Expert Report: Massive Data Protection Violations at PayPal
PayPal is once again under criticism. An expert report accuses the service of massive GDPR violations and data misuse for advertising purposes.
An expert report by the Netzwerk Datenschutzexpertise (Data Protection Expertise Network) paints a grim picture of how the payment service provider PayPal handles user data. The experts list a multitude of violations against the GDPR and the Payment Services Supervision Act (ZAG). The central accusations concern impermissible data processing for advertising purposes and invalid consents.
The Netzwerk Datenschutzexpertise also bases its investigation on PayPal's status as a US company, whose data practices could potentially be subject to political influence. A main point of criticism from the appraisers is the use of transaction data for the new advertising business "Offsite Ads". PayPal, which has struggled with disruptions in the recent past and is expected to face competition from the more data protection-friendly European wallet Wero, analyzes "purchase data from its network" to display targeted advertising on third-party websites and in apps.
According to the expert report (PDF), this constitutes a legally impermissible change of purpose. The ZAG clearly stipulates that payment service providers may only "access, process and store personal data necessary for the provision of their payment services with the explicit consent of the payment service users." According to the experts, PayPal does not effectively obtain this consent. For example, consent for advertising is pre-selected when setting up an account, which contradicts the principle of "Privacy by Default" (Art. 25 GDPR); effective consent, by contrast, requires an active action by the user. The authors state: "When setting up a PayPal account, the customer receives no information about the significance of the pre-checked consent. This does not meet the requirements for informed (explicit) consent."
The experts are particularly critical of the disclosure of data to third parties. In its privacy policy, PayPal links to a list of around 600 companies from "many countries around the world" to whom data may be disclosed – including credit bureaus, marketing firms, and US companies like Google and Facebook. It is impossible for users to track which data flows to whom. The expert report criticizes that the list is "not understandable for many users" as it is currently only available in English and hidden behind a link with the "misleading heading 'Notice on Banking Regulations'".
A long list of legal violations
The list of violations identified in the expert report is long and affects almost all aspects of data processing. For example, "information to data subjects about purposes, legal bases, data recipients, intra-group cooperation, and automated decision-making procedures used" is insufficient. Intra-group data exchange is criticized as being non-transparent, and PayPal denies its "joint data protection responsibility" with merchants and banks, contrary to the requirements of the GDPR.
Furthermore, the consents obtained are also legally invalid in other aspects, which applies in particular to the legally required "explicit consent" for the processing of sensitive data or for advertising purposes. The protection of health data or professional secrets is also "not guaranteed." The storage period, which at a flat rate of ten years after the end of the contract "exceeds the legally permissible limit," is also criticized. Finally, the appraisers raise "many open questions" regarding cross-border data processing and express doubts that the rules used for this (Binding Corporate Rules) meet the requirements of the GDPR.
Thilo Weichert from Netzwerk Datenschutzexpertise sharply comments on the findings: "US BigTechs are rightly facing public criticism for their aggressive and illegal data processing. It is shocking that PayPal has remained under the public radar so far. This must change, especially after the financial service provider has massively entered the advertising business since spring 2025 and is misusing sensitive payment data from consumers for this purpose." Supervisory authorities have not taken sufficient action so far. PayPal has not yet responded to a request for a statement. The authors had confronted PayPal with a comprehensive list of questions, but – despite further inquiries – only a few questions were answered.
(mack)