Untangling Digital Euro's Personal Data Protection Challenges: An Exploration of Data Processing Activities and Latent Privacy Risks

The digital euro is a Central Bank Digital Currency (CBDC) that aims to revolutionise digital payments in the Eurozone by offering a public alternative to private digital payment schemes. The European Commission and the European Central Bank (ECB) have publicly stated their commitment to ensuring high levels of privacy and data protection for Europe’s newest form of payment. While the Digital Euro Proposal is already under discussion, this commitment has not been sufficiently examined from a data protection law perspective. The urgency to bridge the research gap in privacy and data protection standards for the digital euro cannot be overstated. The legislative momentum combined with the intended extensive social usage of this digital currency could seriously impact individuals’ lives as their principal means of payment is further digitalised and subject to intensive data-driven processing activities. Financial data, particularly regarding payments, is seen as more sensitive by data subjects, with empirical research establishing that users see privacy as an essential feature of a future digital euro. However, the Proposal presents intricate data-sharing processes that could raise data protection concerns if not adequately addressed. This paper examines the implications of the Digital Euro Proposal for the right to privacy and data protection, examining the characteristics, architecture, and complex relationships between the ECB, national central banks, service providers and intermediaries. To direct our research, we formulate the following research question: ‘How does the digital euro initiative address data protection and privacy issues following the principles, obligations, and rights in the EU data protection framework?’. The paper identifies and examines two principal challenges presented by the proposed digital euro in the context of data protection: unclear allocation of roles and responsibilities, which encompasses the ambiguity surrounding the distribution of duties among the diverse entities engaged in data processing, and balance between data minimisation and availability, i.e., the potential conflict between reducing the amount of data generated by this digital money system while ensuring that seemingly lawful grounds have acess to sufficient data to be fulfiled, such as anti-money laundering, which also includes adhering to the principle of purpose limitation.