Skip to content
Guidance · EDPB ·edps-joint-opinion-022023-on-the-proposal-for-a-regulation-of EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

EDPB-EDPS Joint Opinion 02/2023 on the Proposal for a Regulation of the European Parliament and of the Council on the establishment of the digital euro

Summary

Adopted 2 Adopted 3 Executive summary Two years after the launch of the investigation phase on the issuance of a digital euro by the European Central Bank (ECB), the European Parliament and the Council of the European Union will, in the coming months, examine the Proposal for a Regulation establishing the digital euro as central bank digital currency. Having regard to the particular importance of the digital euro for the fundamental rights to privacy and to the protection of personal data, the…

How it connects

Full text

Adopted 2 Adopted 3 Executive summary Two years after the launch of the investigation phase on the issuance of a digital euro by the European Central Bank (ECB), the European Parliament and the Council of the European Union will, in the coming months, examine the Proposal for a Regulation establishing the digital euro as central bank digital currency. Having regard to the particular importance of the digital euro for the fundamental rights to privacy and to the protection of personal data, the European Commission requested that the EDPB and the EDPS issue a Joint Opinion on this Proposal. On a general note, recalling that the value added of a digital euro in a highly competitive payments landscape would reside mainly in its confidentiality, the EDPB and the EDPS strongly welcome that digital users will always have the choice to pay in digital euros or in cash, as well as that the digital euro would not be “programmable money”. This Joint Opinion also welcome that the Proposal aims to provide a high standard of privacy and data protection for the digital euro and acknowledge the efforts made in the Proposal to this effect, notably by introducing an ‘’offline modality’’, to minimise the processing of personal data in relation to the digital euro, as well as to embed data protection by design and data protection by default. However, the EDPB and the EDPS, following a “privacy and data protection by design” approach, draw the attention of the co-legislators to a number of personal data protection concerns, which, if not addressed in the Proposal, could undermine the trust of citizens in the future digital euro and, in fine, its societal uptake. In this respect, the EDPB and the EDPS elaborate on their positions already adopted since 2021. Firstly, whereas the EDPB and the EDPS welcome that the distribution of the digital euro would be carried out in a ‘’decentralised manner’’, i.e. by financial intermediaries, rather than by the Eurosystem directly, they consider that further clarifications on the modalities of distribution of the digital euro should be included in the legislative text. Moreover, the EDPB and the EDPS consider that more clarifications should be provided on the necessity and proportionality of the single access point of digital euro unique identifiers, as well as to how data protection by design and by default is to be implemented in this respect. In addition, the legislative text should include clarifications as to how personal data would need to be processed by PSPs to enforce the holding limits in practice. More clarity is also called for the processing of personal data carried out for the enforcement of limits on fees possibly asked by PSPs. As regard the settlement infrastructure to be provided and managed by the ECB, the EDPB and the EDPS are of the opinion that the enacting terms of the Proposal should include a binding obligation that would ensure pseudonymisation of all transaction data vis-à-vis the ECB and the national central banks. Importantly, the EDPB and the EDPS also consider that the provisions relating to the general fraud detection and prevention mechanism (FDPM) that the ECB may choose to establish to facilitate the fraud detection and prevention by PSPs lack foreseeability, thereby undermining legal certainty and the ability to assess the necessity of establishing such mechanism. It is unclear, in particular, which tasks would be performed by the ECB (as possible supervisors of the antifraud performed by PSPs), on the one hand, and which tasks (and related data processing) would be performed by PSPs, on the other hand. The co-legislators are therefore invited to further demonstrate the necessity of such mechanism and provide for clear and precise rules governing the scope and application of the envisaged FDPM, including with regard to the nature of the support to be provided by the ECB to PSPs. Should such necessity not be demonstrated, the EDPB and the EDPS recommend to introduce less intrusive measures from a data protection perspective, together with the implementation of appropriate safeguards. In addition, the EDPB and the EDPS recognise in this Joint Opinion the potential risks that digital euro could face from an IT and cybersecurity perspective and recommend including an explicit reference to the applicable cybersecurity legal framework in the preamble of the Proposal. Adopted 4 With regard to the privacy and data protection aspects of the digital euro, the EDPS and the EDPB positively note the efforts made in Chapter VIII and the corresponding Annexes to establish the purposes and categories of personal data for the processing to be carried out by each of the actors involved in the issuance and use of the digital euro. However, further clarifications should be provided by the co-legislators regarding, in particular, the legal bases applicable to these processing operations, the allocation of responsibilities, as well as to the types of personal data to be processed by each of these actors. Finally, the EDPB and the EDPS regret the fact that the Proposal discarded the adoption of a ‘selective privacy’ approach for low-value online payments. In this regard, it should be noted that the level of AML/CFT risk for the online digital euro will depend on the technology used and design choices made during the conception phase. Taking into account the possible mitigating measures that could be implemented to reduce such risk, the EDPB and the EDPS therefore strongly recommend the co-legislators to extend the specific regime applicable to the offline modality to the online modality for low-value transactions, with a threshold below which there would be no tracing of transactions for AML/CFT purposes. Considering that the ECB’s work on the digital euro is ongoing in parallel with the work of the co-legislators, the EDPB and the EDPS recall the obligation for all digital euro controllers and joint controllers to perform a DPIA, to the extent that the requirements of Article 35 GDPR or Article 39 EUDPR are met. In addition, the Proposal should recall the obligation of privacy and data protection by design and by default when establishing the operational design and technological choices. Following the adoption of legislation for the digital euro, the EDPB and the EDPS, each within their respective responsibilities, will continue to monitor the deployment and stand ready to provide guidance to the co-legislators and the ECB on the personal data protection aspects of the digital euro. Adopted 5 The European Data Protection Board and the European Data Protection Supervisor Having regard to Article 42(2) of the Regulation 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC 1 , Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 2 , Having regard to the European Commission’s request for a joint opinion of the European Data Protection Board and the European Data Protection Supervisor of 29 June 2023, on the Proposal for a Regulation on the establishment of the digital euro 3 and on the Proposal for a Regulation on the provision of digital euro services by payment services providers incorporated in Member States whose currency is not the euro and amending Regulation(EU) 2021/1230 of the European Parliament and the Council 4 . HAVE ADOPTED THE FOLLOWING JOINT OPINION 1 BACKGROUND 1. On 28 June 2023, the European Commission adopted a legislative package 5 on a digital euro, which included a Proposal establishing the legal framework for a possible digital euro 6 . This proposal aims to establish and regulate the essential aspects of a digital euro, the issuance of which is the prerogative of the European Central Bank (hereafter the ‘ECB’). The digital euro project started before the adoption of the digital euro legislative package. Below, the EDPB and the EDPS recall the chronology of the key events that led to the adoption of the digital euro legislative package, including the views expressed by the EDPB on the matter. 2. In October 2020, in the context of a growing interest for central bank digital currencies around the world, the ECB launched a public consultation on a possible digital euro, a new form of central bank digital currency for use in retail payments which aims at complementing the 1 OJ L 295, 21.11.2018, p. 39. 2 References to ‘Member States’ made throughout this document should be understood as references to ‘EEA Member States’. 3 Proposal for a Regulation of the European Parliament and of the Council on the establishment of the digital euro, COM/2023/369 final. 4 Proposal for a Regulation of the European Parliament and of the Council on the provision of digital euro services by payment services providers incorporated in Member States whose currency is not the euro and amending Regulation (EU) 2021/1230 of the European Parliament and the Council, COM/2023/368 final. 5 https://ec.europa.eu/commission/presscorner/detail/en/ip 23 3501 6 Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the establishment of the digital euro (COM/2023/369 final) Adopted 6 physical euro cash 7 . The policy objectives of the establishment of the digital euro are to ensure the continued access of EU citizens to central bank currency in the context of a declining use of physical cash, to support financial inclusion, as well as to promote innovation and strategic autonomy of the EU with regard to payments. In April 2021, the ECB published a report on the feedbacks provided during the public consultation 8 . The report showed that confidentiality was considered the most important feature for a digital euro by 43% of the respondents, both citizens and professionals. 3. On 18 June 2021, the EDPB sent a letter to the European institutions on the privacy and data protection aspects of a possible digital euro 9 . In this letter, the EDPB underlined the need, for the European institutions to work on a digital euro that would fully embrace “ privacy and data protection by design and by default” , in line with the results of the public consultation launched by the ECB the year before. In addition, the EDPB highlighted the risks for privacy and fundamental rights and freedoms of such a project if the digital euro would not be properly designed. In particular, the EDPB highlighted the risk of general tracking of transactions across the payment infrastructures, the risk of excessive identification of citizens using the digital euro, the security risk for payment data, and offered the EDPB assistance to mitigate them. Moreover, the letter advocated for the possibility to make part of the transactions anonymous or, at the very least, with a high level of pseudonymisation. Finally, the EDPB pointed out that physical cash was the relevant benchmark for the design of digital euro, especially to strike the right balance between privacy and data protection, on the one hand, and anti-money laundering and counter-financing of terrorism (hereafter ‘AML/CFT’) on the other. 4. On 14 July 2021, the ECB launched an investigation phase of the digital euro project. This 24- month phase aimed to address key issues regarding the design and distribution of a digital form of the euro, as well as to assess the possible impact of a digital euro on the market. Other objectives were to identify the design options to ensure privacy and avoid risks for euro area citizens, intermediaries and the overall economy. As part of its assistance to the European institutions on the subject matter, the EDPB took part in the consultation process of the investigation phase and held several meetings with ECB experts. On top of its positions expressed publicly, the EDPB held regular internal meetings on the subject matter, in which experts of the Commission participated. The Commission had thus the opportunity to benefit from regular informal EDPB advices along the elaboration phase of this Proposal. 5. In April 2022, the Commission launched a targeted public consultation 10 with the aim of gathering further information on a number of aspects including users’ needs and expectations, expected impacts on key industries as well as on privacy and data protection. The EDPB answered this consultation in June 2022 11 . In its contribution, the EDPB recalled its position in 7 ECB, Report on a digital euro, October 2020, available at: https://www.ecb.europa.eu /pub/pdf/other/Report on a digital euro4d7268b458.en.pdf 8 ECB, Report on the public consultation on a digital euro, April 2021, available at: https://www.ecb .europa.eu/press/pr/date/2021/html/ecb.pr210414ca3013c852.en.html 9 EDPB, Letter to the European institutions on the privacy and data protection aspects of a possible digital euro, 18 June 2021, available at: https://edpb.europa.eu/system/files/2021-07/edpb letter out 2021 0111- digitaleuro-toecb en 1.pdf 10 https://finance.ec.europa.eu/regulation-and-supervision/consultations/finance-2022-digital-euro en 11 EDPB, Response to the European Commission's targeted consultation on a digital euro, adopted on 14 June 2022, available at: https://edpb.europa.eu/system/files/2022-06/edpb responseconsultation 20220614 digitaleuro en.pdf Adopted 7 favour of a complete absence of AML/CFT checks under a certain threshold for low-value transactions and the necessity to avoid centralisation of the transactions by any public or private entity, advocating for local processing and storing of transaction data, under the control of the user. Furthermore, the EDPB underlined that any access to transaction data by the ECB and national central banks (hereafter, ‘the Eurosystem’) for the purposes of fraud mitigation or the enforcement of tax rules should be avoided. Lastly, the EDPB pointed out that the introduction of holding limits or fees thresholds would affect the rights and freedoms of data subjects as they would require additional data collections and controls. 6. In September 2022, the ECB published a first progress report on its enquiry phase, in which it proposed several data protection and privacy design options for the digital euro. The ECB also recalled that the regulatory framework established by the co-legislators would be key with regards to the privacy aspects of the digital euro 12 . In particular, the ECB proposed a baseline scenario based on the development of a digital euro available online with all transactions validated by financial intermediaries distributing the digital euro and which are fully transparent to them from the first issuance of the digital euro. The two options of a “selective privacy” , where a higher degree of privacy would be ensured for low-value/low-risk online payments, and of an ‘’offline functionality’’ , for which no tracing would take place for low-value offline payments carried out in close physical proximity, were described by the ECB as “beyond the baseline” , and subject to further investigation by the co-legislators. 7. On 10 October 2022, the EDPB published a statement 13 recalling the necessity to avoid systematic transaction tracing on such an account based-architecture. It warned that validation of all transactions with digital euros might not be in line with the data protection notions of necessity and proportionality, in accordance with case law of the Court of Justice of the European Union (hereafter ‘CJEU’). The EDPB recalled that the introduction of a privacy threshold for low value transactions, under which no tracing of transactions should occur, was necessary to balance this risk, both for the online and offline modalities. Moreover, the EDPB called for a public and democratic debate on the subject matter. 8. As regards the AML/CFT regime of the digital euro, the EDPB pointed out that the current legal framework on electronic payments did not seem to be appropriate for a tool like the digital euro which has fundamentally different characteristics in terms of policy objectives, and considering the level of trust necessary to meet the expectations expressed during the public consultation 14 . Therefore, the EDPB advocated for the creation of a specific legal regime for the digital euro and recommended to conduct an assessment of both the risks to privacy and AML/CFT at the same time. 9. The EDPB and the EDPS reiterate that the added value of a digital euro, in an already highly competitive European payment landscape, would reside mainly in its privacy and data 12 ECB, Progress on the investigation phase of a digital euro, 29 September 2022, available at: https://www.ecb.europa.eu/paym/digital euro/investigation/governance/shared/files/ecb.degov220929.en.p df?8eec0678b57e98372a7ae6b59047604b 13 EDPB Statement 04/2022 on the design choices for a digital euro from the privacy and data protection perspective, adopted on 10 October 2022, available at: https://edpb.europa.eu/system/files/2022- 10/edpb statement 20221010 digital euro en.pdf 14 See paragraph 2 above and footnote 8. Adopted 8 protection-preserving features. According to the EDPB and the EDPS, privacy and data protection-preserving features of the digital euro is indeed a precondition for gaining trust of the public for a digital form of central bank currency as well as a decisive trigger in its adoption by EU citizens 15 . This trust should not be undermined by an inappropriate design of the digital euro or legal framework. Avoiding such a situation is the very purpose of the Joint Opinion. 2 SCOPE OF THE OPINION 10. On 29 June 2023 the Commission requested a Joint Opinion of the EDPB and the EDPS (hereafter the ‘Opinion’) in accordance with Article 42(2) of Regulation (EU) 2018/1725 (hereafter the ‘EUDPR’) on two proposals for regulations forming part of the ‘Single Currency Package’. This legislative package comprises: • a Proposal for a Regulation on the establishment of the digital euro 16 (hereafter the ‘Proposal’); • a Proposal for a Regulation on the provision of digital euro services by payment services providers incorporated in Member States whose currency is not the euro and amending Regulation(EU) 2021/1230 of the European Parliament and the Council 17 . 11. These two proposals, which are mutually supportive, aim to establish the digital euro and to ensure that Europeans have both cash and digital payment options when they wish to pay with central bank money. In the context of this Opinion, only recommendations in relation to the Proposal for a Regulation on the establishment of the digital euro are made. 12. The Proposal provides the legal framework for the adoption and issuance of the digital euro by the ECB and, to this end, is largely based on the approach of the Third Progress Report issued by the ECB in April 2023 18 . 13. More specifically, the Proposal establishes the framework for the ECB to issue the digital euro, in accordance with the Proposal and without prejudice to the independent position and 15 In this regard, the EDPB and the EDPS note that according to a poll conducted on behalf of the Bundesbank in Germany, the main possible drawbacks for the respondents were the absence of added value (for 77% of the respondents), the fear of a first step toward abolition of physical cash (61%) and the possibility of a general surveillance of the purchasing habits (54%) (Deutsche Bundesbank, Monthly report, October 2021, available at: https://www.bundesbank.de/resource/blob/879312/8070 18037068359550e1d89a5dc366fe/mL/2021-10- digitaler-euro-private-haushalte-data.pdf ). Moreover, according to the last SPACE study of the ECB, 60% of Eurozone citizens consider it important to have the choice to pay in cash. The perceived key advantages of cash are for them its anonymity and protection of privacy (ECB, Study on the payment attitudes of consumers in the euro area, 20 December 2022, available at: https://www.ecb.europa.eu/stats/ecb surveys/space/html/ ecb.spacereport202212783ffdf46e.en.html ). 16 Proposal for a Regulation of the European Parliament and of the Council on the establishment of the digital euro, COM/2023/369 final. 17 Proposal for a Regulation of the European Parliament and of the Council on the provision of digital euro services by payment services providers incorporated in Member States whose currency is not the euro and amending Regulation (EU) 2021/1230 of the European Parliament and the Council, COM/2023/368 final. 18 ECB, Progress on the investigation phase of a digital euro – third report, 24 April 2023, available at: https://www.ecb.europa.eu/paym/digital euro/investigation/governance/shared/files/ecb.degov230424 pro gress.en.pdf . Adopted 9 powers of the ECB pursuant to the Treaties 19 . Moreover, the Proposal establishes the digital euro as legal tender and sets out rules on its distribution via payment service providers (‘PSPs’). In addition, the Proposal defines the roles and obligations of national central banks and the ECB in the issuance and financial supervision, and sets out the foundations for the technical characteristics of the digital euro. After the adoption of this Proposal, the ECB would have to further develop technical standards for the implementation of the digital euro. 14. Two modalities of a digital euro are proposed in the Proposal: an online and an offline modality. The choice of a digital euro user for either of these modalities has important data protection implications as the proposal differentiates the obligations between these modalities having regard, for example, to the settlement of transactions and the applicability of AML/CFT rules 20 . 15. The Proposal has important implications for individuals’ fundamental rights to privacy and personal data protection. The supervisory authorities established by the GDPR and EUDPR will be responsible for the supervision of the processing of personal data under the Proposal 21 . 16. The scope of this Opinion is limited to the aspects of the Proposal involving processing of personal data, which constitute one of the main pillars of the Proposal. Since the Proposal, as further explained in the Opinion, raises several concerns regarding the protection of fundamental rights to privacy and protection of personal data, the aim of this Opinion is not to provide an exhaustive list of all the issues, nor always to provide alternative provisions or wording suggestions. Instead, this Opinion aims at addressing the key issues in respect to the privacy and data protection aspects of the Proposal. 3 GENERAL REMARKS 17. The EDPB and the EDPS welcome the intention to design the digital euro in a way that minimises the processing of personal data by PSPs, by the Eurosystem, and by the providers of support services (hereafter the ‘PSSs’) to what is necessary to ensure the proper functioning of the Digital Euro 22 . This is clear in the way the Proposal attempts to frame the personal data to be processed by each of the above-mentioned actors, by defining categories of personal data that would fall within each processing activity listed under the Annexes accompanying the Proposal. The Proposal also stresses the need for an adequate implementation of the principle of data protection by design and by default, by requiring the implementation of state-of-the- art security and privacy-preserving measures 23 and specific safeguards in cases deserving particular attention based on their risks 24 . 18. The EDPB and the EDPS also welcome Recital 12 of the Proposal, referring to the EU data protection framework, as well as Recital 70 highlighting that a high standard of privacy and 19 Article 133 TFEU. 20 See Section 11 of this Opinion. 21 Recital 12 of the Proposal. 22 Recitals 71 and 72 of the Proposal. 23 For example, in Article 35(4) by imposing clear segregation of personal data to ensure that the European Central Bank and the national central banks cannot directly identify individual digital euro users. 24 See last sentence of Article 35(8) of the Proposal. Adopted 10 data protection is crucial to public trust in the digital euro and referring to the above- mentioned statement of the EDPB issued in 2022 on the design choices for digital euro 25 . 19. Taking into account the fact that privacy is considered the most important feature for a digital euro by both individuals and professionals 26 , the EDPB and the EDPS recall that data protection by design and by default should be embedded in the design of the digital euro from the outset, including the technical choices that would be made by the ECB under Article 5(2) of the Proposal, and with regard to the supplemental delegated and implementing acts from the Commission under Article 5(1) after the adoption of the Proposal. In this regard, the EDPB and the EDPS underline the importance of implementing privacy enhancing technologies (hereafter ‘PETs’) when designing the digital euro. 20. The EDPB and the EDPS also recall that, according to the case law of the CJEU, a necessity test for any limitations on the exercise of the rights to personal data protection and respect for private life with regard to the processing of personal data 27 applies. This involves assessing whether other measures would achieve the desired outcome with a lower degree of interference with the fundamental right at stake. Furthermore, when enacting measures that interfere with the fundamental rights to the protection of personal data, the legislator needs to assess whether the importance of the objective of general interest pursued by the processing is proportionate to the seriousness of the interference 28 . 21. Against this background, the EDPB and the EDPS consider that the tasks related to user management (i.e. management of digital euro accounts/wallets, provision and management of payment instruments), transaction management (i.e. transaction initiation, authentication and validation), and liquidity management (funding and defunding) should in principle be as 'decentralised' as possible. The EDPB and the EDPS thus welcome that the distribution of the digital euro under the Proposal would be carried out by regulated financial intermediaries in a decentralised manner, rather than by the Eurosystem directly. Notably, the decentralised approach could facilitate the exercise of data subject rights before each financial intermediary as controller. In this respect, Section 8 of this Joint Opinion contains several recommendations and calls for clarifications on roles and tasks that, without hindering the functioning of the digital euro and the ECB’s role, could be allocated to financial intermediaries. 25 EDPB Statement 04/2022 on the design choices for a digital euro from the privacy and data protection perspective, adopted on 10 October 2022, available at: https://edpb.europa.eu/system/files/2022- 10/edpb statement 20221010 digital euro en.pdf 26 Page 7 of the Proposal’s Impact Assessment, SWD(2023) 233 final.. 27 Judgment of 16 December 2008, Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy. , C ‑ 73/07, EU:C:2008:727 , paragraph 56; Judgment of 9 November 2010, Joined Cases Volker und Markus Schecke , C-92/09 and C-93/09, EU:C:2010:662, paragraphs 77 and 86. Furtermore, see, EDPS, Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data, 19 December 2019, available at: https://edps.europa.eu/sites/default/files/publication/19-12- 19 edps proportionality guidelines2 en.pdf . 28 Judgment of 1 August 2022, OT and the Vyriausioji tarnybinės etikos komisija , C-184/20, EU:C:2022:601, paragraph 98. Adopted 11 22. Furthermore, while the EDPB and the EDPS acknowledge the need for introducing a limit on digital euro holdings for each digital euro user, the EDPB and the EDPS point out that such a feature implies automatically loss of full anonymity and a degree of personal data processing 29 . 23. As already underlined by the EDPB 30 , a high standard of privacy and data protection is crucial to ensure the trust of citizens in the future digital euro and, ultimately, its success. In that regard, the recording of all online digital euro transactions, regardless of their amount, does not appear to be in line with the aim of the Proposal to support data protection as a key policy pursued by the Union, nor with the importance that citizens attach to privacy in the context of the digital euro, as reflected in the above-mentioned survey conducted by the ECB in 2021 31 . Thus, the EDPB and the EDPS consider it necessary to ensure a high level of privacy not only for offline digital euro payments, as currently envisaged by the Proposal 32 , but also for low- value online digital euro payment transactions. The EDPB and the EDPS recommend to achieve such objective through the introduction of a privacy threshold for low-value online digital payment transactions, as further elaborated in Section 11 below. 24. The EDPB and the EDPS also acknowledge the efforts made to ensure that the Proposal does not affect the application of existing EU laws governing the processing of personal data, including the tasks and powers of the supervisory authorities competent to monitor compliance with data protection laws, as indicated in the preamble of the Proposal 33 . An important aspect relates to the legal basis for controllers processing personal data in the context of the Proposal and the appropriate attribution of roles and distribution of responsibilities among the PSPs, the Eurosystem as well as the PSSs. This element is addressed under Section 10 of this Joint Opinion. 25. In addition, the EDPB and the EDPS take note that Article 282(3) of the Treaty on the Functioning of the European Union (hereafter ’TFEU’) provides that the ECB is independent in the exercise of its powers, and that EU institutions, bodies, offices and agencies - including the Commission and the co-legislators -, must respect that independence. Article 130 TFEU adds that, when exercising the powers and carrying out the tasks and duties conferred to it by the Treaties and the Statute of the ECB, the latter shall not seek or take instructions from EU institutions, bodies, offices and agencies. According to Article 132 TFEU, the ECB may make 29 See in this regard Section 7 of this Opinion. 30 EDPB Statement 04/2022 on the design choices for a digital euro from the privacy and data protection perspective, adopted on 10 October 2022, available at: https://edpb.europa.eu/system/files/2022- 10/edpb statement 20221010 digital euro en.pdf 31 ECB, Report on the public consultation on a digital euro, April 2021, available at: https://www.ecb .europa.eu/press/pr/date/2021/html/ecb.pr210414ca3013c852.en.html 32 Article 37 of the Proposal. 33 Recital 12 of the Proposal: “ Any personal data processing under the present Regulation must comply with Regulation (EU) 2016/679 and Regulation (EU) 2017/1725 insofar as they fall within their respective scope of application. Therefore, the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 are responsible for the supervision of processing of personal data carried out in the context of this Regulation ”. Additionally, Recital 70 states that “ The processing of personal data for compliance and in the context of this Regulation would be carried out in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725, as well as, where applicable, Directive 2002/58/EC ”. Adopted 12 regulations and take decisions necessary to implement and carry out its tasks 34 , which the ECB often does, also concerning the way it processes and governs personal data in the context of its operations 35 . While the EDPB and the EDPS have due respect for the decisional autonomy of the ECB, they also stress the need for the Proposal to provide clear rules, subject to legislative discussion and approval, on the processing of personal data in the context of the issuance and use of the digital euro, with clear safeguards, thus ensuring the highest possible level of protection for the fundamental rights and freedoms. 26. In this respect, the EDPB and the EDPS understand that the EU legislator is mandated to “lay down the measures necessary for the use of the euro as the single currency’ ’, as per Article 133 TFEU, which is the legal basis of the Proposal in the Treaties. Nonetheless, the institutional and legal limitations of the Article 133 TFEU legal basis resulting from the rules enshrined in the TFEU require leaving a level of discretion to the ECB with regards to the detailed measures, rules and standards the ECB shall adopt to implement the measures passed by the co- legislators, such as those mentioned in Article 5(2) of the Proposal 36 . The EDPB and the EDPS also understand that this is the reason why, as a rule, the Proposal seldom mandates the ECB to carry out certain tasks, but often leaves to the ECB discretion (by using the word ‘’may’’ instead of ‘’ shall’’ ) whether or not to carry them out 37 . In any event, even in cases where technical choices are left to the ECB, these choices are subject to the need to ensure compliance with Union data protection legislation, including the requirements of necessity and proportionality. 27. Finally, the EDPB and the EDPS acknowledge that the Proposal, in addition to stressing the need to ensure compliance with the GDPR and the EUDPR, provides for specific constraints for controllers and safeguards for data subjects with regards to the processing of personal data. This is the case, for example, of the prohibition under Article 37(2) of the Proposal of the retention of transaction data by PSPs or by the Eurosystem for offline digital euro payment 34 This is also mirrored in Article 282(4) TFEU: “ The European Central Bank shall adopt such measures as are necessary to carry out its tasks in accordance with Articles 127 to 133, with Article 138, and with the conditions laid down in the Statute of the ESCB and of the ECB .” 35 See, as examples: Decision (EU) 2020/655 of the European Central Bank of 5 May 2020 adopting implementing rules concerning data protection at the European Central Bank and repealing Decision ECB/2007/1 (ECB/2020/28) OJ L 152, 15.5.2020, p. 13–20; Decision (EU) 2021/1486 of the European Central Bank of 7 September 2021 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s tasks relating to the prudential supervision of credit institutions (ECB/2021/42) OJ L 328, 16.9.2021, p. 15–22; and Recital (10) of Decision (EU) 2022/1982 of the European Central Bank of 10 October 2022 on the use of services of the European System of Central Banks by competent authorities and by cooperating authorities, and amending Decision ECB/2013/1 (ECB/2022/34) ECB/2022/34 OJ L 272, 20.10.2022, p. 29–35. 36 Article 5(2) states that “ Within the framework of this Regulation, the digital euro shall also be governed by the detailed measures, rules and standards that may be adopted by the European Central Bank pursuant to its own competences. Where these detailed measures, rules and standards have an impact on the protection of individuals’ rights and freedom with regard to the processing of personal data, the European Central Bank shall consult the European Data Protection Supervisor prior to their adoption .” 37 See an example in Recital (25): “ The European Central Bank may support payment service providers in performing the task of enforcing any holding limits, including by establishing alone or jointly with national central banks a single access point of digital euro user identifiers and the related digital euro holding limits .” See also in Recital (68): “ the European Central Bank may establish a general fraud detection and prevention mechanism to support fraud management activities performed by payment service providers on online digital euro payment transactions.” (emphasis added) Adopted 13 transactions. The EDPB and the EDPS also welcome the requirement for the ECB to consult the EDPS prior to the adoption of detailed measures, rules and standards that may have an impact on data protection under Article 5(2) of the Proposal. 4 CHAPTER I - SUBJECT MATTER AND DEFINITIO NS 28. The EDPB and the EDPS note that Article 2 of the Proposal provides for definitions necessary for the understanding of the Proposal as a whole. However, the EDPB and the EDPS consider that some definitions are missing or require further clarifications in order to ensure legal certainty. 29. Firstly, central to the Proposal is the data generated by payment transactions. However, the Proposal does not define what ‘ ’transaction data’’ would entail and whether the offline or online payment modality differ in the types of transaction data that is either generated from the transaction or expected and required to successfully execute a transaction. The EDPB and the EDPS recommend to precisely define which type of data would fall under the category of ‘ ’transaction data’’ . In this regard, the EDPB and the EDPS also note that Annexes III, IV and V of the Proposal use broad categories of personal data that are expected to be processed by different actors. These categories of personal data should be more precisely defined, as detailed in Section 9 of this Joint Opinion. 30. Furthermore, the EDPB and the EDPS note that the Proposal refers to the term ‘ ’local storage devices’’ in several instances. Notably, the Proposal refers to the term ‘ ’local storage devices’’ under Articles 2(15), 34(1)(c), 35(1)(c), and 37(4)(b), which is not defined under Article 2 of the Proposal. According to Recital 34 of the Proposal: “ the payment service providers should register and de-register the local storage devices for offline digital euro payment transactions of their customers”. The same Recital also specifies that the PSPs would store temporarily the identifier of the local storage device used for offline digital euro. Recital 35 further specifies that PSPs should register and de-register the local storage devices for offline digital euro payment transactions of their customers. Finally, Recital 75 specifies that, in the context of offline digital euro payment transactions, PSPs would process “[...] only personal data related to depositing or withdrawing digital euros from digital euro payment accounts to load them onto the local storage devices, or from the local storage devices into the digital euro payment accounts. This includes the identifier of the local storage devices which payment service providers attribute to a digital euro user that holds offline digital euro”. Therefore, it appears that the use of the term ‘ ’local storage devices’’ in the Proposal refers to ‘ ’mobile devices’ ’. However, Article 2(31) explicitly defines ‘’mobile devices’’ as “[...] a device that enables digital euro users to authorise digital euro payment transactions online or offline including in particular smart phones, tablets, smart watches and wearables of all kinds ”. Furthermore, the EDPB and the EDPS note that where the Proposal defines ‘’digital euro payment account’’ under Article 2(5), the term ‘’offline digital euro device’’ is used. Against this background, the EDPB and the EDPS recommend clarifying whether ‘ ’local storage devices’’ would constitute devices other than ‘ ’mobile devices’’ as defined under Article 2(31) of the Proposal and, if this is the case, to include a separate definition for this term in Article 2 of the Proposal. Such clarifications should apply, mutatis mutandis , to the term ‘’offline digital euro device’’ referred to in Article 2(5) of the Proposal. Adopted 14 31. In addition, the EDPB and the EDPS recommend to clarify the definition of the term ‘ ’user identifier’’ under Article 2(27) of the Proposal. Article 2(27) of the Proposal defines ‘ ’user identifier’’ as “[...] a unique identifier created by a payment service provider distributing the digital euro that unambiguously differentiates, for online digital euro purposes, digital euro users but that is not attributable to an identifiable natural or legal person by the European Central Bank and the national central banks” . In this regard, the EDPB and EDPS note that Annex III states that the ‘ ’user identifier’’ would include the ‘ ’name of the local storage device holders’’ . Another example is the relationship between the notions ‘ ’user identifier’’ defined in Article 2 (27) of the Proposal and ‘’user alias’’ defined in Article 2(28) of the Proposal, both of which seem to point to method of pseudonymisation as defined in article 4(5) GDPR, although this is only made explicit under Article 2(28) of the Proposal. 32. Finally, the EDPB and the EDPS point out that Article 22(3) of the Proposal uses the term “unique digital euro payment account number ” which, however, is not defined in Article 2. Therefore, for purposes of legal certainty, the EDPB and the EDPS recommend including a definition of “unique digital euro payment account number” under Article 2. Introducing such definition would also help clarifying the difference between other types of identifiers in the Proposal, notably the “user identifier” as defined in Article 2(27) and the “user alias” as defined in Article 2(28) of the Proposal. 5 CHAPTER III - LEGAL TENDER 33. The EDPB and the EDPS welcome the policy objective of providing legal tender value for the digital euro as is the case for euro coins and banknotes. The digital euro must complement physical cash, which is an overarching means of payment for privacy and individual liberties, and not replace it. In this regard, the EDPB and the EDPS welcome the fact that the citizens will always have the choice to pay in digital euros or in cash, pursuant to Article 12(2) of the Proposal. 6 CHAPTER IV - DISTRIB UTION 34. The Proposal regulates the distribution of the digital euro via the existing EU legal framework for the provision of payment services provided by the Directive (EU) 2015/2366 (PSD2) 38 . PSPs may provide digital euro payment services to a number of categories of natural and legal persons pursuant to Article 13 of the Proposal. 35. The EDPB and the EDPS note that the digital euro can also be distributed to natural or legal persons that do not reside or are not established in Member States whose currency is the euro pursuant to Article 13(1)(b) and (c) of the Proposal. According to the current Proposal, however, it is not clear in which cases, how, and why digital euro payment services can be restricted to those categories of data subjects, how this affects the processing of personal data 38 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, OJ L 337, 23.12.2015, p. 35–127. Adopted 15 and whether or not personal data is erased when the use of the services are restricted. It is also not clear whether such information should be specified in the framework of this Proposal or the Proposal for a regulation on the provision of digital euro services by payment services providers incorporated in Member States whose currency is not the euro. Therefore, the EDPB and the EDPS recommend to clarify the processing carried out in the framework of the distribution of the digital euro to natural or legal persons that do not reside or are not established in Member States whose currency is the euro, either in this Proposal or in the Proposal for a regulation on the provision of digital euro services by payment services providers incorporated in Member States whose currency is not the euro. 36. In Article 13(4) of the Proposal, prior approval of a digital euro user is required to link a digital euro account to fiat payment accounts for both funding and defunding of the digital euro account and for supplementing payments that exceed the digital euro holding limit. This link would entail the processing of personal data, as information would be exchanged about multiple payment accounts that are not necessarily provided by the same PSP. From a data protection perspective, the EDPB and EDPS consider that the prior approval should not be interpreted as consent in the meaning of the GDPR, but rather as a safeguard of contractual nature. Therefore, the EDPB and the EDPS recommend replacing “ prior approval ” by “permission”. Such an approach would be in line with the Proposal for a Regulation on Payment Services (hereafter ‘PSR’) 39 and the Proposal for a Regulation on a framework for Financial Data Access (hereafter ‘FIDA’) 40 . In this regard, the EDPS has already made specific recommendations in its previous opinions 41 . These recommendations, namely on the need to distinguish ‘’permission’’ on the one hand, from the GDPR’s legal basis of consent for the processing of personal data on the other hand, would also be valid having regard to the Proposal. 37. Finally, the EDPS and EDPB would like to point out that the guidance from the Anti-Money Laundering Authority (hereafter ‘AMLA’) and the European Banking Authority (hereafter ‘EBA’) mentioned in Article 14(5) of the Proposal should be interpreted as meaning that PSPs should not register the status of potential digital euro users (e.g. as asylum seeker or beneficiary of international protection or individual with no fixed address or third country national who are not granted a residence permit), as this could stigmatise those users. 39 Proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010, COM/2023/367 final. 40 Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554, COM/2023/360 final. 41 EDPS Opinion 38/2023 on the Proposal for a Regulation on a framework for Financial Data Access, adopted on 22 August 2023, available at: https://edps.europa.eu/system/files/2023-08/2023-0730 d2425 opinion en.pdf ; EDPS Opinion 39/2023 on the Proposal for a Regulation on payment services in the internal market and the Proposal for a Directive on payment services and electronic money services in the Internal Market, adopted on 22 August 2023, available at: https://edps.europa.eu/system/files/2023-08/2023-0729 d2434 opinion en.pdf Adopted 16 7 CHAPTER V - USE OF T HE DIGITAL EURO AS A STORE OF VALUE AND AS A MEANS OF PAYMEN T 38. As a principle, Article 15(1) of the Proposal provides that the use of the digital euro as a store of value may be subject to limits. Article 16(1) of the Proposal establishes that the ECB shall develop instruments to limit the use of the digital euro as a store of value and shall decide on their parameters and use. Article 35(8) of the Proposal provides that for the purpose of supporting the obligation of PSPs to enforce the holding limits in accordance to Article 16(1) and ensuring the emergency switching upon the request of the user in accordance with Article 31(2), the ECB may alone or jointly with national central banks establish a single access point of digital euro user identifiers and the related digital euro holding limits. In addition, Article 35(8) provides that state-of-the-art security and privacy-preserving measures shall be implemented to ensure that the identity of individual digital euro users cannot be inferred from the information accessed via the single access point by entities other than PSPs whose customer or potential customer is the digital euro user. Moreover, Recital 77 of the Proposal states that a single access point of digital euro user identifiers and the related digital euro holding limits are necessary to ensure the efficient functioning of the digital euro across the entire euro area, as digital euro users may hold digital euro payment accounts in different Member States. When establishing the single access point, the Eurosystem should ensure that the processing of personal data is minimised to what is strictly necessary and that data protection by design and by default is embedded. 39. The EDPB and the EDPS recognise that to ensure that the holding limit is not exceeded by the digital euro user who can hold different digital euro accounts with different PSPs, a certain degree of processing of personal data is inevitable. In this regard, the EDPB and the EDPS note that according to Article 35(8) of the Proposal, “[...] the ECB may alone or jointly with national central banks establish a single access point of digital euro user identifiers and the related digital euro holding limits as referred to in point (4) of Annex 4 [...]”. Moreover, Recital 77 refers to the fact that “[...] [w]hen establishing the single access point, the European Central Bank and national central banks should ensure that the processing of personal data is minimised to what is strictly necessary and that data protection by design and by default is embedded [...]”. 40. At the same time, the EDPB and the EDPS consider that the Proposal does not sufficiently clarify the necessity and proportionality of the processing of the personal data listed under Annex IV, point 4. Thus, the EDPB and the EDPS recommend to further elaborate on the justification of the necessity and the proportionality of the single access point in Recital 77. Furthermore, the Proposal does not contain information on how data protection by design and by default is to be implemented in this regard. The EDPB and the EDPS recommend to further specify the measures that should be implemented to embed data protection by design and by default from the outset, including the technical measures that would enable a decentralised storage 42 . 42 Whereas it is understandable that the information to verify the overall holding limit of a digital euro user might come from more than one digital euro account which belongs to the same user, the implementation should explore the option of using PETs that could avoid storing centrally personal data used to perform computations and take relevant decisions (e.g. refuse a transaction, or a new account with a certain specific holding limit). IN this regard, Secure Multi-party Computation might be assessed as a possible technique (see UN Guide on Adopted 17 41. Furthermore, the Proposal is unclear about how personal data listed in Annex III, paragraph 1, would need to be processed by PSPs to enforce the holding limits in practice and what safeguards are in place for digital euro users, such as the right to object to or appeal decisions based on the enforcement of the holding limit. 42. Article 17 of the Proposal limits fees that PSPs may charge users for the use of digital euro payment services. The EDPB and the EDPS note that, when monitoring compliance by PSPs with the provision, the ECB may process personal data, as the ECB would be entitled to demand PSPs to provide ‘ ’all information necessary’’ to enforce the provisions of this Article. In this regard, the EDPB and the EDPS consider that a broad reference to ‘’all information necessary’’ could have disproportionate effects for the collection of personal data in practice. The EDPB and the EDPS recommend to specify that the application of this provision should be made in accordance with the data protection rules in line with the purposes of the processing, including the principle of data minimisation. The requests for information by the ECB should always be in writing, reasoned and occasional, and should not concern the entirety of a filing system or lead to the interconnection of filing systems 43 . 8 CHAPTER VII - TECHNI CAL FEATURES 8.1 Offline and online digital euro modalities 43. The EDPB and the EDPS note that the digital euro would be available in two modalities: an online version and an offline version 44 . The EDPB and the EDPS strongly support the introduction of the offline modality, as it would have a higher level of privacy compared to the online modality. In particular, the EDPB and the EDPS welcome the fact that, according to Article 23(1) of the Proposal, the digital euro will be available for both online and offline digital euro payment transactions as of the first issuance of the digital euro. 44. With regard to the online modality, the EDPB and the EDPS remark that, as specified under Article 13(6) read in conjunction with Recital 9 of the Proposal, contracts for the provision of such accounts and services would be signed between users and PSPs i.e. not between users and the ECB. This approach is welcome since it mirrors a decentralised implementation of the digital euro (namely, via PSPs), as opposed to a centralised approach, fully managed by the Eurosystem. 45. The EDPB and the EDPS note that according to Article 22(3) of the Proposal “each digital euro payment account shall have a unique digital euro payment account number”. However, as already pointed in Section 4 of this Opinion, the term “unique digital euro payment account number” is not defined under Article 2 of the Proposal. The absence of such definition raises questions with regard to: (i) who will be responsible for the rules to define this identifier; (ii) Privacy-Enhancing Technologies for Official Statistics, section 2.1 and related examples, available at: https://unstats.un.org/bigdata/task-teams/privacy/guide/index.cshtml ). 43 Recital 31 of the GDPR 44 Article 23(1) of the Proposal. Adopted 18 how the identifier would be generated: in a decentralised manner, for example with each PSP defining its own format; or in a more centralised way, for example by the ECB; and (iii) what would be included in this identifier. Therefore, the EDPB and the EDPS recommend defining such elements in a new definition of “unique digital euro payment account number” under Article 2 and any necessary operational provisions concerning its issuance in Article 22. 8.2 Conditional digital euro payment transactions 46. The EDPB and the EDPS stress the importance of ensuring that the digital euro would not be ‘‘programmable money’’ . In this regard, the EDPB and the EDPS underline the distinction between programmable money, defined in the Proposal as “ units of digital money with an intrinsic logic that limits each unit’s full fungibility ” 45 , and conditional digital euro payment transactions, understood as payment transactions instructed automatically upon fulfilment of predefined conditions (e.g. instalment payment to be made periodically) agreed between the payer and the payee 46 . 47. Such a distinction is provided in Article 24(2) of the Proposal, on conditional payment transactions, which explicitly prohibits the digital euro to be programmable money. In addition, Recital 55 specifies that “[...] conditional payments should not have, as object or effect, the use of digital euro as programmable money”. In addition, Article 12(1) provides that the digital euro must be convertible with euro banknotes and coins at par, which again illustrates the non- programmable nature of the digital euro, since it does not bind the digital euro to specific uses. 48. The EDPB and the EDPS welcome these specifications and strongly recommend the co- legislators to maintain these provisions in the Proposal. Indeed, from a privacy and data protection perspective, a programmable digital euro would raise unacceptable high data protection risks. For example, it could allow inferring the spending habits of the digital euro user, already at the moment of issuance of the digital euro or lead to the introduction of additional mechanisms to ensure that the instructions limiting the use of the digital euro would not be circumvented by the users. 8.3 European Digital Identity Wallets 49. To access and use digital euro payment services, the Proposal would allow digital euro users to rely on front-end services developed by PSPs and the ECB 47 . Such front-end services are defined as “ all components necessary to provide services to digital euro users that interact via defined interfaces with back-end solutions and other front-end services ” 48 . These front-end services “[...] shall be interoperable with or integrated in the European Digital Identity Wallets”, 45 Article 2(18) of the Proposal. 46 Article 2(17) of the Proposal. 47 Article 28(1) of the Proposal. Paragraph 2 adds that the ECB shall not have access to any personal data in relation to the front-end services developed by the ECB and used by the PSPs. 48 Article 2(20) of the Proposal. Adopted 19 and the latter’s functionalities may more broadly be relied on by digital euro users who request it 49 . 50. The EDPB and the EDPS recall that the envisaged technical implementation 50 of the Proposal for a Regulation establishing the European Digital Identity Wallets currently under negotiation 51 will ultimately determine whether additional data protection safeguards should be integrated or whether its design will be made in accordance with data protection law 52 . 51. The EDPB and the EDPS note that the proper identification of the digital euro account user shall be made by PSPs with appropriate know-your-customer verifications at the on-boarding stage, for which European Digital Identity Wallets could be leveraged. The EDPB and the EDPS welcome that the use of the European Digital Identity Wallets to that effect would only, according to Article 25(2) of the Proposal, occur at the request of digital euro users and not as a default, in line with the key data protection principle of data minimisation and the obligation for the controllers to ensure data protection by design and by default 53 . 8.4 Settlement 52. The EDPB and the EDPS note that the final settlement of online digital euro payment transactions would be performed in the digital euro settlement infrastructure adopted by the Eurosystem 54 . This is a different approach compared to the settlement of transactions in electronic private payments, which is made between payment institutions in a decentralised manner and where the Eurosystem has no access to the payment transactions. The EDPB and the EDPS acknowledge that settlement at macro level of digital euro online transactions would have to be performed by the ECB, as digital euros not deposited at bank level, are a direct liability towards the ECB and the national central banks 55 , and thus need a ledger at the ECB level. 53. At the same time, the EDPB and the EDPS underline that the settlement infrastructure adopted by the ECB would store data concerning all individuals using the digital euro online in a centralised manner and would include sensitive information, such as the user authentication 56 . Due to its scale and the nature of the data stored in a centralised manner, the consequences of any data breach could potentially harm a large number of individuals. The EDPB and the 49 Article 25(1) and (2) of the Proposal. 50 https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet-implementation . 51 https://ec.europa.eu/commission/presscorner/detail/en/ip 23 3556 . 52 EDPS, Formal comments on the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity, 21 July 2021, page 2, available at: https://edps.europa.eu/system/files/2021-07/21-07-28 formal comments 2021-0598 d-1609 european digital identity en.pdf 53 Articles 5(1)(c) and 25(1) and (2) GDPR. 54 Article 30 (2) and Recital 64 of the Proposal. 55 Recital 9 of the Proposal. 56 Point 2 of Annex IV accompanying the Proposal. Adopted 20 EDPS stand ready to assist in the assessment of the appropriate safeguards to be implemented in this regard. 54. Against this background, the EDPB and the EDPS welcome Recital 71 of the Proposal which specifies that “[...] settlement of digital euro transactions should be designed in such a way that neither the European Central Bank nor national central banks can attribute data to an identified or identifiable digital euro user” . The EDPB and the EDPS also welcome Recital 76, which specifies that “[t]he European Central Bank and national central banks may process personal data in so far as it is necessary to fulfil tasks that are essential to the proper functioning of the digital euro” . At the same time, the EDPB and the EDPS point out that the Proposal does not establish a binding obligation that would ensure pseudonymisation of transaction data vis-à- vis the ECB and the national central banks. The EDPB and the EDPS therefore recommend introducing an explicit obligation to pseudonymise transaction data vis-à-vis the ECB and the national central banks in the enacting terms of the Proposal, instead of only referring to it in Recital 76 of the Proposal. 8.5 General fraud detection and prevention mechanism 55. The EDPB and the EDPS note that Article 32(1) of the Proposal refers to a fraud detection and prevention mechanism (hereafter the ‘FDPM’) that the ECB may choose to establish to facilitate the fraud detection and prevention tasks that PSPs must perform under Directive 2015/2366 “[...] to ensure the smooth and efficient functioning of the digital euro” . The FDPM may be operated either directly by the ECB or by the PSSs designated by the ECB. The EDPB and the EDPS positively note that Article 32(2) would establish a duty for the ECB to consult the EDPS prior to developing the details on the operational elements of a FDPM. 56. According to Article 32 (3) the FDPM would: “ assess the exposure to fraud risk of online digital euro transactions in real-time at the exclusive use of payment service providers before the transaction is introduced into the digital euro settlement infrastructure ” 57 and “ support payment service providers in detecting fraudulent transactions in online digital euro payment transactions that have been settled ” 58 . 57. In this regard, it should be noted that PSPs already carry out fraud detection activities, notably in the framework of their legal obligations under PSD2 59 . Moreover, Article 32(1) states that that PSPs would also carry out such fraud detection activities in the context of the digital euro. At the same time, Recital 68 explains that the envisaged FDPM is necessary because “[...] it [timely fraud detection] can be made more effective with information on potentially fraudulent activity stemming from other payment service providers.” The same Recital further adds that: 57 COM (2023) 369 final, Article 32 (3) (a). 58 COM (2023) 369 final, Article 32 (3) (b). 59 See Article 72(2) of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Text with EEA relevance) OJ L 337, 23.12.2015, p. 35–127. Adopted 21 “This general fraud detection function exists in comparable payment schemes and is necessary to achieve demonstrably low fraud rates in order to keep the digital euro secure for both consumers and merchants”. 58. The EDPB and the EDPS acknowledge that the establishment of FDPM could make the timely detection of fraud “more effective”. Nonetheless, the EDPB and the EDPS consider that making the timely detection of fraud more effective is not in itself sufficient to render the interference with the fundamental rights to privacy and data protection that the envisaged system would entail necessary in light of the Charter. Moreover, the EDPB and the EDPS consider that the Proposal does not provide for clear and precise rules governing the scope and application of the envisaged FDPM, including with regard to the nature of the support to be provided by the ECB to PSPs. For example, Recital 68 seems to imply that the FDPM would have a comparable role to a general function that exists in other payment schemes. However, Article 32 of the Proposal does not distinguish between the role and tasks of the ECB as the authority in charge of monitoring the general scheme to oversee the performance of antifraud activities, on the one hand, from the role and tasks of the PSPs, on the other hand. Therefore, the EDPB and the EDPS are of the opinion that Article 32 of the Proposal lacks foreseeability, undermining legal certainty and the ability to assess the necessity of establishing such measure, which is a necessary requirement for every limitation to the fundamental right to data protection under Article 52(1) of the Charter. 59. Furthermore, while the EDPB and the EDPS recognise that general fraud detection functions exist in commercial payment schemes as underlined in Recital 68, the EDPB and the EDPS recall that these activities are underpinned by the use of various technologies, from traditional solutions relying on rule-based fraud detection to systems based on real-time analysis, machine learning as well as artificial intelligence, all requiring the processing of large amounts of personal data 60 . Consequently, ensuring the protection of fundamental rights in this context requires careful consideration on the necessity and proportionality of the processing of personal data carried out, as well as robust safeguards. This assessment is all the more important when considering a system such as the envisaged FDPM. 60. As a conclusion, the EDPB and the EDPS consider that the Proposal does not demonstrate sufficiently the necessity for the ECB to establish a general FDPM operated by the ECB and of providing the appropriate safeguards necessary to make the processing compliant with the principle of proportionality. The EDPB and the EDPS thus invite the co-legislators to further demonstrate such necessity or, should such necessity not be demonstrated, consider less intrusive measures from a data protection perspective. In the eventuality that the necessity of such mechanism is demonstrated, specific safeguards, including in respect of appropriate storage limitation, should be defined to ensure that anti-fraud mechanisms do not result in 60 For example, international private card schemes operate general fraud detection mechanisms processing a wide range of personal data including behavioural biometrics that is used to analyse consumer behavioural patterns in order to detect fraud. Adopted 22 excessive and disproportionate interference with fundamental rights and freedoms to privacy and personal data protection of individuals 61 . 61. Finally, the EDPB and the EDPS note that the envisaged FDPM would be subject to a number of limitations and safeguards, including the fact that PSPs would be obliged to “[...] implement appropriate technical and organisational measures to ensure that the support service would not be able to directly identify the digital euro users on the basis of the information provided to the fraud detection and prevention mechanism ” 62 . Similarly, where the ECB decides not to confer the tasks related to the FDPM upon PSSs, the ECB and the national central banks should not directly identify individual digital euro users. 63 At the same time, Recital 68 explains that the transfer of information between PSPs and the FDPM should be subject to state-of-the-art security and privacy-preserving measures to ensure that individual digital euro users are not identified by the FDPM. 62. Notwithstanding the need to further substantiate the necessity and proportionality of the FDPM as outlined above, the EDPB and the EDPS also consider that neither PSSs nor the ECB or national central banks should be able to identify the digital euro users on the basis of the information provided to the FDPM, in line with the definition of pseudonymisation in Article 4(5) GDPR. Therefore Article 32(4) and 35(7) of the Proposal should be amended in line with the definition of pseudonymisation in Article 4(5) GDPR by stating that the PSPs on the one hand, and the ECB and national central banks on the other hand, should implement appropriate technical and organisational measures to ensure that the processing of personal data is carried out in such a manner that the personal data can no longer be attributed to an individual digital euro user without the use of additional information. Moreover, the EDPB and the EDPS recommend adopting the most appropriate PETs, which would ensure the highest level of protection from a data protection point of view while considering relevant utility and scalability needs. 9 CYBERSECURITY AND OP ERATIONAL RESILIENCE 63. The EDPB and the EDPS recognise the potential risks that digital euro payments could face from an IT and cybersecurity perspective. In this regard, the EDPB and the EDPS recall, as highlighted in the impact assessment accompanying the Proposal 64 , that the Digital Operational Resilience 61 In particular, the rapid development of technologies such as confidential computing and homomorphic encryption could allow for the implementation of dynamic identifiers implying neither the identification of individual users of the digital euro, nor their individual profiling, at FDPM level. 62 Article 32(4) of the Proposal. 63 Article 35(7) of the Proposal. 64 SWD(2023) 233 final, p.87. Adopted 23 Act 65 would be applicable to PSPs and PSSs and that the Eurosystem is expected to be subject to the new Cybersecurity Regulation 66 , currently under negotiation. 64. Accordingly, the EDPB and the EDPS recommend including a reference to the applicable cybersecurity legal framework in a recital. 65. Furthermore, in the absence of an overarching law on cybersecurity that would apply to all relevant actors, the EDPB and the EDPS recall that it is important to ensure a consistent approach between, on the one hand, the security and operational resilience of the digital euro infrastructure and, on the other hand, of the infrastructure of the PSPs. Moreover, any high- level cybersecurity and operational resilience provisions that are specific to the digital euro infrastructure, and that would not be covered by the above-mentioned cybersecurity framework (such as any possible references to certification), should be included in the enacting terms of this Proposal. 10 CHAPTER VIII - PRIVA CY AND DATA PROTECTI ON 66. The EDPB and the EDPS welcome the objective expressed in Recital 70 of the Proposal, recalling the need to establish a high level of privacy and data protection to ensure the trust of Europeans in a future digital euro and the realisation of other rights and freedoms enshrined in the Charter. In this respect, the EDPB and the EDPS recall that, to achieve this objective, the legislation should address the personal data protection aspects of the digital euro specifically and clearly 67 . 67. In this context, the EDPB and the EDPS welcome the establishment of the purposes for which processing of personal data can be carried out for the provision of the digital euro in Chapter VIII. This Chapter also aims to define the respective responsibilities of the PSPs, of the ECB and/or of the national central banks, and, where appropriate, of the PSSs for the processing operations. However, as indicated further below 68 , the EDPB and the EDPS consider that the co-legislators should provide further clarifications on these aspects as well as on the legal bases applicable to these processing operations. 68. In addition, the EDPB and the EDPS welcome the approach followed by the Proposal, which aims to regulate the categories of personal data that may be processed by each of the actors taking part in the issuance of digital euro in the Annexes accompanying the Proposal. At the same time, the EDPB and the EDPS note that these Annexes do not always list exhaustively the 65 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, PE/41/2022/INIT, OJ L 333, 27.12.2022, p. 1–79 66 Proposal for a Regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, COM(2022) 122 final. 67 EDPB Statement 04/2022 on the design choices for a digital euro from the privacy and data protection perspective, adopted on 10 October 2022, available at: https://edpb.europa.eu/system/files/2022- 10/edpb statement 20221010 digital euro en.pdf 68 See paragraphs 74-76, 81, 85 and 86 below. Adopted 24 types of personal data to be processed, thus undermining legal certainty. The EDPB and the EDPS invite the co-legislators to further specify these lists - wherever possible by taking into account the needs of the relevant stakeholders, and the respect for the data minimisation principle and the obligation of data protection by design and by default. 10.1 Article 34: Processing by Providers of Payment Services 69. The EDPB and the EDPS acknowledge that Article 34(1) of the Proposal aims to define the purposes for which PSPs will process personal data when providing services related to the digital euro. However, the reference to the word "including" in Article 34(1)(a) and (c) of the Proposal raises legal uncertainty as to the exact purposes for which PSPs may process personal data. The EDPB and the EDPS consider that the purposes should not be expressed in general terms, but rather in a clear and precise manner and be objectively connected to the tasks entrusted to them under the Proposal. Therefore, the EDPB and the EDPS recommend that Article 34(1)(a) and (c) refer exhaustively to the relevant tasks entrusted to PSPs for which personal data may be processed under the Proposal. The legal bases applicable to the processing performed by PSPs 70. The EDPB and the EDPS consider that the Proposal is not sufficiently clear as to which legal basis PSPs will rely on for the processing carried out for the purposes referred to in Article 34(1) of the Proposal, since it includes references to reliance on both public interest and legal obligation. In particular, the Proposal states that the tasks listed in Article 34(1) of the Proposal shall be carried out by PSPs " in the public interest" which implies that PSPs are performing a task in the public interest in accordance with Article 6(1)(e) GDPR, when processing users’ personal data for the purposes listed in Article 34 of the Proposal. Furthermore, the EDPB and the EDPS note that while Recital 73 of the Proposal refers explicitly to Article 6(1)(c) GDPR and acknowledges that processing carried out by PSPs is “necessary for compliance with a legal obligation to which the controller is subject pursuant to this Regulation” , it also states that the processing of personal data for the purposes of the tasks referred in Article 34(1)(a) to (c) are ‘’tasks in the public interest that are essential for the protection of citizens making use of the digital euro as well as for the stability and integrity of the Union's financial system”. By contrast, Recital 73 of the Proposal specifies that PSPs may also process personal data to comply with existing tasks in the public interest or for compliance with a legal obligation established in Union law. 71. In this regard, the EDPB and the EDPS wish to reiterate that, according to the GDPR, processing of personal data is lawful only if and to the extent that an adequate legal basis under Article 6(1) GDPR applies and the application of one of these six bases must be established prior to the start of a processing activity and in relation to a specific purpose 69 . In particular, while the EDPB and the EDPS understand the Commission’s view that the digital euro is a public 69 EDPB Guidelines 05/2020 on consent under Regulation 2016/679, adopted on 4 May 2020, paragraph 121, available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf (also making reference in footnote 59 to the fact that controllers are required to inform data subjects as to the legal basis they rely upon for each processing pursuant to Articles 13(1)(c) GDPR and 14(1)(c) GDPR). Adopted 25 commodity of common good, the EDPB and the EDPS are of the opinion that, to the extent that the purposes listed in Article 34(1)(a) to (c) of the Proposal result from legal obligations to which the PSPs are subject to under this Proposal 70 , Article 6(1)(c) GDPR appears to be the most relevant basis for these processing activities. The EDPB and the EDPS therefore recommend that the co-legislators clarify in Recital 73 and Article 34 of the Proposal that the processing to be carried out in accordance with Article 34(1)(a) to (c) of the Proposal are performed on the basis of a legal obligation (Article 6(1)(c) GDPR). 72. In addition, the EDPB and the EDPS recommend to clarify in Recital 73 and Article 34 of the Proposal that the processing activities carried out in accordance with Article 34(1)(d) and (e) of the Proposal are performed on the basis of a legal obligation (Article 6(1)(c) GDPR) as this is the most appropriate legal basis considering that processing for these purposes are required by Union laws. 73. Moreover, the EDPB and the EDPS wish to clarify that the legal basis specified under Article 34 should not apply to digital euro payment services developed and provided by PSPs on top of basic digital euro payment services 71 , for which Article 6(1)(b) GDPR or Article 6(1)(a) GDPR would apply, considering that these services are subject to Directive 2015/2366 72 . The types of personal data processed by the PSPs 74. Article 34(2) of the Proposal clarifies the categories of personal data that should be processed for the purposes listed under Article 34(1)(a) to (c), which are referred to in Annex III of the Proposal. The EDPB and the EDPS consider that Annex III would benefit from further specification as to the exact type of data that can be processed by PSPs. A clear definition of the types of personal data is all the more important as, for the legal basis referred to in Article 6(1)(c) of the GDPR to be valid, the legal obligation itself must be precise, have a sufficiently clear basis in law as to the processing of personal data it requires, and the controller must not have undue discretion as to how to comply with this legal obligation. 73 75. In particular, the EDPB and the EDPS recommend the co-legislators to further specify the types of personal data that would fall under the following data categories : 70 See for instance, the use of the term ‘’shall’’ in Article 13 (2) (‘’[PSPs] [...] shall enable digital euro users to manually or automatically fund or defund their digital euro payment accounts’’), (3) (‘ ’ [PSPs] shall make available funding and defunding functionalities ), (4) ( ’’[PSPs] [...] shall enable digital euro users [...] ’’), Article 16(1) (‘ ’ [PSPs] [...] shall apply these limits to digital euro payment accounts ’’) of the Proposal, as well as in Article 23(1) (‘’ the digital euro shall be available for both online and offline digital euro payment transactions’’) Article 30(3) of the Proposal (‘ ’final settlement of offline digital euro payment transactions shall occur at the moment when the records of the digital euro holdings concerned in the local storage devices of the payer and payee are updated’’ ) (emphasis added). 71 In this regard, the EDPB and the EDPS note that according to Recital 30 the exact nature of these services will be developed by PSPs, and are thus not defined in the Proposal. 72 With regard the application of Article 6(1)(b) and 6(1)(1)(a) GDPR, we refer to EDPB Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR, adopted on 15 December 2020, available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202006 psd2 afterpublicconsultatio n en.pdf 73 See Art 6(1)(c), Art 6(3)(a) and Recital 41 GDPR Adopted 26 • ‘’the user identifier’’ in Annex III, 1, point (i), for which Annex III, 3, (i) indicates it may include, but is not limited to, the ‘ ’name of the local storage device holders’’ 74 . In addition, the EDPB and the EDPS note that the term ‘’user identifier’’ is also used in Annex III, 3, point (i), which applies to the processing for the provision of offline digital euro (Article 34(1)(c)). However, according to Article 2(27), ‘’user identifier means a unique identifier created by a payment service provider [...] for online digital euro purposes [...]’’ , which seems to be in contradiction with the use of this term in Annex III, 3, point (i). • “information on digital euro payment accounts” in Annex III, 1, point (iii). While the EDPB and the EDPS note it may include ‘ ’information on digital euro holdings of the digital euro user and the unique digital euro payment account number’ ’, Annex III, 1, point (iii) does not provide enough clarity on what other types of personal data would fall within this category; • ‘‘ information on online digital euro payment transactions’’ in Annex III, 1, point (iv). While the EDPB and the EDPS note it may include ‘‘ the transaction identifier and the transaction amount’ ’, Annex III, 1, point (iv) does not provide enough clarity on what other types of personal data would fall within this category; • “ unique digital euro payment account number ” in Annex III, 2, point (iii). Considering that no definition is provided under Article 2 of the Proposal 75 , it is not clear what would be included in this identifier, nor how and by whom it would be generated (i.e., whether in a decentralised manner with each PSP defining its own format or in a more centralised way, by the ECB). 76. Last, the EDPB and the EDPS note the absence of listed categories and types of personal data for the purposes listed in in Article 34(1)(d) and (e), and recommend that the co-legislators further elaborate on lists of categories and specific types of personal data to be processed for these purposes in Annex III. The sharing of responsibilities between PSPs 77. According to Article 34(3) of the Proposal, PSPs must be considered as the controllers for the personal data processing carried out for the purposes referred to in Article 34(1) of the Proposal. The Proposal also specifies that, when a digital euro payment account held by one PSP is linked to a non-digital euro payment account held by another PSP in accordance with Article 13(4) of the Proposal, these PSPs must be joint controllers. The EDPB and the EDPS wish to recall that, in accordance with Article 26(1) GDPR, in the absence of respective responsibilities determined in the context of this Proposal, it will be for the joint controllers to determine their respective responsibilities with regard to such processing, in particular as regards the exercise of data subject's rights and the obligations to provide information under Articles 13 and 14 GDPR 76 . 74 See Section 4 of this Opinion 75 See Section 4 of this Opinion. 76 See EDPB Guidelines 07/2020 on the concepts of controller and processor, adopted on 7 July 2021, paragraphs 161-170, available at: https://edpb.europa.eu/system/files/2023-10/EDPB guidelines 202007 controller processor final en.pdf Adopted 27 The obligation to implement appropriate technical and organisational measures by PSPs 78. The EDPB and the EDPS welcome the introduction in Article 34(4) of the Proposal of the obligation for PSPs to implement appropriate technical and organisational measures, including state-of-the-art security and privacy-preserving measures, so that any personal data transmitted to the ECB or national central banks or PSSs are not able to directly identify individual digital euro users. However, to reinforce this obligation, the EDPB and the EDPS recommend specifying that such measures should ensure that personal data are pseudonymised in such a manner that these data can no longer be attributed by the ECB or the national central banks to an individual digital euro user without the use of additional information. 10.2 Article 35: Processing of personal data by the ECB or national central banks The legal basis applicable to the processing performed by the ECB or national central banks 79. Article 35 of the Proposal defines the tasks for which the ECB and national central banks may process personal data to perform a task ‘’in the public interest or exercise of official authority’’ . However, the Proposal does not make explicit reference to the legal basis under which they will rely on for the processing carried out for the purposes referred to in Article 35(1) of the Proposal. According to the EDPB and the EDPS, the processing listed in Article 35(1) of the Proposal may be carried out by the ECB and national central banks in the public interest or in the exercise of official authority. In order to clarify the legal basis for the processing carried out by the ECB, the EDPB and the EDPS therefore recommend the co-legislators to refer more explicitly to Article 6(1)(e) GDPR and Article 5(1)(a) EUDPR in Recital 76 of the Proposal. The sharing of responsibilities between PSPs and the ECB or national central banks 80. The EDPB and the EDPS acknowledge that the ECB or national central banks and the PSPs are considered as separate controllers when personal data are transmitted by the PSPs to the ECB or national central banks for the performance of its tasks under Article 35(1) of the Proposal. While noting that users of digital euro will only enter into a contractual relationship with PSPs (Article 13 of the Proposal), the EDPB and the EDPS wish to underline that this qualification raises the question of how the obligation of transparency and the exercise of data subjects' rights will be ensured by the ECB or national central banks when processing personal data for the purposes listed in Article 35(1) of the Proposal. In particular, the EDPB and the EDPS consider that cooperation between PSPs and the ECB or national central banks on this matter will be essential to ensure the effectiveness of data subjects' rights as required by the GDPR, and thus build the high level of trust sought in the Proposal. The types of personal data processed by the ECB or national central banks 81. Article 35(2) of the Proposal refers to categories of personal data listed in Annex IV that may be processed by the ECB and by the national central banks for the purposes listed in Article 35(1). At the same time, Annex IV does not exhaustively list the type of personal data to be processed by the ECB or national central banks, but illustrates them in a non-exhaustive manner by using the term ‘’ including’ ’. The EDPB and the EDPS recommend to list exhaustively the type of personal data instead of using the word “including” in particular with regard to: Adopted 28 • Annex IV, 1, point (ii), which refers to processing of ‘’ information on online digital euro payment transactions. information linked to an unique digital euro payment account number, including the transaction amount’’ . • Annex IV, 3, which refers to processing of ‘ ’the data required for counterfeit analysis of offline digital euro payment transactions: information on the local storage device, including the local storage device number’’. 10.3 Article 36: Processing by Providers of Support Services 82. Article 36 of the Proposal describes the purposes for which processing may be carried out by PSSs in the situation where the ECB decides to confer them with the task of developing and managing a dispute mechanism function (Article 27 of the Proposal) or tasks in relation to the FDPM (Article 32 of the Proposal). 83. In addition to the recommendations already made above in Section 8.5 in relation to the general FDPM , the EDPB and the EDPS wish to raise the following comments on Article 36 of the Proposal. The allocation of responsibilities between PSSs and the ECB 84. The EDPB and the EDPS understand from Articles 27(2), 32(1) and 36(1) of the Proposal that, while the ECB and the national central banks will be responsible for the establishment of dispute resolution and general fraud detection mechanisms, the PSSs will be in charge of supporting the functioning of these mechanisms, should the ECB delegate this task to them. Article 36(5) of the Proposal further specifies that PSSs are to be considered as controllers when providing such support. On this aspect, it is essential to bear in mind that the determination of the role of the controllers in legislative acts must be aligned with the actual responsibilities attributed to these actors in these legislative acts 77 . However, the EDPB and the EDPS consider that the Proposal, as it stands, does not provide sufficient information on the actual tasks that will be performed by the PSSs in the context of the dispute resolution and general fraud detection mechanisms, thus preventing the EDPB and the EDPS from assessing their role as controllers or processors when processing personal data for the purposes referred to in Article 36(1) of the Proposal. Therefore, the EDPB and the EDPS recommend the co- legislators to further specify the responsibilities attributed to the PSSs with regard to these mechanisms that would justify their role as controllers. Alternatively, the co-legislators are invited to remove from Article 36(5) the qualification of the PSSs as controller in all cases, such qualification having to be assessed at a later stage in the light of the actual tasks entrusted by 77 EDPB Guidelines 07/2020 on the concepts of controller and processor, adopted on 7 July 2021, paragraph 23, available at: https://edpb.europa.eu/system/files/2023-10/EDPB guidelines 202007 controllerprocessor final en.pdf ; EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, adopted on 7 November 2019, page 8, footnote 6, available at: https://edps.europa.eu/sites/edp/files/publication/19-11-07 edps guidelines on controller processor and jc reg 2018 1725 en.pdf Adopted 29 the ECB to the PSSs in relation to Articles 27 and 32 of the Proposal, as well as the EDPB's and EDPS's guidance on the concepts of controller and processor 78 . The types of personal data processed by PSSs 85. T he EDPB and the EDPS note that when the ECB decides to entrust the task of a general fraud prevention and detection mechanism to PSSs, categories of personal data referred to in Annex V would be directly transmitted by the PSPs to these providers under Article 32(4) of the Proposal. However, the EDPB and the EDPS note that Annex V points (i) to (iii) of the Proposal, by referring to the term “including”, does not contain an exhaustive list of types of personal data, and thus recommend that further clarifications be made as to the type of personal data that could be processed by PSSs under these categories. 86. Moreover, the EDPB and the EDPS note the absence of listed categories of personal data to be processed by the PSSs when operating the exchange of messages for the resolution of disputes pursuant to Article 27(2) of the Proposal, as well as the absence of clarification as to who would provide this information. Therefore, the EDPB and the EDPS recommend adding these clarifications to Annex V. The legal basis for the processing of personal data by PSSs 87. Finally, the EDPB and the EDPS note that the Proposal does not make explicit reference to the legal basis for the processing carried out by PSSs for the purposes referred to in Article 36(1) of the Proposal. Therefore, the EDPB and the EDPS recommend to clarify in Recital 76 or Article 36(1) of the Proposal that Article 6(1)(e) GDPR would apply to these processing of personal data considering that the processing carried out by PSSs will be made in the framework of a public task conferred to them by the ECB. 11 CHAPTER IX - ANTI - MO NEY LAUNDERING 88. The EDPB and the EDPS welcome that Article 37 contains a specific regime on the application of AML/CFT rules regarding offline digital euro transactions. Such provisions aim at ensuring the appropriate balance between protection of privacy and personal data, on the one hand, and the application of AML/CFT rules, on the other hand, while taking into account the specific risk profile of the digital euro. Indeed, the EDPB and the EDPS are of the opinion that the AML/CFT rules currently applicable to electronic payments, allowing traceability of commercial bank money, need to be adapted to achieve the objective of the digital euro to ensure the highest possible level of privacy 79 . 78 EDPB Guidelines 07/2020 on the concepts of controller and processor, adopted on 7 July 2021, available at: https://edpb.europa.eu/system/files/2023-10/EDPB guidelines 202007 controllerprocessor final en.pdf ; EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU), adopted on 7 November 2019, available at: https://edps.europa.eu/sites/edp/files/publication/19-11- 07 edps guidelines on controller processor and jc reg 2018 1725 en.pdf . 79 EDPB Statement 04/2022 on the design choices for a digital euro from the privacy and data protection perspective, adopted on 10 October 2022, page 3, available at: https://edpb.europa.eu/system/files/2022- 10/edpb statement 20221010 digital euro en.pdf Adopted 30 89. However, the EDPB and the EDPS note that the impact assessment of the Proposal 80 states that option 2e (selective privacy for low-value payments online) “ could be attractive for criminals and terrorists ”, but does not explain why the risk profile of this option would necessarily be higher than the risk profile of cash. 90. In this regard, it should be noted that, as the Financial Actions Task Force (‘FATF’) recalls in its recommendations 81 , the level of AML/CFT risk should not be determined in an abstract way, but in relation to the specific design choices that would be made for a given central bank digital currency (‘CBDC’). On this aspect, the impact assessment does not sufficiently analyse the AML/CFT risk profile of the digital euro which, in practice, depends on the technology used and design choices made during the conception phase. In doing so, the impact assessment fails to take into account the different AML/CFT risk profiles of this option, including the fact that this risk could be reduced by the actual design of the digital euro, if properly assessed and managed on a risk-based approach. 91. In particular, the EDPB and the EDPS consider that there exist a number of mitigating measures that should be taken into account in order to reduce the AML/CFT risk of the online digital euro. As stressed in recent relevant literature 82 , such measures include design and technological choices to be made at a later stage to reduce the AML/CFT risk, such as: (i) the level of the holding limit (ii) the introduction of a specific threshold for low-value online transactions, above which complete checks can occur and (iii) the possibility to re-identify the user account in case of suspicion. In addition to these measures, technical limitations could be added, such as the adoption of an appropriate definition of instantaneity to avoid “ high frequency ” transactions, the limitation of the number of transactions per day with the same unique digital euro payment account number or a monitoring of funding-defunding patterns (as it is the case with the offline modality) to prevent abusive use of the threshold approach. In this regard, the EDPB and the EDPS note that Recital 79 of the Proposal explicitly envisages that the digital euro online transactions could be low-risk by foreseeing the elaboration of regulatory technical standards by AMLA concerning “ simplified due diligence measures” that PSPs should apply. 92. In this regard, the EDPB and the EDPS note that the impact assessment of the Proposal does not take into account the existence of the holding limit as a possible mitigation for the AML/CFT risk applying to online digital euro, which cannot be used as a means to store value contrary to what is the case with physical cash. In addition, the impact assessment does not make any distinction between standard AML/CFT risk and a possible low risk status, which would allow simplified checks, thus adopting a ‘’one-size-fits-all’’ approach of the risk. 93. Therefore, the EDPB and the EDPS recommend including an obligation for the Eurosystem to implement the most appropriate technical measures to further reduce the AML/CFT risk profile 80 Page 71 of the Proposal’s Impact Assessment. 81 FATF, Report to the G20 Finance Ministers and Central Bank Governors on so-called Stablecoins, June 2020, available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/reports/Virtual-Assets-FATF-Report-G20-So- Called-Stablecoins.pdf see Annex B, points 88 and 92 and 94. 82 The White House, Technical evaluation for a U.S. central bank digital currency system, September 2022, page 19, available at: https://www.whitehouse.gov/wp-content/uploads/2022/09/09-2022-Technical-Evaluation-US- CBDC-System.pdf Adopted 31 of low-value online digital euro transactions (for example by introducing a specific provision under Chapter X). In particular, the EDPB and the EDPS are of the opinion that the AML/CFT risk of low-value online digital euro transactions should be addressed and mitigated during the design phase of the digital euro, which would be more appropriate than an a priori limitation of the privacy and data protection features of low-value online digital euro transactions. With the mandatory adoption of appropriate technical measures to reduce the AML/CFT risk profile as proposed, the a priori limitation of privacy and data protection features of low-value online digital euro transactions would not be technically justified and would not provide the right balance between the protection of privacy and personal data, on the one side, and the AML/CFT prevention, on the other. 94. Having regard to all these considerations, the EDPB and the EDPS regret that the “ selective privacy approach ” for online digital euro payments, which was considered by the ECB itself 83 was discarded in the Proposal. More specifically, the EDPB and the EDPS recommend that the specific regime which would apply to the offline modality (which AML/CFT checks only for funding and defunding) should be extended to the online modality for low-value transactions, thereby establishing a privacy threshold, or in other words, a threshold under which no tracing of transactions for AML/CFT purposes would occur. This threshold could be established by an implementing act following the procedure set out in Article 37(5) and (6) of the Proposal, based on a previous risk assessment covering both data protection risks and AML/CFT threats. For the purpose of simplicity and efficiency, this threshold could be the same as the transaction limit for the offline modality, covering in particular low value daily transactions 84 . 95. Furthermore, as regards the definition of the ‘’transaction limits’’ for the offline modality, the EDPB and the EDPS recall the need to strike the right balance between the prevention of AML/CFT risks on the one hand and the preservation of the right to data protection and privacy on the other hand. This should be reflected in Article 37 of the Proposal. In particular, the EDPB and the EDPS note that the criteria to be taken into account by the Commission in Article 37(6) when deciding on transaction and holding limits for the offline modality are related to the AML/CFT risk and the “usability and acceptance” of the digital euro, but the reference to privacy of payments is still missing. This is surprising from a data protection perspective, as the preservation of privacy is one of the main objectives of this modality. The EDPB and the EDPS 83 For example, in a recent speech to the ECON committee, Fabio Panetta, member of the ECB Executive Board, declared, while commenting on the risk level of lower-value payments: “In general, a greater degree of privacy could be considered for lower-value online and offline payments. These payments could be subject to simplified AML/CFT checks, while higher-value transactions would remain subject to the standard controls’’ . See: ECB, Introductory statement by Fabio Panetta, Member of the Executive Board of the ECB, at the Committee on Economic and Monetary Affairs of the European Parliament, 30 March 2022, available at: https://www.ecb.europa.eu/press/key/date/2022/html/ecb.sp220330 1f9fa9a6137.en.html 84 The EDPB and the EDPS note that such a tiered approach (with the absence of checks or reduced checks for low-value online transactions) is increasingly common place in the CBDC design all over the world. As stated // noted in a recent IMF background paper, “[...] all three active CBDC projects have chosen the same way to handle the policy trade-off between anonymity/financial inclusion and AML/CFT compliance. Their approach has been to provide a tiered selection of wallets with different levels of thresholds. Those with lower thresholds allow for greater anonymity. (…) The use of tiered CBDC wallets thus gives rise to “policy synergies” between anonymity, risk-reduction (of bank runs), and financial inclusion . See: International Monetary Fund, Behind the scenes of central bank digital currency: emerging trends, insights and, policy lessons, February 2022, page 13, available at: https://www.imf.org/-/media/Files/Publications/FTN063/2022/English/FTNEA2022004.ashx . Adopted 32 therefore recommend that Article 37(6) of the Proposal refer to implications in terms of privacy and personal data protection. 96. Moreover, the EDPB and the EDPS note that Article 37(6) of the Proposal only provides that the Commission ‘’may’’ consult the EDPB when enacting a delegated act on this topic. However, it is unclear if and how this consultation would take place. A structured and institutionalized mechanism, rather than a mere possibility to consult the EDPB, should be provided by the Proposal. The EDPB and the EDPS thus recommend the co-legislators to introduce, at the end of Article 37(6), an obligation for AMLA to work in close cooperation with and formally consult the EDPB when issuing the opinion requested by the Commission (as proposed in the EDPS opinion with regards to Article 7(4) of the FIDA Proposal 85 ) and for the Commission to take the opinion into account before providing a draft delegated act. This would be without prejudice to the consultation of the EDPS in accordance with the EUDPR. 97. Lastly, some provisions of this Article need clarifications to avoid any doubts on the prominence given to privacy and personal data protection for the offline modality. In particular: • The EDPB and the EDPS recommend to ensure consistency between Article 37(2), which states that no transaction data shall be retained by PSPs, by the ECB or by national central banks - and point 3 of Annex IV - which provides that the Eurosystem can read all information on the local storage device for the purpose of counterfeit analysis of offline digital euro payment transactions” • In Article 37(2) the term “retain” [transaction data] is unclear from a data protection perspective as one would have expected the term “process” or “access”. “Retain” seems to imply that data can be accessed, which does not meet the privacy level aimed at with the offline modality. The EDPB and the EDPS therefore recommend replacing “ retain” by “process ”; • Article 37(4) includes, among “funding and defunding data ” to be processed for AML/CFT purposes, the identifier of the local storage device for offline digital euro payments. In this regard, the EDPB and the EDPS recommend clarifying the rationale for the necessity to process such data category for the purpose of Article 37(3), considering that the Proposal already provides for the processing of other categories of personal data, including the account number(s) used for funding and defunding; 98. Finally, the EDPB and the EDPS note according to Article 35(4), read in conjunction with Recital 76 of the Proposal, there should be clear segregation of personal data to ensure that the Eurosystem cannot directly identify individual digital euro users. In this respect, the EDPB and the EDPS recommend to introduce an obligation for the Eurosystem to provide for the segregation of data in the local storage device in relation to offline and low-value online transactions. It should be stated in the Proposal that transaction data should be “ring-fenced” (that is, stay within the local storage device) and should not be exported out of the device (data is processed and stored locally). From a technical perspective, it is possible to implement and make this segregation operational, thereby ultimately providing users with stronger safeguards with regard to privacy settings for the use of offline digital euro. 85 EDPS Opinion 38/2023 on the Proposal for a Regulation on a framework for Financial Data Access, adopted on 22 August 2023, paragraph 30, available at: https://edps.europa.eu/system/files/2023-08/2023- 0730 d2425 opinion en.pdf Adopted 33 12 C HAPTER X - FINAL PRO VISIONS 99. The EDPB and the EDPS note that Article 38 of the Proposal empowers the Commission to modify the annexes via delegated acts. In this respect, given the expected significant impact on the level of privacy and protection of personal data of the persons concerned, the EDPB and the EDPS recommend to introduce a clear reference to Article 42 EUDPR to make clear that the EDPS and/or the EDPB shall be consulted as appropriate when such delegated acts are proposed. 100. As regards the review of the Regulation under Article 41 of the Proposal, privacy and data protection should be a central aspect to be assessed by Commission in its reports. The EDPB and the EDPS remain available to provide relevant information to the Commission when preparing these reports to be presented one year after the first issuance of the digital euro and every three years 86 . CONCLUDING REMARKS 101. While the EU legislative process is ongoing, the ECB Governing Council will review the outcome of the investigation phase in the autumn 2023 and, on this basis, will decide whether to launch a more experimental phase of the digital euro, with the ambition to issue the digital euro in two or three years 87 . In this context, the EDPB and the EDPS recall the obligation for all digital euro controllers and joint controllers to perform a data protection impact assessment (hereafter ‘DPIA’), to the extent that the requirements of Article 35 GDPR or Article 39 EUDPR for carrying out such an assessment are met, and ideally to publish this DPIA. 102. The ECB should also evaluate the need to consult the EDPS before carrying out processing in relation to the digital euro, as such processing would likely result in a high risk to the rights and freedoms of natural persons. In particular, processing of personal data by the ECB would fulfil at least three of the criteria laid out in the EDPB guidelines on DPIAs (e.g., evaluation or scoring in the context of the FDPM, processing of sensitive personal data as it relates to digital euro users’ finances, and large scale processing) 88 . 103. Against this background, the EDPB and the EDPS recommend that the Proposal recalls the ECB’s obligation to carry out a DPIA and entrusts the ECB to provide a digital euro with built-in compliance with the obligation of data protection by design and by default during the next steps of the project such as the adoption of technological choices, scheme rules, and proof of concept. Such a provision would clearly ensure transparency for the public on the safeguards put in place to achieve a digital euro that effectively protects their privacy and personal data. 86 Article 41(1) of the Proposal. 87 ECB, Progress on the investigation phase of a digital euro – fourth report, 14 July 2023, available at: https://www.ecb.europa.eu/paym/intro/news/html/ecb.mipnews230714.en.html#::text=The%20fourth%20p rogress%20report%20on,it%20could%20strengthen%20financial%20inclusion . 88 WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, adopted on 4 April 2017, pages 9-11, available at: https://ec.europa.eu/newsroom/article29/items/611236/en Adopted 34 They could, for example, be introduced through an Article 36a or in the final provisions (Chapter X). For the European Data Protection Supervisor The European Data Protection Supervisor (Wojciech Wiewiorowski) For the European Data Protection Board The Chair (Anu Talus)

Similar Content