Brussels, 18 October – The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the proposed Regulation on the digital euro as a central bank digital currency. The digital euro aims to provide individuals with the possibility to make payments electronically, both online and offline, as an additional means of payment alongside cash.
The EDPB and the EDPS acknowledge that the proposed Regulation addresses many data protection aspects of the digital euro, notably by addressing an offline modality to minimise the processing of personal data. In particular, the EDPB and the EDPS strongly welcome that digital euro users will always have the choice to pay in digital euros or in cash. At the same time, the EDPB and the EDPS make several recommendations to better ensure the highest standards of personal data protection and privacy for the future digital euro.
EDPS Supervisor Wojciech Wiewiórowski said: “We welcome and support the commitment in the proposed Regulation to ensure high levels of data privacy for the use of the online digital euro, and an even higher level of protection for the use of the offline digital euro. In our Joint Opinion, we suggest further improvements to ensure that the rights to privacy and to the protection of personal data are effectively preserved. In particular, we make recommendations to ensure that only the necessary personal data of users of the digital euro is processed, and to avoid excessive centralisation of personal data by the European Central Bank (ECB) or national central banks.”
EDPB Deputy Chair Irene Loizidou Nicolaidou said: “A high standard of privacy and data protection is instrumental in gaining citizens’ trust in this new digital currency. With this Joint Opinion, we aim to ensure that data protection is embedded early on in the design phase of the digital euro when used both online and offline and that the data protection responsibilities of each of the actors taking part in the issuance of digital euro are clearly specified in the Regulation.”
According to the proposed Regulation, the ECB and national central banks may establish a single access point to verify that the amount of digital euros held by each user does not exceed the maximum amount allowed, known as the holding limit. The EDPB and the EDPS understand that this verification will be done by processing identifiers of the digital euro users and their related holding limits. In their Joint Opinion, the EDPB and the EDPS call for clarifications on the processing of these identifiers. Furthermore, the EDPB and the EDPS advise assessing whether the single access point is necessary and proportionate, underscoring that technical measures allowing for a decentralised storage of these identifiers are feasible, as an alternative.
Addressing the fraud detection and prevention mechanism (FDPM) included in the proposed Regulation, the EDPB and the EDPS consider that it lacks foreseeability. In their view, the processing of personal data within the FDPM by the ECB and payment service providers (PSPs) is not clearly defined. The EDPB and the EDPS recommend further demonstrating the FDPM’s necessity. In the absence of such a demonstration, the EDPB and the EDPS recommend considering less intrusive measures from a data protection perspective. In addition, the EDPB and the EDPS recommend defining the role and tasks of the ECB, national central banks and PSPs in this context, according to key data protection principles.
In addition, the EDPB and the EDPS strongly recommend introducing a ‘privacy threshold’ for online transactions, under which neither offline nor online low-value transactions are traced for purposes of anti-money laundering (AML) and for combatting the financing of terrorism (CFT). To reduce the AML/CFT risk profile of low-value online digital euro transactions, the EDPB and the EDPS recommend including an obligation to implement appropriate technical measures during the design phase of the digital euro.
Finally, the EDPB and the EDPS highlight that the proposed Regulation should further clarify the data protection responsibilities of the ECB and of the PSPs. This includes the legal bases the ECB and PSPs should rely upon, and the types of personal data they should process for the issuance, distribution and use of the digital euro.
The EDPB and the EDPS will continue to monitor and provide guidance on the developments of this proposed Regulation according to their respective responsibilities.