The past few years have witnessed the rise of the central bank digital currency (or CBDC), with many countries exploring and testing the viability of issuing a CBDC and dissecting their political and economic implications. The current literature surrounding CBDCs focuses mainly on technical design, institutional architecture, financial inclusion benefits, macroeconomic implications, and financial stability concerns. Missing in these discussions is CBDC’s potential to infringe on citizens’ privacy and what can and should be done about it. A CBDC, if it became a reality, would allow an issuing central bank and its collaborating third-party providers to collect and process enormous amounts of citizens’ personal and transactional data. Current discussions seem to believe that privacy concerns of CBDCs can be addressed through the design of a token-based, two-tier structure. This design prevents the issuing central bank from accessing personal and transactional data directly, thus avoiding … In our recent paper, however, we disagree with that assumption.
We argue that sovereign states might misuse CBDCs to serve their agendas for anti-money laundering, crime investigation and prevention, or social control reasons. Central banks may not be capable of saying no to their governments, especially in an era where political interference with central banks’ decisions is becoming pervasive, and policymakers assign central banks far too many atypical missions, such as tackling climate change and mitigating inequality. To complicate the situation, we argue that the rise and use of CBDC will erode central bank independence and turn central banks into rather politically-oriented machines. The abundant value of CBDC data will lead other governmental agencies to force central banks to intervene or cooperate on issues they do not necessarily have the authority or capacity to tackle.
All the abovementioned factors beg the profound question of who gets to supervise central banks in issuing CBDCs and processing CBDC data, and through what methods? We argue that there must be institutional designs or disciplinary mechanisms to address the privacy concerns of CBDC domestically and internationally. Before we delve into those potential solutions, one must recognize that any disciplinary mechanism might hold the potential to jeopardize central bank independence and thus does not come without a cost. From a status quo point of view, a central bank can use three methods to avoid privacy concerns:
First, and perhaps the most common way for central banks to respond to CBDC privacy concerns, is to comply with existing privacy protection laws. Most central banks would choose to undertake the privacy protection obligations imposed by the existing privacy protection laws if they are given tools and incentives to do so more easily. They might be willing to undertake it, particularly if they determine that the expected benefit from CBDC surpasses the compliance cost. The concern with this approach is its credibility. Central banks might not possess the necessary expertise and capacity to undertake these duties. Their motivation to comply with privacy protection laws might be weak.
Second, central banks might consider anonymizing CBDC data to avoid applying privacy laws. Modern data protection laws do not apply to processing anonymous data (personal data that is no longer identifiable). If a central bank anonymizes or deidentifies the CBDC data, it no longer holds personal data and may thus be free from data protection duties. Data anonymization or deidentification, however, is not an easy task. In general, it requires the absence of any reasonable means to be used by any person to identify a natural person directly or indirectly. In other words, fully anonymized CBDC data means that no one can identify the exact CBDC user of a given CBDC account. This would impair the CBDC project because no one can identify the payer and payee in the transaction to complete CBDC payments. It also increases the risk of failing to prevent money laundering and terrorist financing. Having said that, anonymizing CBDC arguably provides the best safeguards to citizens’ privacy, but it really depends on whether the issuing central bank has other agendas to pursue.
Third, central banks might delegate ledger administration to partnering institutions and cast the compliance burden on them under a modified two-tier structure. This structure contains two steps. As the first step, a central bank issues the CBDC to its partnering institutions on a wholesale basis. At this stage, the central bank possesses the information related to the CBDC holding of these partnering institutions. This information, however, is merely attributed to these partnering institutions, which are legal persons rather than natural persons. Therefore, privacy concerns, at this stage, do not lie with the central bank. As the second step, the partnering institutions transfer the issued CBDC assigned to them to public CBDC users. This move does not subject the central bank to data protection obligations if the partnering institutions refrain from passing the data of CBDC users to the central bank. Under this design, the central bank cannot administer an integrated CBDC ledger because it does not have data attributed to each CBDC user. Instead, it merely possesses the CBDC data attributed to partnering institutions wholesale. Data protection laws, if applicable, apply only to partnering institutions and would not extend to the central bank. The main cost of adopting this structure is that the central bank no longer administers an integrated CBDC ledger. This compromises several functions of CBDCs. For instance, the money flow cannot be as transparent as envisaged because this structure fragments the CBDC ledger.
Critics argue that these methods undermine CBDC’s utilities as the issuing central bank will not be able to analyze money flow for good purposes such as anti-money laundering. We, therefore, propose three possible solutions accordingly. First, ask legislatures to establish a permanent CBDC privacy safeguard committee that requires a central bank to conduct CBDC-related privacy impact assessments and report user complaints regularly. Moreover, central banks must develop internal controls to monitor and manage the preservation and access to CBDC data. Second, a legislative branch may establish a special independent institution to oversee a central bank. This institution may consist of consumer representatives, banking associations, experts on IT and cybersecurity, and human rights activists. With the participation of human rights activists, this institution will likely pay closer attention to any suspicious misuse of personal data by the issuing central bank. Third, sovereign states should rethink the application of privacy laws to government agencies and create a tailor-made regime for CBDC-issuing central banks. For instance, such a regime may allow the central bank to collect and analyze CBDC data for specific legitimate purposes, and these purposes will undergo periodic ex-post empirical review.
The other source of discipline, we argue, might come internationally. Modern data privacy laws such as the General Data Protection Regulation (GDPR) carry extraterritorial effects and may apply to foreign central banks if CBDC data is collected from a protected data subject. CBDCs may well circulate across borders in the future, and such a Brussels Effect will, in effect, subject CBDC-issuing central banks to the purview of the privacy protection agency in a foreign country. Major sovereign states may start by exploring bilateral or multilateral dialogues to harmonize the impact of domestic privacy laws, which would, in effect, serve as an international disciplinary mechanism.
Cheng-Yun Tsang is an Associate Professor at the College of Law, National Chengchi University (NCCU), Director of the Financial Innovation and Technological Evolution Center (FINTEC) at NCCU Law; and a Visiting Fellow at UNSW School of Private & Commercial Law.
Yueh-Ping (Alex) Yang is an Associate Professor at the College of Law, National Taiwan University (“NTU”) and the Director of the Asian Center for WTO & International Health Law and Policy at NTU.
Ping-Kuei Chen is an Associate Professor at the Department of Diplomacy, National Chengchi University, Taiwan.
This post is adapted from their paper, “Disciplining Central Banks: Addressing the Privacy Concerns of CBDCs and Central Bank Independence,” available on SSRN.
Until the privacy issues for retail CBDC operations are resolved, no retail CBDC system should be allowed to operate.