EU – EDPB addresses data protection aspects of digital euro and publishes response to EDRI on enforcement of GDPR

The documents released by the EDPB include:

• draft Guidelines on certification as a tool for international data transfers (summarised in last week’s update and available here);
• its response to European Digital Rights (EDRi) and several other privacy rights organisations, regarding GDPR enforcement and its work to promote and safeguard data protection; and
• its response to the European Commission’s consultation on a digital euro.

Response to the European Commission’s consultation on a digital euro

In its response to the targeted consultation of the European Commission exploring the possibility of issuing a digital euro and related regulatory implications, the EDPB reiterated that establishing a high level of privacy and data protection would be key for the digital euro to succeed.

The EDPB noted high risks to the rights and freedoms of individuals and highlighted the distinction between anonymous use of the digital euro and situations where a natural person would be identified or identifiable. A high level of pseudonymisation would be necessary for all modalities of digital euro in order to protect individuals’ rights to privacy and the protection of personal data. In implementing the digital euro, the EDPB took the view that, for transactions below a certain threshold, offering a possibility of carrying out offline transactions in a non-traceable form would be necessary in order to preserve individuals’ rights. Introducing fees thresholds or holding limits for digital euro accounts would also trigger additional data collection and controls, with negative impact on the privacy of individuals. The letter further highlighted the importance of minimising situations when individuals would need to identify themselves when making a payment, suggesting that any identification on top of compulsory identification during on-boarding should be prohibited. To avoid digital exclusion, the EDPB also stressed the importance of enabling the use of the digital euro on multiple devices (e.g. including cards and other devices, and not just smartphones).

The risks of data concentration (for example, cybersecurity risks) were also noted as a point of concern, given the centralised location of data processing foreseen under a digital euro provided through the ECB.

For international retail transactions, the EDPB also stressed the need to comply with Chapter V GDPR on international transfers, along with the points addressed in the Schrems II case.

Response to EDRI on structural and procedural GDPR enforcement

In response to a joint letter written by several privacy rights organisations, including European Digital Rights (EDRi), Amnesty International, La Quadrature du Net, none of your business (noyb), Privacy International and some others, the EDPB noted its numerous initiatives aimed at improving the cooperation between data protection supervisory authorities. Those initiatives include the Coordinated Enforcement Framework, the Support Pool of Experts and secondment programmes. The Guidelines 02/2022 on the application of one-stop-shop procedures and new Guidelines 04/2022 on the calculation of administrative fines were also highlighted, addressing several key cooperation issues to achieve common approaches by supervisory authorities. The EDPB further referred to the new commitments on enhanced enforcement cooperation on strategic cross-border cases announced in April 2022. You can read about the enhanced cooperation in our article.

The press release of the 66th plenary session is available here, and the EDPB’s response to the EDRi and European Commission is available here and here respectively.