Invalidation of the Privacy Shield: what impact on our payment methods?


A few weeks ago, the decision of the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, which was a legal framework for data exchanges between the United States and Europe (CNIL). I already had the opportunity to deal with this subject in a previous article.

However, I would like to mention here the potential impacts that this decision could have on our current means of payment…


Means of payment

When we talk about means of payment, we think of bank cards, bank transfers, PayPal, etc…

What you have to understand is that at present in Europe, payment methods such as bank cards are operated by American companies (Mastercard and Visa), and are therefore also subject to American laws. This raises a real question about the management of personal and sensitive data, namely our banking data.

For bank transfers, most, if not all, banks use the interbank SWIFT system, which is the product of a European banking cooperative based in Brussels. This leads one to reasonably believe that it does not depend on US law. On the other hand, it is impacted by the invalidation of the Privacy Shield, given the necessary operations with the United States.

With the explosion of online e-commerce platforms, new payment methods have emerged, mainly American, such as PayPal, Google Pay and Apple Pay, again American companies subject to American law.

In recent years, however, French FinTechs have come to the forefront and new means of payment are being offered, some with the aim of securing and protecting our data. As non-exhaustive examples, we have BizoverBiz and the payment infrastructure Chain4Wallet, or Lydia and Monisnap in the field of dematerialized payment.

What is at stake?

For many, the fact that our financial transactions or personal financial data may be used is not a problem. It is the famous “I have nothing to hide”, or “whether it’s the US or Europe, what difference does it make, it’s all the same”… However, these data are critical: they say a lot about you, your consumption habits, your hobbies, your financial health, your sexual, political and religious leanings…

This information can therefore be used by U.S. digital giants to improve their advertising targeting and to resell aggregate data. Think about the knowledge it is possible to accumulate about you when banking data can be aggregated with your activities on social networks… It allows them to know you better and potentially influence your spending habits; combined with the data collected on social networks, it also gives a better picture of your positioning as a citizen and, who knows, of how to influence you in order to destabilize your country’s politics.

Moreover, being subject to European law is more protective for users than being subject to American law, in particular thanks to the GDPR. This is also a significant difference to take into account.

Why am I focusing on the American digital giants and not on the Chinese? Because to date they have the best penetration on the European market and this is completely in line with their business model.

But whether it is them or the Chinese, the danger to our freedom of thought and politics is just as great, given the legal environment on the American side and, on the Chinese side, the incestuous links between the digital giants and party leaders or former military figures, and the assumed subordination of these actors to their state.

What does the Privacy Shield invalidation change?

Here we refocus on the American digital giants, or any player who needs to exchange data with the US. While many people think that the standard contractual clauses that sometimes exist can protect them, they forget the fundamental reasons for the invalidation of the Privacy Shield. The CJEU specifies with regard to data processing for reasons of public security, defense or state security that: “such processing of data by the authorities of a third country cannot exclude such a transfer from the scope of the GDPR”. In other words, it is sufficient for Americans to invoke a problem of public security, defense or state security to escape the protection of personal data provided by the GDPR.

And in view of U.S. laws (Patriot Act and Cloud Act), it is clear that no guarantee can be given as to how your personal data will be processed if they are used by U.S. companies, or by European companies transferring data to the U.S.

It is therefore interesting to look at the companies managing our bank cards, such as Visa or Mastercard. I will follow up on this subject as I have contacted their DPO in order to understand what personal data they have, where it is stored and if it is transferred to the US.

And I am looking forward to the implementation of the European Payment Initiative (EPI) which should enable us to break free from the American hegemony in this area.

To be continued in the next episode…