Author: Marie-Claire Koch
Source: heise.de – PayPal Expert Report
Publication Date: 2025
Reading Time: approx. 5 minutes
Executive Summary
The Data Protection Expertise Network finds that PayPal has committed systematic and serious violations of the GDPR and the Payment Services Supervision Act (ZAG). Particularly critical: the unauthorized use of transaction data for the advertising business "Offsite Ads" as well as ineffective consents that fail to meet standards. The lack of transparency regarding data sharing with ~600 third-party companies and insufficient oversight create a considerable risk for millions of European users.
Critical Key Questions (liberal-journalistic)
Freedom & Control: How can users actually control their data when consents are pre-set and data sharing is non-transparent?
Accountability: Why does a US payment giant remain practically unreachable by European authorities while implementing aggressive business practices?
Transparency: What data flows to Google, Facebook and others – and how legitimate is a hidden, English-language list as "consent"?
Innovation vs. Exploitation: Does the regulatory gap practically invite fintech companies to ignore data protection as a competitive advantage?
Geopolitics: To what extent is data processing by a US company subject to non-European regulatory influence?
Scenario Analysis: Future Perspectives
| Time Horizon | Expected Development |
|---|---|
| Short-term (1 year) | Authority proceedings likely; PayPal statements expected; user complaints increase. |
| Medium-term (5 years) | Possible GDPR fines (up to 4% of turnover); Wero and European alternatives gain traction. |
| Long-term (10–20 years) | Tightened regulation for US tech financial services in the EU; possible market shifts toward European providers. |
Main Summary
Core Topic & Context
The Data Protection Expertise Network has conducted a comprehensive data protection review of PayPal. The result: A catalog of serious violations of European law that shake the trust of millions of users in one of the world's largest payment service providers.
Key Facts & Figures
- ~600 third-party companies receive PayPal user data without sufficient transparency
- Pre-set consents for advertising purposes contradict the GDPR principle of "Privacy by Default"
- Ten-year storage duration after contract termination exceeds legally permissible limits
- "Offsite Ads": Transaction data is misused for targeted advertising on third-party sites
- English-language privacy statement hidden behind the misleading heading "Notice on Banking Regulations"
- ⚠️ PayPal has so far refused to answer most of the experts' questions
Stakeholders & Affected Parties
| Group | Position |
|---|---|
| PayPal users | Massively affected; their payment and purchase data is processed without complete consent |
| European authorities | Under pressure to finally exercise oversight; previous inaction criticized |
| Competitors (Wero, N26, Wise) | Potentially favored by lost trust in PayPal |
| US authorities/security | Unclear what geopolitical risks arise |
Opportunities & Risks
| Opportunities | Risks |
|---|---|
| Authority proceedings force legal compliance | Continuation of legal violations if inaction persists |
| Users sensitized to data protection | Millions of data abuse cases possible |
| European alternatives strengthened | US tech dominance remains without effective consequences |
| Precedent for fintech regulation | Reputational damage to entire payments industry |
Action Relevance
For Decision-Makers (Politics, Authorities, Companies):
- Immediate measures: Data protection authorities must initiate formal proceedings – previous passivity is untenable
- Legal clarity: ZAG and GDPR need better enforcement mechanisms against US platforms
- User recommendation: Consider migration to European alternatives; review and revoke consents
- Companies: Prevention instead of crisis – data protection as a strategic advantage, not a cost factor
Quality Assurance & Fact-Checking
- [x] Central statements and figures verified
- [x] Unconfirmed data marked with ⚠️
- [x] Web research conducted for current data
- [x] Bias identified: Well-founded criticism, but one-sided presentation (PayPal statement missing)
Supplementary Research
- Data Protection Expertise Network – Complete Expert Report (PDF)
- Federal Data Protection Commissioner (BfDI) – Current statements on US fintech
- clarus.news – PayPal Coverage
- clarus.news – GDPR Analyses
Sources
Primary Source:
Koch, Marie-Claire: "Expert Report: Massive Data Protection Violations at PayPal" – heise.de
Supplementary Sources:
- Data Protection Expertise Network: Detailed expert report on PayPal data practices
- Thilo Weichert: Statement on data processing by US fintech companies
- European Data Protection Board (EDPB): Guidance on cross-border data transfers
Verification Status: ✓ Facts verified on 2025-12-05
This text was created with support from Claude (Anthropic).
Editorial responsibility: clarus.news | Fact-checking: 2025-12-05