The need for higher privacy — an opinion piece by Atakan Kavuklu

Atakan Kavuklu
Mar 4, 2024


The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have commented on the current status of the digital euro project and its legislative draft. First and foremost, I am thankful to everyone contributing to this essential topic. Insufficient payment privacy measures can lead to serious harm such as identity theft, data exploitation, threats to personal security and harassment. In today’s digital age, privacy of personal data is as crucial as ever, since certain companies use the personal information of individuals to predict and monetize their future behavior (if interested, I recommend reading The Age of Surveillance Capitalism by Shoshana Zuboff).

While fully anonymizing payments conflicts with AML and CFT frameworks, no anonymity at all could drive end users to refuse to adopt the digital euro for lack of privacy. With rising mistrust in government bodies (varying from country to country; see Pew Research Center), a number of individuals are concerned about the possibility of CBDCs being turned into a mass surveillance tool. The BIS (2022) rightfully states that “[p]rotecting an individual’s privacy from both commercial providers and governments has the attributes of a basic right”.

The current draft of the Digital Euro legislation foresees increased privacy for offline payments — something I welcome warm-heartedly. This decision is based on the impact assessment provided alongside the legislative proposal. The European Commission argues that offline low-value payments (Option 2d) are “consistent with the risk-based approach underpinning the Union’s AML/CFT framework”. A threshold must be determined and “justified on the basis of an AML/CFT risk assessment, conducted by the EU AML Authority (AMLA)”. Proximity is given by default since offline payments are restricted in range, with cards or devices usually communicating via NFC or Bluetooth channels.

In line with Option 2e of the impact assessment document, the EDPB and EDPS suggest increased privacy for low-value online payments too. However, the assessment of Option 2e concludes that AML/CFT “risks would be higher [since] online low value payments would not be limited to proximity (face-to-face) payments”, resulting in a potentially attractive model for criminals. Consequently, online payments are excluded from the higher privacy setting in the legislative draft due to their pan-European reach.

The EDPB and EDPS request further clarity on the rejection of Option 2e and recommend implementing a threshold approach by introducing (i) holding limits, (ii) a specific threshold for low-value online transactions, above which complete checks can occur, and (iii) the possibility to re-identify the user account in case of suspicion. Additionally, limiting the number of transactions per day with the same unique digital euro payment account number or monitoring funding-defunding patterns could prevent abusive use of such an approach. They also highlight three launched CBDC projects that make use of such a tiered selection of wallets with different levels of thresholds.

Under the assumption that a specific transaction amount and the proximity of payer and payee are the two pivotal aspects to provide transaction anonymity, I suggest introducing the higher privacy setting to online low-value proximity payments. High-privacy online payments could be limited in proximity by determining the payment communication channel. The limited range of NFC and Bluetooth makes these payments close-proximity in nature and ensures that payer and payee are in close range. Ultimately, one would have the same properties as the privacy-enhanced offline payments except for the payment processing connectivity.

As the ECB’s “SPACE” study found, the PoS use case represents a huge portion of the addressable payments for the digital euro: of all non-recurring payment transactions in 2022, 80% were PoS, 17% online and 4% P2P. Consequently, some online payments could also offer this higher degree of privacy. Incorporating a higher degree of privacy without undermining the AML/CFT framework will substantially add value for the end users. Additionally, online payments are reliably protected against double spending threats. Unlike offline payments, the validity of digital euro can be verified in real time, decreasing the risk of fraud. Moreover, the digital euro’s privacy model would be much easier for the public to understand if the transaction amount limits were identical for offline and online privacy, i.e. all digital euro payments below a determined limit will be private, given proximity, no matter if online or offline. I believe that this extension can substantially benefit the overall acceptance and success of the digital euro.

To understand how this could be implemented for the digital euro, I recommend reading IBM’s whitepaper (co-authored by yours truly). Link to the paper: https://www.ibm.com/blogs/digitale-perspektive/2023/08/implementation-of-the-digital-euro/

Note: This is my personal opinion and does not represent the views of the company I work for.
