
Mobile payments - Designing for compliance

Leonie Power
Globally, we are seeing some exciting developments in peer to peer payments, remote mobile web commerce payments and near field communication (NFC) payments – when users hold their device in close proximity to a point-of-sale terminal. The growth of these new payment services will mean that organisations other than banks will have access to information held in bank accounts. In fact, there is likely to be a variety of new stakeholders across various jurisdictions involved in the retail payments industry, including mobile phone manufacturers, telecommunications providers, financial institutions, non-bank payment providers, mobile services infrastructure providers, customers and merchants. Inevitably, we will see telecoms providers "morph" into financial services providers and banks obtaining telecoms licences.
There is a race on and the prize is customer data and the ability to use that data in a way that goes far beyond facilitating a payment transaction. Of course, having a greater amount of data about customers and using it in innovative ways is not necessarily a bad thing for the customer. However, the argument runs that there are significant barriers to entry in the form of European data protection laws and regulations for companies who seek to use US payment products more globally.
Given the myriad of potential stakeholders involved in providing a mobile payments solution, a key issue is to determine who will be acting as a data controller for the relevant personal data since it is the data controller that will generally be responsible for compliance with data protection laws. In some scenarios, for example, where the mobile payments solution simply involves an extension of the current web-based payment solutions offered by financial institutions, it will usually be the financial institutions that will be acting as data controllers. However, in other mobile payment models, the position may be different and in some situations, more than one party may be acting as a data controller.
Nevertheless, it is in the interests of all of the relevant stakeholders to ensure that the mobile payments solution as a whole achieves compliance with EU data protection laws. As in many other areas of technology development, designing for privacy from the outset is fundamental to achieving cost-effective compliance in the long term and the importance of the 'privacy by design' concept has been recognised by its inclusion in the proposed new EU Data Protection Regulation.
But what does 'privacy by design' really mean? Too often in the context of technological developments, the issue of security tends to be touted as the main data protection risk that arises. However, while security is obviously very important, it is only one part of the whole picture and there are a range of other data protection challenges that should not be overlooked at design stage. For example, 'privacy by design' would also demand that the relevant data processing systems are designed in a way that: (i) minimises the data collected (for example by limiting the 'data fields' to be completed); (ii) ensures that only users that have a 'need-to-know' can access detailed transaction information; and (iii) takes account of circumstances in which a banking customer's consent may be required and, if appropriate, provides an interface with the relevant consent mechanism.
In general, all of the relevant data protection principles should be factored into the design stage of a mobile payments solution, where it is possible to do so. Obviously, any design implementation would also need to take account of other laws and regulations (for example, telecommunications regulations and the rules in relation to the use of e-money).
Mobile payments are, and should be, the future for customers and merchants alike, and, as with Big Data, the law should not stand in the way. But by the same token, stakeholders cannot write themselves a blank cheque as regards what they can do with customer data and should be designing for compliance from the outset.
