Cashback is the decoy of privacy 

The use of electronic payment instruments: cashback

(by Giuseppe Gorga, Aidr partner) The Covid-19 pandemic has strongly accelerated the digitization of mobility services, a revolution that plays a priority role in industrial strategies and in new business models involving public administrations and companies. The constant growth of electronic payment solutions has confirmed the trend, already underway in the transport sector before the crisis, towards the principle of "mobility as a service". Considering the increasingly active role of users in smart mobility, several companies have felt the need to adopt a single, simple infrastructure that gives citizens direct access to all mobility services.

Among the "minor" examples, the platform developed by SIA, a company controlled by CDP Equity, should be noted. The digital tool includes a complete suite of services for paying bus, metro and parking tickets directly by card or smartphone, with the guarantee of the best rate. The service allows the metro and railway ticket to be paid directly at the turnstile using contactless credit and debit cards (Mastercard, VISA and American Express), also virtualized on smartphones and wearable devices, in an easy, fast and secure way. It is possible to use a credit card as if it were a monthly pass: users who purchase the pass online with a contactless credit card can then use the same card to travel across the entire urban public transport network.

The phenomenon has taken on considerable importance and, being a mass phenomenon, it could not fail to fall within the scope of privacy regulation, as a widespread form of cashback. In this regard, the draft regulation of the Ministry of Economy and Finance, examined by the Privacy Guarantor, containing the conditions and criteria for the allocation of reward measures for the use of electronic payment instruments (so-called cashback), was adopted pursuant to article 1, paragraphs 288 to 290, of law no. 160 of 27 December 2019 (the State Budget Law for the financial year 2020 and the multi-year budget for the three-year period 2020-2022), provisions modified and integrated by article 73 of decree-law no. 104 of 14 August 2020, which added paragraphs 289-bis and 289-ter. It is part of the strategy, long pursued by the Italian Government, of discouraging the use of cash in transactions between economic operators and consumers, a strategy that also provides for a cash refund on payments made by electronic means and for the so-called receipt "lottery" contained in the latest budget law.

In the specific case, the new paragraph 289-bis of the regulatory text in question provides that, for the implementation of the reward measure, the Ministry of Economy and Finance must use the technological platform for interconnection and interoperability between public administrations and authorized payment service providers, pursuant to article 5, paragraph 2, of legislative decree no. 82 of 7 March 2005 (the Digital Administration Code, CAD), managed by the company PagoPA SpA. It is then specified that the Ministry must entrust PagoPA SpA with the design, implementation and management of the information system instrumental to the calculation of the reimbursement. Furthermore, paragraph 289-ter provides that the same ministry entrusts Consap - Concessionaria Servizi Assicurativi Pubblici SpA - with all the services inherent to the disbursement of the reimbursement and the additional ancillary and instrumental activities, including the handling of disputes.

The cashback settlement

The regulation - made up of 12 articles - examined here in an essential and timely manner establishes the conditions, cases, criteria and methods of implementation for the allocation of a cash refund in favor of individuals of legal age, residing in the State, who, outside the exercise of a business, art or profession, make purchases from merchants with electronic payment instruments (Article 2). As is evident from the choice of subjects, the legislator was concerned first of all to prevent minors from participating in this kind of "lottery" and, secondly, to exclude adults who make purchases in the exercise of a business activity, art or profession.

As anticipated, the reimbursement program, created through the "Cashback System", was prepared and is managed by the company PagoPA SpA as part of the technological platform - envisaged and governed by article 5, paragraph 2, of the CAD - which collects the data of the "members" and the "merchants" for the purposes of participation in the Program and, once the ranking has been defined, transmits the related information to the APP IO and to the systems made available by the so-called "affiliated issuers" and, for the purposes of disbursing the reimbursement, to Consap - Concessionaria Servizi Assicurativi Pubblici SpA.

Article 3 details the methods of joining the reimbursement program and emphasizes, in particular, the voluntary nature of participation, which involves the release of personal data ranging from highly invasive ones, such as the tax code, to banking data. The rule provides that the "adherent" subject must register in the APP IO, or in the systems made available by an affiliated issuer, his tax code and one or more electronic instruments that he intends to use to make payments, declaring at the time of registration that the registered payment instruments will be used exclusively for purchases made outside the exercise of a business activity, art or profession (Article 3, paragraphs 1, 2 and 3).

Article 4 of the regulation specifies the technical methods by which the so-called "affiliated acquirers" join the system, that is, subjects who have concluded an agreement with the "merchant" for the acceptance of payment instruments through physical devices and who hold an agreement with PagoPA SpA for participation in the Program, or with Bancomat SpA on the assumption that the latter has signed the agreement with PagoPA SpA itself. Article 5 provides for specific agreements between the Ministry of Economy and Finance and PagoPA SpA, and between the same ministry and Consap SpA, for the functioning of the Program. In particular, paragraph 1 of article 5 regulates the agreement between the Ministry and PagoPA SpA for the design, implementation and management of specific functions within the Cashback System, such as the collection of data relating to members and payments: a considerable amount of data at high risk for the very freedom and dignity of the subjects participating in the program. Paragraph 2, on the other hand, governs the MEF-Consap SpA agreement for the management of refunds and complaints, where additional personal data will be held that may also be produced in court. The detailed cashback discipline is found in Article 6, where the measures and reference periods are also established, while Article 7 provides for a temporary experimental phase, valid from 1 December 2020 to 31 December 2020, aimed at allowing an early start of the reimbursement program, exclusively for members who have carried out a certain number of transactions. Article 8, on the other hand, establishes a special refund for the first one hundred thousand members who have totaled the largest number of transactions with electronic payment instruments.

Article 9 specifies the methods of disbursement of the reimbursement, which takes place by crediting the IBAN communicated by the member at the time of joining the Program or at a later time, while article 10 governs the handling of complaints. In particular, paragraph 1 provides that PagoPA SpA makes available a Help Desk service dedicated to assisting members with all aspects relating to the management of the user profile and the services provided through the APP IO, including any disputes concerning the registration of the transactions carried out. Finally, article 12 - entitled "Treatment of personal data" - regulates some important aspects of data protection. First of all, it identifies the roles, functions and responsibilities of the various subjects involved in the system, i.e. the Ministry of Economy and Finance, PagoPA SpA, Consap SpA and the affiliated issuers and acquirers (controller, processor and sub-processor of the processing; paragraphs 1-5). It is then envisaged that the Ministry will carry out, prior to the processing, the impact assessment pursuant to Article 35 of the Regulation and submit it to the prior verification of the Guarantor; the technical and organizational measures set up and used to guarantee a level of security adequate to the risk must also be indicated for the assessment, and the times and methods of cancellation from the Program must be regulated (paragraphs 6 and 7). In compliance with the principle of purpose limitation, the personal data collected may be processed exclusively for the execution of the Program and for the payment of the expected reimbursement, limiting the processing of the data relating to the identifier of the merchant to the sole purpose of verifying the transactions involved in a complaint (paragraph 8).
Finally, paragraph 9 of the article authorizes the Ministry to produce statistics on the implementation of the Program, also processing the personal data of the members relating to participation in the Program, the number and value of transactions carried out, and the reimbursements paid, in compliance with the relevant deontological rules (Deontological rules for processing for statistical or scientific research purposes carried out within the National Statistical System, referred to in Annex A to the Code, which should be cited in full in the draft).

It should be noted here that the processing of data underlying the functioning of the Program clearly presents high risks for the rights and freedoms of the data subjects, deriving from the massive and generalized collection of detailed information, potentially referable to every aspect of the life of the entire population, which requires specific assessments of the proportionality of the processing and the identification of the measures to be adopted in order to comply with the requirements of the Regulation. The observations and suggestions of the Privacy Guarantor on the text were, in fact, precise and pertinent. In summary, the legal basis authorizing the processing should be proportionate to the purposes pursued and contain the other lawfulness requirements provided for by European and national data protection legislation (Article 6, paragraph 3, of the Regulation). From this point of view, the regulation presents evident criticalities, since it is not specified that the IT system in question - the Cashback System - does not coincide with the technological platform referred to in Article 5, paragraph 2, of the CAD, but operates within it. Furthermore, the roles and responsibilities of the various subjects involved in the system in terms of data protection have not been explicitly identified (Article 12, paragraphs 1-5). The regulation should, therefore, confine the processing carried out to the purposes of the so-called cashback, in compliance with the purpose limitation principle, and introduce an additional specific guarantee for the processing of the identifiers of the merchants with whom the transactions transmitted to the Cashback System are carried out (Article 12, paragraph 8).

Furthermore, measures should be introduced to ensure that affiliated acquirers transmit to the system only the data relating to transactions carried out through the payment instruments indicated by the parties participating in the initiative (Articles 4, paragraphs 1 and 2, and 5, paragraph 1), and to better define the ways in which the APP IO, or the systems made available by the issuers, make available to members, in compliance with the principle of minimization, the amounts of the reimbursements due and the position in the ranking (Article 5, paragraph 1, letter e). It will also be necessary to identify the methods and times for storing data and the measures necessary to ensure that the information is processed only for the time strictly necessary to achieve the specific purposes and subsequently deleted (articles 4, paragraph 5, and 12, paragraphs 7 and 9), as well as to define, for greater guarantee, the security measures to be adopted in the processing of data, with particular reference to the protection, through non-reversible cryptographic functions, of the identifiers of the electronic payment instruments (PAN, Primary Account Number) used by subjects adhering to the initiative, also in compliance with the PCI DSS (Payment Card Industry Data Security Standard) (Article 4, paragraph 1). It will also be necessary to specify the guarantees to be applied to the processing of personal data carried out by the Ministry for statistical purposes within the National Statistical System, limiting the types of data that can be processed (Article 12, paragraph 9), and to carry out an impact assessment of the processing, given the high risk involved, in order to identify the technical and organizational measures suitable to guarantee an adequate level of security (Article 12, paragraphs 6 and 7).
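The Guarantor's request that PANs be protected with non-reversible cryptographic functions can be illustrated concretely. The following Python example is added here and is not code from the regulation, from PagoPA or from any other party named above; it shows how a system like the Cashback System could count transactions per registered payment instrument while holding only a keyed, non-reversible identifier of the PAN (an HMAC-SHA256 token) and the last four digits for display. The secret key, the `cashback-program` context string, the registry layout and the sample card numbers are all assumptions constructed for the example; the sample PANs are standard test numbers that merely pass the Luhn check and belong to no real cardholder.

```python
import hashlib
import hmac
import secrets

# Constructed sample PANs (test numbers that pass the Luhn check, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

# Constructed key for the example. In a real deployment the key would be
# generated with secrets.token_bytes(32), held only by the tokenization
# service (e.g. in an HSM) and never stored next to the tokens.
DEMO_KEY = b"\x01" * 32


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped or malformed card numbers before hashing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_token(pan: str, key: bytes, context: bytes = b"cashback-program") -> str:
    """Keyed, non-reversible identifier for a PAN.

    HMAC-SHA256 is used instead of a plain hash because the space of valid
    card numbers is small enough to enumerate: an unkeyed SHA-256 of a PAN
    could be reversed by hashing every candidate number, whereas the HMAC
    cannot be recomputed without the key. The context string separates
    tokens issued for this program from tokens of any other system that
    might use the same key, so tokens cannot be correlated across systems.
    """
    pan = pan.replace(" ", "")
    if not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, context + b"|" + pan.encode(), hashlib.sha256).hexdigest()


def masked_pan(pan: str) -> str:
    """Display form permitted by PCI DSS: at most the last four digits in clear."""
    pan = pan.replace(" ", "")
    return "*" * (len(pan) - 4) + pan[-4:]


def register_instrument(registry: dict, pan: str, key: bytes) -> str:
    """Enrol a payment instrument; only the token and the masked form are kept."""
    token = pan_token(pan, key)
    registry[token] = {"display": masked_pan(pan), "transactions": 0}
    return token


def record_transaction(registry: dict, pan: str, key: bytes):
    """Attribute an incoming transaction to a registered instrument, or drop it.

    Transactions from instruments that were never enrolled are not stored at
    all, which is the minimization rule the Guarantor asks acquirers to apply.
    """
    token = pan_token(pan, key)
    entry = registry.get(token)
    if entry is None:
        return None
    entry["transactions"] += 1
    return token


def run_demo(key: bytes = DEMO_KEY) -> dict:
    """Enrol the two sample PANs, then feed three constructed transactions."""
    registry: dict = {}
    for pan in SAMPLE_PANS:
        register_instrument(registry, pan, key)
    record_transaction(registry, "4111 1111 1111 1111", key)  # same card, spaced
    record_transaction(registry, SAMPLE_PANS[0], key)
    record_transaction(registry, SAMPLE_PANS[1], key)
    record_transaction(registry, "4012888888881881", key)      # not enrolled: ignored
    return registry


if __name__ == "__main__":
    for token, entry in run_demo().items():
        print(token[:16] + "...", entry)
```

Note that the registry never contains a full PAN: the token is what the acquirer and the Cashback System exchange, the masked form is what the app can show the member, and the key stays with the tokenization service. Rotating the key would invalidate every token, so in practice key rotation has to be planned together with re-enrolment of instruments.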

Finally, as part of the verification of the impact assessment, the characteristics of the APP IO should be examined, in particular the intended use of push notifications, the automatic activation of services not expressly requested by the user, and the transfer of personal data to third countries, which must in any case be reassessed in light of the recent judgment of the Court of Justice in the Schrems II case (16 July 2020, case C-311/18).

The security of cashback

As regards the security profiles of cashback, it should be borne in mind that the controller of the processing of personal data is the Ministry of Economy and Finance (MEF), which makes use of PagoPA SpA and Consap SpA, companies owned by the State, as processors of personal data (pursuant to art. 28 of the GDPR) for carrying out the activities necessary to guarantee the participation of members in the Program and the timely disbursement of reimbursements in their favor, as well as to manage any complaints and/or disputes deriving from participation in the Program.

A problem of data security therefore arises, with the data in public hands, since in this specific case personal and special categories of data are disclosed through the IO app, concerning the quality and category of the goods purchased, in addition to the IBANs of bank current accounts.

In relation to the frenzy of the so-called "receipt lottery", a huge flow of data travelling over the Internet will be constantly exposed to the possibility of interception; the registration procedure that has been launched has already posed so many problems that it is not difficult to foresee a vulnus to current accounts, with consequent profiles of liability between the MEF, the banks and the network operators.

It should also be noted that PagoPA SpA in turn declares itself to be the data controller, whereas the MEF qualifies it as a data processor. PagoPA declares itself the controller only for the use of the computer systems and software procedures used to operate the site and for the data acquired in the normal course of their transmission, which involves the use of Internet communication protocols. It is known that cashback is on a voluntary basis, since the user must take action to obtain it and must enter, again voluntarily, the instruments such as debit or credit cards and the IBAN on which the "premium" is to be paid, everything being left to the action and responsibility of the users. However, it is bitter to report that, after the failure of the IMMUNI app, whose fate was sealed by the danger to privacy, with the IO app, that is, with a so-called "State cashback" operation for Italians, privacy is worth only 150 euros.
