Privacy Advisor

ITALY—M-Payment and Privacy by Design

May 1, 2013


Massimiliano Pappalardo

According to a recent press release of the Garante, mobile payment in 2012 has been one of the sectors under the spotlight of the Italian Data Protection Authority, and the same will be for 2013.

Although it is not deniable that the mobile ecosystem—as conspicuously outlined in the opinion issued by the European Data Protection Article 29 Working Party about apps on smart devices—involves for the privacy of the users critical issues, the focus of the Garante on these new means of payment, whose development in Italy is still in an embryonic phase, could sound surprising. Pursuant to a recent study of the School of Management of the Politecnico di Milano, in 2012 the overall m-payment transaction value did not exceed 900 million euros. However, we have to consider that, on one hand, the market is rapidly growing: By the end of 2013 the number of users with a near field communication (NFC) smartphone is expected to be six million, and by 2016 the transaction value is expected to reach 12 billion euros. On the other hand, such payment method will dramatically increase the flow in the mobile environment of transactional data, with a significant impact on the private lives of the users.

As stressed by Assistant European Data Protection Supervisor Giovanni Buttarelli with a position paper submitted to the European Commission, m-payment “will increase the number of transactions and therefore the amount of collected and exchanged data. Furthermore, new categories of data such as location data may enter in the financial circuit.” In addition, if we do not limit the overview on the only transactional profiles, considering the further complementary services that could be hosted in the digital wallet, including couponing and loyalty programmes, the possible risks that the virtualisation of the “old” traditional wallet may involve are clearly disclosed. A single tap could be sufficient to trigger various functions and the exchange of a number of personal information between the user and a number of different stakeholders. Indeed, one of the main differences with the traditional cards—payment cards or loyalty cards—is represented by the fact that a smartphone allows a bidirectional sharing of information with the users.

In addition, the collected data might allow a detailed profiling of our behaviours, not solely online where cookies and similar technologies allow a broad traceability, but—in case of mobile proximity payments; i.e., NFC—even with regard to our habits in the real world; the picture of the consumer is now complete!

Moreover, an m-payment platform may involve several players in the data processing: telcos, banks, mobile manufacturers, platform providers, apps developers and, in particular, a wide range of merchants. In particular for small merchants—today usually excluded from the networks of the loyalty programmes reserved to big players—the mobile payment may represent an opportunity to better know the customers and to be able to target them with personalised offers. And the access to the personal data of the customers may represent one of the leverage to promote the acceptance by the merchants of the new modalities of payment and to bear the relevant burdens. According to the mentioned study of the Politecnico di Milano, in Italy the contactless PoS terminals, at the end of 2012, were only 30,000 and are expected to grow up to 170,000 by the end of 2013.

In any case, such a sharing of personal data, in order to comply with the European legal framework, shall have to grant the users’ right to full information and a meaningful selection of the subjects whose access to their personal data will be authorised, also considering the different data processing purposes. The data processing carried out by the different stakeholders cannot leave out of consideration the core principles of the EU data protection directive: necessity, proportionality—also in respect of the data retention—and purpose limitation.

In such circumstances, the implementation of an m-payment system able to create a right balance between the interest of the stakeholders to know their customers and the interest of the latter to be in control of their personal data may represent a crucial factor for the success of the initiative. A central role will be played by Privacy by Design. As outlined by the European Data Protection Article 29 Working Party, in the mentioned opinion on apps, “The concept of Privacy by Design requires from the manufacturers of a device or an application to embed data protection from the very beginning of its design. Privacy by Design is explicitly required for the design of telecom equipment, as provided under the radio and telecom terminal equipment directive.” As well in the U.S., the Federal Trade Commission, in the report "Protecting Consumer Privacy in an Era of Rapid Change," recommended that “companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy.”

Data security and transparency shall have to be at the center of the project. In particular, from the outset of a new m-payment platform, the data flows among the different players shall have to be clearly tracked, as well as the modalities to provide the customers with comprehensive information. A lack of transparency or a careless management of the users’ data may, on the contrary, be fatal errors, with an irreversible impact on the confidence of the consumers.

Massimiliano Pappalardo is founding partner of D&P—Legal Support for Ideas. He is a lawyer admitted to the Italian Bar, Court of Appeal of Milan, with expertise in intellectual property, new technologies and data protection law. In such areas of practice, Pappalardo advises on a regular basis in favor of national and international companies. He is also the IAPP’s Italy KnowledgeNet Chair.