Watch out retailers - storing payment card details for future purchases just got a lot harder!
17 June 2021
We have all seen the switch to online shopping during the pandemic, when shops were closed for months on end. Irish retailers embraced this new opportunity and turned to the internet to get consumers back in their (virtual) shops. Some customers may never go back to “normal” shopping.
The new normal
Now recommendations issued by the European Data Protection Board (EDPB), the body made up of all the Member State data regulators (like the Data Protection Commission in Ireland) is about to make online selling a bit more burdensome for retailers.
On 19 May, the EDPB adopted Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (Recommendations). Many believe these were issued, in part, in response to the increase in e-commerce fueled by the pandemic.
We are all too well aware of the increased risk of fraud when credit card data is unlawfully accessed. The Recommendations acknowledge that credit card data violation “clearly involves serious impacts in the data subject’s daily life”, as financial data can be used for “payment fraud.” We need only turn our mind to a number of high-profile data breaches which included access to credit card information and the damage and distress this caused, as well as the regulatory action taken, to see why these Recommendations came into being.
So, what are we talking about here?
The aim of the Recommendations is to ensure consistent protection of data subjects’ rights across the EEA under the General Data Protection Regulation (GDPR). Retailers, as controllers, need to have appropriate safeguards in place to decrease the risk of unlawful processing, ensure their customers have control over their personal data and to build trust in the digital economy.
“deal with the storing of credit card data by online providers of goods and services, for the sole and specific purpose of facilitating further purchases by data subjects. They cover the situation where a data subject buys product or pays for a service via a website or an application, and provides his/her credit card data, generally on a dedicated form, in order to conclude this unique transaction.”
The scope is clear - but the EDPB goes on to spell out who and what is not covered, i.e. public authorities, payment institutions operating in online stores, storage of credit card data when complying with a legal obligation or to establish a recurrent payment, e.g. for long-term subscription for a monthly book delivery or for a music or movie streaming service.
Why is consent the only appropriate legal basis?
Under Article 6 of the GDPR, any processing requires the controller to have a valid legal basis to process the data. For the purpose of storing payment card data, the EDPB works through the options in Article 6(1) discounting them all apart from Article 6(1)(a), i.e. the data subject’s consent. It is worth exploring the EDPB’s reasoning in arriving at this conclusion.
Setting aside Article 6(1)(a) for now, the EDPB quickly dismisses the bases contained in Article 6(1)(c), (d) and (e), stating that “in the case of storing credit card data following a transaction, in order to facilitate further purchases” it is not necessary for compliance with a legal obligation, to protect the vital interest of a natural person nor the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
That leaves us with Article 6(1)(b) - necessary for the performance of a contract. While processing the credit card data for the initial transaction is necessary to fulfil the contract, storing the data is only useful for potential future transactions, therefore the EDPB finds that such a purpose “cannot be considered as strictly necessary for the performance of the contract for the provision of the good or service that the data subject has already paid.” So, no relying on this basis either.
What about legitimate interest though? Turning our minds to Article 6(1)(f) the EDPB considers the three elements of legitimate interest:
1. identifying and qualifying the interest;
2. the need to process personal data for the purposes of the legitimate interest pursued; and
3. the balancing test between the legitimate interest of the controller v. the interests or fundamental rights and freedoms of the data subject.
Where we hit a stumbling block is with the second and third elements. The EDPB reasons it is not necessary to store credit card data to “facilitate future purchases” for a legitimate interest that has been identified and qualified under element one. While it might be convenient and persuasive, another purchase is down to consumer choice and is not determined by “the possibility to realize it in ‘one click’”.
The balancing test in the third element also fails. A data subject would not reasonably expect their details to be stored for longer than is necessary to pay for the goods or services they are purchasing. If this data was stored it increases the risk of harm to a data subject should a security breach occur. In these specific circumstances, the EDPB says the fundamental rights and freedoms of the data subject would likely take precedence over the controller’s commercial interest.
All that said there is still the option to store credit card data for future transactions if the data subject consents to the processing for this specific purpose (Article 6(1)(a) GDPR). It is essential the consent is free, specific, informed and unambiguous and most definitely not presumed or a pre-condition to provide the goods or services. It requires a “clear affirmative action” and not a pre-ticked check box (see the definition of “consent” in Article 4 GDPR and the EDPB Guidelines 05/2020 on consent under Regulation 2016/679).
What does this mean in practice?
The first thing to do is work out whether you are in scope. Have you deployed one-click technology and, if so, how does the process work? Do you request the specific consent of the data subject before you store their payment card data after a purchase? If so, how do you obtain the consent? Ask yourself can you demonstrate to the regulator the consent is not presumed, is free, specific and informed and unambiguous, that it is collected in a “user-friendly way” by clear, affirmative action and not a pre-ticked check box? Can you distinguish such consent from the consent for terms of service or sale? Can you show it is not a pre-condition to complete the transaction? How do you ensure a data subject has the right to withdraw their consent to the storing of credit card data for the purposes of facilitating further purchases as required under Article 7(3) GDPR? What is your process for deleting this data stored for this purpose? Is the process as “free, simple and as easy for the data subject, as it was to give consent?”
This list of questions is by no means exhaustive, rather it is designed to get you thinking about what it is you are or should be doing. It is essential to be clear what your legal basis is for data processing in these specific circumstances, i.e. to store credit card data for potential future transactions. If the legal basis was legitimate interest you will need to make some changes in order to comply with the Recommendations. You will need to work out firstly where you have (GDPR style) consent; and where you don’t already have that level of consent, consider how you will obtain it. Will it be more cost-effective and therefore efficient to contact your entire customer base, or are your records such that it will be easy to ascertain where you might need to do some remediation work? How will you obtain this consent? Industry practice is by a check box but remember it cannot be pre-populated! Do you need to update any processes for new customers or can you leverage what you will do for existing customers? Remember to minimise risk, and therefore encourage consent, by ensuring the integrity and security of the IT systems where such data will be held.
Answering the questions above will give you a clearer picture of where you are and what if anything you need to be doing in order to comply with the Recommendations, and of course if we can be of any assistance please contact Victor Timon in the first instance.
UK & Ireland
With offices in London, Oxford, Cardiff, Dublin and Belfast, we are recognised by clients and industry alike as being distinct for our unique culture, market-leading practice areas, sector focused approach and for providing solutions to complex, multijurisdictional business challenges, with a pragmatic and human touch.