European data board recommends reforming legal framework for introduction of digital Euro

EU

On 10 October 2022, the European Data Protection Board (EDPB) adopted a statement on the design choices for a digital euro from the privacy and data protection perspective, stating that it shares the view of the Commission that the current legal framework on electronic payments does not seem to be appropriate for a tool like the digital euro. (The European Commission announced it will propose a draft EU legislative instrument supporting the introduction of the digital euro into EU law in 2023.)

Specific regulatory framework needed

According to the EDPB statement, a new legal framework should specifically address data protection and anti-money laundering and counter financing of terrorism (AML/CFT), along with the development of other legal issues. To achieve this, the EDPB recommends that the mutually related privacy and AML/CFT risk assessments be run together, so that both risks are comprehensively assessed and mitigated before specific design options are proposed.

Privacy and data protection by design and by default

The digital payment landscape is already competitive and efficient. The EDPB notes that the distinctive value proposition of a digital euro should be its high level of privacy, which would also be a decisive factor in its adoption by EU citizens. In this context, the proposal should be based on a documented impact assessment of all risks concerned. In addition, innovative privacy-enhancing technologies (e.g. e-cash, Zero Knowledge Proof) should be privileged.

Avoid systematic transaction validation and tracing

The EDPB also pointed out that the validation of all transactions in digital euros might not be in line with the data protection principles of necessity and proportionality, as interpreted by CJEU case-law. Hence, as a general rule, regulatory checks should be run ex post and on a targeted basis in the presence of a specific AML/CFT risk.

A privacy threshold, both offline and online

To give citizens trust in the privacy of day-to-day payments in digital euros and to reflect their low-risk nature in terms of AML/CFT, a “privacy threshold” should be introduced: a transaction value below which no tracing of transactions may occur. This absence of tracing means that low-value transactions are not subject to checks and are not recorded in the accounts of the intermediary, allowing full anonymity of daily transactions.

Furthermore, the EDPB recommends that the digital euro be modelled as closely as possible on a peer-to-peer modality, available both offline and online, as opposed to an account-based model. In an account-based model, the interconnections with banks or electronic money accounts should be reduced to the time when users deposit from or refill their digital euro wallet.

Encourage public democratic debate

Finally, the EDPB calls on the Commission to enhance public debate on the initiative and to benefit from additional external input from civil society and academia on how, in practice, the digital euro project could meet the highest privacy and data protection standards.

This is not the first time that the EDPB has provided insights on privacy and data protection for a digital euro. In a 2021 letter addressed to all European institutions, the EDPB highlighted the crucial challenges and the fundamental principles that need to be considered during the high-level planning of the initiative. Earlier this year, the EDPB also provided a detailed response to the Commission’s targeted consultation on a digital euro.

We will keep you updated on the developments of the digital euro. For more information on the status of this initiative and how it could affect your business, contact your CMS client partner or CMS legal experts.

Article co-authored by János Bálint.