Storing Payment card details - what is the lawful grounds for processing?
In an interesting court decision on the 20th December 2020, the use of Legitimate Interest as a lawful ground for processing data came under further scrutiny. The case also explained how such data might be retained and which of the lawful grounds might apply. We would suggest that the reasoning applied to payment information processed for purchases applies equally to charitable donations.
The French Supreme Administrative Court (Conseil d’Etat) held that the French Data Protection Authority (CNIL) lawfully issued a guideline ("recommendation") on consent to the storage of customers' credit card data by e-commerce websites. The Court also found that such organisations do not have a legitimate interest to store credit card data under Article 6(1)(f) of the GDPR.
On 6 September 2018, the CNIL issued a Recommendation on the processing of credit card data in the context of online purchase of goods and services. The recommendation provides that:
(1) Credit card data can only be processed in order to complete a transaction in connection with the performance of a contract; and
(2) The storage of such data in order to facilitate subsequent payments is only possible if:
· (a) The data subject has given prior and explicit consent; or
· (b) The data subject has taken out a subscription offering access to additional services, thus intending to enter into a regular commercial relationship.
Cdiscount, a marketplace website, requested that the CNIL modify those rules. It argued that websites should also be able to store the credit card data of customers who, on the basis of their purchasing frequency, can reasonably foresee that their data will be stored. The CNIL refused the request. Cdiscount therefore sought the annulment of the decision before the French Administrative Supreme Court, which was asked the following questions:
Did the CNIL exceed its remit when interpreting Article 6 of the GDPR in its Recommendation?
Did the CNIL, by requiring prior and explicit consent, wrongly treat credit card data as a special category of personal data (Article 9 of the GDPR)?
Does the data controller have a legitimate interest to process credit card data of recurring purchasers under Article 6(1)(f) of the GDPR?
Can the recommendation be annulled on the ground that it creates a distortion of competition with foreign economic operators that are not subject to similar legislation?
The Supreme Administrative Court dismissed the appeal on the following grounds.
On the CNIL's competence to interpret Article 6 of the GDPR
The Court holds that the CNIL acted within its power when interpreting Article 6 of the GDPR. This power is derived from Article 11(I) and I(2°)(a bis) of the French data protection law (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés). These provisions designate the CNIL as the supervisory authority for France under Article 51 of the GDPR. They also expressly grant the CNIL the power to issue guidelines and recommendations to help achieve compliance with the GDPR.
On the legitimate interest to process credit card data of regular customers (or supporters)
The French Supreme Administrative Court balances the possible legitimate interest of organisations in processing such data against the fundamental rights and freedoms of data subjects. The relevant elements in this test are the nature of the data collected, the purpose and methods of the processing, and the data subject's reasonable expectation that their data will not be subsequently processed.
Firstly, the Court notes that the storage of credit/payment card data does not stem from any legal obligation. It is not necessary to protect vital interests or for the performance of a task carried out in the public interest. Likewise, it is not necessary for the performance of a contract.
Secondly, the Court holds that the storage of credit card data in order to ease future payments does not prevail over customers’ interest in the protection of their data. This conclusion takes into account the sensitivity of this category of data, given the damage that any leak would cause. Furthermore, the Court considers that customers cannot reasonably foresee that such data will be stored.
In conclusion, unless the payment is a regular commitment or a subscription, there is no Legitimate Interest in storing the payment details, despite the perceived convenience of doing so. Instead, such information may only be stored with the informed consent of the individual. This may require a policy update. As consent requires a degree of management, there may also need to be some consideration of how such information is processed and how long it is retained.