The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations.

The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts of the ongoing COVID-19 pandemic and the longer-term growth of e-commerce and open banking. In this context, the legal and regulatory environment around payment data is no longer limited to traditional actors in the banking sector or the long-established ambit of banking secrecy rules. As such, stakeholders from fintech startups to established technology giants face an increasing patchwork of compliance obligations.

In recognition of the rapid innovation in the digital payment sector and the complexity of the payment ecosystem, the French Data Protection Authority (CNIL) has published a white paper that provides an overview of the digital payment landscape and the applicable legal framework, with a focus on how companies can comply with data privacy and security obligations.

Mindful of the current debate at the European level regarding digital sovereignty and the development of initiatives such as the digital euro project and the European Payments Initiative (EPI), the CNIL focuses on the following key topics in its white paper:

• GDPR: GDPR compliance as a customer trust factor; guidance on GDPR compliance for payment service providers; security measures such as “tokenization”; location of payment data storage; and international data transfers

• Industry insights: the potential of mobile payments and the importance of maintaining payment options allowing for the preservation of anonymity of payments (in particular through the use of cash)

• European projects: ensuring confidentiality of transactions in the digital euro project (launched by the European Central Bank in July) and recommendations for the EPI, which will create a European bank card network

Payment data, broadly defined

 The CNIL adopts a broad definition of payment data encompassing three categories of personal data:

1. Payment data: Traditionally collected by banks, this data relates directly to the payment method and system. This category includes payment identifiers, transaction amounts, date and time of payment, merchant and beneficiary identities, buyers’ bank account number, and AML score.
2. Purchase data: Traditionally collected by merchants, this data is generated at the time of purchase. This category includes characteristics of products purchased, date and place of purchase, and loyalty card identifiers.
3. Contextual or behavioral data: Often controlled by digital payment actors, this data can be collected when an online purchase takes place. This category includes customer profile information, geolocation, terminals used for online purchase, products considered before the purchase, and time spent browsing.

The CNIL highlights the privacy risks of large-scale payment data, going as far as comparing it to the extensive data commonly generated from communications surveillance. In a quote extracted from the CJEU, in relation to privacy and communications surveillance, the CNIL notes that large-scale payment data “may allow very precise conclusions to be drawn concerning the private lives of the persons”.

The CNIL notes the following specific concerns:

• Silent party data: The CNIL reiterates the EDPB’s approach on the thorny problem of silent party data (as discussed in more detail in Latham’s blog post Privacy and Payments: New Draft EU Advice for Financial Institutions), but without providing additional guidance on the open issues of transparency and a legal basis for processing silent party data.

• Sensitive personal data: The CNIL identifies the problem of the potential inclusion of sensitive personal data (e.g., health data or political opinions) in a payment transaction, which is more tightly controlled under data protection laws.

• “Highly personal nature”: The CNIL notes the “highly personal nature” of certain payment data, for the purposes of data protection impact assessments.[i]

Key data protection compliance issues

 As the CNIL explains, data protection is only part of the regulatory framework applicable to payment data. The sector is subject to a complex regulatory landscape, including, at the EU level alone, the GDPR, the Payment Services Directive, the Anti-Money Laundering Directive, and the Network Information Security Directive. National legislation implementing these European-level regimes and imposing additional or divergent obligations, such as banking secrecy or outsourcing controls, and private sector norms and standards such as the PCI Data Security Standard further complicate this already challenging environment.

In its white paper, the CNIL sets out its expectations and guidance on several key data protection issues, including:

• Qualifying the actors: Under the GDPR, actors participating in personal data processing may be qualified as data controllers, data processors, or joint controllers, and must comply with their respective obligations depending on that categorization. The CNIL recommends stakeholders pay particular attention to these qualifications, considering, in particular, the diversity of actors and the complexity inherent in frequent subsequent data processing (which is common in the payments realm). Criteria such as direct contact with the data subject to subsequent re-use of data for their own account can be used in determining whether an actor should be considered a data controller or data processor.
• Proportionality and data minimization: Fundamental data protection principles applicable under the GDPR such as proportionality and data minimization remain key for effective compliance. The CNIL underscores the importance of determining a specific purpose for each data processing activity, and recommends careful consideration of whether any subsequent uses of that personal data fall within or outside the scope of that original purpose; if outside the scope, further analysis and a specific basis for that subsequent processing would be required. Due to the inherent difficulty in anonymizing payment data as well as the data’s potentially sensitive nature, the CNIL also recommends focusing on data pseudonymization, data minimization, the determination of appropriate retention periods, and the careful selection of third party recipients in order to comply with the principles of the GDPR, including obligations to ensure privacy by design and by default.
• Identification and biometric data: The CNIL underscores the distinction between identification (verification of an “official” identity of a user, to answer the question “Who are you?” via a unique identifier) and authentication (verification that the user is the identified person, to answer the question “Are you really this person?”). The CNIL considers that only authentication, and not identification, is necessary for merchants and other payment recipients. The use of biometric data for identification purposes should also be subject to particular vigilance, as processing biometric data for the purpose of uniquely identifying a natural person is considered processing of special categories of data and therefore cannot, under the GDPR, be based on the commonly used legal bases of “contractual performance” or “legitimate interest.” In this light, the CNIL reiterates its recommendation regarding the use of biometric hash locally stored with the user.
• Applicable legal bases: Given the widespread sharing and subsequent processing of payment data, the CNIL highlights the importance of ensuring that an appropriate legal basis exists for each processing activity. The CNIL considers that contractual performance cannot act as a blanket legal basis, as any processing that is merely stipulated in, but not necessary for the execution of, the contract must have a separate legal basis. Depending on the processing, it may be feasible to rely on legitimate interest (e.g., for security or fraud prevention) or legal obligations (e.g., for compliance with anti-money laundering laws). The CNIL also issues a reminder that consent must be freely given, and interprets this to mean that refusal of consent must not impact the provision of payment services. Finally, for any subsequent processing that is neither based on a legal obligation nor compatible with the original purpose, consent of the user must be obtained, in accordance with the requirements of the GDPR.
• Security of payment data: Due to the attractiveness of payment data to cyber criminals, particular attention must be paid to both minimization of payment data and data security. The CNIL encourages the use of “tokenization,” referring to the method of substituting payment data with randomly generated, single-use tokens, on which it intends to publish additional practical recommendations.

To transfer or not — where to store payment data?

The international nature of payments infrastructures, and the wide reach of certain payments regulatory regimes, can present challenges to actors in the payments processes from a data protection perspective. Although the CNIL does not require that payment data be stored exclusively in the EU, it does highlight the specific requirements that apply to international transfers of personal data, as well as the additional requirements resulting from recent legal developments in the EU (for more information, see Latham’s blog posts The EDPB’s Draft Data Transfer Guidance Following Schrems II — A Close Look, and New Standard Contractual Clauses and Final EDPB Recommendations — Next Steps).

In particular, the CNIL recommends that payments operators:

• Ensure they identify personal data transfers outside the EU, and implement appropriate data transfer mechanisms for such transfers, pursuant to the GDPR requirements (such as adequacy decisions, binding corporate rules, codes of conduct or standard contractual clauses)
• Conduct a case-by-base analysis of each data transfer and the adequacy of the relevant data transfer mechanism, which requires an analysis of the legislation of destination countries
• Consider whether the transfers are actually necessary to provide the services and, if not, consider alternatives in order to minimize compliance requirements and risk
• Provide information regarding transfers outside the EU to individuals (e.g., in relevant privacy policies)

What next?

In light of the regulatory and technological complexities inherent in the digital payment sector, the CNIL highlights the importance of regulatory cooperation, raising public awareness, and, last but not least, continued dialogue with stakeholders. The white paper is presented as a first step in a series of public-facing actions by the CNIL on the topic of payment data, including the publication of action plans for awareness-raising and continued support for businesses and service providers. To this end, and to facilitate the development of a GDPR compliance framework for all stakeholders, the CNIL has launched a public consultation open until December 15, 2021. Considering the rapid business and technological innovations of the sector, the emphasis on stakeholder participation in the regulatory process is encouraging, though how actively the industry will respond to the consultation remains to be seen.

In the meantime, operators in the payment sector should:

• Take the opportunity to consider and minimize their use of personal data where feasible.
• Ensure that they have identified and documented an appropriate legal basis for their personal data processing, and that any subsequent processing is properly identified and carried out in accordance with the GDPR.
• Review their information security practices in relation to payment data and seek to align to the CNIL’s recommendations on pseudonymization and tokenization.
• Identify international data transfers and ensure appropriate data transfer mechanisms are in place and adequate to safeguard the transferred data.

Endnotes

[i]   Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, 7 October 2017, pp. 9 et seq.