Today, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a Joint Opinion on the proposed Regulation of the digital euro, which is intended to be the new European Central Bank digital currency. The digital euro will be a secondary payment method to cash, and aims to give people the option of making payments electronically, both online and offline.
The EDPB and the EDPS have raised some concerns regarding privacy with the digital currency, especially in its offline mode, as the principle of data minimisation must be respected. Therefore, the two European bodies, in their Joint Opinion, have made some recommendations, following a “privacy and data protection by design” approach, to ensure that the highest standards of personal data protection are respected throughout the implementation of the new legislation.
The EDPS’ Supervisor, Wojciech Wiewiórowski, has stated: “We welcome and support the commitment in the proposed Regulation to ensure high levels of data privacy for the use of the online digital euro, and an even higher level of protection for the use of the offline digital euro. In our Joint Opinion, we suggest further improvements to ensure that the rights to privacy and to the protection of personal data are effectively preserved. In particular, we make recommendations to ensure that only the necessary personal data of users of the digital euro is processed, and to avoid excessive centralization of personal data by the European Central Bank (ECB) or national central banks.”
One of the key elements that the new Regulation will introduce will be the “holding limit”, which is a single access point to verify that users do not exceed the maximum digital euros amount. The EDPB and the EDPS want the regulators to clarify how the identifiers work, in order to access the holding limit of a user, and as such some sort of identification will be needed. Following this decision, the EDPB and the EDPS call for balancing to assess whether this measure is necessary and proportionate, and proposing some technical measures regarding – for example – decentralized storage of these identifiers, in order to minimise access to users’ personal data granted to the Payment Service Providers (PSPs).
The EDPB and the EDPS also believe that the proposed Regulation’s fraud detection and prevention mechanism (FDPM) lacks predictability. They contend that there is ambiguity surrounding how the ECB and payment service providers (PSPs) process personal data under the FDPM. To further establish the FDPM’s necessity, the EDPB and the EDPS advise taking into consideration less intrusive measures in the absence of such a demonstration. Additionally, the ECB, national central banks, and PSPs should be defined in this context in accordance with fundamental data protection standards, according to the EDPB and EDPS recommendations.
Regarding the need to comply with anti-money laundering (AML) and combating the financing of terrorism (CFT) legislations, the Joint Opinion tackles the need to introduce a ‘privacy threshold’ for transitions made online, which means that low-value online payments could be exempted to be traced for AML/CFT purposes. Such ‘selective privacy’ shall be ensured by adopting mitigation measures to reduce the risk that certain technology made to identify suspected AML/CFT transactions can mean to low-value online payments.
As of the state of the proposed Regulation today, it seems there is no clarity on the data protection obligations that the European Central Bank (ECB) and PSPs shall have. In this regard, the EDPB and the EDPS argue that there is no mention to the legal bases that the processing of data will be based upon, and thus the legislative bodies shall clarify it for the issuance, distribution and use of the digital euro.
Finally, once the legislation is passed, the EDPB and EDPS recall all digital euro controllers and joint controllers to perform a DPIA, regarding articles 35 GDPR and 39 EUDPR.
