The CNIL warns against confidentiality issues with new payment methods


With the increasing digitization of payment transactions, the development of contactless communications, the use of crypto-currencies, and so on, the CNIL is concerned about the implementation of the General Data Protection Regulation in the field of payments, which, according to the Directorate General of Personal Data, raises important questions concerning privacy and data protection.

“Payment data (banking data, contextual data, and even purchase data) can indeed make it possible to track personal activities or determine the behavior of individuals,” explains the CNIL in a white paper published on October 6. The anonymization of transactions and international data transfers are among the issues addressed in this very comprehensive document, which aims to highlight the key economic, legal and societal issues of data and means of payment.

A wealth of information for every process
The CNIL defines payment data as all personal data used when providing a payment service to a natural person. Concretely, this includes the identifiers of the means of payment, the amount of the transaction, the date and time of payment, the identity of the merchant, his IBAN, the characteristics of the products purchased, the place of purchase, and the identifiers. . Map, geographical location, characteristics of the device used for online purchase, products expected before purchase, etc.

“These data are personal data because they relate to an identified or identifiable natural person (the customer), directly or indirectly. Some of them are considered personal data when taken individually, others because of their joint collection with other data for identification purposes (e.g. browser properties) or because they can be verified with others for the purpose of inferring a person (such as the amount of a transaction),” explains the CNIL. They are valuable because they can be used to track buyer activity and commit fraud.

The CNIL, wishing to develop a reference framework in terms of GDPR compliance for all players in the payments sector, has chosen to fuel public debate and reflection around eight priorities, including maintaining “the anonymity of payments”, the importance of protecting the confidentiality of transactions from the design stage of the European Central Bank’s digital euro project, the development of mobile payment, promotion of the development of “tokenization” to secure transactions by bank card, and the location of payment data in Europe.

