FRENCH SUPERVISORY AUTHORITY: CNIL publishes a new White Paper on payment data and means of payment

What are the challenges for data protection during a payment? In order to enlighten the public, support professionals and anticipate future transformations, the French Data Protection Authority (CNIL) publishes its new white paper “When trust pays off: today’s and tomorrow’s payment methods facing the challenge of data protection”.

Economic transformations in the face of privacy issues

Increased use of contactless payment, decline in the use of cash, digital euro, transfers between individuals… In the world of means of payment, significant transformations are taking place.

While the economic stakes are considerable, the use of a particular payment method raises important questions about privacy and personal data protection. Payment data (banking data, contextual data, even purchase data) may indeed make it possible to trace personal activities or identify individual behavior. The anonymity of transactions, international data transfers and legal security in the application of the General Data Protection Regulation (GDPR) are all key issues in this field.

Payments and related transactions are not well known to the general public. The field is complex and involves multiple players, yet understanding it properly is a prerequisite for establishing a relationship of trust in innovative uses.

A new white paper to understand, support and anticipate

Faced with these challenges, the CNIL wanted to shed light on the main economic, legal and societal issues relating to data and means of payment, in the form of a white paper entitled “When trust pays: the means of payment of today and tomorrow in the face of the challenge of data protection”, providing perspective, summaries and avenues of work. This white paper is intended for:

  • the general public: for a better understanding of the privacy issues relating to data and means of payment;
  • professionals: for developments on the CNIL’s points of vigilance in this area, as well as the priorities it wishes to set in terms of support.

It addresses a wide range of current issues: from the interplay of players with new competitive dynamics, to the international circulation of payment data – a sovereignty issue for Europe – via the question of anonymity and the use of cash, the new risks arising from the increasing digitization of payment transactions, the use of “crypto-currencies”, the concrete application of the main principles of the GDPR in the field of payments, etc.

The white paper reviews the CNIL’s legal points of vigilance regarding the application of the GDPR in the field of payments and outlines the work to be done to support professionals in this field. By providing legal security, the CNIL will contribute to competitive equality between players as well as to their full compliance with the GDPR.

It develops eight key messages for the ecosystem and the public debate:

  1. the preservation of the anonymity of payments, the use of cash and the free choice of payment methods;
  2. the importance of protecting the confidentiality of transactions from the outset in the ongoing digital euro project, launched by the European Central Bank in July;
  3. the forward-looking attention to be paid to mobile payment, which has considerable development potential;
  4. the interest for innovative players to make their compliance with the GDPR an asset of confidence for customers who are led to entrust their data for new uses;
  5. the main points of application of the GDPR on which the CNIL wishes to provide legal security;
  6. the importance of the security of payment data, with work on the “tokenisation” of this data as a good practice;
  7. a questioning of the location of payment data in Europe, as a contribution to the ongoing debate on European digital sovereignty;
  8. recommendations for the future European Payments Initiative (EPI) card network currently being created.

Finally, payment transactions are at the crossroads of different regulations. This requires close cooperation between financial, competition and data protection regulators, and it also requires that the privacy protection concerns voiced by the CNIL be heard in the national and European debate.

A public consultation to deepen the dialogue

The White Paper is only the first step in the dialogue that the CNIL wanted to open with stakeholders on the subject of payments. A roadmap for educational solutions (for individuals) and support (for professionals) is proposed. It will structure the CNIL’s national and European work in this area for the years to come.

The CNIL wishes to develop a reference framework for compliance with the GDPR for all players in the field. It wishes to do so in partnership with those players and by adapting to the needs of the field: to this end, the White Paper is accompanied by an online public consultation, open until 15 December.

The aim of this consultation is to gather reactions to the White Paper, as well as the positions, testimonies and needs of all stakeholders (general public, professionals, interest groups, researchers, other regulators, etc.) in order to refine the next steps and contribute to the CNIL’s reflection.

SOURCE: FRENCH DATA PROTECTION AUTHORITY – CNIL 
