Mobile remote payments: more protection for users’ personal data under Italian new regulation

The Italian Data Protection Authority (Garante della privacy) has issued new rules for processing the data of individuals who use so-called mobile remote payment services via smartphone, tablet or PC. The regulation (General order on the processing of personal data in the context of mobile remote payment services) was issued after a public consultation and was published in the Official Journal of the Italian Republic on 16 June 2014.

The purpose of the new regulation is to offer greater protection to users who choose to purchase digital goods and services (e.g. subscribe to online newspapers, buy e-books, videos and games, etc.) through the modern forms of remote payment while at the same time providing clear rules for all the market players without hindering the development of the digital market.

The regulation is particularly addressed to telecom operators, aggregators or hubs (companies that provide the technological platform) and merchants (companies that offer digital content and services), but it also applies to any other parties that are involved in the transaction.
The duties of the parties involved may be summarized as follows:

– Companies processing users’ data are not generally required to request the users’ consent to process personal data related to the transaction; however, they are not allowed to process users’ personal data for any other purposes without the users’ specific consent; specific consent is required, for example, for the disclosure of personal data to third parties or for carrying out marketing activities or profiling the users.

– Users must be adequately informed on how their personal data is processed, possibly by a “layered” approach, i.e. displaying an essential information notice containing a hyperlink to the complete version of the same.

– Telecom operators, aggregators and merchants must adopt appropriate security measures to ensure the confidentiality of personal data, such as strong authentication mechanisms for accessing information, procedures for tracking operations and cryptographic systems to protect data.

– Additional measures must be adopted to prevent the combination of the data used for the transaction with different sets of data available to telecom operators and thus avoid “cross” profiling users based on their habits and preferences, unless the user has given specific consent. Merchants can only disclose to telecom operators the category of the purchased product or service; they cannot disclose the specific item purchased, unless it is necessary for providing the services.

– Personal data processed by telecom operators, aggregators and merchants can be kept for a maximum of six months, while users’ IP addresses must be erased by the merchants once the purchase process is complete.

The measures and precautions specified in the Garante’s regulation must be adopted within 180 days of publication in the Official Journal.