New information on handling bank and payment data
In its new white paper published in October 2021 (available only in French), the French data protection supervisory authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), addresses digital payments from a data protection perspective under the title "When trust pays off – current and future means of payment and the challenges of data protection".
This publication was motivated by the steadily increasing use of digitalised payment methods, such as traditional card use (debit and credit cards), but especially digital wallets such as Google Pay, Apple Pay, and offers from various fintech companies such as PayPal.
In its white paper, CNIL presents the data protection challenges of digital payment methods and then provides guidance and practical recommendations for action for players involved in digital payments.
What are payment data?
According to the CNIL, the term “payment data” or “payment information” includes payment data in the strict sense, such as the means of payment used or the amount of the transaction, plus data related to the purchase itself, such as the characteristics of the product purchased or the place and time of the purchase, as well as contextual or behavioural data, such as geolocation or characteristics of the terminal used for an online purchase.
Payment data can thus be summarised, from CNIL’s perspective, as all personal data used in the provision of a payment service to a natural person, including ancillary data such as geolocation, contextual data and, if relevant, details of the purchase itself.
Numerous challenges for data protection
The characteristics of digital payment transactions pose significant challenges to the protection of the data collected and processed.
The first challenge is the large number of people affected. A vast majority of the population regularly uses cashless payment methods, whether for card payments at their local department store or for online shopping, which is becoming increasingly popular, not least due to the corona pandemic.
Another challenge cited by the CNIL is the mandatory storage and traceability of the data for each payment transaction. These data must be recorded in order to maintain accounts, customer records and credit balances. At the same time, they also contain a great deal of information about each person’s actions, characteristics and interests. There is a risk that these data can be combined with other information to reveal “sensitive” data as defined in Article 9 GDPR, such as information on political opinions, religious beliefs or sexual orientation.
In addition to the government monitoring of digital payment transactions, which has been well known since the NSA scandal, payment services also use the data they process for additional services such as verifying the trustworthiness of the customer or improving the user experience. In the view of the CNIL, neither use is unproblematic from a data protection perspective.
Finally, the CNIL sees the ongoing development of connected products (so-called “Internet of Things”) as posing further challenges to personal data within the framework of automated and autonomous payment transactions by individual devices.
Recommendations for action by the CNIL
To address these challenges, CNIL believes that strict compliance with the provisions of the GDPR is essential.
First of all, this requires compliance with the principles for processing personal data set out in Article 5 GDPR, such as purpose limitation and data minimisation. Here, the CNIL recommends that the purpose be specifically limited and defined in advance in a record of processing activities that lists all data processed. With regard to purpose limitation, it must be ensured that each processing purpose is actually necessary for executing the payment. From the CNIL’s point of view, during a payment transaction with a credit card, only the card number, the expiration date and, if applicable, the card’s cryptogram are necessary.
In this context, the CNIL also emphasises that, in addition to compliance with the legality of processing under Article 6 GDPR, it is essential to assign the respective function of controller, processor or joint controller to the respective actors involved in a payment transaction in order to ensure a clear allocation of roles and unambiguous responsibilities in this regard and also to document them.
To answer the question in which cases a data protection impact assessment is required pursuant to Article 35 GDPR, CNIL has drawn up a list of processing activities.
The CNIL also provides concrete recommendations for action regarding the duration of the storage of personal data in connection with payment transactions:
- The data collected for the realisation of a payment transaction may only be stored until the completion of the payment or until receipt of the item or service; in the case of subscription, until after the last payment installment.
- According to the CNIL, the data collected for complaint management may be kept for 13 months from the date of debit (15 months in the case of debit cards with deferred payment).
- Any cryptogram on a payment card, on the other hand, may be kept only until the transaction is completed.
In addition, the CNIL emphasises that any other use of the information obtained in the course of a payment transaction, particularly for commercial purposes, is prohibited. For example, an email address collected for the purpose of sending a sales receipt or payment may not be used for advertising purposes without the customer’s consent. Also, bank data may not be stored by the merchant for subsequent purchases without the customer’s consent. The only exception to this may be the legitimate interest of the merchant in the case of a subscription by the customer or in the case of a regular business relationship with the customer.
Warning of rising crime related to payment data
The growing popularity of digital payment transactions is also having an impact on crime statistics: in addition to the challenges described above, the CNIL warns of an ever-increasing level of crime involving payment data, particularly through ransomware. Ransomware allows criminals to encrypt the hard drives of those affected and to decrypt them again only once a ransom has been paid. Payment data of all kinds is a focus of extortionists because of the importance of the data to merchants and customers.
To combat this, the CNIL recommends the use of so-called “tokens”. In this process, sensitive payment data, such as an account number (IBAN) or a bank card number, are replaced by a randomly generated, single-use data element (the token). In the event of a breach, the attacker thus obtains only tokens rather than the underlying account or card data.
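The following Python sketch, added here as an illustration and not taken from the CNIL white paper, puts the two recommendations above into code: a token vault that replaces a card number with a random, single-use token and refuses to store the cryptogram at all, plus the complaint-management retention rule (13 months from the date of debit, 15 for deferred-debit cards). The in-memory dictionary standing in for the vault, the test card number and the sample transaction records are constructed for the example; a real vault would live in a separately secured, encrypted store operated by the payment service provider.

```python
import calendar
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Added example, not the CNIL's code. The vault is an in-memory dict here
# (assumption for the example); a real one sits in a separate, secured store.


@dataclass(frozen=True)
class CardData:
    pan: str      # primary account number (the card number)
    expiry: str   # "MM/YY"


class TokenVault:
    """Replaces card data with a random, single-use token."""

    def __init__(self) -> None:
        self._entries: Dict[str, CardData] = {}

    def tokenise(self, pan: str, expiry: str, cryptogram: Optional[str] = None) -> str:
        # The cryptogram is only needed for the authorisation itself and may not
        # be retained once the transaction completes, so the vault refuses it.
        if cryptogram is not None:
            raise ValueError("cryptogram must not be stored")
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("malformed PAN")
        # Cryptographically random: the token carries no information about the card.
        token = secrets.token_urlsafe(24)
        self._entries[token] = CardData(pan, expiry)
        return token

    def redeem(self, token: str) -> CardData:
        # Single use: the mapping is destroyed on redemption, so a token
        # captured afterwards cannot be turned back into card data.
        return self._entries.pop(token)

    def __len__(self) -> int:
        return len(self._entries)


def masked(pan: str) -> str:
    """Display form a merchant may keep on a receipt: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def complaint_retention_deadline(debit_date_iso: str, deferred_debit: bool = False) -> str:
    """13 months from the date of debit, 15 months for deferred-debit cards."""
    deadline = add_months(date.fromisoformat(debit_date_iso), 15 if deferred_debit else 13)
    return deadline.isoformat()


def records_still_retainable(records: List[dict], today_iso: str) -> List[dict]:
    """Keep only complaint-management records still inside their retention window."""
    today = date.fromisoformat(today_iso)
    return [
        r for r in records
        if today <= date.fromisoformat(complaint_retention_deadline(r["debit_date"], r["deferred"]))
    ]


# Constructed sample records (not real transactions).
SAMPLE_COMPLAINT_RECORDS = [
    {"ref": "txn-1", "debit_date": "2021-10-15", "deferred": False},
    {"ref": "txn-2", "debit_date": "2021-10-15", "deferred": True},
    {"ref": "txn-3", "debit_date": "2022-03-01", "deferred": False},
]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenise("4111111111111111", "12/27")   # widely used test number, constructed input
    print("merchant stores:", tok, masked("4111111111111111"))
    print("PSP redeems:", vault.redeem(tok), "entries left:", len(vault))
    print("retainable on 2022-12-01:", [r["ref"] for r in records_still_retainable(SAMPLE_COMPLAINT_RECORDS, "2022-12-01")])
```

The merchant side keeps only the token and the masked number; the card data itself exists solely in the vault and disappears the moment the payment service provider redeems the token, while the retention helper gives a purge job a single place to apply the 13- and 15-month windows.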
Banking and payment data pose a data protection challenge. This makes it all the more important for companies involved in payment transactions to inform themselves in good time about their own obligations and to take appropriate measures to protect sensitive data. Failure to do so can result in negative press coverage as well as heavy fines in the event of damage.