The French data protection supervisory authority (“CNIL“) has recently published a new white paper on payment data and means of payment (“White Paper“). The area of means of payment is experiencing significant transformations, which are reflected by increased use of contactless payment, emergence of cryptocurrencies as means of payment and a decline in the use of cash. According to the CNIL, these changes raise important questions relating to privacy and data protection. In its White Paper, the CNIL aims to shed light on the main economic, legal and societal issues relating to data processing and means of payment.

The White Paper, which is addressed both to the general public and to professional, addresses a wide range of issues, including the questions of anonymity, the risks arising from digitization of payment transactions, use of crypto currencies and the applications of the main principles of the General Data Protection Regulation (“GDPR“) in the field of payments. The White Paper presents the CNIL’s point of view in terms of the application of the GDPR and its interplay with the field of payments.

In its White Paper, the CNIL raised eight key messages for the ecosystem and for public debate:

1. the preservation of the anonymityof payments, the use of cash and the free choice of payment methods;
2. the importance of protecting the confidentiality of transactionsfrom the outset in the ongoing digital euro project, launched by the European Central Bank last July;
3. the forward-looking attention to mobile payments, which has considerable development potential;
4. the interest for innovative players to make their compliance with the GDPR an asset of confidence for customers who are led to entrust their data for new uses;
5. the main points of application of the GDPR on which the CNIL wishes to provide legal security;
6. the importance of the security of payment data, with work on the “tokenization” of this data as a good practice;
7. questioning of the location of payment data in Europe, as a contribution to the ongoing debate on European digital sovereignty; and
8. recommendations for the future European Payments Initiative (EPI) card network currently being created.

According to the White Paper, payment transactions are located at the crossroads of different regulations, which requires close cooperation between financial, competition and data protection regulatory authorities.

The CNIL is not the only European regulator to notice growing importance of the intersection between the GDPR and payments. Earlier this year, the European Data Protection Board (“EDPB“) has published its work program for 2021/2022, under which the EDPB is planning to specifically address the implications of innovative payment methods and Blockchain on data protection.

Please feel free to contact us if you have any questions regarding the intersection between payment regulations and the use of payment data with data protection regulations.