CDBC v. Cryptocurrency
Central Digital Bank Currency (CDBC) is a digital form of currency issued and backed by the central bank. Similar to cash, CDBC is risk-free and is a direct liability of the central bank. That means the central bank is accountable to the end users of CDBC for guaranteeing that CDBC’s value is not fluctuating beyond a predefined period. However, instead of being printed, CDBC will be provided via digital coins. Simply put, CDBC could be treated as a digital representation of cash.
One of the main reasons for the issuance of CDBC is to compete with cryptocurrencies. During the last decade, cryptocurrencies such as Bitcoin have developed rapidly, owing to the ease with which they can be transferred in the global market. But these benefits cannot override the high risks posed to financial stability and data protection. First, cryptocurrencies are issued by private organisations, so they are not liable to any public entity and lack any intrinsic value. This explains the high volatility of their price, as well as the potential failure to convert them back into the amount of national currency, e.g. the pound or the U.S. dollar, that users invested in the beginning. More strikingly, cryptocurrencies are not anonymous. The address where users send and receive cryptocurrencies acts as an indirect identifier of an individual if this address can be linked to the user. That in turn implies that private issuers could acquire sensitive transactional data on users, generating a high unregulated risk to data protection.
In response, central banks from 105 countries, accounting for over 95 per cent of global GDP, are exploring CDBC, while 10 countries have fully launched a state-owned digital currency. Among them, first-mover China’s pilot is set to expand in 2023, yet the UK and the US are still in the research stage. Regardless of the various stages of CDBC development across the world, the fundamental difference between cryptocurrencies and CDBC is that CDBC is a risk-free liability of the central bank, which will replace private issuers in processing transactional data on users.
Nevertheless, the issuance of CDBCs brings up various privacy and security concerns. In this article, we will discuss two of these concerns and present potential solutions to mitigate them.
1st Concern: Security of CDBC Database
Our main concern is whether we could trust the central bank to utilise appropriate technical or organisational measures to ensure the security of our transactional data if all data was concentrated in the database of the central bank.
Granted that the central bank, compared to private issuers, is a public institution that manages the currency of a country, its traditional role in issuing paper cash makes us question its capability to safeguard a giant database where the transactions of digital currency within a country will be recorded. Take the Bank of England as an example. In the second quarter of 2022, the average daily payment and settlement values were approximately 760 billion pounds. If half of the UK population, which is estimated to be 68 million, shifted towards payment in CDBC, this would generate transactional data valued at 380 billion linked to 34 million users. Incentivised by this sheer volume of transaction data, private hackers may attack the aforementioned database of the central bank to gain profits from data fraud, extortion or exfiltration.
Given that such a high concentration of data is in the central bank’s hands, it is imperative for the central bank to design a holistic security approach to protect its database before the provision of CDBC. Specifically, cyber resilience will have to be established within the CDBC ecosystem to guarantee its ability to offer comprehensive protection of data from cyberattacks.
2nd Concern: Anonymisation or Pseudonymisation of End Users
Our second concern is whether a user could be directly or indirectly identified when CDBC is being used. It is understood that anonymous use of CDBC will be challenging to realise, mainly because transactions are tracked throughout the payment system for compliance with the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) laws. Nevertheless, is it reasonable for the protection of privacy and personal data to be outweighed by the legal obligations of AML/CFT? From a data protection standpoint, it is more likely to be unnecessary and disproportionate, especially in the case of generalised surveillance, where governments could possibly surveil their citizens via unregulated access to the giant database.
This answer does not mean that we advocate that the central bank eschew the tracking of CDBC transactions. On the contrary, inspired by the GDPR’s principles of data minimisation and purpose limitation, we agree with this tracking to some degree, under which the collection of user data should be minimised to what is necessary to transact CDBC and the identification of the user should be limited to what is necessary for compliance with legal obligations. Yet, how to design the architecture of CDBC to execute these data protection principles remains complicated.
A threshold-based approach proposed by the European Data Protection Board (EDPB) has caught our attention. Under this approach, the identification of end users will be determined by the monetary value of the transaction. A low-value transaction could entail privacy ranging from full anonymisation to a high-level pseudonymisation of end users. On the other hand, if the transaction is of higher value, the processing of personal data must be permitted for audit purposes to prevent money laundering, terrorism financing and tax evasion. This distinction would alleviate our concern about the identification of users via CDBC transactional data. However, two significant issues remain to be resolved by any central bank intending to implement this approach. The first is how to draw a clear line between low-value and high-value transactions, while the second is how to utilise privacy technologies to enhance anonymity or pseudonymity during the whole lifecycle of transactions. We will keep monitoring this approach’s progress and update this article if any progress is made.
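To make the threshold-based approach concrete, the sketch below is an added example, not code from the EDPB or from any CDBC design. It stores only a keyed pseudonym for low-value transfers and attaches the payer's identity only at or above the threshold. The threshold value, the pseudonymisation key, the rotation epoch and all function and field names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Assumption: the article leaves the low/high boundary open; 100.00 is a placeholder.
THRESHOLD = Decimal("100.00")


@dataclass(frozen=True)
class LedgerRecord:
    tx_id: str
    amount: Decimal
    payer_ref: str                  # keyed pseudonym, never the raw identity
    payer_identity: Optional[str]   # filled in only for high-value transfers
    tier: str                       # "low" or "high"


def pseudonym(user_id: str, key: bytes, epoch: str) -> str:
    """HMAC-SHA256 over epoch and user id, truncated to 128 bits.

    A plain hash of the id could be reversed by hashing a list of known ids;
    a keyed MAC cannot be recomputed without the key. Changing the epoch
    yields pseudonyms that cannot be linked across periods.
    """
    msg = f"{epoch}|{user_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def build_record(tx_id: str, user_id: str, amount: str,
                 key: bytes, epoch: str) -> LedgerRecord:
    """Apply data minimisation per value tier before anything is stored."""
    value = Decimal(amount)
    if value <= 0:
        raise ValueError("amount must be positive")
    ref = pseudonym(user_id, key, epoch)
    if value >= THRESHOLD:
        # High value: identity is retained for audit purposes.
        return LedgerRecord(tx_id, value, ref, user_id, "high")
    # Low value: only the pseudonym is written to the ledger.
    return LedgerRecord(tx_id, value, ref, None, "low")


if __name__ == "__main__":
    demo_key = b"\x01" * 32  # constructed sample key, for the demo only
    print(build_record("tx-1", "alice", "25.00", demo_key, "2023-Q1"))
    print(build_record("tx-2", "alice", "250.00", demo_key, "2023-Q1"))
```

In this sketch the pseudonymisation key is what separates pseudonymity from identification, so it would have to be held apart from the ledger itself and released only for a lawful audit.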
Our privacy concern over CDBC resonates with the worry about privacy and security predominantly expressed by the European public. In a 2021 finding, 61% of them said that what they wanted most from CDBC was privacy and security. To address these privacy issues, the design of CDBC is of paramount importance, under which the central bank will have to consult with a wide range of stakeholders to settle on database security measures, utilise privacy-enhancing technologies and establish cyber resilience of the financial ecosystem. Facing the decline of cash use accelerated by Covid-19 together with the necessity to reduce the ecological footprint, the issuance of CDBC by the central bank appears to be promising and practicable if a balance could be struck between privacy and data protection on one hand, and various interests from digital innovation to financial stability on the other hand.
Personal data shall be limited to what is necessary in relation to the purposes for which it is processed.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.