The digital euro: prelude to mass surveillance at European level?
Earlier this year, the Privacy First Foundation published a number of fundamental questions and concerns on the digital euro. Below is our current further commentary.
Central Bank Digital Currency
So far, people can pay with money in two ways: cash (coins and banknotes) or electronically (giro or digital). Coins and banknotes are issued by the central bank. Giro money is a claim on a commercial bank. If a commercial bank fails, you may lose your bank balance. Therefore, to reduce the risk of bank runs, savings are guaranteed up to €100,000 per person (per bank).
On 28 June 2023, the European Commission came up with a legislative proposal for a Central Bank Digital Currency (CBDC), the digital euro. This is digital money from the central bank rather than a commercial bank.
According to the European Commission, online commerce and public payment preferences mean that payments are increasingly made electronically and thus less in cash. Trust in electronic money from commercial banks depends on the ability to convert commercial money into central bank money. Without a digital euro, the European Commission foresees a problem in this. Apparently, this assumes that digital central bank money will enjoy as much trust as cash.
There are several countries that have already introduced a CBDC, such as Nigeria and the Bahamas. Adoption rates in both countries are quite low. The European Commission's legislative proposal seems to circumvent that problem by providing that payment in digital euros cannot be refused, subject to some exceptions (see Articles 7 and 9 of the Proposal for a Regulation of the European Parliament and of the Council on the establishment of the digital euro, hereafter: Digital Euro Regulation).
The digital euro allows you to make payments both online and offline. The online version resembles a regular checking account, while the offline version has features of the former chipknip. The digital euro is not meant for saving, which is why there will be a retention limit and no interest will be paid on the balance. Offline payments are likely to be limited to small amounts.
From a privacy perspective, there are three key developments: the displacement of cash by digital payment options, the programmability of digital payment options, and the increasingly large-scale data processing for public interest reasons, which involves more and more monitoring, information gathering and cross-referencing at the expense of citizens' privacy in the context of preventing and detecting fraud, combating money laundering and terrorist financing, and countering tax evasion.
Dispelling cash, the most privacy-friendly means of payment
The displacement of cash by electronic payment options, including a digital euro, involves both laws and regulations and how they are implemented in practice. For instance, cash is a legal tender, which means that in principle it should be accepted as payment. In the fight against money laundering, terrorist financing, etc., the Dutch government wants to make cash payments above €3,000 prohibit and would prefer to see it regulated at European level. There is also pressure from the banks on entrepreneurs to accept less cash, i.e. to get customers to pay electronically. Banks are using the threat of breaking the banking relationship with the customer as leverage (FD, 31 July 2023). It is becoming increasingly difficult and expensive for entrepreneurs to deposit cash, and private individuals are also being monitored on how much cash they withdraw.
This pressure to reduce cash payments is playing out in more European countries. In France, for example, cash payments over €1,000 are banned and in Spain, the no more cash rent be paid. This makes the justification for a digital euro, namely the decrease in cash payments relative to electronic payments, somewhat hypocritical.
The simultaneously submitted digital euro proposal on euro banknotes and coins as legal tender which states that cash payments should in principle not be refused, is a drop in the ocean in this regard, as there is a lot of scope to severely restrict the mandatory acceptance of cash for reasons of public interest.
The offline digital euro should rival cash in terms of privacy. However, one is still busy figuring out how to achieve that, set against the requirements of reliability, security and fraud prevention. In addition, the European Commission will have the power to set transaction and arrest limits for the offline variant (Article 37 of the Digital Euro Regulation), which will severely restrict the possibilities for offline payments.
So at the moment, we cannot assess the extent to which citizens' privacy will really be guaranteed in an offline variant.
Programmability of digital payment means
According to the proposal, the digital euro itself is not programmable. However, it is possible to programme conditional payment transactions. In that case, the payment transaction only takes place when pre-agreed conditions are met (Article 24 of the Digital Euro Regulation).
In addition, as indicated above, the European Commission may set retention and transaction limits for offline payments to counter money laundering etc.
So there may be conditions attached to receiving the digital euro. Now this is not very special, but it would be if it were fully automatic. For example, if through a fully automated process, the periodic unemployment benefit is transferred after uploading supporting documents of sufficient job application activities.
How this will affect citizens' privacy is still completely unclear. It seems inevitable that personal data will be affected by this kind of conditional transaction will end up with more parties than is currently the case.
Once received, the digital euro could be spent without restrictions, subject to any transaction limit. However, the 'wallet' would have to be programmable from a central point to set and change a transaction limit. And if the wallet is programmable, then it is possible to programme further restrictions beyond just a transaction limit in the future. How will this be prevented from happening?
Future mass surveillance?
Where within the Netherlands there is much debate about mass surveillance by banks (monitoring all bank transactions for unusualness), the digital euro, like other banking initiatives, will potentially lead to mass surveillance at European level. In doing so, it does not matter if the ECB and national central banks will only have pseudonymised data and mass surveillance is automated. What matters is that ultimately transactions can be traced back to individuals and people based on an algorithm access to their money can be denied, also to the digital euro. Banks and other payment service providers will also have to check transactions paid with the digital euro.
The banks' proposal for joint transaction monitoring has now been declared controversial due to the fall of the cabinet. As the Privacy First Foundation, we have always opposed any form of mass surveillance. As we await the new cabinet, we are therefore curious to see where this will go. Vigilance is called for, after all, transaction monitoring in its current form (by banks individually) is also a far-reaching invasion of citizens' privacy.
The allowances affair, the UWV which digitally tracked benefit recipients without consent in the context of fraud prevention and DUO with their dubious fraud system show that fighting fraud at all levels narrows the view, putting pressure on a fair balance of interests. With potentially far-reaching consequences for the individual.
Furthermore, of course, any system can also be abused. For example, does someone have a political view that does not agree with the government's view or the bank's view? An unusual transaction can always be found to pressure someone by temporarily denying access to the bank account. Even with the digital euro.
We trust that will not happen in the Netherlands. However in Britain, a bank has already terminated its banking relationship with politician Nigel Farage, partly because of his political views. An official research to how often that happens. In recent years, because of the anti-money-laundering directive, the number of bank accounts closed is said to have increased sharply. The investigation should reveal the extent to which the bank accounts were closed for reasons other than fraud, money laundering or terrorist financing, such as political stance.
An additional risk is the provision that front-end services must be interoperable with or integrated into European digital identity wallets (Article 25 of the Digital Euro Regulation). These European 'identity wallets' are also controversial from a privacy perspective. To what extent might users of the digital euro feel compelled to use the European identity wallet to use because there are no alternatives?
As long as the technology behind the digital euro is still under development, it is impossible to make a proper judgement on the extent to which the privacy of digital euro users is guaranteed. In doing so, it is also important to look to the future: how will function creep (goal shifting) occur, other than that the proposal states that something is not allowed?
Privacy First will continue to critically monitor developments around the digital euro.