The ECB is currently working on introducing a digital currency – to exist alongside banknotes – that citizens and firms can use for everyday payments. A digital euro would be safer than bank deposits and inherently more stable than crypto assets such as Bitcoin. However, many are worrying: How will the ECB make sure that the digital euro respects users’ privacy?
Why privacy matters
In a public consultation on the digital euro, 43% of respondents declared that they want “a digital euro focused on privacy and the protection of data”. The reasons for this vary. Some see an intrinsic value in privacy; others are afraid that the digital currency could be misused for price discrimination or surveillance abuses. They argue that exploitation of the sensitive transaction data associated with the digital currency would have a chilling effect on personal liberty and public life.
Privacy and data protection are not only user demands, but also fundamental rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The Court of Justice of the EU and the EU legislative bodies have developed various principles and legal frameworks to respect these rights, such as the General Data Protection Regulation (GDPR). As an EU institution, the ECB is bound by them.
Lastly, respecting privacy in the digital euro is important simply to prevent the digital euro from failing. If citizens won’t use a future digital euro because they do not trust that their transactions and identity are protected and private, there is little sense in issuing a digital euro in the first place.
Privacy from whom?
In the context of digital payments, privacy can be defined as the extent to which one’s identity and transaction data is protected from unintended disclosure and hidden from other actors. These actors could be (1) the issuer of the payment object, (2) the counterparty to your transaction, (3) other actors within the payment system’s environment, (4) other actors outside the payment system’s environment, and (5) the regulator.
With € banknotes, users enjoy the highest level of identity privacy, i.e., anonymity. Anybody can use cash notes without the issuer of these notes (i.e., the Eurosystem), the transaction counterparty, or anyone else knowing who you are. While the counterparty to your cash transaction naturally knows the size and content of the transaction, nobody else knows how much and what you use cash for. However, above a certain transaction amount, you are forced to reveal your identity (in Germany, this limit is €10,000). Other Eurozone countries are much more restrictive, forbidding the retail use of cash for transactions above a certain value.
With bank deposits, citizens already enjoy considerably less identity and transaction privacy. To use bank deposits, you require an account at a commercial bank that is tied to your name and was previously verified by showing your ID. When you transact with other commercial bank accounts, the identity of the counterparty is disclosed. While actors with whom you are not transacting cannot usually see the size and content of your transactions, the issuer of the bank deposits, i.e., your commercial bank, can. If you make a transaction above the amount of €15,000, your bank is obliged to conduct due diligence.
Against whom would users enjoy privacy with the digital euro?
Privacy in the digital euro
The ECB considers designing a digital euro that is partly anonymous. Through so-called anonymity vouchers, users can anonymously transfer a limited amount of digital euros over a defined period. However, this design option only allows anonymity for small transactions. Furthermore, the protection of the identity is only guaranteed vis-àvis the central bank and the regulator, not vis-à-vis the financial institution organising the digital euro transactions (e.g., a commercial bank). The content of the transaction is not kept private.
Why doesn’t the ECB go ‘full privacy’? As the ECB Executive Board Member Fabio Panetta frequently points out, the ECB is required to adhere to anti-money laundering and anti-terrorist financing regulations, which require some auditability of user identity and transaction content. Indeed, the task is to strike a balance between confidentiality and audibility. Yet, in doing so, it’s crucial that the importance of privacy and its status as a fundamental right is not forgotten.
Three messages for the ECB
1. Don’t undercut the importance of privacy
Central bankers sometimes give off the impression that compliance with anti-money laundering (AML) and combatting-the-financing-of-terrorism (CFT) regulation is somehow more stringent and necessary than compliance with the fundamental right and laws on privacy and data protection. This suggests that AML/CFT rules are the first regulatory constraint to abide by, and that privacy should only feature as a design consideration after compliance with AML/CFT regulation is technologically ensured. However, privacy – as a fundamental right and object of several EU laws such as the GDPR – is by no means less legally important than AML/CFT regulation.
A favourite point by ECB representatives is that the ECB has no commercial interest in the transaction data associated with the digital euro and that hence the digital euro poses a lesser threat to privacy than current private payment systems. While true, it is of course not enough to merely be better than firms like PayPal. Repeatedly making this point sets the benchmark for privacy too low, and hence rhetorically prepares the ground for undercutting it.
2. Treat physical cash as a benchmark
Physical cash should be the standard for evaluating how to strike a balance between ensuring privacy and adhering to AML and CTF rules. At a minimum, this implies allowing real anonymity and transaction privacy for daily life transactions up to limits that are similar to the current limits for cash. To realise this, technological solutions like “zero-knowledge proofs”, which offer anonymity vis-à-vis the counterparty, the central bank, the regulator and other third parties, could be implemented.
In addition to full anonymity for low-value transactions, a high level of pseudo-anonymity should be provided for all larger transactions to ensure a high level of identity protection. To do so, a different pseudonym could be assigned to users during each transaction, making it difficult for the recipients to link the numerous pseudonyms to the identity of the sender. Another option is signing a transaction with a private key (that is unique and can be obscured by the user) and a public key (that proves membership in a group without revealing the identity of the individual). At the transaction level, zero-knowledge proofs could enable third parties to verify information without participants disclosing the transaction content to any third party.
3. Prioritise dialogue and cooperation with citizens
Above all, the ECB should make privacy in digital payments a topic of public debate. The ECB should be open to external input on how privacy could be maximised, not only from business groups but also from civil society. Indeed, the only permanent dialogue forum established by the ECB – the Digital Euro Market Advisory Group, which will advise the ECB on privacy – consists only of employees from banks and payment associations. A more inclusive and democratic approach would go a long way towards figuring out how to respect the right to privacy.