Means of payment: CNIL warns about data protection

On Wednesday October 6, the French Data Protection Authority (CNIL) published a white paper on payment data and payment methods. It aims to enlighten consumers on how to manage the protection of their payment data, an area in which the CNIL intends to assert itself. An overview of the subject.

Digitization of transactions and payment data

The CNIL's new white paper, entitled "When trust pays", focuses on the management of payment data, at a time when payment methods are undergoing major change.

" Increased use of contactless payment, declining use of cash, the digital euro, transfers between individuals... In the world of means of payment, significant transformations are at work ", explains the Commission nationale de l'informatique et des libertés, which also points to the issue of the popularization of cryptocurrencies.

According to the latest annual report from the Observatoire de la sécurité des moyens de paiement, published on July 6, 2021, online bankcard transactions rose by 13.2% in 2020, and contactless payments, boosted by the Covid-19 pandemic, recorded a 37% increase.

These developments are not without consequences for consumer payment data, whether it be purchase data, banking data or " contextual " data, all of which can " make it possible to trace personal activities or identify individual behaviors ".

The CNIL white paper on payment data and means of payment therefore looks at various issues, such as " transaction anonymity, international data transfers ", or " legal certainty in the application of the General Data Protection Regulation (GDPR )".

From GAFA to the European Central Bank's digital euro

The GAFAs, fully aware of the economic stakes behind this personal data, have entered the payment sector, and most of the companies innovating in this field are fintechs, which calls into question the role of banks.

The CNIL is also taking a close interest in the European Central Bank's digital euro project, and would like to be involved in the work to ensure payment data protection.

The organization focuses on several points in its white paper, starting with the preservation of " free choice of payment methods " and the anonymity of payments.

In the CNIL's view, particular attention needs to be paid to mobile payment, which is set to develop further, and to the protection of payment data, notably via "tokenization", which protects bank card numbers.

The Commission nationale de l'informatique et des libertés also wants to " develop a reference framework, in terms of RGPD compliance, for all players in the field ". However, the second European Payment Services Directive (PSD2), in force since 2018, has already addressed the issue of payment data, and made possibleopen banking, whose foundations are based on consumer consent. The CNIL's desire to regulate is therefore likely to clash with the regulations already in force.