French Data Protection Authority’s instructions regarding NFC payment cards. On 19 May 2015, the French Data Protection Authority (“the CNIL”) published straightforward guidelines (“fiche pratique”) on near field communication ("NFC") payment cards. In the guidelines, the CNIL reaffirms some principles governing NFC payment cards. The guidelines state that NFC payment cards can only be used for payments of a sum lower than EUR 20. For any amount greater than EUR 20, the card holder will have to enter a confidential code. Furthermore, the code will also be necessary when the aggregated amount of payments exceed a certain fixed amount. The guidelines also state that banks must clearly and precisely inform cards holders of the NFC functionality and must provide them with an efficient, user-friendly means to oppose it. To respond to clients’ request not to have an NFC card, some banks have, for instance, offered an NFC-disable function on their website which will be taken into account at the next use of the card in an ATM machine. The CNIL expressly specifies that if a bank does not accept to disable free of charge and with no condition an NFC function upon a card holder’s request, then the card holder can submit a complaint to the CNIL, which will contact the bank if it has sufficient elements grounding the complaint. The CNIL also emphasizes the importance of NFC card security in these guidelines. The names of the card holders is not anymore readable through the NFC interface for all cards issued from September 2012. Furthermore, from June 2013, the transaction history is also not readable. Banks must constantly adapt their security measures to guarantee that data in cards are not collected and reused by third parties. The CNIL recommends the application of the recommendations issued by the payment cards security observatory in 2007 and 2009 and to encrypt all the data exchanges in order to prevent any access to the data. For more information, please contact Denise Lebeau-Marianna or Valérie da Costa.