Analysing the proposal to regulate the digital euro

December 4, 2023

Earlier this year the European Commission published a proposal for a regulation on the establishment of the digital euro. At the same time it also published another proposal for a regulation on the legal tender of euro banknotes and coins. For more information, see this digital euro package.

A few months later, both the European Central Bank (ECB) and the EDPB/EDPS published their opinions on this proposal. I was asked to offer my views on these proposals to the Civil Liberties, Justice and Home Affairs (LIBE) committee of the European Parliament. This is what I submitted.

There are many good reasons to issue a digital euro, the primary one being that the use of cash (the only form of ‘public’ money) is dwindling. At the same time it is a balancing act: a too successful digital euro might push banks (the issuers of ‘private’ money) into bankruptcy. See the Commission’s proposal for a much more in-depth analysis. There are also many things in the proposal that I agree with, that I won’t mention here. Instead allow me to reflect on the Commission’s proposal from a few different perspectives where I think the proposed regulation could be improved.

Summary of findings

Regarding privacy, the proposal stresses its importance. Unfortunately this ambition is in fact not achieved because of strict Anti Money Laundering, Combating the Financing of Terrorism (AML/CFT), fraud detection and tax avoidance prevention requirements. In fact, to supplement cash (the most privacy friendly form of money), surprisingly enough an account based form of (online) digital euro is proposed, which is the worst possible form of money from a privacy perspective. This completely disregards the fact that it is perfectly possible to create non-account based forms of (online) digital euro that have privacy properties comparable to cash, without creating significant money laundering and terrorism financing risks.

With respect to accessibility and strategic autonomy, the strong focus on a smartphone based implementation is worrisome. A significant number of people do not have a sufficiently modern smartphone. Also, this creates a strong dependence on smartphone hardware and operating system platforms that are almost exclusively under the control of foreign, non European, companies. Smart card based solutions to implement the digital euro should therefore be considered.

The importance of clarifying the status of legal tender of both cash and digital euro, and requiring their acceptance in most cases, cannot be overestimated. Cash is the only really privacy friendly means of payment that is truly unpermissioned: I can pay anybody else in cash, and no party can prevent me from doing so. Cash needs to stay.

Finally, regarding democratic oversight, the Commission should ensure that it stays in control wherever possible also after the digital euro is issued. This is currently not sufficiently the case.

Detailed analysis

For each of the main points mentioned above a much more detailed discussion follows. But first let me start with some general remarks.

General remarks

The proposal distinguishes an online and offline digital euro, where the offline digital euro can be used in situations where neither the payer nor the payee is connected to a network. The proposal is clearly written with a particular technical design of both this online and offline digital euro in mind. The online digital euro is essentially account and payment card based, similar to and almost indistinguishable from current private euros on commercial bank accounts, and the offline digital euro is seen as an app on a smartphone (possibly integrated into the European Identity Wallet). This, however, is never made explicit (e.g. ‘the offline digital euro shall be an app on a smartphone’). As a consequence the regulation has a blind spot for other possible designs for online and offline digital euro.

The problem is that the actual privacy and security properties (that I will mainly focus on here) very much depend on the actual technical design of the digital euro. This problem is not unique to this particular proposal: I would like to draw your attention to the proposal for a revision of the eIDAS regulation where the actual designs for the identity wallet were relegated to the Architectural Reference Framework that was drafted in parallel, with limited oversight, much to the discontent of the European Parliament; even as I write this there are last minute discussions about technical details in the eIDAS proposal.

For example, the offline digital euro should have privacy properties similar to those of cash. Cash is the most privacy friendly form of money around: for all practical purposes it is unlinkable, as it is hard to trace who spent a particular euro coin or bank note at a particular shop. However, if the ‘wallet’ (I am using that term even though the proposal does not really use it in this context) storing the digital euro on the smartphone is uniquely identified when spending digital euro at a merchant and the same (or otherwise linkable) identifier is used to load digital euro onto the wallet, little privacy is gained. (Note, for example, that by Article 37.3 PSPs are required to provide fund and defund transaction data to the Financial Intelligence Units on request, which includes the wallet identifier.)

Similarly, the requirement that offline digital euro should be transferable from ‘wallet’ to ‘wallet’ has security implications: it means that digital euro can move from one wallet to another for many ‘hops’ until it is being spent in a transaction to an account. This is of course great for privacy, but makes it harder to implement double spending prevention (an important security property in digital money), especially in a privacy friendly fashion. Many digital cash schemes discussed in the academic literature become much more complex once wallet-to-wallet spending is supported.

More fundamental is the following issue. The digital euro is supposed to be the digital supplement of cash, with cash being the most privacy friendly form of money that exists. The original proposals for the digital euro written by the ECB only considered an online, account based, digital euro. In a way this is quite surprising and a fundamental shift of what a ‘central bank euro’ is: thus far it was not account based. Account based money is the least privacy friendly form of money one can imagine. This is hardly a worthy supplement to (let alone a future replacement of) cash. Quite the opposite: we would be far worse off with such a ‘euro’.

Of course the current proposal also defines a more privacy friendly offline digital euro, which needs to be issued alongside the online digital euro. Unfortunately (and more about that later), this offline variant will not necessarily be freely available, and the ECB is already signalling it is going to be challenging to come up with a design that satisfies all the requirements in time.

But the main point is this: why not design a privacy friendly version of the online digital euro, i.e. one that is not completely account based? This is certainly possible, using for example GNU Taler; see also a recent working paper by David Chaum and others. I also discussed another proposal earlier this year, that works without even having to change the existing payment infrastructure. (There are, admittedly, significant accessibility issues with the proposal as it is currently purely smartphone based.) In fact, why even distinguish an online and offline digital euro, and not instead focus on a single, wallet or token based, privacy friendly design that can be used both offline and online (using a QR code for web-based transactions)? The current framing of the Commission proposal completely overlooks this possibility!

And this is really a shame, because a true privacy friendly digital euro would be a unique selling point that could actually win citizens over to a digital euro. Because such a digital euro would offer a significant privacy improvement over current debit/credit card payments, and over Apple/Google Pay. This is all the more important as I fear that the current, account based, online digital euro will be met with indifference by citizens. Citizens already have an account with euro that, for all practical purposes, is already digital to them. Why would they bother opening another digital euro account, and why would they bother carrying yet another payment card? I really fear this won’t fly.

Privacy

The proposal claims a high level of privacy. But in practice this is not really achieved, as already argued above, and moreover because of strict AML/CFT, fraud detection and tax avoidance prevention requirements. Strict holding limits across accounts and wallets mean that a single register of holdings of everyone that once held digital euro needs to be maintained forever. This is even worse than for current private euro bank accounts and card payments. Admittedly, Recital 25 says:

The European Central Bank should implement appropriate technical and organisational measures, including state-of-the-art security and privacy-preserving measures, to ensure that the identity of individual digital euro users cannot be linked with the information in the single access point by entities other than payment service providers whose client or potential customer is the digital euro user.

But it is entirely unclear to me how that could work. And in any case a large group of entities (the PSPs, which include companies like Google) can link the identity of individual digital euro users by definition.

Another reason for having these strict holding limits is to prevent people from converting a significant part of their financial savings into digital euro, in other words to prevent a kind of digital bank run. For an account based online euro this makes sense, but for a wallet based solution (either for online or offline digital euro) this is less clear. People typically do not keep their financial savings in cash, for fear of loss or theft. Digital euro stored in wallets on smartphones also risk being lost or stolen. So it is unclear whether wallet based forms of digital euro really create such a risk of a digital bank run that such strict enforcement of holding limits is necessary.

To detect fraud, online digital euro transactions are subjected to a central, real time fraud detection and prevention mechanism operated directly (or indirectly) by the European Central Bank. This is even the case for low value transactions that are currently not subject to such checks in general. A similar waiver for not scanning low value transactions should be guaranteed for (online) digital euro transactions.

Article 34.4 only ensures that any data shared for these purposes with the European Central Bank and the national central banks or to providers of support services do not directly identify individual digital euro users. Any indirect identification (using the account numbers that are surely involved in the analysis of transactions) is not prevented. Again this is a significant shift from the current situation where such transaction monitoring does not take place by or on behalf of the ECB.

Article 37.2 only ensures unobservability for offline digital transactions, not by requiring technical safeguards, but merely by making retaining such transactions unlawful. Moreover, Article 37.4 does require payment service providers to retain funding and defunding data. This data includes the identifier of the local storage device for offline digital euro payment. And in all likelihood this identifier will also turn up in the transaction data for any payment made with such a local storage device. That data will have to be forwarded into the payment network to finalise the settlement of the transaction.

If implemented well, the offline digital euro could be a proper, privacy friendly, replacement for cash. Unfortunately, the offline digital euro is not listed as belonging to the basic digital euro payment services (that are to be offered for free) in Annex II to the proposal. Moreover, the ECB is signalling, in its opinion (13.1), that it may not be able to offer both the online and offline version at the same time from the first issuance of the digital euro. Both factors make it unlikely that the offline digital euro will actually be used much in practice once the digital euro is issued. In particular if its use is not free.

It is unclear whether citizens can obtain offline digital euro without an account for online digital euro. It would be good if this was possible, especially if the enforcement of strict holding limits for offline digital euro is relaxed. This would mean that holders of only offline digital euro are not subjected to the same strict registration of their holdings in a single central register, and thus have more privacy.

As a final remark, even though I am not a lawyer, articles 34 to 46 struck me as odd. They essentially make every party involved a (joint) controller. But if you make everyone a (joint) controller, in the end no-one is in control (or responsible). Similarly, Article 36.5 makes providers of support services also controllers. I am not sure whether that makes sense: shouldn’t those be seen as processors?

Accessibility

Recital 54 makes clear that accessibility is important:

The technical design of the digital euro should make it widely accessible to and usable by the general public. That design should, in particular, support access to financially excluded persons or persons at risk of financial exclusion, persons with disabilities […], persons with functional limitations who would also benefit from accessibility, or persons with limited digital skills and elderly persons.

I am not convinced the current proposals for digital euro satisfy this requirement, in particular for the offline digital euro, as the perceived form factor in which the online digital euro is distributed appears to be a (modern) smartphone. In practice this excludes a large group of people. Perhaps a card based solution for offline digital euro, similar to the payphone cards and the Dutch Chipknip and Chipper smart card based payment schemes from the late 90s, could be considered? I understand that at least the Commission is open to such approaches.

Moreover, it is in fact not entirely clear whether the online digital euro will be freely available to consumers in a simple payment card form factor: it could very well be that, in order to cut costs, banks will only issue them as a virtual card within their banking app. This should be prevented by the regulation. (Note that the regulation specifically requires PSPs to allow users to use the European Digital Identity Wallet for the digital euro if they wish to do so, see Article 25 and its explanation on page 15 of the proposal.)

This idea of integrating the digital euro into the European Digital Identity Wallet also creates the risk of putting all our eggs into one basket: if the underlying platform fails, both our payment and our identity platform fail. This is also a risk at the individual citizen level: if I lose my smartphone, I lose access to my identity and my digital euro. And without my identity, I (presumably) cannot regain access to my digital euro.

If the European Digital Identity Wallet serves both as a means to pay as well as a means to identify, malicious entities might be able to abuse this combined feature set to trick people into

  1. paying a (small) fee unnoticed while performing an authentication or attribute attestation at a service, or
  2. imperceptibly authenticating or attesting an attribute, while paying at a service.

This is clearly undesirable.

Strategic autonomy

A card based solution for the offline digital euro might also be relevant from another perspective; that of strategic autonomy. In fact, the digital euro “would support open strategic autonomy by creating a new payment scheme that would be resilient against potential external disruptions” (p. 9 of the proposal). Yet, the offline digital euro is clearly envisaged as an app on a smartphone. The same is true for the European Digital Identity Wallet in the proposal for the eIDAS update. This means that Europe becomes critically dependent on smartphone hardware and operating systems for the issuance of two of its core assets: identity, and euro. These smartphone hardware and operating systems are almost exclusively under the control of foreign, non European, companies. This is the exact opposite of strategic autonomy, and a risk that needs to be mitigated.

The proposal for a digital euro is accompanied by a proposal for a regulation on the legal tender of euro banknotes and coins. This is necessary because the interpretation of the meaning of legal tender varies, in practice, across member states. In the Netherlands, for example, cash is rapidly disappearing and shops increasingly refuse to accept cash payments.

The importance of this cannot be overestimated. Cash is the only really privacy friendly means of payment that is truly unpermissioned: I can pay anybody else in cash, and no party can prevent me from doing so. Any digital form of payment is permissioned (and yes, this is even true for Bitcoin and other cryptocurrencies because in practice their ledgers are never truly immutable).

The unpermissioned nature of cash is an important feature, that needs to be protected by protecting cash itself. Even if a very privacy friendly form of digital offline euro is implemented in the future.

This is important to keep in mind during the upcoming negotiations: member states like the Netherlands may strongly oppose the legal tender status of cash, because of the significant local consequence this will have. Yet the digital euro can only exist if it has the same legal tender status as cash. We can expect weakening of the mandatory acceptance requirements of cash. But we should be vigilant to ensure that the list of exceptions to the mandatory acceptance does not become so large that ‘mandatory acceptance’ becomes essentially meaningless, eventually driving cash into extinction.

Programmability

I welcome the explicit exclusion of programmability of the digital euro (Article 24), but worry that the fact that it must allow for some form of conditional payment transactions creates a ‘backdoor’ to implement a basic form of programmability. And in any case, any form of digital money risks being turned into something programmable.

For example a form of programmable money that is “subject to time limits after which they are no longer usable” (p. 14 of the proposal) is very similar to an account with a conditional payment transaction that clears the account after a certain date. Recital 55 explicitly states that “[c]onditional payments should not have, as object or effect, the use of digital euro as programmable money”; but is that enough? Especially if in the same recital the example of a conditional payment is given of “machines [that] are programmed to automatically trigger payments for their own spare parts upon ordering them, for charging and paying electricity at most favourable market conditions, for paying insurance, and leasing and maintenance fees on a usage basis”. In general, API access to digital euro mentioned in Recital 56 opens the possibility to create programmable money as a wrapper around the digital euro. In other words, the explicit exclusion of programmability could very well be a paper tiger that cannot be enforced in practice.

Democratic oversight

Even though I am not a lawyer, allow me to close by making a remark on the division of competences between the ECB and the Commission. The proposal is clearly a balancing act with the ECB stressing its independence of the Commission, based on the Treaties. From my point of view, the Commission should ensure that it stays in control where possible (and allowed within the boundaries of the Treaties) also after the digital euro is issued. The current proposal shows too little ambition in that respect. A solution could be to require the ECB to be transparent about updates and changes to the digital euro, and be required to consult the Commission before making such changes. For example, when deciding to make the digital euro bear interest.

Note that the claimed independence of the ECB all depends on the interpretation of what a ‘digital euro’ is. As the ECB itself mentions in its opinion of October 31, a programmable digital euro would be tantamount to a voucher, which the ECB acknowledges it does not have a mandate to issue: that would be incompatible with the Treaties. The question then is, for example, whether a digital euro bearing interest is a ‘euro’ as covered by the Treaties. This turns back to the question of what a digital euro ‘is’ in a technical sense. Something that, in my mind, is currently underspecified in the proposal.
