Client Update – Privacy In Advanced Means of Payment
28 April 2021
Dear clients and friends,
We would like to draw your attention to the fact that on April 22, 2021, the Israeli Protection of Privacy Authority (the “PPA”) published the final version of its policy document regarding privacy in advanced means of payment for the transfer of funds and for payments in businesses (the “Policy”). The Policy includes recommendations for managing the use of advanced means of payment in terms of privacy, consent and data security. It should be noted that the Policy does not apply to or deal with websites and applications managed by banks through which customers perform various financial transactions online.
Nowadays, the main advanced means of payment active in Israel operate in two main configurations: (1) means of payment for the transfer of funds – transfer of funds between individuals (P2P) or collection of payments within a group; and (2) payment in a business – payments are transferred directly to the business via smartphones and/or other smart devices using NFC technology.
In general, the PPA notes that the use of advanced means of payment has many advantages. However, their use raises significant questions of privacy and data security: according to a review conducted by the PPA, these advanced means collect sensitive data about users, which allows the data collector to analyze the users' behavior (both general and economic) in a way that may attest to their personalities, preferences and lifestyle. This is sometimes done for commercial purposes and, on some occasions, such data is passed to third parties.
In light of the above, the PPA notes that it must be ensured that advanced means of payment are used in a way that protects the privacy of the users and allows the users to control such data.
To this end, the PPA has drawn up a series of recommendations, which, in the PPA’s opinion, express the best way to implement the provisions of the Protection of Privacy Law, 1981 (the “Law”), and to give due importance to the issue of the privacy of the users of the advanced means of payment.
The following are the main recommendations of the PPA:
- Consent to data collection as part of granting access permissions – the PPA is of the opinion that there is, in principle, no justification for requiring users, by default, to consent to access permissions for components and data sources on their smartphones that are not generally necessary for using the means of payment, without asking the users for their active consent to grant such access. The PPA recommends that: (a) the privacy policy and terms of use of the advanced means of payment include details of all the access permissions requested during registration and use of the said means, alongside a succinct and understandable explanation of the meaning of granting each access permission and the degree to which it is necessary for operating the service in its basic format. It is recommended that these explanations be presented in the course of downloading the relevant applications to the smartphone; and (b) it be clarified to users that these access permissions are not mandatory for the actual use of the advanced means of payment, and that consent to grant these permissions be given by active choice and not by default (i.e., opt-in instead of opt-out).
- Collection and processing of data through “cookie” files – consent for the use of cookies that are not essential for the use of advanced means of payment will be requested separately, with an explanation of the consequences of consenting to the use of this type of file, and active consent will be obtained under the opt-in model.
- Consent to use other technologies – any material change in the type or identity of the technologies used in the advanced means of payment will be presented to users in order to obtain their renewed active consent, including details of the possible meanings and implications of the said changes for their privacy.
- Details of the rights of data subjects – the privacy policy and terms of use of the advanced means of payment will include details regarding the rights of users in the data collected about them, such as the right to review and correct the collected data.
- Termination of the engagement and retention of data – the privacy policy and terms of use of the advanced means of payment will include details regarding the procedure for disconnecting from the various services, the consequences of such disconnection for the retention of personal data collected, and the uses of such data after the disconnection. A request to disconnect from or terminate the engagement with these services, and the deletion of the applications, will also result in the termination of the use and processing of the data for commercial purposes. Personal data will be retained only as needed to provide services whose necessity is not diminished even after the disconnection, or for a legitimate and specific purpose such as defense in legal proceedings initiated by the client. The termination by a user of the use of one of an operator’s advanced means of payment does not necessarily affect the continued retention of data collected in connection with other means of payment of that operator that are still in use by the user.
To read the policy in its full form (in Hebrew) >> click here
Please do not hesitate to contact us if you have any questions or require any clarification regarding the above.
Kind Regards,
Herzog Fox and Neeman