In October 2021, the CNIL published a white paper on data and payment methods. Such a sectoral "focus" is rare and far from insignificant: the supervisory authority announces the creation of a working group with the objective of creating a sectoral code of conduct that is binding for the relevant actors. More frequent and in-depth controls are to be expected. The CNIL has already started to implement the guidelines of its white paper with a first sanction concerning a French fintech.

What are the specific points of attention for the sector?
Qualification of actors. The CNIL identifies several actors who may be involved in payment transactions: banks and credit card networks, merchants and e-merchants, and payment service providers (PSPs). The CNIL reminds us that under the GDPR, these actors can be qualified as data controller (DC), data processor (DP), or joint controllers (JC).

The CNIL does not rule on a "default" qualification of each of the actors in the payment chain and refers to a case-by-case analysis. However, the Commission notes that few of the actors involved in the payment area are in direct contact with the data subjects, which is an indication for qualifying them as DP or JC. In a recent decision, the Commission held that the same PSP could be qualified as both a DC and a DP depending on the processing carried out.

In any case, the processing of personal data relating to payment must pursue a specific, explicit and legitimate purpose and have a valid legal basis.


Legal basis: legitimate interest increasingly questioned. Many actors currently rely on legitimate interest to justify the lawfulness of their data processing. However, the CNIL warns actors about the use of such a basis, indicating that "given the complexity of the payment sector and the opacity of its functioning from the point of view of the data subjects, the reasonable expectations of individuals should be assessed with caution, particularly regarding actors who do not have a direct relationship with them". It also indicates that, given the sensitivity of payment data, processing is often intrusive, which limits the possibility of relying on this basis. However, the CNIL seems to accept this legal basis for processing "aimed at guaranteeing the security of the network and information" or for "fraud prevention".

The following bases and purposes can be given today as examples:
- Performance of the contract for the products and services purchased (pre-contractual and contractual measures);
- Compliance with legal and regulatory obligations: fight against money laundering and the financing of terrorism, fraud detection, responding to supervisory authorities, processing of complaints;
- Legitimate interest: ensuring the security of the service, statistics;
- Consent of the data subject, for example for receiving commercial prospecting.

Risks related to the reuse of data. One of the risks raised by the CNIL is that of the traceability of payment data, i.e. the potentially detailed knowledge by private entities of transactions and their reuse for private purposes. The CNIL reminds actors that DPs can only process data upon documented instruction from the DC. On the other hand, a DC will be able to define the purposes pursued and may consider further re-use of the data in a way compatible with the original purpose. In the payments area, the CNIL believes that compatible purposes must be assessed very strictly. The re-use of data for statistical purposes to improve the payment system implemented may be authorized. On the contrary, the re-use by a payment network of a transaction history to determine a consumer's consumption habits in order to produce a credit risk assessment (for example) does not appear to be a compatible purpose. The CNIL also confirms the illegality of a practice sometimes used by merchants: using, for commercial prospecting purposes, an email address that the data subject provided only to receive a receipt or a dematerialised payment.


Enhanced security obligation. The security of payment methods is a major issue for payment actors, both from a PSD 2 and GDPR perspective. As demonstrated by the recent CNIL decision (see below), it is a question of both the way in which data is stored (readable, freely accessible format) and the length of time it is made accessible.
While actors must be careful about the types of measures implemented, they must also keep in mind that data cannot be stored indefinitely. Setting an appropriate duration not only ensures compliance with applicable regulations, but above all limits the risk of data breach and fraud.


Data localization. The data security obligation that weighs on payment actors does not only result from the GDPR. The European Banking Authority recommends that data be stored in Europe when outsourcing to the cloud. In view of the sensitivity of the data and the particular challenges in terms of privacy, the French General Economic Council would even like to see payment data systematically located in Europe. The underlying issue is that of data transfers from Europe to the United States, which have become difficult, if not impossible, since the Schrems II ruling handed down by the CJEU on 16 July 2020. The CNIL invites the actors concerned to verify the necessity of such a transfer and, where necessary, to consider alternatives to minimize the risk of access that does not comply with European rules.

The CNIL has also included the use of the cloud by companies as one of its priority control themes in 2022, as some solutions involve massive data transfers outside the European Union and therefore entail risks for the protection of personal data. Payment providers can expect increased controls on this issue and decisions that will gradually lead to the relocation of data to the European territory.

On these security issues, the CNIL would like to work on a draft code of conduct that complies with the GDPR and is legally binding for payment service providers, and in this regard offers the industry associations the opportunity to take the lead in this project (with the participation, if necessary, of fintechs and banks).


• The CNIL decision of December 28, 2021 regarding a French PSP
All the previous remarks made by the CNIL should be read in the light of the decision issued by the CNIL's restricted formation on 28 December 2021. In the context of an internal research project on an anti-fraud mechanism, this particular PSP used personal data stored in its databases. However, at the end of the project in 2016, the data used remained stored on an open-access server which "was not subject to any particular security procedure".

This decision highlights the importance of the legal qualification of the parties. Indeed, although the PSP acts in principle as a DP in the context of the provision of its services to its customers, the CNIL nevertheless considered that by implementing such an anti-fraud system, the PSP acted, for this sole processing, as a DC.

The CNIL identifies non-compliances regarding these two qualifications since:
- the PSP as a DP did not implement an adequate legal framework in line with the requirements of Article 28 of the GDPR. The contracts entered into by the PSP with its service providers did not contain the necessary clauses to ensure that the processing of its customers' personal data complied with the regulatory requirements;
- the PSP as DC did not take adequate measures to ensure the security of the data regarding the anti-fraud processing. Consequently, the CNIL notes that the lack of security led to a personal data breach. The CNIL also states that "the absence of proof of fraudulent use of the data has no impact on the characterization of the breach of the security obligation", since this breach is characterized solely by the existence of a risk of fraudulent use of the data. Moreover, the PSP did not properly inform the data subjects (more than 12 million of them) of the breach of their personal data (banking data).

This decision is the first concrete illustration of the points raised by the CNIL in its white paper and invites all players in the payment sector to question their legal qualification as well as the proportionality of the security measures implemented to address the risks.


• What are the next steps?
In conclusion of its white paper, the CNIL proposes a reference framework containing 8 key points to enable the use of personal data related to these payment methods in compliance with the applicable regulations.
- 1st point: preserve a space of anonymity and free choice of the means of payment.
- 2nd point: integrate data protection principles into all projects by design and by default (privacy by design).
- 3rd point: anticipate the widespread use of mobile payments and, in particular, the need to secure payment and purchase data.
- 4th point: the importance of making GDPR compliance a considerable competitive advantage and a differentiating factor for the payment actors.
- 5th point: the importance of ensuring GDPR compliance on the major principles of legal qualification, data minimization, purpose limitation or the implementation of security measures to prevent fraud.
- 6th point: the necessity to implement measures to ensure the security of payment data. In particular, the CNIL invites the actors to put in place tokenisation of data, enabling pseudonymisation and making the link to the cardholder harder to establish. The CNIL has indicated that it will draw up practical recommendations on this subject.
- 7th point: the supervision of international data transfers and, in particular, the question of the location of payment data within the European Economic Area.
- 8th point: recommendations are also made on the so-called "EPI" project (European Payments Initiative), a project for a pan-European bank card network competing with the American networks Visa and Mastercard.
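To make the 6th point concrete, here is an added illustration (not from the white paper or the CNIL) of the tokenisation the CNIL refers to: a hypothetical token vault replaces the card number (PAN) with a random token, so that merchant systems, logs and statistics only ever handle the token, and only the vault can restore the link to the cardholder. It also shows the retention angle raised above: purging the vault entry at the end of the retention period leaves the downstream tokens meaningless. The card number used is the well-known 4111 1111 1111 1111 test value, and the role names are assumptions.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used here only to reject malformed input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only place where token -> PAN survives, so it must be
    isolated and access-controlled; tokens elsewhere carry no information about the PAN."""

    def __init__(self):
        self._pan_to_token, self._token_to_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("malformed PAN")
        if pan not in self._pan_to_token:
            # Random token, deliberately not a hash of the PAN: the PAN space is small
            # and structured, so a hash would be a weak pseudonym.
            token = "tok_" + secrets.token_hex(16)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]  # same PAN -> same token, so statistics stay joinable

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the role that actually needs the PAN (assumed name) may resolve a token."""
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]

    def purge(self, token: str) -> None:
        """End of retention period: drop the link, leaving downstream tokens orphaned."""
        pan = self._token_to_pan.pop(token)
        del self._pan_to_token[pan]


def masked(pan: str) -> str:
    """Display form keeping only the last four digits (receipts, support screens)."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]
```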

This white paper is a "first step of dialogue" that the CNIL wanted to offer to all payment actors on this subject. A public consultation, the results of which will not be published, will allow the supervisory authority to guide the next steps, publications and recommendations on the subject of payments. The CNIL should also develop its plans to create a binding code of conduct for the payment industry.