According to a recent press release of the Garante, mobile payment in 2012 has been one of the sectors under the spotlight of the Italian Data Protection Authority, and the same will be for 2013.

Although it is not deniable that the mobile ecosystem—as conspicuously outlined in the opinion issued by the European Data Protection Article 29 Working Party about apps on smart devices—involves for the privacy of the users critical issues, the focus of the Garante on these new means of payment, whose development in Italy is still in an embryonic phase, could sound surprising. Pursuant to a recent study of the School of Management of the Politecnico di Milano, in 2012 the overall m-payment transaction value did not exceed 900 million euros. However, we have to consider that, on one hand, the market is rapidly growing: By the end of 2013 the number of users with a near field communication (NFC) smartphone is expected to be six million, and by 2016 the transaction value is expected to reach 12 billion euros. On the other hand, such payment method will dramatically increase the flow in the mobile environment of transactional data, with a significant impact on the private lives of the users.

As stressed by Assistant European Data Protection Supervisor Giovanni Buttarelli with a position paper submitted to the European Commission, m-payment “will increase the number of transactions and therefore the amount of collected and exchanged data. Furthermore, new categories of data such as location data may enter in the financial circuit.” In addition, if we do not limit the overview on the only transactional profiles, considering the further complementary services that could be hosted in the digital wallet, including couponing and loyalty programmes, the possible risks that the virtualisation of the “old” traditional wallet may involve are clearly disclosed. A single tap could be sufficient to trigger various functions and the exchange of a number of personal information between the user and a number of different stakeholders. Indeed, one of the main differences with the traditional cards—payment cards or loyalty cards—is represented by the fact that a smartphone allows a bidirectional sharing of information with the users.

In addition, the collected data might allow a detailed profiling of our behaviours, not solely online where cookies and similar technologies allow a broad traceability, but—in case of mobile proximity payments; i.e., NFC—even with regard to our habits in the real world; the picture of the consumer is now complete!

Moreover, an m-payment platform may involve several players in the data processing: telcos, banks, mobile manufacturers, platform providers, apps developers and, in particular, a wide range of merchants. In particular for small merchants—today usually excluded from the networks of the loyalty programmes reserved to big players—the mobile payment may represent an opportunity to better know the customers and to be able to target them with personalised offers. And the access to the personal data of the customers may represent one of the leverage to promote the acceptance by the merchants of the new modalities of payment and to bear the relevant burdens. According to the mentioned study of the Politecnico di Milano, in Italy the contactless PoS terminals, at the end of 2012, were only 30,000 and are expected to grow up to 170,000 by the end of 2013.

In any case, such a sharing of personal data, in order to comply with the European legal framework, shall have to grant the users’ right to full information and a meaningful selection of the subjects whose access to their personal data will be authorised, also considering the different data processing purposes. The data processing carried out by the different stakeholders cannot leave out of consideration the core principles of the EU data protection directive: necessity, proportionality—also in respect of the data retention—and purpose limitation.

In such circumstances, the implementation of an m-payment system able to create a right balance between the interest of the stakeholders to know their customers and the interest of the latter to be in control of their personal data may represent a crucial factor for the success of the initiative. A central role will be played by Privacy by Design. As outlined by the European Data Protection Article 29 Working Party, in the mentioned opinion on apps, “The concept of Privacy by Design requires from the manufacturers of a device or an application to embed data protection from the very beginning of its design. Privacy by Design is explicitly required for the design of telecom equipment, as provided under the radio and telecom terminal equipment directive.” As well in the U.S., the Federal Trade Commission, in the report "Protecting Consumer Privacy in an Era of Rapid Change," recommended that “companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy.”

Data security and transparency shall have to be at the center of the project. In particular, from the outset of a new m-payment platform, the data flows among the different players shall have to be clearly tracked, as well as the modalities to provide the customers with comprehensive information. A lack of transparency or a careless management of the users’ data may, on the contrary, be fatal errors, with an irreversible impact on the confidence of the consumers.

Written By

Massimiliano Pappalardo, CIPP/E


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»