The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a Joint Opinion on the proposed Regulation on the digital euro as a central bank digital currency. The digital euro aims to facilitate electronic payments by individuals, both online and offline, as an additional means of payment alongside cash.
The EDPB and EDPS acknowledge that the proposed Regulation addresses many data protection aspects of the digital euro. In particular, the EDPB and the EDPS strongly welcome that digital euro users will always have the choice to pay in digital euros or in cash. However, the EDPB and the EDPS make several recommendations aimed at ensuring the highest standards of personal data protection and privacy for the future digital euro.
Under the proposed Regulation, the European Central Bank and national central banks may establish a single access point to verify that the amount of digital euros held by each user does not exceed the maximum amount allowed, known as the holding limit. The EDPB and the EDPS understand that this verification will be done by processing identifiers of the digital euro users and their related holding limits. In their Joint Opinion, the EDPB and the EDPS call for clarification about the processing of these identifiers. Furthermore, the EDPB and the EDPS advise assessing whether the single access point is necessary and proportionate, emphasising that technical measures allowing for a decentralised storage of these identifiers are feasible as an alternative.
The EDPB and the EDPS consider that the fraud detection and prevention mechanism in the Regulation lacks foreseeability. In their view, the processing of personal data within the fraud detection and prevention mechanism by the European Central Bank and payment service providers is not clearly defined. The EDPB and the EDPS say that more needs to be done to demonstrate the fraud detection and prevention mechanism’s necessity. In the absence of this, the EDPB and the EDPS recommend considering less intrusive measures from a data protection perspective. In addition, the EDPB and the EDPS recommend that the role and tasks of the European Central Bank, national central banks and payment service providers are set out.
In addition, the EDPB and the EDPS recommend introducing a ‘privacy threshold’ for online transactions, under which neither offline nor online low-value transactions are traced for anti-money laundering and combatting the financing of terrorism (AML/CFT) purposes. To reduce the AML/CFT risk profile of low-value online digital euro transactions, the EDPB and the EDPS recommend including an obligation to implement appropriate technical measures during the design phase of the digital euro.
Finally, the EDPB and the EDPS highlight that the proposed Regulation should further clarify the data protection responsibilities of the European Central Bank and of the payment service providers. This includes the legal bases the ECB and payment service providers should rely upon, and the types of personal data they should process for the issuance, distribution and use of the digital euro.
The EDPB and the EDPS will continue to monitor and provide guidance on the developments of this proposed Regulation.