In February 2020, a report submitted to the French Minister of the Economy and Finance (available here; referred to below as the Report) recommended that a data localisation requirement be imposed on payments data, and that France take this proposal to EU level.
The implementation of these recommendations would put in place a number of new requirements on payment industry players, as well as imposing numerous technical changes. We address below the background to the Report, the risks identified in the Report, the recommendations which have been put forward, and the next steps.
Background to the Report
The Report was commissioned in June 2019 by the French Minister of the Economy, Mr Bruno Le Maire. Its authors held a series of interviews with organisations including French banking associations, several French banks, FinTech companies, cloud service providers, technical service providers, large merchants, payment schemes, the French data protection authority (CNIL), the Banque de France and the ACPR.
In the official mission statement, Mr Lemaire asked the report drafters to align their recommendations with those of the Banque de France’s National Committee of Scriptural Payments and its 2019-2020 National Strategy, which for the first time had set the objective of data localisation for payments data.
The purpose of the Report was to assess the feasibility, consequences and limitations of the data localisation obligations that would be imposed on payment stakeholders, financial institutions, merchants and their sub-contractors. The assessment was based on discussions with a panel of experts active in France and representative of the broad range of stakeholders. According to the Report, only a small number of international players raised objections to it - and those objections were not insurmountable.
Key risks identified in the Report
The Report illustrates the threats it is concerned with by reference to several cases: the SWIFT case, involving bulk access to transaction data by the US Department of the Treasury; the Snowden revelations; the US v. Microsoft Corporation litigation of 2017 and 2018; the AWS outage of 2017; and the Cambridge Analytica case of 2018. The main risks highlighted by the Report are as follows:
- Political risk where payment providers could be ordered to suspend services by their government;
- Non-EU governmental authorities accessing data based on court orders (subpoenas) outside of the rules of international law and the mutual legal assistance treaties;
- Risk of spying where a non-EU operator does not provide an adequate level of data protection regarding the payments data of its European customers, and notably where there is a legally binding request for disclosure from the intelligence services in the country where it is operating (e.g. US sanctions);
- Commercialisation of payments data for purposes that are not in the EU's interest;
- Economic considerations including the risk of abuse of a dominant position by non-EU operators that would drive out local competitors through unfair means (e.g. price cutting);
- Governance risks in international payment systems, including the absence of EU players in the bodies that set international payment standards, which could lead to EU players being disadvantaged;
- Weakening the investigative powers of EEA-wide police and judicial authorities, where a non-EU operator might not respond to the requests of an authority.
Recommendations from the Report
The Report makes six recommendations:
- Impose strict data localisation at EEA level, within the GDPR framework, for intra-EEA payments (i.e. transactions where both the payer and the payee are located in the EEA) where the data can be linked directly or indirectly to a natural person. This covers all data attached to a payment transaction between a payer/consumer and a payee/merchant to the extent that the data is directly or indirectly related to an identifiable individual, through the individual's account ID, card or any other payment means, and regardless of whether the account ID is masked or shown in clear. The Report gives as examples merchant details, geolocation information, IP addresses and details of a purchase. Importantly, this obligation would be strict, i.e. payments data must not be transferred outside of the EEA, and it would apply to all players, whether or not they are regulated.
- Include data localisation in the next revision of the EU Interchange Fee Regulation (IFR), so that the processing entity within the meaning of Article 7 IFR (which must be separated from the scheme entity) is required to localise payments data in the EEA.
- Ensure that payments data is not transferred outside of the EEA in the context of X-Pay solutions on mobile devices (e.g. Apple Pay, Google Pay).
- Ensure that when a co-badged card (i.e. a card combining two payment schemes) is being tokenised, for example on a mobile device, two payment tokens are generated, i.e. one for each scheme, in order to respect a strict equivalence between the two brands on the card. Further, the Report recommends this requirement is included in the forthcoming revision of the IFR.
- The European Data Protection Board (EDPB) should issue guidance on (i) the legal status of the parties in the payment chain as either data controller or data processor, alongside the consequences of this designation, (ii) the lawfulness of commercial exploitation of payments data, and (iii) the retention periods applicable to payment intermediaries.
- Ensure that EU financial institutions which outsource the storage or processing of payments data to the cloud are encouraged (i) to use an EEA-based cloud service provider, or (ii) at least to require contractually that a non-EEA cloud service provider localises the data in the EEA. Further, (iii) require that payments data is encrypted in such a way that the cloud service provider cannot recover the underlying data.
As next steps, the Report recommends including a data localisation requirement in the future revised version of the IFR, consulting the EDPB, obtaining new guidelines from the European Banking Authority (EBA) and, ultimately, revising the GDPR itself.
Should you have any questions about the above, please do not hesitate to contact one of the members of the Bird & Bird global payments team.