EURO DIGITAL CURRENCY
By Mugurel Olariu, RPD protectie date
In October, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion on the proposal for a Regulation on the digital euro as a central bank digital currency*1.
The proposal for the Regulation defines the currency in general terms, namely that “digital euro” means the digital form of the single currency available to natural and legal persons*2.
On a general note, recalling that the added value of a digital euro in a highly competitive payment landscape would mainly reside in its privacy, the EDPB and the EDPS strongly welcome the fact that digital euro users will always have the possibility to pay in euros, whether digital or cash, and that the digital euro would not be “programmable money”.
The joint opinion also welcomes the fact that the proposal aims to provide a high standard of privacy and data protection for the digital euro and recognizes the efforts made in the proposal in this regard, in particular by introducing an “offline mode”, to minimize the processing of personal data in relation to the digital euro, as well as to incorporate data protection by design and by default.
However, the EDPB and the EDPS, following a “privacy and data protection by design” approach, draw the co-legislators’ attention to a number of concerns related to the protection of personal data which, if not addressed in the proposal, could undermine citizens’ trust in the future digital euro and, ultimately, its adoption in society.
In this sense, we summarize the approaches of the two bodies specialized in data protection from Joint Opinion 2/2023, as follows:
✔ welcomes the fact that the distribution of the digital euro would be carried out in a “decentralized manner”, i.e. by financial intermediaries rather than directly by the Eurosystem, but considers that further clarification on the modalities of the distribution of the digital euro is needed and should be included in the legislative text.
✔ more clarification should be provided on the necessity and proportionality of the single point of access of digital euro unique identifiers, as well as how data protection by design and by default should be implemented in this respect.
✔ the legislative text should include clarifications on how personal data should be processed by the PSP*3 to apply retention limits in practice.
✔ more clarity is requested regarding the processing of personal data carried out for the application of the tax limits possibly requested by the PSP.
✔ With regard to the settlement infrastructure to be provided and managed by the ECB*4, the EDPB and the EDPS are of the opinion that the provisions of the proposal should include a mandatory measure to ensure the pseudonymisation of all transaction data vis-à-vis the ECB and national central banks.
✔ also, the provisions regarding the general fraud detection and prevention mechanism (FDPM) that the ECB may choose to put in place to facilitate the detection and prevention of fraud by PSPs are not predictable, thus undermining legal certainty and the ability to assess the necessity of establishing such a mechanism. It is not clear, in particular, which tasks would be carried out by the ECB (as possible supervisor of the anti-fraud work carried out by PSPs) on the one hand, and which tasks (and related data processing) would be carried out by PSPs on the other hand. The co-legislators are therefore invited to further demonstrate the need for such a mechanism and to provide for clear and precise rules governing the scope and application of the envisaged FDPM, including the nature of the support to be provided to PSPs by the ECB. If no such need is demonstrated, the EDPB and the EDPS recommend the introduction of less intrusive measures from a data protection perspective, together with the implementation of appropriate safeguards.
✔ The joint opinion recognizes the potential risks that the digital euro could face from an IT and cyber security perspective and recommends including an explicit reference to the applicable legal framework in the field of cyber security in the preamble of the proposal.
✔ For the privacy and data protection aspects of the digital euro, the efforts made in Chapter VIII and the corresponding annexes to establish the purposes and categories of personal data for the processing to be carried out by each of the actors involved in issuing and using the digital euro are positively noted. However, the co-legislators should provide further clarification regarding, in particular, the legal bases applicable to these processing operations, the allocation of responsibilities, as well as the types of personal data to be processed by each of these actors.
✔ Finally, the EDPB and the EDPS regret that the proposal has abandoned the adoption of a “selective contemporaneity” approach to low-value online payments. In this respect, it should be noted that the level of AML/CFT*5 risk for the online digital euro will depend on the technology used and the design choices made during the conception phase. Taking into account the possible mitigating measures that could be implemented to reduce such a risk, the EDPB and the EDPS therefore strongly recommend that the co-legislators extend the specific regime applicable to the offline modality to the online modality for low-value transactions, with a threshold below which there would be no transaction tracking for AML/CFT purposes.
✔ The obligation for all digital euro operators and associated operators to carry out a DPIA*6 is recalled, to the extent that the requirements of Article 35 GDPR or Article 39 EUDPR are met.
✔ Furthermore, the proposal should recall the obligation of confidentiality and data protection by design and by default when establishing operational design and technological choices.
––––––––––––––––––––
*1 https://edpb.europa.eu/ourwork-tools/our-documents/edpbedpsjoint-opinion/edpb-edps-joint-opinion-022023-proposal_ro
*2 Art 2 point 1 of the Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the establishment of the digital euro currency COM (2023) 369 final.
*3 PSP = Payment Service Provider.
*4 ECB = European Central Bank.
*5 AML/CFT = Anti-Money Laundering/Combating the Financing of Terrorism.
*6 DPIA = Data Protection Impact Assessment.