The French data protection regulator's white paper

New information on handling bank and payment data

In its new white paper published in October 2021 (available only in French), the French data protection supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), addresses digital payments from a data protection perspective under the title "When trust pays off – current and future means of payment and the challenges of data protection".

The publication was motivated by the steadily increasing use of digitalised payment methods: traditional card payments (debit and credit cards), and above all digital wallets such as Google Pay and Apple Pay, together with services from fintech companies such as PayPal.

In the white paper, the CNIL first sets out the data protection challenges of digital payment methods and then provides guidance and practical recommendations for the parties involved in digital payments.

What are payment data?

According to the CNIL, the term "payment data" or "payment information" covers three groups: payment data in the strict sense, such as the means of payment used or the transaction amount; data relating to the purchase itself, such as the characteristics of the product purchased or the place and time of purchase; and contextual or behavioural data, such as geolocation or the characteristics of the terminal used for an online purchase.

From the CNIL's perspective, payment data can thus be summarised as all personal data used in providing a payment service to a natural person, including ancillary data such as geolocation and contextual data and, where relevant, details of the purchase itself.

Numerous challenges for data protection

The characteristics of digital payment transactions pose significant challenges for the protection of the data collected and processed.

The first challenge is the large number of people affected. The vast majority of the population regularly uses cashless payment methods, whether for card payments at the local department store or for online shopping, which is becoming increasingly popular, not least because of the coronavirus pandemic.

Another challenge cited by the CNIL is the mandatory storage and traceability of the data for each payment transaction. These data must be recorded in order to keep accounts, customer records and credit balances. At the same time, they reveal a great deal about each person's actions, characteristics and interests. There is a risk that these data can be combined with other information to infer "sensitive" data within the meaning of Article 9 GDPR (special categories of personal data), such as political opinions, religious beliefs or sexual orientation.

In addition to government monitoring of digital payment transactions, which has been well known since the NSA revelations, payment services also use the data they process for additional services such as assessing the customer's trustworthiness or improving the user experience. In the CNIL's view, neither is unproblematic from a data protection perspective.

Finally, the CNIL sees the ongoing development of connected products (the "Internet of Things") as posing further challenges for personal data in the context of automated and autonomous payment transactions initiated by individual devices.

Recommendations for action by the CNIL

To address these challenges, the CNIL considers strict compliance with the provisions of the GDPR to be essential.

First of all, this requires compliance with the principles for processing personal data under Article 5 GDPR, such as purpose limitation and data minimisation. Here, the CNIL recommends specifying and limiting the purpose in advance in a record of processing activities that lists all data processed. With regard to purpose limitation, it must be ensured that each item of data is actually required for the purpose of processing the payment. In the CNIL's view, a card payment requires only the card number, the expiry date and, where applicable, the card's cryptogram (the card security code, e.g. the CVV).

In this context, the CNIL also emphasises that, in addition to ensuring the lawfulness of processing under Article 6 GDPR, it is essential to assign the role of controller, processor or joint controller to each actor involved in a payment transaction, so that roles are clearly allocated and responsibilities are unambiguous, and to document this allocation.

To answer the question of when a data protection impact assessment (DPIA) is required under Article 35 GDPR, the CNIL has drawn up a list of processing activities.

The CNIL also gives concrete recommendations on how long personal data connected with payment transactions may be stored:

  • The data collected to carry out a payment transaction may be stored only until the payment is completed or the goods or service have been received; for a subscription, until the last instalment has been paid.
  • According to the CNIL, data collected for complaint management may be kept for 13 months from the debit date (15 months for deferred-debit cards).
  • The card cryptogram, on the other hand, may be kept only until the transaction is completed.

In addition, the CNIL emphasises that any other use of the information obtained in the course of a payment transaction, particularly for commercial purposes, is prohibited. For example, an email address collected in order to send a receipt or payment confirmation may not be used for advertising without the customer's consent. Likewise, the merchant may not store bank details for subsequent purchases without the customer's consent. The only exception is the merchant's legitimate interest in the case of a subscription or an ongoing business relationship with the customer.

Warning of rising crime related to payment data

The growing popularity of digital payment transactions is also reflected in crime statistics: in addition to the challenges described above, the CNIL warns of an ever-increasing level of crime involving payment data, particularly through ransomware. Ransomware lets criminals encrypt the hard drives of those affected and release them only against payment of a ransom. Payment data of all kinds is a prime target for extortionists because of its importance to merchants and customers.

To counter this, the CNIL recommends the use of so-called "tokens" (tokenisation). Sensitive payment data, such as an account number (IBAN) or a bank card number, are replaced by a randomly generated, single-use data element (token). If the systems holding the tokens are breached, no particularly sensitive data falls into the attackers' hands. This protection holds only as long as the mapping between tokens and the original numbers is kept in a separate, better-protected system, so that the token vault is not compromised together with the systems that use the tokens.
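The following is an added example of the tokenisation the CNIL recommends, written for this article; it is not code from the CNIL's white paper or from any payment provider. It assumes a hypothetical in-memory `TokenVault` standing in for a separate, access-controlled vault service, and a `merchant_record` function standing in for the merchant's own database. The vault accepts only the card number and expiry date (the two items the CNIL lists as necessary), refuses to store the cryptogram at all, replaces the card number with a random token that carries no information about it, and deletes the mapping on first use so that a stolen token is single-use. The card number used is a constructed, Luhn-valid test number, not a real account.

```python
"""Added example: minimal single-use tokenisation of card numbers.
Names (TokenVault, merchant_record) are this example's own assumptions."""
from __future__ import annotations

import json
import re
import secrets

PAN_RE = re.compile(r"^\d{12,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used here only to reject mistyped card numbers before tokenising."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that may live outside the vault: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Holds the only copy of the real card data. In production this is a separate,
    access-controlled service; here it is an in-memory dict (assumption for the example)."""

    def __init__(self) -> None:
        self._store: dict[str, tuple[str, str]] = {}

    def tokenize(self, pan: str, expiry: str) -> str:
        # Only card number and expiry are accepted. The cryptogram (CVV) is deliberately
        # not a parameter: it is used for the authorisation itself and never stored.
        if not PAN_RE.match(pan) or not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = secrets.token_urlsafe(24)   # random; no relation to the PAN, not derivable from it
        self._store[token] = (pan, expiry)
        return token

    def detokenize(self, token: str) -> tuple[str, str]:
        # Single-use: the mapping is removed on the first lookup, so a token that has
        # already been redeemed is worthless to whoever steals it afterwards.
        try:
            return self._store.pop(token)
        except KeyError:
            raise KeyError("unknown or already-used token") from None


def merchant_record(vault: TokenVault, pan: str, expiry: str, amount_cents: int) -> dict:
    """What the merchant's own database keeps: the token and a masked PAN, nothing else."""
    return {
        "token": vault.tokenize(pan, expiry),
        "masked_pan": mask_pan(pan),
        "amount_cents": amount_cents,
    }


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Simulates an attacker dumping the merchant's table: does the real card number appear?"""
    return pan in json.dumps(record)


if __name__ == "__main__":
    # Constructed Luhn-valid test number, not a real account.
    pan, expiry = "4111111111111111", "12/26"
    vault = TokenVault()
    rec = merchant_record(vault, pan, expiry, 1999)
    print(rec)                                 # token plus "************1111", no card number
    print(record_leaks_pan(rec, pan))          # False
    print(vault.detokenize(rec["token"]))      # ("4111111111111111", "12/26"), works once only
```

The design point is the split of responsibilities: a dump of the merchant's table yields only tokens and masked numbers, and a captured token is useless once it has been redeemed. For recurring payments (the subscription case the CNIL allows under legitimate interest) a vault would issue a multi-use token instead; the mapping between tokens and card numbers is then the asset to protect, which is why the vault must not sit on the same systems as the data that references it.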


Banking and payment data pose a data protection challenge. It is therefore all the more important for companies involved in payment transactions to find out about their obligations in good time and to take appropriate measures to protect sensitive data. Failure to do so can result in negative press coverage as well as heavy fines if harm occurs.


