Google doesn’t sell data about Australians’ online purchases but does use it internally, a company executive has asserted during a Parliamentary committee hearing in which a “very concerned” senior senator questioned cloud giants’ practice of storing customer data overseas.

“I am very concerned to hear that Australians’ data with regard to their banking is actually not being held onshore,” Senator Deborah O’Neill said during testimony about whether storing data on cloud servers in other countries could threaten Australia’s digital payments systems.

Speaking during a hearing of the Parliamentary Corporations and Financial Services Committee’s enquiry into mobile payment and digital wallet financial services, O’Neill said she was “worried about the two dominant platforms actually being subject to malware” or compromise by malicious foreign governments.

Data from Google Pay and other services is transmitted from Australia and around the world to centralised servers in the United States for processing and storage.

This data is often processed by third-party intermediaries before being archived overseas, raising questions about exactly what companies might see the details of an Australian customer’s purchases – and whether payment providers might be selling that data on the side.

Cloud platforms provide scale and global reach for payment systems from Google, Apple, and other new competitors – such as eftpos, which this month announced a “game changer” Australian payment platform – and that, said Lance Blockley, managing director of payment-systems consultancy The Initiatives Group, means “it’s hard to say where your data is being held and… getting even harder.”

That made it difficult to protect the data against “fairly significant harm”, said O’Neill, worried that storing data outside of Australian jurisdictions could expose it to malicious nation-state cybercriminals that “wanted to mess with our financial system”.

Yet even if cybercriminals were able to access payments data, Blockley said, they were more likely to engage in conventional fraud than directed malicious disruption.

“Disruption would come more from somehow interfering with the payment network,” he explained. “Clearly transaction data is very powerful – so it’s more [about] stopping the transmission of the messages and thereby stopping people from being able to pay.”

The price of free

Google Pay is one of a growing number of ‘digital wallets’ that store payment card details and other sensitive information – including store loyalty cards, travel tickets and more recently COVID-19 vaccination certificates – and the committee spent considerable time evaluating its free model against the rival Apple Pay.

Apple Pay, which provides similar services to users of Apple’s iPhones, has long been locked down to prevent just any app from accessing its payment capabilities – something that Apple has attributed to security concerns but Google says is just a way of blocking innovation.

Google Pay was itself relaunched late last year as a personal finance assistant that scrapes data from across the Google network of cloud services.

Yet if Google doesn’t charge for its payment infrastructure, committee members asked, what benefit does it get in return for providing the services?

“Google does not monetise data from Google Pay in Australia,” Google vice president of product management and partnerships Diana Layfield told the committee.

That is not to say, however, that Google does not use the data for other purposes – such as improving the usability of Google Pay: “it enhances the Android experience for us,” she explained.

And while the company’s advertising business “does not receive that data from Google Pay”, Layfield said, “our whole ecosystem is directly benefited when we see more online activity.”

“Things that encourage users to go online to use their phones and to shop in an online environment indirectly help our businesses, like our ads business.”

With billions of transactions processed through Google Pay every month, regulators will have to continue balancing the lure of massive volumes of consumer purchasing data with the need for privacy and security.

Google was recently said to be rolling out an opt-in service that would customise Google advertising based on users’ Google Pay activity in India – where the national UPI payments gateway carried 972.26m Google Pay transactions in June alone.

“The data business globally is now a very, very large business,” testified Mark Britt, CEO of eftpos subsidiary Beem It.

“It is not only directly monetised in the sale of data or the targeting of advertising [but] it also powers innovation in other businesses, so it allows you to personalise and better understand your customer.”

“In those scenarios you have a better experience for local customers and you have local merchants that can provide payment scenarios and merchandising scenarios uniquely for Australia – [but] none of those things are possible where data is held offshore on a global basis.”