Any mobile payment this summer?
As you probably know, this is an ever-growing market. According to a study by the Politecnico of Milan, the new “Mobile and App Economy” was worth 25.4 billion euro in 2013 and can reach 40 billion euro in the next years. A survey carried out in 2014 in collaboration with Doxa (an institute specialized in market research and statistical analysis) shows that 67% of Italian citizens are aware of the opportunities offered by mobile remote payments and that 20% of the population has made a purchase through a mobile phone. This confirms the trends that we addressed during our #Fashionline event.
And what about the current Italian regulations?
After a public consultation, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Authority”) issued its decision on the processing of personal data related to mobile remote payments.
The regulation, as discussed during the consultation, is only addressed to electronic communication providers (the “providers”), hubs offering products and digital services (the “hubs”) and merchants offering digital contents and editorial services, multimedia products and games (the “merchants”).
Pursuant to the regulation, at the purchase of the prepaid card or at the subscription of a telephone contract, providers and merchants – in their capacity as data controllers – are required to provide users with an adequate information notice, which can be split in two: a first summarized notice that includes a second and more complete notice (a solution that the Authority also adopted with regard to cookies, as discussed here).
The information notice shall also be provided by hubs exclusively if they act as autonomous data controllers (directly offering the digital content to the user, guaranteeing assistance further to the sale, as well as managing promotional and marketing communications on digital contents). However, the Authority underlines that should hubs act as managers of the technical platforms used to offer the digital contents to users, they shall be appointed as external data processors. In such case, the information notice shall be provided by providers and merchants listing the hubs as data processors.
The regulation also underlines that consent is generally not required in order to provide the service; however, as a general principle, specific consent is required should providers, merchants or hubs carry out marketing activities or profile the users.
The Authority urges providers, hubs and merchants to protect personal data collected through mobile remote payments by implementing adequate security measures, guaranteeing adequate protection also for sensitive data.
Finally, while IP addresses must be erased by the merchants once the purchase procedure concerning the digital content is completed, other personal data cannot be retained for more than 6 months from the collection (with particular attention to the fact that should the purchase of the digital content be carried out by the user during the subscription of a telephone contract – instead of being a one-shot purchase – the data retention period shall be calculated from the expiry of the subscription).
There are still not sufficient precedents as to how providers, merchants and hubs will concretely address the new provisions, and how the DPA will enforce them.