The aim of this master thesis was to bridge the gap between the digital euro as the new Central Bank Digital Currency of the EU and the challenges it might pose for the right to privacy and data protection. Essentially, I wanted to answer the following research question: ‘To what extent would a digital euro be compatible with Art 7 and 8 of the Charter of Fundamental Rights?’
At the outset, it is important to point out that as of now the only means of payment that is capable of fully protecting our privacy is cash. However, shops are neither obliged to accept it based on a legal binding instrument nor is the Court of Justice protecting its unlimited legal tender status anymore.
Namely, in Dietrich/Häring the Court significantly weakened the role of cash by opening the door for restrictions to the general obligation to accept cash based on reasons of public interest. While I doubt that physical banknotes will be abolished in the near future, I believe that their usage will drastically decline. The ECB’s plan to introduce the digital euro as another alternative to cash, represents another nail in the coffin. When it comes to the question of whether the digital euro complies with the right to privacy and data protection, a distinction must be made between the retention of and access to payment data. Regarding the former, the implications of the ECJ’s case law reveal, that the current legal design of the digital euro would ,in most situations, not be compatible with Art 7 and Art 8 of the Charter.
To begin with, in DRI and Tele 2 the Court stated that it is crucial that the extent of the interference is governed by clear and precise rules. In essence, data should only be collected from individuals
168Case C-1/94 SA Dupret SA in liquidation v Commission [1995] ECR I-1, par. 3
when there is evidence, or at least a remote link, to criminal proceedings based on objective criteria.
The ECB’s current approach does not fulfill these criteria. Firstly, the ECB is planning to collect the personal data of most transactions while only excluding certain types of transactions. However, she only refers to her legal obligations (e.g., the AML Directive) as a justification for this widespread data retention without laying down clear, precise, and objective criteria. For instance, the AML Directive only requires customer due diligence under very specific circumstance. This does not justify the retention of most payment data. As a result, contrary to the ECB, I believe that anonymity should be the rule and not the exception in order to comply with Art 7 and 8 of the Charter.
By contrast, the Court’s judgement in La Quadrature revealed that the ECB’s current approach could theoretically comply with Art 7 and 8 CFR, provided that the Member States are experiencing a serious threat to national security and specific criteria are met. Namely, if the general rule that payment data should be retained would be limited in time to what is strictly necessary, subject to limitations, and strict safeguards, and would not be systematic in nature. In other words, I believe that the Member States could theoretically retain digital euro payment data in bulk through their national banks under very special circumstances. Put in the broader context, however, I believe that the ECB’s intention to practically rule out anonymity and collect most payment data (either directly or indirectly through commercial banks) without any evidence or a remote link to criminal behavior does in most cases not comply with Art 7 and 8 CFR.
Based on the ECJ’s judgement in Tele 2 it can be concluded that access to payment data must also comply with the right to privacy and data protection. Regarding data access, the ECB merely states in her report that operators of the digital euro infrastructure (meaning the commercial banks) should guarantee full data protection. However, achieving this result is much more difficult than the ECB suggests. Firstly, in order to comply with the Charter, the ECB will have to make sure that access to payment data is dependent on a prior review by an independent administrative body, following a reasoned request by the national authorities. Secondly, it must be made clear that payment data is stored at the commercial banks of the member states and not at the ECB. This is due to the fact that the ECB enjoys immunity from enforcement. As a result, as soon as the ECB would receive data from her national intermediaries, the data would become part of the ECB’s archive and would therefore be shielded from administrative requests of national law enforcement authorities. Although the ECB could in exceptional cases wave her immunity for a specific measure without the authorization of the ECJ, continuous and efficient data access by national authorities would be practically impossible. To conclude, I believe that in order to comply with Art 7 and 8 CFR, the ECB
will have to make data access conditional upon on the approval of an administrative body. Moreover, to enable effective criminal proceedings payment data, should only be stored at commercial banks of the Member States and not directly at the ECB.
While I believe that my research led to several promising results and represents the first contribution that deals with the digital euro in connection with Art 7 and 8 CFR, there is one major limitation.
Most of my research is based on an extensive report of the ECB, implications of relevant ECJ judgements and literature on privacy and digital payments. However, I had to make several assumptions and analogies along the way since the digital euro is still in its investigation phase until the end of 2023. Therefore, there is so far neither legislation nor a proposal by the Commission on the digital euro.
There are still many open questions when it comes to the digital euro, and I believe that Digital Central Bank Currencies in general, will lead to many exciting challenges in the future. I think there is a need for further research regarding the impact of the digital euro on the private banking system, the new possibilities it offers as a potential monetary policy tool and the inclusiveness of digital payment systems in general. However, these questions would have gone beyond the scope of the present thesis.
5 Bibliography