This study elucidates the intersection of privacy and central bank digital currencies (CBDCs), employing Solove's pragmatic approach and Nissenbaum's theory of contextual integrity to dissect privacy within various CBDC frameworks. It articulates three foundational principles for privacy-centric CBDC design: legal acknowledgment of privacy rights, embedding privacy by design, and prioritizing user-centricity. This analysis not only deepens the understanding of privacy in the digital currency domain but also proposes a legal and technical blueprint for central banks aspiring to develop CBDCs that respect and protect user privacy.
TopIntroduction
The development of Central Bank Digital Currencies (CBDC) has become a subject of intense research and discussion worldwide, encompassing countries representing over 98% of global GDP (Jiang, 2023). These research and pilot initiatives span various development stages, from exploration to full-scale implementations, highlighting the diverse approaches to CBDC globally (Senarath et al., 2017). Initial implementations, such as the Sand Dollar in The Bahamas and DCash in the Eastern Caribbean Central Bank member states, mark milestones in the evolution of digital money (Uberti, 2022). Furthermore, several central banks, including the People's Bank of China, the European Central Bank, and the Federal Reserve of the United States, are actively investigating the potential of CBDCs, underscoring their interest and possible development directions.
While the debate on CBDCs often focuses on economic and technological aspects, legal issues, especially those concerning privacy and data protection, remain equally important. The introduction of CBDCs brings forth privacy challenges that necessitate thorough consideration within the existing legal frameworks, such as the General Data Protection Regulation (GDPR) in the European Union, the Payment Services Directive 2 (PSD2), and anti-money laundering (AML) directives (Pocher & Veneris, 2022). In the United States, where there is a lack of a unified data protection system at the federal level, the introduction of a CBDC might require the creation of new, unified regulations concerning financial and personal data protection.
The introduction of CBDCs reduces the questions related to privacy that go beyond the traditional understanding of personal data protection. There is a broad range of possible CBDC models, from single-tier systems, where the central bank directly manages the currency, to two-tier systems engaging financial intermediaries. Each of these models carries unique challenges for user privacy, requiring from CBDC system designers not only a deep understanding of technical capabilities but also a sensitivity to the needs and expectations of society in the area of privacy protection.
Authors emphasize that the key principle that should be adopted in designing CBDCs is “privacy by design” – the integration of privacy protection at the system design stage. It is important that decisions regarding the specific CBDC model and accompanying legal regulations are made before the start of work on the technological implementation of the system. Such a sequence ensures that privacy protection is built into the very structure of the CBDC, not added afterward as a security layer.
Attention should also be paid to the fact that blockchain technology, which may underpin some CBDCs, is characterized by the immutability of records. This means that any design decisions, including those concerning privacy, must be carefully considered at an early stage, as later modifications may prove to be extremely difficult or impossible to implement.
When considering the introduction of CBDCs, one cannot ignore the experiences resulting from the evolution of other payment systems, such as online banking. Traditionally, innovations in financial systems often outpaced the development of appropriate regulations, which were introduced in response to emerging challenges. Examples include the PSD1 and PSD2 directives, which were developed to regulate the growing sector of electronic payments in the European Union. In the case of CBDCs, due to their potential scope and impact on the financial system, it is necessary that these regulations be shaped concurrently with the technological design of the currency, not after its implementation.
This paper aims to examine the general issues associated with the introduction of CBDC, with an emphasis on data privacy protection. By adopting a broad approach, we strive to present various aspects of CBDC introduction, ranging from technological design through regulatory issues to social and economic implications. Understanding the dynamic nature of technology and monetary policy, we acknowledge that our analysis may not be exhaustive but rather an invitation for further discussion and research in this rapidly evolving field.