(KF1) Privacy: undercutting existing systems

Central monitoring of all online digital euro transactions by the ECB threatens privacy even more than contemporary digital payment methods with segregated account databases.

The ECB compares the digital euro to cash and emphasizes privacy (Q9), matching clear consumer preference for payment privacy in recent surveys [1;2;3]. Unfortunately it fails to deliver: While the offline version indeed promises full transaction privacy with respect to the payment infrastructure, it remains unclear how an offline fraud incident (KF2) would be handled without any recorded transaction history (KF3). Given the convenience functions of the online version such as automatic deposit and withdrawal, and given that Internet is available in many situations, people are likely to stick to the online version of the digital euro, probably in the illusion that their transaction data is private there, too.

However, the online digital euro mirrors the design of typical digital payment systems (KF5) where all transactions are completely visible to the PSP, with at most organizational or legal, but no strong cryptographic safeguards against data misuse. And, even worse, the ECB will maintain a central database of all online digital euro transactions, where it, as they state, “would not be able to directly link (…) transactions to specific individuals” (Q9). Published documents solely reference pseudonymization of individuals, i.e., using unique identifiers instead of real names and personal identities for digital euro accounts. However, this still allows the creation of “patterns of life” and detailed insights into citizen’s private lives, where it is enough to relate a single transaction with a certain individual to obtain their whole transaction history— indeed not “directly”, but with little effort [4]. This will enable an unprecedented level of easy mass surveillance and represent a high-value target for cyberattacks (Q25) as payment data would no longer be siloed across thousands of organizations, databases, and incompatible formats [5].

The European Convention on Human Rights establishes privacy as a fundamental human right, which however is not absolute but subject to derogation [6]. Any privacy-intrusive measure must pass a number of tests derived from the wording and subsequent interpretation of Article 8: There needs to be a clear legal basis for the measure, remedies for breach of privacy must be established, and the measure must be both necessary and proportionate in a democratic society. The privacy-intrusive nature of the online digital euro, where PSPs provision digital euro accounts to verified identities and can thus relate every single transaction to an individual, is commonly justified by the necessity of Anti-Money Laundering (AML) legislation. This oversees the fact that alternative designs for digital payment systems exist, which provide KYC-compliant money inflow and income transparency through identifiable payees, to serve an equally good purpose in countering criminal activities, while offering anonymity on the payer’s side [7;8]; also referred to as “asymmetric privacy” [9]. But even if one were to accept that the two tests of legal basis and necessity have been met by the draft regulation [10], the digital euro would likely fail the test of proportionality. The privacy risks implied by a central database which is already discussed being in reach of intelligence services and police forces [11] are significantly disproportionate to the functionality or any other advantage gained for the citizen (KF5). It is unfortunately not a given that all intelligence services of all EU member states will forever be trustworthy to not misuse their access to such a huge database for nefarious purposes. Instead of “privacy by design”, at this moment in time, the digital euro is promising “less privacy through flawed design”.

  1. European Central Bank, Study on the payment attitudes of consumers in the euro area (SPACE) – 2024. https://www.ecb.europa.eu/stats/ecb_surveys/space/shared/pdf/ecb.space2024~19d46f0f17.en.pdf, 2024.
  2. European Central Bank, Study on the payment attitudes of consumers in the euro area (SPACE) – 2022. https://www.ecb.europa.eu/stats/ecb_surveys/space/shared/pdf/ecb.spacereport202212~783ffdf46e.en.pdf, 2022.
  3. European Central Bank, Eurosystem report on the public consultation on a digital euro, 2021.
  4. Y. De Montjoye, L. Radaelli, V. Singh, and A. Pentland, Unique in the shopping mall: On the reidentifiability of credit card metadata, Science, vol. 347, no. 6221, pp. 536–539, 2015. doi:10.1126/science.1256297
  5. A. Aligny, E. Benoist, F. Dold, C. Grothoff, Ö. Kesim, and M. Schanzenbach, Who comes after us? The correct mindset for designing a central bank digital currency, SUERF Policy Note, no. 279, pp. 1–9, 2022.
  6. Council of Europe, Convention for the protection of human rights and fundamental freedoms. Strasbourg: Council of Europe, 1950.
  7. K. Wüst, K. Kostiainen, N. Delius, and S. Capkun, Platypus: A central bank digital currency with unlinkable transactions and privacy-preserving regulation, In Proc. Proceedings of the 2022 ACM SIGSAC conference on computer and communications security, 2022, pp. 2947–2960. doi:10.1145/3548606.3560617
  8. C. Grothoff and T. Moser, How to issue a privacy-preserving central bank digital currency, SUERF Policy Briefs, no. 114, 2021.
  9. K. Tinn, A theory model of digital currency with asymmetric privacy, Management Science, vol. ahead of print, 2025. doi:10.1287/mnsc.2024.06830
  10. European Commission, Proposal for a regulation of the european parliament and of the council on the establishment of the digital euro, 2023. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52023PC0369
  11. M. Henning, EU Council discusses digital euro: And how much privacy should it be?. https://netzpolitik.org/2024/eu-council-discusses-digital-euro-and-how-much-privacy-should-it-be/, 2024.