‘Pay with your Privacy!’ How the digital euro could threaten the right to privacy and data protection of the European citizens

(1)

‘Pay with your Privacy!’

How the digital euro could threaten the right to privacy and data protection of the European citizens

Master thesis Florian Seitz (13818457) florian.seitz@student.uva.nl Master Track European Union Law Supervisor: Dr. T.A.J.A. Vandamme

Date Of Submission: 30.06.2022

(2)

Abstract

In 2021, the ECB announced that it intends to issue banknotes in digital form as an additional alternative to cash. This so-called ‘digital euro’ is so far in its investigation phase until the end of 2023, but the ECB has already published an extensive report in which it describes the project and sets out how it intends to protect the payment data of its users. The aim of this master thesis is to find out to what extent this proposed approach would be compatible with the right to privacy (Art 7) and data protection (Art 8) as laid out in the Charter of Fundamental Rights.

To answer this question, qualitative research methods were applied by analyzing both primary sources and a wide variety of literature. The core of the analysis consisted of a case law analysis of four key ECJ judgements. A limitation of this thesis is the fact that certain assumptions had to be made since there is no legislation or proposal on the digital euro yet.

The analysis reveals two main findings. Firstly, the ECB’s intention to practically rule out anonymity in the context of data retention does in most cases, where there is no serious threat to national security, not comply with Art 7 and 8 of the Charter. Secondly, when it comes to data access by national authorities during criminal proceedings, the ECB’s immunity from enforcement represents a significant obstacle to the digital euro infrastructure. This will inevitably require that commercial banks act as intermediaries between the user and the ECB by storing payment data.

(3)

Table of Contents

1 Introduction ... 4

1.1 General Introduction ... 4

1.2 Research question and methodology ... 5

2 The digital euro ... 7

2.1 What is the digital euro? ... 7

2.2 Delimitations and key actors ... 8

2.2.1 General reasons and the obligation to accept cash ... 9

2.2.2 Privacy, inclusivity and effects on the private banking system ... 11

2.3 Competence and Legal basis ... 13

3 Privacy and Data Protection ... 15

3.1 General Scope and Limitations of the Charter ... 15

3.1.1 Scope and Limitations of Art 7 and 8 of the Charter ... 16

3.2 Implications of key ECJ judgements on the digital Euro ... 18

3.2.1 Digital Rights Ireland ... 18

3.2.2 Tele 2 ... 22

3.2.3 La Quadrature and Privacy International ... 25

4 Conclusion ... 30

5 Bibliography ... 33

(4)

1 Introduction

1.1 General Introduction

‚A digital euro would increase privacy in digital payments thanks to the involvement of the central bank, which -unlike private suppliers of payment services- has no commercial interest related to consumer data. Ensuring privacy is an essential element of modern democracies and part of our European values’¹ These were the concluding words by the ECB Executive Board member Fabio Panetta when presenting the ECB report on the digital euro to the ECON Committee of the Parliament. Also, when put into the broader context (the declining usage of cash, the rise of crypto and the accelerating speed of innovation in the Fintech sector) the question is no longer if the EU will launch a digital euro, but when and how. Roughly speaking the digital Euro can be understood as a digital form of cash that can be accessed through hardware and software solutions (see Chapter 2.1 for a detailed explanation).

While numerous technical issues² will need to be considered to launch this revolutionary project, the legal aspects play an essential role in its successful implementation. This is especially true regarding the protection of the right to privacy (Art 7) and data protection (Art 8) as laid down in the EU Charter of Fundamental Rights. An indication of the importance of privacy for European citizens is clearly visible in the results of the latest public consultation, which the ECB conducted as part of the digital euro project³. When asked about the most essential features, a digital euro should offer, more than 40% of the respondents considered the protection of privacy to be the most important one, followed by security (11%), usability across the euro area (11%), the absence of additional costs (9%) and offline use (8%)⁴.

1 Panetta, 'Speech: A digital euro for the digital era'

(Https://wwwecbeuropaeu/press/key/date/2020/html/ecbsp201012_1~1d14637163enhtml, 12 October 2020)

<https://www.ecb.europa.eu/press/key/date/2020/html/ecb.sp201012_1~1d14637163.en.html> accessed 15 March 2022

2 The main issues in that regard are the design features in the following areas: 1) The digital euro ledger (whether it should be built on the existing Target Instant Payment Settlement System (TIPS) or by using a distributed ledger technology (DLT) which is common in the crypto space, or a combination of both) 2) Privacy and AML (in essence the ECB has to find out whether users should be provided with an ‘anonymity card’ which could be used as an extra account for anonymous payments, or with one-time pseudonyms for each individual transaction) 3) End user-access (e.g. mobile applications, cards, point-of-interaction/point-of-sale integrations)

For more details see: European central bank, Digital euro experimentation scope and key learnings (Eurosystem 2021), Phillipp Sandner and others, 'The Digital Programmable Euro, Libra and CBDC: Implications for European Banks' [2020] 1(1) SSRN <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3663142> accessed 29 March 2022

3 European central bank Eurosystem report on the public consultation on a digital euro (Eurosystem 2021)

4 Ibid 10

(5)

Since cash is the only means of payment that is still anonymous, many also feared that the digital euro could represent the first step of its abolishment and regarded the commitment of the ECB to keep cash available as ‘a key ingredient to foster trust in a digital euro (…)’ ⁵. In response to this concern, the ECB also assured that the digital euro will not replace cash in the future. Therefore, it will still be issued without limitations and made available for consumers to make anonymous payments. In fact, the digital euro should merely represent another cheap, secure, risk-free, easy-to- use, and efficient alternative that protects its users. Additionally, the ECB has assured that privacy will be a key priority, so that ‘the digital euro can help maintain trust in payments in the digital age’⁶. While these claims might sound promising, the reality is far more complicated, and many factors need to be considered. On the one hand, recent judgements like Dietrich/Häring v Hessischer Rundfunk⁷ illustrated that the obligation to accept cash is not limitless. This could potentially provoke a further decline in the usage of cash.

On the other hand, cases like Digital Rights Ireland⁸, La Quadrature⁹, Privacy International¹⁰ and Tele 2¹¹ show that matters of privacy and data protection are not just a matter of commercial interests of private companies, but a difficult balancing act between the interests of private parties and state authorities.

This master thesis serves to bridge the gap between the digital euro as a new Central Bank Digital Currency of the EU and the challenges it might pose to the right to privacy and data protection under the Charter of Fundamental Rights.

1.2 Research question and methodology

Currently, there are detailed studies about the technical aspects of the digital euro in the field of Data Science and Fin-Tech (see footnote number 3 for examples). Additionally, some research has already been done about the competence of the ECB, the legal basis to issue the digital euro (which will be addressed in Chapter 2.3) and questions about its legal tender status in the EU¹². The connection

5 Ibid 12

6 Heike Mai, 'The digital euro: Political ambitions and economic realities' (EU Monitor Global financial markets, 12th July) <shorturl.at/oEHR5> accessed 27 March 2022

7 Cases C-422/19 and C-423/19 Dietrich v Hessischer Rundfunk [2021] ECLI:EU:C:2021:63

8 Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd [2014] ECLI:EU:C:2014:238

9 Cases C-511/18, C-512/18 and C-520/18 La Quadrature [2020] ECLI:EU:C:2020:791

10 Case C-623/17 Privacy International [2020] ECLI:EU:C:2020:790

11 Cases C‑203/15 and C‑698/15 Tele 2 [2016] ECLI:EU:C:2016:970

12 For example: Corinne Zellweger-Gutknecht and others, 'The ECB and € E-Banknotes' [2020] 1(1) SSRN

<shorturl.at/fvyBV> accessed 28 March 2022

(6)

between privacy and Central Bank Digital Currencies has also been analyzed from a more general point of view by several international banks and scholars¹³. However, so far, the connection between the digital euro and the protection of the fundamental rights of its future users has not been studied.

To fill this gap, the present master thesis will answer the following research question: ‘To what extent would a digital euro be compatible with the right to privacy and the protection of personal data under the Charter of Fundamental Rights?’

To structure my findings and clearly outline the aspects to be addressed, I will answer the following sub-questions during my analysis:

1. What is the digital euro and why does the ECB want to issue it (Chapter 2.1 and 2.2)?

2. Based on which legal basis can the ECB issue the digital euro (Chapter 2.3)?

3. What is entailed by Articles 7 and 8 CFR (core rights and possible limitations) (Chapter 3.1)?

In order to answer the just mentioned research question and sub-questions, I will make use of qualitative research methods by analyzing primary sources (EU legislation and judgements from the ECJ) and by collecting a wide variety of literature (e.g. topic related books, on-topic blogs (by legal experts) and law journals).

13 For example: Sriram Darbha, 'Privacy in CBDC technology' (Bank of Canada, September 2020)

<https://www.bankofcanada.ca/2020/06/staff-analytical-note-2020-

9/?utm_source=jerrybrito&utm_medium=email&utm_campaign=stablecoin-follow-up-plus-occ-guidance-central>

accessed 27 March 2022, Pangyue Cheng, 'Decoding the rise of Central Bank Digital Currency in China: designs, problems, and prospects' [2022] 1(1) Journal of Banking Regulation, Ellie Rennie and Stacey Steele, 'Privacy and Emergency Payments in a Pandemic: How to Think about Privacy and a Central Bank Digital Currency' [2021] 3(1) Law Technology and Humans 6-17

(7)

2 The digital euro

2.1 What is the digital euro?

At the very outset, the digital euro can be understood as a ‘central bank liability offered in digital form for use by citizens and businesses for their retail payments’¹⁴. According to the ECB, it should have cash-like features, meaning that he should be accessible to everyone, while also protecting the privacy of all his users¹⁵.

Although the ECB has not yet decided which technical approach and organizational infrastructure she will use to provide payment services, she presents several possible options. Regarding the technical design, the ECB will likely provide hardware and software solutions for its users. For instance, payments could possibly be made using a smart card, which is commonly being used by credit card companies¹⁶. Additionally, end-users could access their digital euro accounts both via an online application or a digital wallet in a mobile app¹⁷.

Regarding the organizational approach to storing and accessing payment data, the ECB has developed two possible alternatives but has so far not decided which one she will ultimately use.

The first option is the ‘direct model’, under which all transactions (and payment data) would directly be stored at the ECB in her central bank ledger¹⁸. The other possibility is the ‘intermediated model’, which would use commercial banks as intermediaries (and settlement agents), that would also store the payment data for the ECB¹⁹.

Lastly and most importantly, the ECB notes in the context of privacy that anonymity will practically have to be ruled out. To justify this different treatment between cash banknotes (which allow anonymous payments) and the digital euro (which does not), the ECB refers to its duty to comply with relevant legislation (such as the AML-Directive²⁰).

14 European Central Bank, Report on a digital Euro (Eurosystem October 2020) 3

15 Ibid, 48

16 Ibid, 42

17 Ibid, 43

18 Ibid, 36

19 Ibid

20 Directive 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing [2015] OJ L 141/73

(8)

2.2 Delimitations and key actors

To fully understand who might be in charge of protecting the privacy and personal data of the users of the digital euro and the potential risks that could be involved it is necessary to present the key actors of the EU financial system. Additionally, it is crucial to understand that the digital euro is neither a ‘crypto-asset’ nor a ‘stablecoin’. Lastly, it is also necessary to illustrate the connection between public confidence in the Eurosystem and privacy.

The Eurosystem, ‘which comprises the ECB and the national central banks of the Member States whose currency is the euro, is the monetary authority of the euro area’²¹. As laid down in Art 127 TFEU the main objective of the Eurosystem (in the Treaty referred to as the European System of Central Banks or ESCB) is ‘to maintain price stability²²’. In essence, this means that the Eurosystem is ‘accountable to the European citizens for ensuring that the ‘purchasing power’ of money issued by the central bank (…) does not fluctuate beyond a predefined threshold`²³. Currently, this inflation target is set to two per-cent by the ECB²⁴.

Apart from the Eurosystem, private entities (namely commercial banks) are involved in the financial system. In contrast to central bank money, ‘commercial bank money and electronic money (…) are liabilities of supervised private entities’²⁵. As regards crypto assets and stablecoins the ECB expressively states on numerous occasions that the digital euro cannot be compared to those options in any way²⁶. To begin with, a crypto asset can be understood as an asset ‘which can only and exclusively be transmitted by using blockchain technology, including but not limited to digital coins and tokens (…)’²⁷. A stablecoin on the other hand represents a ‘cryptocurrency whose value is tied to an outside asset’²⁸ (e.g Tether, which provides tokens that are pecked at 1-1 with the US dollar²⁹).

21 European Central Bank, 'Eurosystem mission' (Eurosystem, 1 January 2022)

<https://www.ecb.europa.eu/ecb/orga/escb/eurosystem-mission/html/index.en.html> accessed 1 April 2022

22 Art 127 (1) Treaty on the Functioning of the European Union [2016] OJ 1 202/47ff.

24 European Central Bank, 'Inflation in the near-term and the medium-term' (Eurosystem, 17 February 2022)

<https://www.ecb.europa.eu/press/key/date/2022/html/ecb.sp220217_1~592ac6ec12.en.html> accessed 1 April 2022

25 Supra note 18

26 See for example: European Central Bank, 'Why would a digital Euro not be a crypto asset' (Eurosystem, 1 January 2022) <https://www.ecb.europa.eu/paym/digital_euro/html/index.en.html> accessed 2 April 2022, European central bank, 'The present and future of money in the digital age' (Eurosystem, 10 December 2021)

<https://www.ecb.europa.eu/press/key/date/2021/html/ecb.sp211210~09b6887f8b.en.html> accessed 3 April 2022

27 Law insider, 'Crypto Assets definition' (Dictionary, 19 January 2020) <https://www.lawinsider.com/dictionary/crypto- assets> accessed 3 April 2022

28 Alyssa Hertig, 'Technology: What is a Stablecoin?' (CoinDesk, 29 December 2020)

<https://www.coindesk.com/learn/what-is-a-stablecoin/> accessed 3 April 2022

29 Tether, 'Why use Tether?' (Tether, 1 January 2022) <https://tether.to/en/why-tether> accessed 3 April 2022

(9)

The main difference between a crypto-asset and the digital euro is that the former is decentralized, which has the consequence that it does not represent a liability of an identifiable entity³⁰.

While it is true that there are fundamental differences between crypto assets, stablecoins and the digital euro, I believe there is one underlying factor that is often overlooked. Central bank money in all forms is based on trust, meaning that it requires the maintenance of public confidence in the Eurosystem. In my opinion, the volatility of crypto assets, and their limited ability to serve as a means of payment, is leading to more confidence in the central banking system. However, while the Eurosystem might be trusted to maintain price stability, a different question is whether the European citizens would entrust central banks with their private payment data. There are several reasons why the ECB believes this step would benefit both the environment and the EU.

2.2.1 General reasons and the obligation to accept cash

On a more general level, the ECB outlines a few reasons why it deems it necessary to issue a digital euro. In essence, he could be used to ‘(i) support the digitalization of the European economy and the strategic independence of the European Union; (ii) in response to a significant decline in the role of cash as a means of payment, (iii) if there is significant potential for foreign Central Bank Digital currencies or private digital payments to become widely used in the euro area, (iii) as a new monetary policy transmission channel, (iv) to mitigate risks to the normal provision of payment services, (v) to foster the international role of the euro, and (vi) to support improvements in the overall costs and ecological footprint of the monetary and payment systems’³¹.

Particularly interesting in that regard is the second argument that addresses the declining popularity of cash. As already described above, the ECB guaranteed that the digital euro will not replace cash and that physical money will continue to be issued in the future. However, a different question is to what extent cash must still be accepted as a means of payment? In Dietrich/Häring v Hessischer Rundfunk the Court dealt with this very question³². To briefly summarize the facts: Mr Dietrich and Mr Häring wanted to pay their radio and television license fee in cash, but the German broadcasting service refused this option by referring to a national provision, which provides that the fee ‘must be paid by direct debit, bank transfer or standing order’³³. Dietrich and Häring disagreed and argued

30 ECB crypto-assets task force, 'Crypto-Assets: Implications for financial stability, monetary policy, and payments and market infrastructures' [2019] 1(223) Occasional Paper Series 3

32 Cases C-422/19 and C-423/19 Dietrich and Häring v Hessischer Rundfunk [2021] ECLI:EU:C:2021:63

33 Ibid, par 16

(10)

based on a provision in German banking law (Art 14 (1) BBankG) and the third sentence of Art 128 (1) TFEU that the obligation to accept cash ‘may be limited only by a contractual agreement between the parties or on the basis of an authorization provided for under federal or EU law’³⁴. Eventually, the ECJ held that the status of legal tenders of euro banknotes ‘calls only for acceptance in principle (…) as a means of payment, not for absolute acceptance’³⁵ Additionally, the Court stated that the EU legislator is not obliged to lay out exhaustively the exceptions to this principle³⁶. As a result, the ECJ concluded that the obligation to accept cash ‘may in, principle, be restricted by the Member States for reasons of public interest’³⁷ (in the present case the ‘fulfillment of a statutorily imposed payment obligation‘ was accepted as a public interest and a proportionate restriction). In my opinion, by allowing limitations to the general obligation to accept cash, the ECJ is walking on thin ice.

While a restriction in the present case, due to the rather extreme circumstances (46 million license fee payers in Germany) is understandable, the question is where the ECJ will draw the line in the future? For instance, it is getting more common for retailers to only accept digital payments or mainly provide self-checkouts, which only accept credit cards. This approach might save business owners money and time and ensures greater security since less cash is stored in the store. Suppose one of those reasons (for example security) could be accepted as a public interest based on the Courts decision in Dietrich/Häring in the future. In that case, cash would slowly but surely decline even more in usage. While the ECB will not officially abolish cash, further limitations of its acceptance as a means of payment could indirectly lead to a similar result. This fear seems to be shared many Europeans. For instance, in the official FAQ³⁸ on the digital Euro, the ECB was asked whether retailers are allowed to reject cash as a means of payment. In its response, the ECB did not directly answer the question but referred to a recommendation of the Commission, where the Commission proposed that the acceptance of euro banknotes and coins as a means of payment should be the rule.

A refusal should be possible only if grounded on reasons related to the ‘good faith principle’³⁹. Astonishingly the recommendation does not explicitly define this principle, but merely provides two examples where retailers can refuse to accept payment in cash. Namely, if the retailer ‘has no change

34 Ibid, par 18

35 Ibid, par 55

36 Ibid

37 Ibid, par 67

38 European Central Bank, 'FAQ on cash' (Eurosystem, 1 January 2022)

<https://www.ecb.europa.eu/euro/cash_strategy/html/cash-faq.en.html> accessed 12 April 2022

39 Commission Recommendation of 22 March 2010 on the scope and effects of legal tender of euro banknotes and coins, L 83/70

(11)

available’⁴⁰ or if the ‘face value of the banknote tendered is disproportionate to the amount owed (…)’⁴¹.

The recommendation was based on an extensive report of the Euro Legal Tender Expert Group, which had the main goal to set a ‘common understanding of what (…) legal tender means and how it must be protected’⁴². However, the recommendation is neither binding nor has the Commission ever since made a proposal to adopt legislation on the matter. As a result, it is still not clear in which cases retailers are allowed to refuse cash as a means of payment, which leaves them free rein to develop their own rules. In my opinion, this legal uncertainty is unacceptable.

2.2.2 Privacy, inclusivity and effects on the private banking system

The ECB also mentions (among other factors) the protection of privacy, inclusivity and the potential impact on the private banking system as important factors that need to be taken into consideration⁴³. As regards the protection of privacy, the ECB states in its report that a fair balance has to be struck between the rights of the users of the digital euro and the public interest, but that anonymity will practically have to be ruled out⁴⁴. This statement implies that the interpretation of Art 7 and 8 of the CFR will play an essential role in this context (see Chapter 3 for an extensive analysis). Additionally, to justify the different treatment between cash banknotes (which allow anonymous payments) and the digital euro (which does not) the ECB refers to its duty to comply with relevant legislation (such as the AML-Directive⁴⁵). Since the provision of payment services in the EU is mainly regulated by the ‘PSD 2 Directive⁴⁶’, the ‘AML-Directive⁴⁷’ and the ‘GDPR⁴⁸’ (which does not apply to the ECB,

40 Ibid, par. 2

41 Ibid, par. 3

42 Euro legal tender expert group, 'Paying with euro cash in the euro area: Commission recommendation on the legal tender of the euro' (Economic and Financial Affairs, 16 December 2010)

<https://ec.europa.eu/economy_finance/articles/euro/2010-03-22-legal-tender-euro_en.htm> accessed 12 April 2022

43 European Central Bank, Report on a digital Euro (Eurosystem October 2020), 16ff

44 Ibid, 27

46 Directive 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, [2015] OJ L 337/35

47 Supra note 34

48 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the processing of personal data and on the free movement of such data, [2016] OJ L 119/1

(12)

but is replaced by a specific Regulation for the EU institution’s ⁴⁹) the ECB seems to set a high bar when it comes to the protection of privacy and personal data in the context of the digital euro⁵⁰. Besides privacy and data protection, the digital euro could also significantly affect the private banking system. This can be illustrated by using a short scenario. To begin with, in February 2022 the interest rate for deposits from corporations was negative and amounted to -0,28%⁵¹. Therefore, just keeping the money in the bank account for a longer period of time would cost companies a considerable amount of money. To prevent this, corporations could simply convert their deposits from their private bank into digital euros. As a result, they would now have central bank liabilities and could keep their money free of charge at the central bank. However, the ECB does not intend to challenge the private banking system. Accordingly, the ECB will likely limit the amount of digital euro holdings that each user can store at the central bank⁵². The reason being that the digital euro

‘should be an attractive means of payment, but should be designed so as to avoid (…) the risk of large shifts from private money (…) to digital euro’⁵³. However, in my opinion caping digital euro holdings might represent another privacy issue. Namely, because it would require the ECB to constantly monitor the amount of money that every user is converting from their private bank account to their digital euro account at the central bank. This issue has so far not been addressed by the ECB in her report.

Lastly, the final aspect that should not be overlooked is the importance of inclusivity. Unlike any other form of digital payment, cash is the most accessible alternative and can be used by anyone, regardless of age, educational standard, or physical condition. For instance, the involvement of the European Blind Union⁵⁴ during the design process of the euro in the 1990s ‘led to the development of euro banknotes and coins with features that visually impaired people can handle with confidence (…) (banknotes: the higher the value, the bigger the banknote, coins: different sizes, weights and

49 Regulation 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, [2018] OJ L 295/39

50 For instance, both the PSD 2 Directive (Recital 46) and the AML-Directive (Recital 24) require that the rights to privacy and data protection are respected

51 European Central Bank, 'Euro area bank interest rate statistics: February 2022' (Eurosystem, 31 March 2022)

<https://www.ecb.europa.eu/press/pr/stats/mfi/html/ecb.mir2202~a0d5927207.en.html> accessed 8 April 2022

52 Supra note 35, 17

53 Ibid, 18

54 European Blind Union, 'Campaigns and Activities' (The voice of blind and partially sighted people in Europe, 1 January 2022) <https://www.euroblind.org/> accessed 10 April 2022

(13)

shapes depending on the value)’⁵⁵. As already mentioned above the digital euro should have ‘cash- like features (…) and should be easy for vulnerable groups to use’⁵⁶. In my opinion, it will be difficult to match the simplicity of cash banknotes and coins in a digital context. Similar concerns have also been raised in the past by the European Blind Union in response to the green paper⁵⁷ of the Commission. In its response, the Blind Union concluded that ‘card, internet and mobile payments all currently present features that make them inaccessible to blind and partially sighted people’⁵⁸. It is safe to say that the actual design of the digital euro will therefore require a careful balancing act between the interests of numerous stakeholders to make sure that it is both efficient and accessible.

2.3 Competence and Legal basis

Although the ECB does not explicilty address the basic question of whether the EU has the competence to issue a digital euro, it can be assumed that its issuance would form part of ‘monetary policy’, which is an exclusive competence of the EU⁵⁹. An indication of this is the Courts judgement in Gauweiler, where the ECJ held that the ECB has a wide margin of discretion concerning monetary policy, since she has ‘to make choices of a technical nature (…) forecasts and complex assessments’⁶⁰ However, the Court, has also defined an exception to this rule where the project in question is ‘vitiated by a manifest error of assessment’⁶¹ Based on the fact that the ECB provides numerous reasons to issue the digital (see Chapter 2.2 above) and supports its arguments with evidence in its report, I doubt that the ECJ would conclude that a manifest error of assessment has taken place. This opinion is also shared by Mooji, who concluded in her extensive report on the legal framework of the digital euro ‘that the introduction of a Central Bank Digital Currency (CBDC) using the monetary mandate is legally possible’ and therefore within the exclusive competence of the EU⁶².

55 European Central Bank, 'For the visually impaired' (Eurosystem, 1 January 2022)

<https://www.ecb.europa.eu/euro/visually/html/index.en.html> accessed 10 April 2022

57 Green Paper: Towards and integrated market for card, internet and mobile payments, COM (2011) 941 final

58 European blind union, 'EBU response to European Commission Green Paper 'Towards an Integrated European market for card, internet and mobile payments' ' (The voice of blind and partially sighted people in Europe, 1 April 2012)

<https://www.euroblind.org/publications-and-resources/guidelines> accessed 11 April 2022

59 see Art 3 (1) c TFEU Treaty on the Functioning of the European Union [2016] OJ 1 202/47ff.

60 Cases C-62/14 Gauweiler [2015] ECLI:EU:C:2015:400, par 68

61 Ibid, par 74

62 A Mooji, 'What design of the digital euro is possible within the European Central Bank’s legal framework?' [2021]

14(1) Bridge Working Paper 18

(14)

A different and more complex question is, based on which legal basis the ECB can issue the digital euro. There are essentially two possibilities. His issuance could either be based on Art 127 or Art 128 of the TFEU in combination with the statute of the ESCB⁶³ (e.g Art 16) or on secondary EU law (like in 1998 when a regulation initially introduced the euro⁶⁴) which could be adopted based on Art 133 TFEU. I will focus on the first option in my analysis since this seems to be the one the ECB is most likely to make use of ⁶⁵.

In my opinion, Art 127 TFEU can effectively be ruled out as a realistic legal basis since he could only be invoked in limited cases, where the digital euro would only be used as an instrument of monetary policy (like open market operations and standing facilities⁶⁶) and would not represent digital banknotes for citizens.

There are several reasons why Art 128 (1) TFEU in conjunction with Art 16 ESCB might be the most suitable legal basis to issue the digital euro. Firstly, both provisions use the word ‘banknotes’

‘without specifying the material or format in which banknotes are to be issued’⁶⁷. Moreover, the term

‘issuing’ only refers to ‘the appearance as a liability on the central bank’s balance sheet and does not imply that the euro must necessarily be expressed in tangible banknotes’⁶⁸. Secondly, from a historical perspective, it is understandable that the original working group that analyzed the legal aspects of banknotes in 1999 only referred to ‘paper money’ in its report, since digital money was not imaginable at that time⁶⁹. According to Zellweger-Gutknecht also the drafters of the Treaties

‘simply did not have a digital euro on their radars’ and they ‘neither explicitly provided for the issuance of a digital euro nor explicitly – even silently – excluded it from the scope of Art 128 (1) TFEU and Art 16 ESCB’⁷⁰. However, Mooji disagrees with that line of reasoning and believes that a lack of an explicit prohibition does not allow the conclusion that digital euro notes could be issued based on Art 128 TFEU⁷¹. In my opinion, a teleological interpretation, which was also used by

63 Protocol (No 4) on the Statute of the European System of Central Banks and of the European Central Bank [2016] OJ C 202/230

64 Council Regulation 974/98 of 3 May 1998 on the introduction of the euro, [1998] OJ L 139

65 European Central Bank, Report on a digital Euro (Eurosystem October 2020), 24f

66 European Central Bank, 'The Eurosystem’s instruments' (Eurosystem, 1 January 2022)

<https://www.ecb.europa.eu/mopo/implement/html/index.en.html> accessed 14 April 2022

67 C Zellweger‐Gutknecht and others, 'Digital Euro and ECB Powers' [2021] 58(4) Common Market Law Review 5

68 Ibid

69 European Central Bank, 'Report on the legal protection of banknotes in the European Union Member States' [1999]

1(1) European Central Bank Report 41

70 Supra note 70, 6

71 A Mooji, 'What design of the digital euro is possible within the European Central Bank’s legal framework?' [2021]

14(1) Bridge Working Paper 5

(15)

Zellweger-Gutknecht (and is often used by the Court⁷²) leads to the clearest solution. A purposive reading of Art 128 TFEU could lead to the conclusion that, like the European Monetary Union, the concept of banknotes is also in a constant state of development. Although the medium might have changed since information does not necessarily need to be recorded on paper anymore, the functionality of the banknote has remained unchanged. Zellweger-Gutknecht, therefore, believe that similar to physical cash the digital euro should serve as ‘a credit risk-free and trusted means of payment and store of value that is accessible to the general public’⁷³.

However, in my opinion it is doubtful whether the digital euro is indeed fully accessible to everyone and therefore equal to physical cash. For instance, as already briefly mentioned above (see chapter 2.3.2), the European Blind Union noted that existing card and digital payment systems are currently inaccessible to blind and partially sighted people⁷⁴. As a result, I believe that Article 128(1) TFEU, in conjunction with Article 16 ESCB, can only serve as the appropriate legal basis provided that the ECB succeeds in designing the digital euro in a fully accessible manner. Should this not be the case, a Treaty amendment might be necessary.

After having illustrated the definition of the digital euro, both the reasons and potential risks of his issuance, the competence of the EU and the choice of the legal basis, I will now put these findings in the context of the right to privacy and data protection of its future users.

3 Privacy and Data Protection

3.1 General Scope and Limitations of the Charter

While the main part of the upcoming chapters will consist of a case law analysis and the possible implications for the protection of privacy (Art 7) and personal data (Art 8) it is necessary to first briefly lay out the general field of application and the limitations of both the Charter and the specific rights I am going to address. To begin with, Art 51 (1) CFR states that the provisions of the Charter apply to ‘the institutions, bodies, offices and agencies of the Union (…) and to the Member States when they are implementing Union Law’⁷⁵. However, the protection of the rights and principles laid

72 see for example Case C-283/81 CILFIT [1982] ECLI:EU:C:1982:335 par 20

73 Supra note 70, 7

74 European blind union, 'EBU response to European Commission Green Paper 'Towards an Integrated European market for card, internet and mobile payments' ' (The voice of blind and partially sighted people in Europe, 1 April 2012)

<https://www.euroblind.org/publications-and-resources/guidelines> accessed 11 April 2022

75 Charter of Fundamental Rights of the European Union [2012] OJ C 326/391 Art 51

(16)

out in the Charter are, in principle, not absolute. Apart from the rights that are mentioned in the first chapter of the Charter⁷⁶ ‘neither the Union institution nor the Member States (…) will be bound by the Charter once the limitation provided under Art 52 (1) CFR comes into play’⁷⁷.

In essence, Art 52 (1) comprises three elements, namely ‘a procedural rule (limitations of rights

‘must be provided for by law’); a rule on the justifications of limiting rights (‘objectives of general interests recognized by the Union or the need to protect the rights and freedoms of other’), and (…) interlinked rules on the balancing test to be applied as between rights and limitations (the obligation to ‘respect the essence of’ the rights; the ‘principle of proportionality’; and the requirement of necessity)’⁷⁸. The meaning of each of these elements is widely discussed in the literature, as this provision is frequently applied in the case law of the ECJ⁷⁹. At this point, I will not lay out the details of the discussion, but the limitations provided for by Art 52 (1) CFR will play an important role in my case law analysis (see Chapter 3.2).

3.1.1 Scope and Limitations of Art 7 and 8 of the Charter

The first right at the heart of questions on privacy is Art 7 of the Charter. Prima facie, the provision has a wide scope of application since she demands respect for everyone’s ‘private and family life, home and communications’⁸⁰. I will specifically focus on the application of Art 7 with regard to the protection of private life and communications. However, it should be borne in mind that although

‘private life’ represents an ‘autonomous concept (…) of fundamental rights law it is related to the concepts of family life, home and communications⁸¹. Moreover, inspiration can also be drawn from the interpretation of Art 8 ECHR by the ECtHR, since ‘private life’ can be considered an

76 see Art 1 to Art 5

77 A Ward, Field of Application of Article 51. In Peers, S et al., The EU Charter of Fundamental Rights (Hart Publishing 2014) 1418

78 S Peers and S Prechal, Field of Application of Article 52. In Peers, S et al., The EU Charter of Fundamental Rights (Hart Publishing 2014) 1470

79 For instance: as regards the first element, an essential question is whether ‘provided by law’ also refers to the national law of the Member States, or exclusively to EU law, see D Triantafyllou, 'The European Charter of Fundamental Rights and the 'Rule of Law': Restricting Fundamental Rights by Reference' [2002] 39(1) Common Market Law Review 53, as regards the justification test to limit rights some authors criticize the fact that the Court often applies different proportionality tests, depending on the right at issue without explaining its reasoning or consistently sticking to that interpretation, S Peers and S Prechal, Field of Application of Article 52. In Peers, S et al., The EU Charter of Fundamental Rights (Hart Publishing 2014) 1485

80 Charter of Fundamental Rights of the European Union [2012] OJ C 326/391 Art 7

81 J Vedsted-Hansen, Field of Application of Article 7. In Peers, S et al., The EU Charter of Fundamental Rights (Hart Publishing 2014) 155

(17)

‘overarching concept’⁸². Therefore, in accordance with Art 52 (3) CFR Art 7 CFR must also be interpreted in conformity with Art 8 ECHR⁸³.

The meaning of ‘private life’ is interpreted broadly by the ECtHR, ‘it includes a right to establish and develop relationships with other human beings, including business relationships’⁸⁴. Additionally, it guarantees ‘various aspects of personal identity, including respect for one’s gender identity, access to information regarding one’s origin, the right to one’s image and respect for as one’s name’⁸⁵. Contrary to Art 8 (2) ECHR, Art 8 CFR does not explicitly mention the requirement to limit its protection. As a result, recourse must be taken to the elements set out in Art 52 (1) CFR (see Chapter 3.1).

When asked about the connection between private life and data protection (Art 8), the ECJ concluded that the ‘right to respect for private life with regard to the processing of personal data (…) concerns any information relating to an identified or identifiable individual’⁸⁶. Additionally, as exemplified by the ECJ’s interpretation of ‘communications’, the line between data protection as laid down in Art 8 CFR and Art 7 CFR is blurring. For instance, in Ministero Fiscal when interpreting the E- Privacy Directive the Court held that the term ‘communications’ also ‘governs all processing of personal data in connection with electronic communication services’⁸⁷. The fact that ‘information technologies convey data along with their communications’⁸⁸ also played a key role in Digital Rights Ireland⁸⁹ and Tele 2⁹⁰, where the Court analyzed an interference with regards to both Art 7 and 8 CFR⁹¹ (a detailed case analysis will follow shortly).

The scope of application of Art 8 CFR covers the fair processing of personal data for ‘specified purposes on the basis of the consent of the person concerned or some other legitimate basis laid down by law’. Personal data can be understood as ‘any information relating to an identified or identifiable

82 Ibid, 156

83 T Lock, Art 7 CFR Respect for private and family life. in Kellerbauer and others (eds), Commentary on the EU Treaties and the Charter of Fundamental Rights (Oxford University Press 2019) 2116

84 Ibid

85 Ibid

86 Cases C-92/09 and C-93/09 Volker, Schecke and Eifert[2010] ECLI:EU:C:2010:662, par 52

87 Case C-2017/16 Ministero Fiscal [2018] ECLI:EU:C:2018:788, par 41

88 D Mongan, Art 7 Private Life, Home and Communications. In Peers, S et al., The EU Charter of Fundamental Rights (Hart Publishing 2021) 162

90 Cases C‑203/15 and C‑698/15 Tele 2 [2016] ECLI:EU:C:2016:970

91 Charter of Fundamental Rights of the European Union [2012] OJ C 326/391 Art

(18)

individual'⁹². The meaning of the term ‘processing’ is broadly defined in the GDPR and includes

‘any operation or set of operation which is performed upon personal data, whether or not by automatic means (…) or otherwise making available, alignment or combination, blocking erasure or destruction’⁹³.

A limitation of the right to data protection requires informed consent, meaning that ‘it cannot be inferred from legislative requirements as to the publication or the collection of data pertaining to a scheme in which the person concerned wishes to take part even if the persons concerned is aware of that requirement’⁹⁴. In other words, the person concerned must have the option of not consenting to the processing of its data. Moreover, the alternative requirement of a ‘legitimate basis laid downy by law’ corresponds to the required ‘objectives of general interest’ as described in Art 52 (1) CFR. The term ’fair processing’ was defined in the preceding regulation of the GDPR as meaning that ‘the data must be adequate, relevant and not excessive in relation to the purposes for which they are processed’

and that ‘the subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection’⁹⁵.

After having outlined both the scope and limitations of Art 7 and 8 CFR I will now take a closer look at the case law of the ECJ whilst illustrating the possible implications for the digital euro and the rights of his future users.

3.2 Implications of key ECJ judgements on the digital Euro 3.2.1 Digital Rights Ireland

The present case represents a landmark ruling for the protection of personal data and privacy in the EU. To begin with, it is necessary to briefly summarize the facts of the case to critically reflect on the decision of the ECJ and its implications.

The joined cases C-293/12 and C-594/12 both represented preliminary reference procedures, the former having been submitted by the Irish High Court and the latter by the Austrian

92 Cases C-92/09 and C-93/09 Volker, Schecke and Eifert [2010] ECLI:EU:C:2010:662, par 52

93 Regulation 2016/79 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, [2016] OJ L 119/1 Art 4 (2)

94 T Lock, Art 8 CFR Protection of personal data. in Kellerbauer and others (eds), Commentary on the EU Treaties and the Charter of Fundamental Rights (Oxford University Press 2019) 2124

95 Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [1995] OJ L 281/31, Preamble paras 28 and 38

(19)

Verfassungsgerichtshof⁹⁶. Both Courts questioned the compatibility of the Data Retention Directive⁹⁷ with (among other provisions⁹⁸) Art 7 and 8 of the Charter. The Data Retention Directive aimed to harmonize national provisions that laid down ‘the obligation of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data, which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime (…)’⁹⁹.

In essence, the providers were required to store ‘data necessary to trace and identify the source of a communication and its destination, to identify the date, time duration and type of a communication, to identify the user’s communication equipment (…) and to identify data which consist (…) of the name and address of the subscriber or registered user, the calling telephone number, the number called and an IP address for internet services’¹⁰⁰. Moreover, the Directive applied to all users of electronic communication services in the EU, for a duration of at least 6 to 24 months, without objective criteria having to be taken into account for determining said duration¹⁰¹.

Already at this point, the question arises as to how the present decision of the ECJ could be related to the digital euro. While it is true that, as of today, there is no secondary legislation that would regulate the digital euro, the report of the ECB already allows some assumptions to be made with regard to its possible content.

Firstly, the ECB admits that, unlike cash transactions, payments with the digital euro will not be anonymous in order to comply with AML and anti-terrorist financing regulations (see Chapter 2.2.2)¹⁰². Since the ECB has stated that anonymity will have to be ruled out (see Chapter 2.1), it can be assumed that the data of most payments will need to be gathered. Comparable to the present case, the data could potentially comprise the identity of both the payer and the payee, their IP addresses, the volume of the transaction, their location, the time and the date. In the present case, the Court concluded that the data that was required to be stored by the communication providers ‘may allow

97 Directive 2016/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of the publicly available electronic communications services or of public communications networks, [2006] OJ L 105/54

98 such as Art 21 TFEU and Art 11 CFR

99 Supra note 99, Art 1 (1)

100 Supra note 98, par 26

101 Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd [2014] ECLI:EU:C:2014:238, paras 56 and 64

(20)

very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships (…) and the social environments frequented by them’¹⁰³. In my opinion, the same conclusion could potentially apply to payment data.

We leave traces in all our digital transactions, be it by buying a train ticket, our groceries, or by paying a debt to a friend. In addition, even certain perfectly legal transactions can leave us vulnerable, such as purchases that indicate a high net worth, or certain medications¹⁰⁴. I would argue that gathering payment data of transactions allows precise conclusions to be made about our private lives.

Secondly, similar to the present case, the gathering of payment data could potentially represent an interference with the ‘fundamental rights of practically the entire European population¹⁰⁵’ since the acceptance of cash will likely continue to decrease¹⁰⁶ and the digital euro can be deposited interest- free with the ECB.

To begin with, the Court held that the Data Retention Directive constituted an interreference with both Art 7 and 8 of the Charter¹⁰⁷. Subsequently, the Court analyzed whether these interferences were justified based on Art 52 (1) CFR. The ECJ accepted ‘public security’ as an objective of general interest¹⁰⁸. After that, the Court proceeded to establish whether the interferences satisfied the principle of proportionality. In my opinion, two vital aspects in the ECJ's reasoning could be decisive for future legislation on the digital euro.

In the first place, the ECJ heavily criticized the fact that the Data Retention Directive, failed to lay down objective criteria or clear and precise rules with regard to the extent of the interference with Art 7 and Art 8 CFR¹⁰⁹, meaning that the data would also be collected from people with no evidence or even a remote link to criminal undertakings. As already mentioned above, the ECB plans to collect the personal data of most transactions whilst only excluding certain types of transactions. However, the ECB only notes in its report that full privacy must be ruled out, based on its legal obligations (e.g

103 Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd [2014] ECLI:EU:C:2014:238, par 27

104 C Kahn, 'Payment Systems and Privacy' [2018] 100(4) Federal Reserve Bank of St Louis Review 338

106 see for instance my arguments on Dietrich/Heering v Hessischer Rundfunk in Chapter 2.2.2

107 Supra note 109, paras 34 and 36

108 Ibid, paras 41 and 44

109 Ibid, paras 60 and 65

(21)

the AML¹¹⁰ Directive) and that the level of protection will depend on the ‘preferred balance between individual rights and public interest’¹¹¹. To avoid the risk that future legislation on the digital euro could be considered disproportionate, I believe that the ECB will have to clearly define in which cases interferences will be necessary. For instance, the AML-Directive only demands customer due diligence under specific circumstances (e.g. occasional transactions which amount to more than EUR 15 000, or transactions of more than EUR 2000 from gambling service providers)¹¹². As a result, contrary to the ECB, I believe that anonymity should be the rule and the collection of data the exception. Especially since the ECB explicitly mentions in its report that it aims to equip the digital euro with ‘cash like-features’¹¹³.

Furthermore, the Court concluded that the Data Retention Directive went beyond what is necessary to achieve its public objective since she did not make the retention of data ‘dependent on a prior review of a court or by an administrative body’¹¹⁴ and did not provide sufficient safeguards ‘against abuse and (…) unlawful access to that data’¹¹⁵. The ECB has not explicitly addressed this issue in her report, but merely stated that the operator (meaning the private bank) should guarantee full data protection¹¹⁶. In my opinion, however, it will be crucial to set out the conditions under which the payment data of a subject can be shared with public authorities. For instance, the question could arise as to wheter tax authorities or criminal authorities could access data even without suspicion of a crime.

I believe it is vital that the ECB takes the possible implications of the present judgement into account since the Court concluded that the Data Retention Directive was disproportionate and declared invalid¹¹⁷. The legislator will have to face the same difficult task of protecting the privacy and data of digital euro holders while pursuing public policy objectives.

111 European Central Bank, Report on a digital Euro (Eurosystem October 2020), 27

112 Directive 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing [2015] OJ L 141/73, Art 11

114 Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd [2014] ECLI:EU:C:2014:238, par 62

115 Ibid, par 66

(22)

3.2.2 Tele 2

The present judgement of the Court seeks to provide further clarification on the ECJ’s ruling in Digital Rights Ireland (from now on, referred to as DRI). Before starting my analysis, it is important to note that the judgement was delivered in the context of the E-Privacy Directive, however, as noted by Lynksey ‘the Court’s reasoning could equally apply to other EU secondary legislation or programs interpreted in light of the Charter¹¹⁸’.

The case is based on two preliminary reference procedures initiated by a Swedish and a British court.

The former asked the Court to give an ‘unequivocal ruling on whether (…) a general obligation to retain traffic data covering all persons, all means of communication and traffic data without any distinction, limitations or exceptions for the purpose of fighting crime was compatible with Art 15 (1) of Directive 2002/58/EC, taking account of Art 7 and 8 and 52 (1) of the Charter’¹¹⁹. The reference of the Swedish court is based on the refusal of a Swedish electronic communications provider (Tele 2) ‘to continue to retain electronic communications data following the finding in DRI that the Data Retention Directive was invalid’¹²⁰. The Swedish Minister of Justice disagreed with the measure of Tele 2 and commissioned a report arguing that DRI ‘could not be interpreted as meaning that the general and indiscriminate retention of data was to be condemned as a matter of principle’¹²¹. However, Tele 2 kept refusing to comply with the Swedish legislation on data retention.

The second procedure is rooted in the fact that the British ‘Data Retention and Investigatory Powers Act’ (DRIPA) was deemed to be incompatible with the CFR and the ECHR. The national court of first instance argued that the Courts judgement in DRI was confined to legislation that governs data retention (since the case dealt with the Data Retention Directive) while provisions on access to data would be excluded from the decision. The British Courts of Appeal, however, was unsure and wanted to ascertain whether the Courts judgement in DRI had laid down mandatory requirements of EU law that would also be applicable to national legislation that governs access to retained data¹²².

118 O Lynskey, 'Tele2 Sverige AB and Watson et al: Continuity and Radical Change' (European Law Blog, 12th January)

<https://europeanlawblog.eu/2017/01/12/tele2-sverige-ab-and-watson-et-al-continuity-and-radical-change/> accessed 2 May 2022

119 Cases C‑203/15 and C‑698/15 Tele 2 [2016] ECLI:EU:C:2016:970, par 51

120 Supra note 124

122 Ibid, par 59 (1)

(23)

First and foremost, the Court reiterated the importance of Art 7 and 8 of the Charter regarding the question of whether retained data should be made accessible to the national authorities¹²³. Additionally, the Court held that limitations to these rights must be strictly proportionate, meaning that an interference should only be limited to a certain timeframe and to the pursuit of the intended purpose ¹²⁴. Subsequently, the Court concluded in analogy to its judgement in DRI that ‘only the objective of fighting serious crime¹²⁵’ could justify national legislation on data retention. Moreover, the ECJ stated that this objective alone is not capable to justify ‘national legislation for the general and indiscriminate retention of all traffic and location data (…)’¹²⁶. Most importantly, however, the Court held (in analogy to DRI) that in order to be proportionate, national legislation should indicate

‘in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted ‘¹²⁷. The ECJ, therefore, requires the legislator to take an evidence-based approach, meaning that ‘objective evidence should make it possible to identify a public whose data is likely to reveal a link, at least an indirect one with serious criminal offences’¹²⁸.

Previously, I concluded that contrary to the proposed concept of the ECB, I believe that anonymity should be the rule and not the exception (see Chapter 3.2.1). The present judgement seems to support this argument. For instance, in its report the ECB only mentions its legal obligations (especially compliance with the AML Directive) as a justification to rule out anonymity¹²⁹ (see also Chapter 2.2.2). The AML Directive has the objective of preventing and detecting money laundering and terrorist financing, which serves to protect public policy¹³⁰. However, based on the present judgement pursuing this public objective alone will not be enough to justify the general rule to gather payment data and rule out anonymity. In analogy to the Courts arguments in the present case, I believe that legislation on the digital euro should therefore also be established on the basis of an evidence-based approach, meaning that payment data should only be retained where there is at least an indirect link to possible criminal behavior. In my opinion, this design would also better reflect the

123 Cases C‑203/15 and C‑698/15 Tele 2 [2016] ECLI:EU:C:2016:970, par 92, 93

124 Ibid, par 95

125 Ibid, par 102

126 Ibid, par 103

127 Ibid, par. 109

128 O Lynskey, 'Tele2 Sverige AB and Watson et al: Continuity and Radical Change' (European Law Blog, 12th January)

<https://europeanlawblog.eu/2017/01/12/tele2-sverige-ab-and-watson-et-al-continuity-and-radical-change/> accessed 2 May 2022

130 Directive 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing [2015] OJ L 141/73, Recital 64

(24)

due diligence requirements of the AML Directive. For example, the Directive only demands customer due diligence when a new business relationship is being established, when certain thresholds are met (e.g. occasional transactions of EUR 15 000 or more), or if there is at least a suspicion of money laundering¹³¹. In addition, the Directive requires entities that retain data of their customers or to provide ‘the supporting evidence and records of transactions’¹³² to the competent authority.

This leads to the second question of the present judgment, namely, whether the mandatory requirements established by DRI also apply to cases involving access to stored data by national authorities. The Court answered in the affirmative and held that in analogy to DRI ‘access of the competent national authorities to retained data should (…) be subject to a prior review carried out either by a court or by an independent administrative body (…) following a reasoned request by those authorities ¹³³’. Moreover, the national authorities must notify the person concerned, if said notification does no more risk jeopardizing the investigations¹³⁴. Lastly, the Court pointed out the vital role of the Charter and held that based on Art 8 (3) CFR the Member States ‘must ensure review, by an independent authority, of compliance with (…) EU law with respect to the protection of individuals in relation to the processing of personal data (…)’¹³⁵.

As mentioned above (see 3.2.1), the ECB has not yet addressed the issue of how to safeguard the right to privacy and data protection when sharing payment data with national authorities. The ECB only mentioned that the operator should guarantee full data protection¹³⁶,however as exemplified by the present judgement this will be more difficult to accomplish than the ECB might suggest in its report. Essentially respecting Art 8 CFR will require the operators of the digital euro infrastructure (in effect the private banks) to cooperate with national authorities. However, this should be done with caution since the banks can only grant access to the payment data provided that a prior review has taken place following a reasoned request by the concerned national authority. Otherwise, they could risk infringing the right to data protection of the affected user.

131 Directive 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing [2015] OJ L 141/73, Art 11

132 Ibid, Art 40 (b)

133 Cases C‑203/15 and C‑698/15 Tele 2 [2016] ECLI:EU:C:2016:970, par 120

134 Ibid, par 121

135 Ibid, par 123