On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Before issuing the final version of the provision, the Garante submitted it to a public consultation, which ended on March 4.
As indicated by the authority, this initiative aims to protect those who use smartphones and tablets to buy services, to subscribe to online newspapers, to buy e-books or to download movies or games. It is a new form of payment, which is expected to achieve, in a short time, a remarkable expansion, emphasizing the dematerialization of money transfers.
The Garante’s provision addresses the three main actors of the mobile payment environment:
- The telco operators that provide customers with an electronic payment service via their mobile phone, through the use of a prepaid telephone card or through the telephone bill;
- The aggregators or hubs that provide the technological platform for the delivery of digital products and services, and
- The merchants who offer and sell digital services, online newspapers, e-books, games and other services.
These economic operators are required to provide a detailed notice in order to explain to customers what personal data will be processed and for what purposes. Marketing activities, profiling or disclosure of data to third parties may be carried out only with the consent of the customer. Specific consent is also necessary in the case of processing of sensitive data, for example, in relation to services intended for adults.
Telco operators, aggregators and merchants are also required to adopt security measures to ensure the confidentiality of the data, such as strong authentication mechanisms for accessing information systems, logging procedures for tracking the data-processing operations and cryptographic systems to protect data confidentiality.
As such, technical and organizational measures should be put in place to control database queries and to avoid the possibility of cross-referencing the different types of data available to the telephone operator, notably in the context of customer profiling programs. Users should also be given an easy option to disable the services intended for an adult audience.
User data processed by the operators, aggregators and merchants must be deleted after six months.
Stefano Tagliabue, CIPP/E, CISSP, CISA, works in Telecom Italia’s Privacy Department and has years of experience in managing privacy and information-security issues in the telecommunication industry. Stefano co-chairs the IAPP KnowledgeNet in Milan, Italy.