

–        Clause 16 relieves DenizBank of its liability and of any reimbursement obligation, in the event that such payment transactions were not authorised by the cardholder;

–        Clause 17 stipulates that the bank account holder bears the risk of any misuse of his or her card for payments of that type;

–        Clause 18 provides that, in the event of disappearance of the debit card, for example due to loss or theft, it is technically impossible to block the card for low-value payments and that, even after blocking, such payments may still be made, up to a total of EUR 75, without being refundable by DenizBank;

–        Clause 19 states that the provisions relating to card services are, in principle, also applicable to law-value payments.

34      By act of 9 August 2016, VKI brought proceedings for a prohibitory injunction before the Handelsgericht Wien (Commercial Court, Vienna, Austria), seeking that DenizBank be prohibited from using the six abovementioned clauses on the ground that they were null and void. In its defence, DenizBank contended that Clause 14 was lawful and that the various payment functions of cards equipped with NFC functionality should be assessed distinctly.

35      The court at first instance upheld VKI’s claim in a judgment of 28 April 2017. It held that Clause 14 was grossly prejudicial and that the NFC functionality was not covered by the derogations for low-value payment instruments, on the ground that the card could also be used for other types of payment and that the NFC functionality could not in itself be regarded as a payment instrument.

36      By judgment of 20 November 2017, the Oberlandesgericht Wien (Higher Regional Court, Vienna, Austria), in an appeal on the merits, upheld in part the judgment delivered at first instance. In particular, that court held that use of the NFC functionality did not constitute use of a payment instrument, but was rather comparable to credit card transactions made by mail or telephone. In that regard, it noted that the NFC functionality was activated automatically, unlike the ‘electronic purse’, and that a card equipped with that functionality was not anonymous, but rather both personalised and secured by means of a code.

37      VKI and DenizBank brought appeals on a point of law before the referring court, the Oberster Gerichtshof (Supreme Court, Austria), against the judgment thus delivered in the appeal on the merits.

38      The referring court states, first, that it has repeatedly held that extensive changes to conditions of the framework contract, by the payment service provider, may not be agreed by way of tacit consent by the customer, such as that resulting from Clause 14 of the general terms and conditions at issue in the main proceedings. It considers that such changes would be contrary to Article 52(6)(a) and Article 54(1) of Directive 2015/2366, which was transposed into Austrian law, using identical wording, by the Zahlungsdienstegesetz 2018 (Law on payment services of 2018) (BGBl. I, 17/2018), as well as to the objective of consumer protection set out in recital 63 of that directive. It adds that, in its view, Clause 14 should be subject to further scrutiny under Directive 93/13. It states that its abovementioned case-law has, however, been criticised by some Austrian legal writers, who have argued, inter alia, that the interests of undertakings should be weighed up against those of consumers, who could also benefit from a change of that nature.

39      Secondly, referring to the case-law of the Court, in particular paragraphs 33 and 35 of the judgment of 9 April 2014, T-Mobile Austria (Case C‑616/11, EU:C:2014:242), the referring court takes the view that the triggering of a payment order by the use of the NFC functionality of a bank card associated with a particular bank account could constitute a non-personalised ‘set of procedures’, and therefore a ‘payment instrument’, within the meaning of Article 4(14) of that directive.

40      Should that be the case, it asks, thirdly, whether a payment made by means of the NFC functionality of such a personalised card may be regarded as an ‘anonymous’ use of a payment instrument within the meaning of Article 63(1)(b) of Directive 2015/2366, or whether such a qualification may be applied only where the payment was made by means of a card not associated with an individualised account and without any other authentication element, such as those defined in Article 4(29) and (30) of that directive.

41      Fourthly, the referring court asks, in essence, whether a payment service provider wishing to rely on the derogation provided for in Article 63(1)(a) of Directive 2015/2366 is required to prove that, having regard to the latest available scientific knowledge, the payment instrument cannot be blocked or that its continued use cannot be prevented. That court states that it is in favour of an affirmative answer, with a view to consumer protection and taking account of the fact that that service provider is responsible for security measures according to recital 91 of Directive 2015/2366. It notes that, in the present case, DenizBank has not disputed VKI’s claim that blocking a card in such a manner is technically feasible.

42      In those circumstances, the Oberster Gerichtshof (Supreme Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Is point (6)(a) of Article 52 in conjunction with Article 54(1) of Directive [2015/2366], pursuant to which the payment service user will be deemed to have accepted proposed changes in the conditions unless the payment service user notifies the payment service provider before the date of their proposed date of entry into force that they are not accepted, to be interpreted as meaning that tacit consent can also be agreed with the consumer for any conceivable contractual conditions without any restriction?

(2)      (a)      Is point (14) of Article 4 of Directive [2015/2366] to be interpreted as meaning that the NFC function of a personalised multifunctional bank card by means of which low-value payments are debited from the associated customer account constitutes a payment instrument?

(b)      If Question 2(a) is answered in the affirmative:

Is Article 63(1)(b) of Directive [2015/2366] regarding the derogations for low-value payments and electronic money to be interpreted as meaning that a contactless low-value payment using the NFC function of a personalised multifunctional bank card [is] to be regarded as anonymous use of the payment instrument within the meaning of the derogation?

(3)      Is Article 63(1)(b) of Directive [2015/2366] to be interpreted as meaning that a payment service provider can rely on that derogation only if it can be established, according to the objective state of technical knowledge, that the payment instrument does not allow its blocking or prevention of its further use?’

43      On 26 November 2019, pursuant to Article 101 of its Rules of Procedure, the Court sent the referring court a request for clarification, asking it to state the reasons why Directive 2015/2366 and the Austrian legislation transposing it should be regarded as applicable ratione temporis to the main proceedings, even though the action initiating the proceedings was brought by VKI on 9 August 2016, at which time Directive 2007/64 was still in force since it was repealed on 13 January 2018.

44      In its answer, received at the Court Registry on 24 January 2020, the referring court stated that, since it is hearing a case where an injunction is being sought to prohibit future use of the contractual clauses at issue, it must assess the lawfulness of those clauses in the light, not only of the provisions in force when the proceedings were initiated, but also of the provisions applicable after the repeal of Directive 2007/64.

 Consideration of the questions referred

 Question 1

45      By its first question, the national court asks, in essence, whether Article 52(6)(a) of Directive 2015/2366, read in conjunction with Article 54(1) thereof, must be interpreted as meaning that a payment service provider who has concluded a framework contract with a user of its services may agree with the latter that that user will be presumed to have accepted a change to their framework contract, under the conditions laid down in those change provisions, even where the user is a consumer and irrespective of the contractual terms subject to that presumption.

46      Under Article 52(6)(a) of Directive 2015/2366, Member States must ensure that the payment service user is informed that, if the parties to the framework contract so agree, he or she is deemed to have accepted the changes to the conditions of the contract proposed by the payment service provider in accordance with Article 54(1) of that directive, unless the user notifies the service provider that the change in question is not accepted before the proposed date of entry into force of that change.

47      It is important to note that the presumption of tacit consent by the payment service user, the application of which has been agreed with the provider of those services, relates only, as stated in those provisions, to ‘changes’ to the conditions of the framework contract, that is to say, changes that do not affect the conditions of the framework contract to such an extent that the proposal from the service provider would in reality consist in the conclusion of a new contract. It is for the national court, when hearing a dispute concerning such tacit consent, to ascertain whether that rule has been implemented correctly.

48      In contrast, the wording of Article 52(6)(a) of Directive 2015/2366, read in conjunction with Article 54(1) thereof, does not contain any specification relating to the status of the payment service user, as referred to in the first question. Where the status of ‘consumer’, within the meaning of Article 4(20) of that directive, is a decisive factor, the provisions of the directive state so expressly, as is the case, inter alia, in Article 38 thereof.

49      It follows that Article 52(6)(a) of Directive 2015/2366 applies both to users of payment services who are consumers and to users who are not consumers.

50      Moreover, it is apparent from the wording of Article 52(6)(a), read in conjunction with the second subparagraph of Article 54(1), that the first provision is solely intended to lay down requirements relating to prior information, and not to determine the content of changes to a framework contract which may be tacitly accepted, since those provisions simply provide for the possibility of such changes and for the requirement of full transparency in that regard, without defining their substance.

51      That analysis is supported by a contextual interpretation of Article 52(6)(a) of Directive 2015/2366, read in conjunction with Article 54(1) thereof.

52      Article 52, entitled ‘Information and conditions’, and Article 54, entitled ‘Changes in conditions of the framework contract’, are included in Chapter 3 of Directive 2015/2366 on payment transactions covered by a framework contract, which is in Title III of that directive, entitled ‘Transparency of conditions and information requirements for payment services’. It follows that Articles 52 and 54 of that directive are intended to regulate only the conditions and information that a payment service provider is required to communicate to the user of its services, and not to define the content of the reciprocal commitments that those persons may enter into contractually. Such content is governed by the provisions of Title IV of that directive, entitled ‘Rights and obligations in relation to the provision and use of payment services’.

53      Furthermore, Article 42 of Directive 2015/2366, which is also included in Title III thereof and is entitled ‘Derogation from information requirements for low-value payment instruments and electronic money’, states clearly that Articles 52 and 54 of that directive relate to information concerning payment services which, unless there is an express derogation, must be provided by the payment service provider.

54      Furthermore, Article 51 of that directive states that the payment service provider must provide the information and conditions stated in Article 52 of that directive on a durable medium and in a clear and comprehensible form, in good time before the payment service user is bound by any framework contract or offer, in order to enable the user to make an informed choice, as is apparent from recital 54 of that directive.

55      All of the foregoing considerations are not contradicted by the teleological interpretation of Article 52(6)(a) of Directive 2015/2366, read in conjunction with Article 54(1) thereof.

56      Admittedly, as noted by the referring court and VKI, recital 63 of that directive states that ‘in order to ensure a high level of consumer protection, Member States should, in the interests of the consumer, be able to maintain or introduce restrictions or prohibitions on unilateral changes in the conditions of a framework contract, for instance if there is no justified reason for such a change’.

57      Nevertheless, it follows from Article 107 of Directive 2015/2366 that Article 52(6)(a) and Article 54(1) thereof are intended to achieve total harmonisation in the field governed by those provisions, namely, in the light of their wording, prior information concerning the tacit consent of changes to a framework contract in the event of the parties’ agreement to that effect, and that neither the Member States nor the providers of such services may derogate from them, except where those service providers decide to grant more favourable conditions to the users of their services.

58      Accordingly, Article 52(6)(a), read in conjunction with Article 54(1) of Directive 2015/2366, may not be interpreted, in the light of recital 63 of that directive, as laying down restrictions relating either to the status of the user or to the type of contractual terms that may be the subject of such agreements relating to changes accepted by means of tacit consent.

59      At the same time, according to settled case‑law, in the procedure laid down by Article 267 TFEU providing for cooperation between national courts and the Court of Justice, it is for the latter to provide the referring court with an answer which will be of use to it and enable it to determine the case before it. In that context, the Court may extract from all the information provided by the referring court, in particular from the grounds of the order for reference, the legislation and the principles of EU law that require interpretation in view of the subject matter of the dispute in the main proceedings, even if those provisions are not expressly indicated in the questions referred (see, inter alia, judgments of 19 December 2019, Airbnb Ireland, C‑390/18, EU:C:2019:1112, paragraph 36, and of 12 March 2020, Caisse d’assurance retraite et de la santé au travail d’Alsace-Moselle, C‑769/18, EU:C:2020:203, paragraphs 39 and 40).

60      In the present case, in the grounds for its decision, the referring court correctly established a link between Clause 14 of the general terms and conditions at issue in the main proceedings, the content of which is set out in paragraph 33 above, and the provisions of Directive 93/13 on unfair terms in consumer contracts. Furthermore, that court considers that the disputed clause is, in practice, liable to lead to unilateral change of the framework contract by means of the presumption of acceptance provided for therein, since payment service users would not sufficiently analyse the implications of such clauses.

61      In that regard, it should be noted that, as regards users of payment services who are ‘consumers’ within the meaning of Article 2 of Directive 93/13, the review of unfairness of a term relating to the tacit consent of changes to a framework contract such as that at issue in the main proceedings is governed by the provisions of that directive.

62      It is clear from the provisions of Directive 2015/2366, in particular in the light of recital 55 thereof, that other EU legislation relating to consumer protection, such as, inter alia, Directive 2011/83, remain applicable. Consequently, where the payment service user has the status of consumer, Directive 2015/2366 may apply in conjunction with Directive 93/13, as amended by Directive 2011/83, and therefore without prejudice to the measures taken by the Member States to transpose the latter, which, in the area it governs, achieves only minimum harmonisation and therefore allows the adoption or maintenance of stricter national measures, compatible with the Treaty, to ensure a higher level of consumer protection (see, to that effect, judgment of 2 April 2020, Condominio di Milano, via Meda, C‑329/19, EU:C:2020:263, paragraph 33).

63      Thus, Article 3(1) of Directive 93/13 defines when a term contained in a contract concluded between a consumer and a seller or supplier may be declared unfair. Article 3(3) of that directive refers to the Annex thereof, which contains an indicative list of such terms, including, in point 1(j) of that annex, ‘terms which have the object or effect of … enabling the seller or supplier to alter the terms of the contract unilaterally without a valid reason which is specified in the contract’. Furthermore, Article 6(1) of Directive 93/13 provides that an unfair term, within the meaning of that directive, is not binding on the consumer, in accordance with such provisions as are laid down under their national law. Article 8 of that directive provides that Member States may adopt or retain, in the area covered by that directive, consumer-protection provisions that are more stringent than those contained in the directive, provided that they are compatible with the Treaty.

64      It is therefore for the referring court to examine whether or not clause 14 of the general terms and conditions relating to tacit consent to changes in the framework contract concluded with consumers, which is at issue in the main proceedings, is unfair and, if so, draw the appropriate conclusions from the unlawfulness of that clause, having regard to the provisions of Directive 93/13, and not Article 52(6)(a) of Directive 2015/2366, read in conjunction with Article 54(1) thereof.

65      In that respect, it should be borne in mind that, as regards standard terms allowing a unilateral adjustment of contracts, the Court has ruled that such terms must meet the requirements of good faith, balance and transparency laid down in Directive 93/13 (see, to that effect, judgment of 21 March 2013, RWE Vertrieb, C‑92/11, EU:C:2013:180, paragraph 47).

66      Consequently, the answer to the first question is that Article 52(6)(a) of Directive 2015/2366, read in conjunction with Article 54(1) thereof, must be interpreted to the effect that it governs the information and conditions to be provided by a payment service provider wishing to agree, with a user of its services, on tacit consent with regard to changes, in accordance with the detailed rules laid down in those provisions, of the framework contract that they have concluded, but does not lay down restrictions regarding the status of the user or the type of contractual terms that may be the subject of such tacit consent, without prejudice, however, where the user is a consumer, to a possible review of the unfairness of those terms in the light of the provisions of Directive 93/13.

 Question 2(a)

67      By question 2(a), the referring court seeks to ascertain whether Article 4(14) of Directive 2015/2366 must be interpreted as meaning that the NFC functionality of a personalised multifunctional bank card by means of which low-value payments are debited from the bank account associated with that card constitutes a ‘payment instrument’, as defined in that provision.

68      Article 4(14) of Directive 2015/2366 defines ‘payment instrument’, for the purposes of the application of that directive, as ‘a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order’.

69      Worded in equivalent terms, Article 4(23) of Directive 2007/64 defines ‘payment instrument’, for the purposes of the application of that directive, as ‘any personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used by the payment service user in order to initiate a payment order’.

70      In that regard, it should be noted that, in paragraph 31 of the judgment of 9 April 2014, T-Mobile Austria (Case C‑616/11, EU:C:2014:242), concerning the interpretation of Article 4(23) of Directive 2007/64, the Court, first of all, noted that there was some divergence between the different language versions of that provision, as regards the use of the adjective ‘personalised’ to describe the phrase ‘any … device’ and/or the phrase ‘set of procedures’ according to those versions. The Court then recalled, in paragraph 32 of that judgment, the settled case-law according to which, first, the provisions of EU law must be interpreted and applied in a uniform manner, in the light of the versions drawn up in all EU languages, and, secondly, that where there is divergence between the language versions of an EU legal text, the provision in question must be interpreted by reference to the general scheme and purpose of the rules of which it forms part. Lastly, in paragraph 33 of that judgment, the Court held that, in order to be considered as ‘personalised’, within the meaning of that provision, a payment instrument must allow the payment service provider to verify that the payment order was initiated by a user authorised to do so.

71      The Court thus held, in paragraphs 34 and 35 of that same judgment, that it necessarily followed from the existence of non-personalised payment instruments, such as those expressly referred to in Article 53 of that directive, now Article 63 of Directive 2015/2366, that the concept of ‘payment instrument’, defined in the abovementioned Article 4(23), is capable of covering a non-personalised set of procedures, agreed between the user and the payment service provider, and used by the user in order to initiate a payment order.

72      It is in the light of that definition of ‘payment instrument’, within the meaning of Article 4(23) of Directive 2007/64, now Article 4(14) of Directive 2015/2366, that it is appropriate to answer question 2(a) posed by the referring court in the present case.

73      In the present instance, that court considers, correctly, that it follows from the case-law cited in paragraphs 70 and 71 above that the NFC functionality of a multifunctional bank card associated with a specific bank account, such as that at issue in the main proceedings, does not constitute a ‘personalised device’, within the meaning of the first situation referred to in Article 4(14) of Directive 2015/2366, since the use of that function, in itself, does not allow the payment service provider to verify that the payment order was initiated by a user authorised for that purpose, unlike the other functions of that card which require the use of personalised security data, such as a PIN code or a signature.

74      Accordingly, the referring court asks whether use of the NFC functionality is capable of constituting, in itself, a non-personalised ‘set of procedures’, within the meaning of the second situation referred to in Article 4(14) of Directive 2015/2366, and, therefore, a ‘payment instrument’ for the purposes of the application of that directive.

75      As the Advocate General notes in points 37 to 40 of his Opinion, use of the NFC functionality of a bank card associated with a specific bank account represents a non-personalised set of procedures that must have been agreed between the user and the payment service provider and which is used to initiate a payment order. Accordingly, that functionality constitutes a ‘payment instrument’ within the meaning of the second situation in Article 4(14) of Directive 2015/2366.

76      It is apparent from the documents before the Court that the NFC functionality, after being activated by the holder of the bank account associated with such a card, may, under the contract concluded between the payment service provider and that user, be used by any individual in possession of the card to make low-value payments debited from that account, subject to the maximum threshold authorised by that contract, without having to make use of personalised security data, which would be specific to the account holder concerned, for the purposes of ‘authentication’, or even ‘strong authentication’, of the payment order, within the meaning of Article 4(29) to (31) of that directive.

77      It should be noted that the NFC functionality is, having regard to its specific features, legally separable from the other functions of the associated bank card, which require the use of personal security data, in particular in order to pay an amount above the threshold set for use of the NFC functionality. Therefore, the NFC functionality, taken in isolation, may be regarded as a payment instrument, within the meaning of Article 4(14) of Directive 2015/2366, and thus fall within the material scope of that directive.

78      That interpretation is such as to contribute to attainment of the objectives pursued by Directive 2015/2366, since the fact that the NFC functionality is thus directly subject to the requirements laid down by that directive not only promotes the development of that new means of payment in the context of fair competition between payment service providers, but also the protection of users of those services, in particular those who are consumers, in accordance with the guidelines set out in the preamble to that directive, and in particular in recital 6 thereof.

79      Consequently, the answer to question 2(a) is that Article 4(14) of Directive 2015/2366 must be interpreted as meaning that the NFC functionality of a personalised multifunctional bank card, by means of which low-value payments are debited from the associated bank account, constitutes a ‘payment instrument’, as defined in that provision.

 Question 2(b)

80      By question 2(b), the referring court asks whether Article 63(1)(b) of Directive 2015/2366 must be interpreted as meaning that a contactless low-value payment using the NFC functionality of a personalised multifunctional bank card constitutes ‘anonymous’ use of the payment instrument in question, within the meaning of that derogation provision.

81      Under Article 63(1)(b) of Directive 2015/2366, in respect of low-value payment instruments, as defined in the introductory part of that paragraph, a payment service provider may agree with the user of its services that they will derogate from the provisions listed in Article 63(1)(b), where ‘the payment instrument is used anonymously’ or where ‘the payment service provider is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised’.

82      The Court has pointed out that it follows from Article 53(1)(b) of Directive 2007/64, now Article 63(1)(b) of Directive 2015/2366, that certain payment instruments are used anonymously, in which case payment service providers are not required to provide proof of the authentication of the transaction in question in the situation referred to in Article 59 of that first directive, now Article 72 of the second directive (judgment of 9 April 2014, T-Mobile Austria, C‑616/11, EU:C:2014:242, paragraph 34).

83      More specifically, Article 63(1)(b) of Directive 2015/2366 allows the payment service provider and the user of its services to derogate, by way of agreement, first, from Article 72 of that directive, which requires the provider to prove the authentication and execution of payment transactions, secondly, from Article 73 thereof, which establishes the principle that the service provider is liable for unauthorised payment transactions and, thirdly, from Article 74(1) and (3) of that directive, which partially derogates from that principle by providing to which extent the payer may be required to bear, up to EUR 50, losses resulting from such transactions, except after notification to the provider of the loss, theft or misappropriation of the payment instrument.

84      It should be emphasised that Article 63(1)(b) of that directive must be interpreted strictly because it constitutes a derogation.

85      As the referring court and the Commission have noted, it follows from the wording of Article 63(1)(b), read in the light of the provisions to which it refers, that the feature common to the two situations in which the derogation provided for therein may be used is the objective inability of the payment service provider to establish that a payment transaction has been duly authorised, either because of the ‘anonymous’ use of the payment instrument concerned, or ‘other reasons which are intrinsic to [that instrument]’.

86      In the present case, as regards the question whether a payment made by means of the NFC functionality of a personalised multifunctional bank card may be regarded as ‘anonymous’ use, within the meaning of Article 63(1)(b) of Directive 2015/2366, account must be taken of the following circumstances.

87      First, the card in question is deemed to be ‘personalised’ when it is associated with the bank account of a specific customer, namely the ‘payer’ as defined in Article 4(8) of that directive, and that account is debited after a payment made by means of the NFC functionality. Secondly, a payment of that type, which is limited to low-value payments, only requires possession of that card, once that function has been activated by the customer, and not authentication through the use of personal security data, such as a PIN code or signature. Accordingly, any individual with access to that card may make such a payment, up to the authorised threshold, even without the consent of the account holder, in the event of loss, theft or misappropriation of the card.

88      In that context, it is important to draw a distinction between the identification of the holder of the debited account, which follows directly from the personalisation of the card concerned, and a payment authorisation potentially given by that holder, which cannot be established by the mere use of the card when the payment in question is made using the NFC functionality. The cardholder’s agreement to such a payment cannot be inferred from mere physical possession of the card equipped with that functionality.

89      Accordingly, the use of the NFC functionality for the purpose of making low-value payments constitutes ‘anonymous’ use, within the meaning of Article 63(1)(b) of that directive, even where the card equipped with that functionality is associated with the bank account of a particular customer. In such a situation, the payment service provider is objectively unable to identify the person who paid using that functionality and thus unable to verify, or even prove, that the transaction was duly authorised by the account holder.

90      As DenizBank has submitted, that interpretation is supported by the objectives of Directive 2015/2366, namely to ‘allow the development of user-friendly and accessible means of payment for low-risk payments, such as low value contactless payments at the point of sale’, as set out in recital 96 of that directive, and ‘facilitating new means of payment to reach a broader market and ensuring a high level of consumer protection in the use of these payment services’, as set out in recital 6 of that directive. Similarly, recital 81 of that directive states that ‘low value payment instruments should be a cheap and easy-to-use alternative in the case of low-priced goods and services and should not be overburdened by excessive requirements’ and specifies that ‘payment service users should benefit from adequate protection’. It is in the interest not only of the payment service provider but also of its customer to have, provided that the latter so wishes and remains sufficiently protected, innovative, quick and simple means of payment, such as the NFC functionality.

91      Furthermore, that interpretation of Article 63(1)(b) of Directive 2015/2366 is consistent with the general scheme of that directive, in so far as, in the light of the rules laid down by that directive, a customer who has chosen to benefit from a simplified payment instrument without the need for identification for low-value payments, such as the NFC functionality, must be regarded as having agreed to potentially being exposed to the consequences of the conventional limitations on the liability of the provider, as permitted under that provision.

92      By limiting, as is apparent from the introductory part of that paragraph 1, the amount of financial losses that a customer might potentially have to bear, the EU legislature, in accordance with the articles of that directive read in the light of the recitals referred to in paragraph 90 above, ensures a balance between the advantages and risks posed by such an instrument, in particular for customers that have the status of consumers.

93      Consequently, the answer to Question 2(b) is that Article 63(1)(b) of Directive 2015/2366 must be interpreted as meaning that a contactless low-value payment using the NFC functionality of a personalised multifunctional bank card constitutes ‘anonymous’ use of the payment instrument in question, within the meaning of that derogation provision.

 Question 3

94      By its third question, the referring court asks essentially whether Article 63(1)(a) of Directive 2015/2366 must be interpreted as meaning that a payment service provider who intends to rely on the derogation provided for in that provision may simply assert that it is impossible to block the payment instrument concerned or to prevent its continued use, where, in the light of the objective state of available technical knowledge, that impossibility cannot be established.

95      Under Article 63(1)(a) of Directive 2015/2366, in respect of low-value payment instruments, as defined in the introductory part of that paragraph, a payment service provider may agree with a user of its services that they will be exempted from certain of their mutual obligations, namely those resulting from the provisions under Article 63(1)(a), ‘if the payment instrument’ which is the subject of the framework contract they have concluded ‘does not allow its blocking’ or ‘prevention of its further use’.

96      It is clear from the wording of Article 63(1)(a) that the implementation of the derogations provided for in that provision is subject to the condition that it is impossible, for a reason that is intrinsic to the payment instrument in question, to block it or prevent its further use.

97      Similarly, Article 53(1)(a) of Directive 2007/64, which corresponds to Article 63(1)(a) of Directive 2015/2366, provided that the derogation therein applied specifically where ‘the payment instrument [did] not allow its blocking or prevention of its further use’.

98      Therefore, a payment service provider wishing to exercise the option provided for in Article 63(1)(a) of Directive 2015/2366 may not, in order to relieve itself from its own obligations, simply state, in the framework contract relating to the payment instrument concerned, that it is unable to block that instrument or to prevent its further use. That service provider must establish, with the burden of proof being on that provider in the event of a dispute, that that instrument in no way allows, on account of technical reasons, its blocking or prevention of its further use. If the court hearing those proceedings considers that it would have been physically possible to carry out such blocking or to prevent such use, having regard to the objective state of available technical knowledge, but that the provider did not make use of that knowledge, Article 63(1)(a) may not be applied to the benefit of that provider.

99      That interpretation of the wording of Article 63(1)(a) of Directive 2015/2366 is supported both by a systematic interpretation and a teleological interpretation of that provision.

100    As regards the general scheme of Directive 2015/2366, it should be recalled that Article 63(1)(a) thereof allows the payment service provider and the user of its services to derogate, by agreement, from the application of the obligations arising from, first, Article 69(1)(b) of that directive, which requires the user to inform the provider without delay of the loss, theft, misappropriation or any unauthorised use of the payment instrument concerned, secondly, Article 70(1)(c) and (d) of that directive, which requires the provider to make available to the user means to make that notification free of charge or to request unblocking of that instrument, and, thirdly, Article 74(3) of that directive, which relieves the payer, except where he or she has acted fraudulently, from the financial consequences of any use of the lost, stolen or misappropriated instrument that takes place after that notification.

101    Given that it introduces an exception to the rules laid down in the other provisions referred to in the preceding paragraph of the present judgment, Article 63(1)(a) of Directive 2015/2366 must be interpreted strictly. Accordingly, the conditions for the application of that provision may not be construed in such a way as to remove the burden of proof which must be carried by the person relying on that exception and, consequently, to exempt that person from the detrimental consequences that might result from the application of those rules.

102    As regards the objectives of Directive 2015/2366, it follows, inter alia, from recitals 6, 53 and 63 thereof that the directive aims to protect users of payment services and, in particular, to offer a high level of protection to those who are consumers (see, as regards Directive 2007/64, judgments of 25 January 2017, BAWAG, C‑375/15, EU:C:2017:38, paragraph 45, and of 2 April 2020, PrivatBank, C‑480/18, EU:C:2020:274, paragraph 66).

103    Furthermore, according to recital 91 of Directive 2015/2366, providers of such services are responsible for security measures, which must be proportionate to the risks associated with those services, and they are required, in particular, to establish a framework to mitigate risks and maintain effective incident management procedures, in accordance with Article 95 of that directive. Although recital 96 of that directive appears to qualify those obligations somewhat with regard to ‘low-value contactless payments at the point of sale’, it does not call into question the principle of the payment service providers’ responsibility for technical security since it states that ‘the exemptions to the application of security requirements should be specified in regulatory technical standards’, as provided for in Article 98 of that directive. Thus, Articles 2 and 11 of Delegated Regulation 2018/389, read in the light of recitals 9 and 11 thereof, lay down the extent to which such providers may derogate from the rule of strong authentication for such contactless payments.

104    As the Advocate General notes in points 60 and 61 of his Opinion, if a payment service provider could avoid liability by simply alleging that it is impossible to block the payment instrument or prevent its further use, it could then easily, by offering mediocre technology, place the risk associated with unauthorised payments on the user of its services. Such a transfer of those risks and associated detrimental consequences would not be consistent with the objective of protecting users of payment services, in particular consumers, nor with the rule that payment service providers assume responsibility for taking appropriate security measures, both of which underpin the regime established by Directive 2015/2366.

105    The interpretation thus adopted of Article 63(1)(a) of Directive 2015/2366 cannot be called into question by DenizBank’s arguments that that analysis would harm the development of new business models in the field of low-value payment services and would undermine the freedom of service providers to offer a payment card which they simply declared could not be blocked, whatever the reason may be. Those arguments conflict not only with the wording of that provision, but also with the general scheme of the directive and the objectives of the legislation of which that provision forms part.

106    Accordingly, the answer to the third question is that Article 63(1)(a) of Directive 2015/2366 must be interpreted as meaning that a payment service provider who intends to rely on the derogation provided for in that provision may not simply assert that it is impossible to block the payment instrument concerned or to prevent its continued use, where, in the light of the objective state of available technical knowledge, that impossibility cannot be established.

 The limitation of the temporal effects of the present judgment

107    In its written observations, DenizBank requested, in essence, that the Court limit the temporal effects of its judgment, in particular, in the event that the Court were to rule that the NFC functionality of a personalised multifunctional bank card does not constitute a ‘payment instrument’ within the meaning of Article 4(14) of Directive 2015/2366. In support of that request, it referred to the significant financial effects that that judgment might produce and the fact that the undertakings concerned could legitimately expect a different interpretation.

108    In that regard, it should be noted that, according to settled case-law, it is only quite exceptionally that the Court may, in application of the general principle of legal certainty inherent in the EU legal order, be moved to restrict, for any person concerned, the opportunity of relying on a provision which it has interpreted with a view to calling into question legal relationships established in good faith. Two essential criteria must be fulfilled before such a limitation can be imposed, namely that those concerned should have acted in good faith and that there should be a risk of serious difficulties (see, inter alia, judgments of 10 July 2019, WESTbahn Management, C‑210/18, EU:C:2019:586, paragraph 45, and of 3 October 2019, Schuch-Ghannadan, C‑274/18, EU:C:2019:828, paragraph 61 and the case-law cited).

109    Moreover, it should be noted that DenizBank’s request appears to have been made only in the event that the Court were to provide a negative answer to Question 2(a), which is not the case. In any event, DenizBank has not provided any concrete and detailed evidence capable of demonstrating that its request is well founded since it has merely put forward general arguments.

110    Accordingly, there is no need to limit the temporal effects of the present judgment.

 Costs

111    Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (First Chamber) hereby rules:

1.      Article 52(6)(a) of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, read in conjunction with Article 54(1) thereof, must be interpreted to the effect that it governs the information and conditions to be provided by a payment service provider wishing to agree, with a user of its services, on tacit consent with regard to changes, in accordance with the detailed rules laid down in those provisions, of the framework contract that they have concluded, but does not lay down restrictions regarding the status of the user or the type of contractual terms that may be the subject of such tacit consent, without prejudice, however, where the user is a consumer, to a possible review of the unfairness of those terms in the light of the provisions of Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts.

2.      Article 4(14) of Directive 2015/2366 must be interpreted as meaning that the near-field communication (NFC) functionality of a personalised multifunctional bank card, by means of which low-value payments are debited from the associated bank account, constitutes a ‘payment instrument’, as defined in that provision.

3.      Article 63(1)(b) of Directive 2015/2366 must be interpreted as meaning that a contactless low-value payment using the near-field communication (NFC) functionality of a personalised multifunctional bank card constitutes ‘anonymous’ use of the payment instrument in question, within the meaning of that derogation provision.

4.      Article 63(1)(a) of Directive 2015/2366 must be interpreted as meaning that a payment service provider who intends to rely on the derogation provided for in that provision may not simply assert that it is impossible to block the payment instrument concerned or to prevent its continued use, where, in the light of the objective state of available technical knowledge, that impossibility cannot be established.

[Signatures]


*      Language of the case: German.