Making the digital euro truly private. How is the Eurosystem going to protect your data?

an article written by Maarten G.A. Daman – Data Protection Officer at European Central Bank

Many people appreciate privacy when paying, and want their data protected. Current electronic means of payment are not optimal in this regard. We are designing the digital euro to be the most private electronic payment option. The ECB Blog explains.

Paying is a private affair for many people. The idea that tech companies, banks, governments or employers might track payments is not particularly appealing. Cash provides a solution to avoid such tracing, but it can be inconvenient or simply impossible to use in certain situations (for example when buying online). Privacy is therefore an important factor when we think about current and future means of payment. As we design the digital euro, the ECB and the euro area central banks are making sure that our new digital money comes with a high level of privacy and robust data protection. The ECB Blog explains what future users of the digital euro can expect.

Will it be as private as cash? Not quite, but close. The digital euro promises you better privacy and data protection than other current electronic means of payment.

What is the digital euro? 

The digital euro is an important project of the European Union: a central bank digital currency meant to complement cash as a day-to-day means of payment. Anyone could use it in shops, online or between individuals. Best of all, you will be able to use it wherever digital payments are accepted throughout the euro area. Of course you want your name, the recipient of your transaction, the amount of the payment and all other associated data to be protected. So do we. 

Privacy will be guaranteed by the regulation for the digital euro, to be adopted by the European Union legislator via the usual democratic process. Ultimately, it will be up to European legislators to decide on the appropriate balance between privacy and other public policy objectives, like countering money laundering and other illicit activities. The digital euro will be implemented in line with this regulation. Our desire to ensure a high level of privacy has driven us to pioneer innovative technical solutions surpassing those typically offered by existing digital payment methods.

But how is the Eurosystem going to protect your data?

Using the digital euro offline: close to cash 

Choosing to pay with an “offline digital euro” would allow you to maintain a level of privacy that is close to cash. For example, you could pay a friend for your share of a dinner and only you and your friend would know the payment information. How? You would simply both have the digital euro app on your smartphones and hold them next to each other to transfer the money.

That might sound familiar because some commercial payment solutions allow for digital transfers among friends. But the digital euro has a huge advantage in terms of privacy. Nobody else would see your personal transaction details when paying offline. So, you would first fund your digital euro account with your money from your regular bank account, using your smartphone for example. This is similar to withdrawing cash at an ATM and putting banknotes into your wallet. Now you can transfer digital euro and use the offline function. This way the digital euro personal payment data stays solely between the two phones. Neither your bank, your friend’s bank, nor the Eurosystem will be able to see the personal payments data.

This offline function of the digital euro will also work if you are not connected to the internet, e.g. while hiking in the mountains. And the digital euro will work across borders, for instance if your friend has an account in a different euro area country.

The digital euro online offers more privacy than commercial solutions

Today most payment methods allow the provider to collect a significant amount of information on who is making a payment and for what. Many people feel uncomfortable about the use of their payment data for commercial purposes. That is why the Eurosystem is implementing strong data protection into the digital euro design. We are doing so in several ways:

. Technology: Your digital euro identity will be separated from your payment data so that the Eurosystem will process a very limited amount of data. Your bank will pseudonymise your data, which means that your name is not visible to the Eurosystem and is replaced by a random identification number.

. Rules: The Eurosystem will hold only very limited data. In addition, we will ensure that our service providers comply with high standards. We will enforce the same privacy and data protection rules that apply to the Eurosystem, impose our robust IT security and cyber rules, and include strong contractual safeguards such as audit rights and penalties for contract breaches.

. Organisational measures: The digital euro will benefit from the same organisational measures that apply to all our staff, such as security clearances (i.e. background checks) and segregation between business areas. These measures will help prevent issues like conflicts of interest.

What is perhaps even more important than the technical details is that the digital euro is a public project. Why is that important? Public institutions like the ECB have no interest in making money with payment data. We will only have a small amount of data and we would not be allowed to sell your payment information or use it for marketing purposes. Compared with most payment providers today, this is one of the core differences from a privacy perspective.

Data protection compliance

Design is one thing, but it is as important that the rules of data protection are audited and enforced. We plan to establish a data protection compliance and audit framework. An independent group, composed of data protection officers, will assess the implementation of data protection safeguards. The group will be independent from the digital euro operations, IT, risk management and other entities involved in the digital euro.

The independent group will further enhance the transparency and reliability of the digital euro project and comes on top of the already existing assurance by the European Data Protection Supervisor and our internal auditors.² Not only must privacy be done, it must be seen to be done.

Conclusion 

We will protect your payment data using a strong legal framework, technological innovation, and rigorous compliance. Ensuring state-of-the-art privacy and data protection is an essential part of the digital euro project.

Comments:

Patrick Schueffel: „The issue is that nobody can truly promise this. There will be no repercussions for the ones in charge today if the ECB or governments decide to do differently tomorrow. Remember: „Nobody has the intention to build a wall”.

Leon Schumacher: „Maarten Daman Dear Maarten Daman, I quote: Will it be as private as cash? Not quite, but close. The digital euro promises you better privacy and data protection than other current electronic means of payment. A digital euro ….. would offer the highest privacy standards of any electronic payment option.

_______

Unfortunately this is INCORRECT. The online digital euro is equivalent to current solutions and offers ZERO privacy in the full Digital Euro ecosystem. It may even be worse because it additionally duplicates part of the payment data in 5 central ECB systems (checking each transaction in real time and deferred for example). Commercial solutions do exist (and I gladly introduce you) that offer mathematically guaranteed one-sided ANONYMITY – that is the highest privacy standard, offering compliance too. Making the above statement FAKE NEWS unfortunately. I wish it wasn’t so.

A few worrisome things about offline too. Why would the ECB as an organisation that represents trust above all risk its reputation with these statements that are simply wrong and easy to prove so? Shouldn’t you be the fact checker that prevents such blunders from being published by your marketing department and actually protects the data of us citizens?„

Amnon Samid – „Since offline is mentioned, – here one important comment:
ALL known prevailing offline solutions (hardware-based or software-based), that are being tested – (1) require trade-offs between crucial elements, and MORE important – (2) rely on a cryptographic dialogue to convinces the payee, while any such cryptographic dialogue that convinces a payee offline may be emulated by a resourceful counterfeiter.

The risk of distribution of counterfeit CBDC coins, taking advantage of the offline mode, CANNOT be mitigated by using robust cryptographic protocols, no matter how “robust” are such protocols.

New thinking around offline is now required If you wish to have finality of payment, with no risk of double spending and no risk of counterfeit in offline mode. It requires sender and receiver to authenticate their hard wallets by physical touch (touch & authenticate/ touch & pay). Until such ultimate solutions are feasible – it’s strongly recommended to avoid offline scenario of CBDC, although to prepare the core infrastructure and the regulatory framework in advance.