This chapter considers EU data protection law, most notably Regulation 2016/679, the General Data Protection Regulation (GDPR). The GDPR governs the processing of data that identifies an individual or makes her identifiable. It sets out circumstances when the process is lawful. The most notable of these is that the individual consented to it; processing is necessary to perform a task in the public interest or in the exercise of official authority; or the data is required for the pursuit of a party’s legitimate interests unless the fundamental rights of the individual overrides these interests. Individuals have a number of rights in respect of their personal data. These include the right to information about it and to access it, and to rectify inaccurate or incomplete personal data. Arguably, most contentiously, the individual can have the data erased if she withdraws her consent or the data is no longer necessary for the purposes for which it was processed. This right must be balanced against other interests, most notably the freedom of others to expression and information.

While mobile payments bring great benefits like convenience, flexibility and efficiency, they are not without risks. Among them, the data privacy risk is probably one of the most serious, which is largely caused and exacerbated by the involvement of multiple players and the extensive collection of personal information. China has been trying to consolidate and modernize its regulatory regime for data privacy to suit the needs of the new digital era. China has made great efforts to enact new laws and regulations to delineate the scope of personal information, introduce the obligations for data controllers and processors and incorporate the principles of the Fair Information Practices. However, there are some remaining concerns; the ineffective requirements of consent and disclosure, the ambiguous principle of purpose limitation and the limited applicability of the principle of data minimization. There is a need for China to enact a specific law for data protection, establish a unified law enforcement agency and enhance private and public enforcement. The issue of data privacy is not unique or limited to mobile payment and can apply to other sectors of Fintech and even beyond.