Introduction

With the new GDPR regulations soon to be enforced, many of us are reflecting on our own providers and on the services we use elsewhere. As Data Controllers, we are now partially responsible for ensuring that the services we use are also GDPR compliant - we can no longer say, "That was our supplier who lost the data".

Firstly, most people don't seem to know that the GDPR regulations are already law! The 25th May is not a release date; it is the date the EU set for enforcement to begin. In other words, serious companies could and should already have these principles in place.

Of course, what actually happened was that this revealed some widespread abuses of personal data, with many companies putting compliance off until the last minute to avoid restricting what they do - after all, knowledge is power! PayPal is a case in point: a large, well-known payment provider that you would expect to treat your data with respect and to be at the front of the queue to be compliant.

But NO. There is almost no information anywhere about what they have done and why, and a new Privacy Policy that is effective from 25th May - yes, effective at the last possible date, even though it appears to be finished. Why? This is the first of several stinks. The only explanations would be either that they think 25th May is the start date of the regulations (we would expect the highly paid lawyers at a large company not to be so stupid) or that they are currently not acting in the spirit of the GDPR and want to delay these new regulations for as long as they can get away with it.

Currently, when processing credit card payments, even Guest Payments, PayPal require you to tick a box agreeing to terms that include marketing, even though you are not dealing with PayPal; you are dealing with the shop that you want to pay. That in itself is unclear and underhanded!

But OK, PayPal are not breaking any laws until the 25th (well, actually they are, but this will not be enforced until 25th May). Let us look instead at their new Privacy Policy to see whether it looks compliant with both the letter and the spirit of GDPR:

tl;dr: It isn't, and you should stop using them!

First Impressions

One of the main principles of GDPR is that the documents should be plain, easy to read and obvious. This document's language is generally readable, but it contains too many abstract or blanket terms that seem to hide an intention to do other things. For example, the statement, "To operate the Sites and provide the Services, including to...communicate with you about your Account, the Sites, the Services, or PayPal". Communicate with me about PayPal? That sounds like "we will communicate with you about anything we feel like", and it sits under the heading "To operate the Sites and provide the Services". In other words, they are saying it is legitimate business to communicate with me about PayPal! Of course, they might mean "about PayPal being unavailable" or "about PayPal changing its name", but these need to be explicit.

The layout is otherwise OK and the headings are understandable, although the contact info is a little spread out.

Why Do We Retain Personal Data

This section is quite small and contains a few iffy statements. Firstly, saying that they keep data for their legitimate business purposes is not helpful if they think this includes marketing, selling data, advertising tracking etc. They might consider these legitimate, but that doesn't mean they are a proportional, reasonable or expected use of the data. It is also not helpful to write an unbounded statement like, "We may retain Personal Data for longer periods...if it is in our legitimate business interests". It is a 'nothing' sentence, because everyone is obviously allowed to keep data for as long as is reasonable for business interests and not prohibited. Sentences like this have the smell of someone trying to hold onto retention rights that wouldn't stack up if they were stated explicitly.

Of course, it might also just be poor-quality copy, but that would be unfortunate for a company that must pay millions for legal advice!

How Do We Process Personal Data

This is really where the rubber hits the road, since it exposes the heart of most companies' appetite for data, control and power, and PayPal is no exception.

The sub-headings are fine and understandable. So they process data to operate the service, basically. Great! What does this include?

I already mentioned "communicate with you about your Account, the Sites, the Services, or PayPal", which might be innocent but also sounds a bit too blanket for my liking. "create an account connection between your Account and a third-party account or platform" is another abstract statement. Obviously, if there is a link between me and, for example, my card provider, that would be reasonable and expected. If it were a link to an advertising platform or an external data analysis company, it wouldn't (necessarily) be.

"To manage our business needs". Again, the problem here is that you can read things in two ways: "improving the services" could mean surveys and unwanted emails from PayPal, but it could also just mean watching the system stats to find out if, for example, there is a problem for users in the Far East.

They mention "enforce the terms of our Sites and Services" twice - nothing like proof-reading!

The consent part will always be generally OK, because now that consent has to be explicit, it is up to the user to consent to whatever they want - as long, of course, as PayPal actually implement this properly. There are still plenty of sites that automatically opt you in to marketing!

PayPal should clarify some of these. If they are thinking of something specific, they should provide an example, not abstract the principle so much that it is unclear what they are saying.

Do We Share Personal Data

This is now more to do with whether we trust third parties and/or consider their use reasonable and expected. The opt-out for these needs to be clearer.

"With other members of the PayPal corporate family". Who? This could be a separate legal entity (expected) or some other random service (not expected).

"With other companies that provide services to us". Mostly OK until we get to "send you advertisements for our products...". Are we only talking about this if you have opted in? If we opt out, does this data get removed from those other companies, or will it become more Data Rubble that lingers on the web?

"With other financial institutions that we have partnered with...". I don't think so. The wording of this suggests that consent is not involved, in which case this is completely unacceptable! You cannot share data unless it is reasonable, expected or consented to. If I haven't asked for marketing, then you can't share my data with a company that is selling something.

"With other third parties...". Some very worrying statements here:

  • "If we believe, in our sole discretion, that the disclosure is necessary...". Sorry, that is completely unlawful. You cannot disclose any personal data except for legal reasons, and those reasons need to involve a legal entity like the police, not some random person at PayPal.
  • "To protect the vital interests of a person". What? By giving my data away, you will protect me? Someone else? Another very smelly term that needs to be qualified or removed.
  • "To investigate violations...". Again, this needs to be lawful; you cannot disclose someone's data to a third party purely for your convenience.
  • "To protect our property, Services and legal rights". What?
  • "To facilitate a purchase or sale of all or part of PayPal's business". Completely illegal. Even if PayPal were bought by someone else, the new owner would not automatically inherit access to the data!
  • "To help assess and manage risk...". Not to third parties. Maybe in the 1950s, but you need a lawful reason to process data, and if there is a legal concern, no-one outside PayPal should be given anyone's data without legal intervention.
  • "To companies that we plan to merge with or be acquired by". Again, I am not sure this is automatically lawful.
  • "To support our audit, compliance and governance functions". Nope. Audit and compliance are not a lawful basis for someone having access to personal data and, since they are not legal requirements (generally), cannot override the GDPR regulations.

Conclusion

There are other parts that are not great but don't raise alarm bells. It is also a shame that they do not use the phrase Data Controller anywhere, although they do provide contact details for their Data Protection Officer and a way both to check FAQs and to contact them with any other questions.

Personally, I won't use PayPal until they start seeming like someone on the side of Privacy. They make tonnes of money from payment commissions and have no reason to do all the other stuff on the side unless they are simply greedy. If the writing is merely poor and they are not doing anything nefarious, then they need to make some massive changes to the web form for payments and make the wording much more transparent.

Currently, for my money, I don't trust them and will wait for some test cases against them.