The emergence of cryptocurrencies has prompted several countries across the world to launch central bank digital currency (CBDC) or study its various contours. Unlike cryptocurrencies, CBDC is a digital currency that is issued only by a central bank or a competent monetary authority. In simpler terms, it is the digital equivalent of government-issued paper currency. This article focuses only on privacy risks and concerns with respect to CBDC and offers policy recommendations to make a case against the harnessing of these currencies at the cost of individual privacy.
A number of central banks are researching or experimenting with CBDC. In October 2020, the island country of Bahamas became the first country in the world to launch a nationwide CBDC. The Chinese government began trials of e-yuan from April 2020 onwards and is planning to ramp up its promotion during 2022 Beijing Winter Olympics. European officials want to launch digital euro by 2025. The G7 is working on a common set of CBDC principles for central banks to issue their own currency. It is estimated that that countries constituting nearly 20% of world’s population will be using them in next three years. According to Atlantic Council, CBDC Tracker, 19 countries are involved in various CBDC pilot projects as of April 2021.
While digitised money can allow governments to provide relief-related monetary assistance and flag criminal activities, it also allows them to track peoples’ spending in real time. The possibility of central bank overseeing all our transactions highlights the fact that there will be an increased state intervention into our daily lives, while attempting to control what we do with our money. Examples of these controls can be seen in the form of China’s “Great Firewall” which prevents Chinese people and foreigners residing in China from accessing selected foreign websites and tools, and slows down cross-border internet traffic. Moreover, experimental trials of social credit systems in China have demonstrated how people can be denied access to travel and other activities if they have low credit scoring. So, CBDC can also be used to restrict people from purchasing certain products and services.
According to Atlantic Council, CBDC Tracker, 19 countries are involved in various CBDC pilot projects as of April 2021.
The attachment of expiration dates with e-yuan during trial phases indicate the extent to which the government will have control over people’s money. Consequently, a burst of cash accumulation was observed among the Chinese people last year. Such a scenario could be avoided by ensuring that the central bank digital currency is merely an extension of means through which people can access their money, while also not aspiring to become a completely cashless society.
Apart from government-related surveillance, it is also important to ensure privacy from private sector. In China, prominent mobile payment services Alipay and Tenpay have encountered a number of data breaches and security lapses despite the fact that they collect an excessive amount of personal data. These issues are not only restricted to Chinese mobile payment services. Data breaches incidents related to mobile payment services have occurred in several countries including India and Japan to name a few. Therefore, there is a need to regulate excessive personal data collection by private mobile payment systems. Case studies like Germany’s Barzahlen/Viacash should be studied so that privacy by design should remain at the heart of mobile payment system infrastructure.
To create a balance between personal data privacy and reporting of suspicious transactions, it is important that a trusted legal system should be formulated so that it allows to identify participants as part of legal investigation with probable cause. Moreover, the unmasking of the participants will also be required for surveillance purposes to monitor suspicious activities. However, it is important that the principles of proportionality and necessity be invoked when surveillance-related activities are carried out.
To create a balance between personal data privacy and reporting of suspicious transactions, it is important that a trusted legal system should be formulated so that it allows to identify participants as part of legal investigation with probable cause.
Regarding criminal, fraudulent or mistaken transactions, it is important to determine whether or not the CBDC related transactions are to be treated as final transactions with no chance of reversal. In such a scenario, it is important to set up a court system or a third-party mediator that individuals could approach for reversal of criminal, fraudulent or mistaken transactions. In this regard, American Congressman George William Foster calls for providing a digital backdoor to the court system or mediator.
A digital ID will remain a precondition for participation in CBDC. The IDs will need to be legally traceable and biometrically verified so that individuals cannot operate them in multiple jurisdictions. It is important that these IDs should be maximally privacy preserving. Currently, there exist technologies which ensure that only minimum amount of necessary information is provided for transaction while leaving out key details like what was purchased and where it was purchased. A case in point is encrypted barcodes which are used by a German company Barzahlen/Viacash to ensure that personal data is not transferred to third parties.
In future, it will be important to see how cross-border transactions of central bank digital currency will be undertaken amidst the existence of cross-border data transfer restrictions in several countries. The cross-border usage of CBDC will require international credentialing of authorized legally traceable participants. An extensive round of negotiations will be required among states to materialize the prospects of such a framework.
While different aspects and concerns of privacy will continue to unfold in the future with the rolling out of CBDCs around the world, it is important to acknowledge the fact that a good number of people will prefer to trade-off their privacy for convenience. However, formulation and strict enforcement of data protection laws can guarantee that public and private sector entities do not use financial data of citizens for malicious purposes.