CNIL publishes a new White paper on payment data and means of payment

23 February 2022

What are the data protection challenges when making a payment? In order to raise awareness of the public, support professionals and anticipate future transformations, CNIL has published a new White paper which now can be read in its English version: "When trust pays off: today's and tomorrow's means of payment methods facing the challenge of data protection".

Economic transformations and challenges to privacy

Increasing use of contactless payment, decline in the use of cash, transfers between individuals, digital euro, etc. Significant changes are taking place in the area of payments, witnessing a triple upheaval: technological, competitive, and regulatory.

While the economic stakes are significant, the use of a particular means of payment raises important questions about privacy and personal data protection. The associated data (payment data, contextual data, even purchase data) may indeed make it possible to trace personal activities or identify individual behaviour. The anonymity of transactions, international data transfers, legal certainty in the application of the General Data Protection Regulation (GDPR), are all key issues in this field.

Payments and related operations are not well known to the general public. This is a complex field, not quite transparent, involving multiple players, and yet, a good understanding of it is a prerequisite for establishing a relationship of trust between individuals and innovative uses.

A new White paper to understand, support and anticipate

Faced with these challenges, the CNIL wanted to shed light on the main economic, legal and societal issues relating to data and means of payment, in the form of a White paper providing for perspectives, analyses and a roadmap for future work. This White paper is intended for:

  • the general public: for a better understanding of the privacy issues relating to data and means of payment;
  • professionals: for developments on the CNIL's points of vigilance in this area, as well as the priorities it foresees in terms of support.

It addresses a wide range of issues: from the variety of players with new competitive dynamics, to the international circulation of payment data - a sovereignty issue for Europe - via the question of anonymity and the use of cash, the new risks arising from the increasing digitalisation of payment operations, the use of "crypto-currencies", the practical application of the main principles of GDPR in the field of payments, etc.

The White paper reviews the CNIL's points of vigilance regarding the application of GDPR in the field of payments and it outlines the work to be done to support professionals in this field. By providing legal certainty, the CNIL will contribute to level the playing field between actors as well as to a perfect compliance of these players with GDPR.

It develops eight key messages for the ecosystem and the public debate:

  1. the preservation of the anonymity of payments, by the use of cash and the free choice of means of payment;
  2. the importance of protecting the privacy of transactions by design (from the outset) in the ongoing digital euro project, launched by the European Central Bank in July 2021;
  3. the prospective attention to pay to mobile payment, which has considerable development potential on the French market;
  4. the interest for innovative players to make their compliance with GDPR a factor of trust for customers who are led to entrust their data for new uses;
  5. the main points of application of GDPR on which CNIL wishes to provide legal certainty;
  6. the importance of security of payment data, with the "tokenisation" of this data as a good practice;
  7. questions on the localisation of payment data in Europe, as a contribution to the ongoing debate on European digital autonomy;
  8. recommendations for the future European card network, which is currently being created: EPI (European Payments Initiative).

As regards the legal points of vigilance, the CNIL will focus its attention on the status of actors in the payment chain, minimisation and purpose definition, data sharing and reuse, security, and fraud prevention. A compliance roadmap at national and EU level with the European data protection board (EDPB) will provide advice on the qualification of actors, the trend to enrichment of payment data, and mutualisation of data between players,

Finally, payment operations are located at the crossroads of different regulations, which requires close cooperation between the financial, competition and data protection regulatory authorities. It is worth making the voice of privacy protection issues raised by the CNIL heard in the national and European debates: deployment of instant payment, revision of the PSD2 directive, creation of the European financial data space.

Read the White paper


White paper : key messages