French Council of State confirms the retention of payment card data is subject to the prior consent of the cardholder

CNIL guidance - 2018

In a deliberation on September 6, 2018, n°2018-303 on the retention of banking data, the CNIL stated that customers' banking data can only be kept by a merchant in order to facilitate their subsequent purchases with the explicit consent of the customer.

The only exception applies to customers registered for a subscription reflecting their desire to enter into a regular business relationship.

Decision of the President of the CNIL

In this case, Cdiscount, an online retailer selling primarily electric and household appliances, applied to the President of the CNIL for an amendment to the decision of September 6, 2018, to authorise the retention of payment card credentials for customers who are not subscribers, but whose recurring purchases suggest that they can reasonably expect their payment card data to be retained in order to simplify their subsequent purchases.

The company argued that the retention of customers' data in order to facilitate their subsequent purchases was a legitimate interest of the merchant (as a data controller) on the basis of Article 6 and Recital 47 of the Regulation (EU) 2016/679 of the European Parliament and of the Council, General Data Protection Regulation (GDPR).

However, the President of the CNIL refused to modify the CNIL’s guidance.

Council of State

CDiscount appealed the decision to the President of the CNIL to the French Highest Administrative Court: The Council of State.

In its judgment of December 10, 2020, the French Council of State dismissed CDiscount’s appeal.

The Council considered that the legitimate interest of the data controller must be counterbalanced with the interest or fundamental rights and freedoms of data subjects. The nature of the data processed, the purpose, the processing methods and expectations that individuals may reasonably have regarding the absence of further processing of their personal data must be considered.

On this basis, considering that there was no need to refer the matter to the European Court of Justice, the French Council of State stated that the interest pursued by a controller cannot prevail over the interest of customers to protect this data. Customers’ interest must prevail due to the sensitivity of banking information and the prejudice that may result in the event of fraudulent use, especially since many customers making one-off purchases on these sites cannot reasonably expect that this data will be kept without their consent.  

Link with PSD2 strong customer authentication (SCA)

The judgment of the Council of State does not deal with SCA related issues. However. we believe that the judgment and the provisions on SCA must be read together.

PSD2 requires that SCA be applied when a payer initiates an electronic payment, and a cardholder using a card to make a payment is considered a payment initiated “by the payer through the payee”, rather than a payment initiated by the payee, and therefore in principle subject to SCA – unless the issuer or the acquirer can apply an exemption (we assume that both the issuer and the acquirer are located within the EEA and that the transaction is not MOTO (mail order telephone order)).

The fact that the transaction is initiated on the basis of card details that are stored “on file” by the merchant does not change the fact that the card payment is considered as initiated by the payer (through the payee). Pursuant to the CNIL guidance and the Council’s judgment, the explicit consent of the cardholder is needed for the merchant to store the card credentials on file.

However, card transactions are considered as initiated by the payee (e.g. by the merchant), and therefore fall outside the SCA requirements (so called merchant initiated transactions or MIT) when the cardholder (1) has given a mandate authorising the payee to initiate a transaction or a series of transactions, (2) that mandate is based on an agreement between the payer and that payee for the provision of products or services, and (3) those transactions do not need to be preceded by a specific action of the payer to trigger their initiation by the payee. Setting up of the card mandate is however subject to a one-off SCA - but we would add, by analogy with what the European Banking Authority (EBA) has stated in relation to direct debit mandates, only if a PSP is involved in the setting up of the mandate. In this scenario, the merchant does not need the explicit consent from the cardholder in order to store the card credentials on file.   

Should you have any questions about the above, please do not hesitate to contact one of the members of the Bird & Bird global payments team.

If you would like to receive our regular Payments alerts in your inbox, click here.

If you would like to read Bird & Bird's previous alerts, please check out our Payments In Focus webpage here.