NEWSLETTER No 34 // Thursday 29 September 2022
Edito
THE DIGITAL EURO: WHAT ARE THE CHALLENGES FOR PERSONAL DATA PROTECTION?
This month La Lettre du DPO interviewed Dominique Jeanne (Data Protection Officer at the Banque de France), Luc Millot (Expert in cyber resilience and operational risk management at the Banque de France) and Barbara Buchalik (IT lawyer, co-founder of the FinTech Brygge, after working at the Federal Ministry of Finance in Germany). They have provided La Lettre du DPO with their insight on the challenges of the digital euro. 
 
The digital euro: a reaction to the development of cryptocurrencies. On 2 October 2020, the European Central Bank (ECB), having observed the decline of cash payments in favour of digital payment solutions in many European countries, published a report on the digital euro. According to the ECB, the digital euro would be the equivalent of euro banknotes in a dematerialised form, but would not replace them. This parallel form of electronic money would be issued by the Eurosystem (the ECB and the national central banks of the Euro Area) and would be accessible to both individuals and companies. This project aims to face up to the development of “cryptocurrencies” as well as the Libra/Diem project of Meta (formerly Facebook), which has come up against considerable reluctance from financial regulators since 2019. The creation of a “Central Bank Digital Currency” would thus make it possible to compete with “cryptocurrencies” for innovative digital uses. The Eurosystem is currently weighing up the pros and cons of a digital euro in order to continue to cater for the needs of all Euro Area residents. This study phase, which began in October 2021, is expected to end in October 2023.   
 
Privacy: a key issue for the digital euro. The results of the ECB’s public consultation on the digital euro, published in April 2021, show that for 43% of respondents, privacy is the most important issue, way ahead of security (18%). In this context, the development of a privacy and data protection standard will undoubtedly be one of the main keys to the success of the future digital euro. In addition, the European data protection authorities have recently highlighted the significant privacy and data protection risks that may result from the digital euro (such as, for example, widespread tracking and monitoring of transactions through payment systems, excessive interference in payment data by centralised State entities or private services, etc.) and the need to design the digital euro in accordance with European laws and principles (such as ‘privacy by design’ and ‘privacy by default’). 
 
Recommendations for limiting privacy risks. In order to limit privacy risks, the European data protection authorities recommend a balance based, on the one hand, on a space with anonymous access that must be preserved without traceability (for example, below a certain threshold for everyday transactions); and, on the other hand, on transactions that must be traceable solely by entities invested with a legal mission of public interest. On a national level, the most recent work of the Conseil national du numérique has made this an issue of sovereignty by recommending that a margin of anonymity be maintained for transactions, in order to prevent the use of personal data by the major digital services. For its part, the CNIL considers that a democratic debate on the digital euro is essential and it will work closely with the Banque de France to find a balance between the legal requirements in financial matters and the issues at stake for the privacy of individuals. 

Enjoy the reading! 


Matthieu Bourgeois and Laurent Badiane, partners in charge of the Intellectual Property and Digital Law Team.



Interview
The future of digital currency is trust 
Respectively Data Protection Officer (DPO) and expert in cyber resilience and operational risk management at the Banque de France (BDF), Dominique Jeanne and Luc Millot are accompanying the 200-year-old institution in its digital transformation, in particular with the project for launching a Central Bank Digital Currency (“CBDC”) to offer, in digital form, a secure currency in the face of the proliferation of private digital currencies, which are characterised by their lack of physical or financial backing and which are becoming increasingly attractive, threatening the stability of financial systems and the monetary sovereignty of States. 

Aware of the importance of this project, but also of its possible repercussions on the fundamental rights of Europeans (privacy, security of transactions, etc.), Dominique Jeanne and Luc Millot share their views on this subject with La Lettre du DPO. 
1/- What is your background, and what led each of you to take an interest in digital technology and data? 

DJ: “As a lawyer by training, throughout my career at the BDF I have held positions devoted to regulatory practices and developments (in particular relating to overindebtedness and payment incident files), then in the field of banking services and institutional relations (management of State accounts). I was thus able to combine legal expertise with more operational and technical aspects. This led me to take an interest in the protection of personal data and the automation of data processing procedures.” 

LM: “An engineer by training, specialised in industrial computer systems, I then worked in different sectors where data is crucial (telecoms, banks, stock exchange ...), with a strong international dimension, which led me to take an interest in information security and operational risk management. In 2019, I participated in a training course at the IHEDN (Institut des Hautes Études de Défense Nationale), in which I addressed digital sovereignty and during which I met experts from the CNIL.” 


2/- What are your current responsibilities in this respect, within the Banque de France?

DJ: “I am the full-time DPO of the BDF and its subsidiaries, working with a team of three people covering the three main tasks of the Bank (monetary policy, financial stability and services to the economy). For certain activities, this involves processing large volumes of data. My role is one of business support, monitoring compliance with the GDPR, and training/raising awareness. This also covers relations with the Central European Bank, which is subject to EU Regulation 2018/1725 incorporating the essence of the GDPR and which is applicable to European institutions.” 

LM: “For my part, I work mainly on the BDF’s contributions to European projects (payment systems in Central Bank Digital Currency) for which cyber security is of major importance in order to preserve the continent’s financial security, and in the framework of which I carry out appraisal tasks and coordination of experts.” 

3/- How do you see the future of the digital economy and the Central Bank’s currency (the digital euro)?

DJ: “Physical distance imposed by the pandemic has considerably increased contactless and mobile payments. The BDF is supporting the players in these new payment methods so that they can be integrated into the regulatory framework. The use of a central bank currency must respect, as cash does today, the rights and freedoms of users and guarantee the security of personal data by complying with the regulations on personal data protection.” 

LM: “The arrival of certain new players raises issues of sovereignty, particularly for those who issue so-called cryptocurrencies, since minting money is, in essence, the prerogative of the sovereign, with the corollary of protecting the State’s monetary stability. Furthermore, the digital trace left by payment instruments can expose our private lives to the extreme. It is therefore essential that these new tools be governed by strong legal and technical guarantees. The future of digital currency is the battle for trust. After single currency, our Old Continent can and must succeed in winning this battle.” 
Practical Guidance
“CBDC could be designed in such a way that it offers significantly higher data protection than existing electronic payment instruments” 
Barbara Buchalik started her career in private practice as an IT lawyer in Germany before she joined the German Financial Supervisory Authority (BaFin), then the German Federal Ministry of Finance at a time when ICOs were springing up like mushrooms and the regulation of crypto assets, decentralised finance, stablecoins and Central Bank Digital Currency (CBDC) became the centre of discussion. About a year ago she left the public sector and co-founded ‘Brygge’, a FinTech start-up with social impact focusing on a solution for people 55+. Barbara Buchalik agreed to share with La Lettre du DPO her views and practical insights on CBDC, and the discussions surrounding data protection. Click here to read the full version of our exchange. 
 
Data Protection as a unique selling point for CBDC. CBDC could be designed in such a way that it offers significantly higher data protection than existing electronic payment instruments such as card or internet payments. 
 
The ECB recently published a document presenting the privacy options it is considering in the development of a CBDC. Three main privacy options are being considered for the design of the CBDC. 

In the first scenario, the CBDC will be designed to imitate current digital transactions where only intermediaries like commercial banks will have access to transaction data. The second option will allow for selective privacy for low-value/low-risk transactions as information collection by intermediaries will be restricted. The last option will allow for even greater privacy by enabling offline functionality for low-value/low-risk transactions. While each option still requires user checks by intermediaries and central banks during onboarding, the ECB stated that the first scenario is the currently applicable baseline it is working with. 
 
Reconciling data protection and the fight against money laundering and the financing of terrorism. Two policy objectives weigh heavily in the scales: anti-money laundering and combatting the financing of terrorism. Both topics have a high importance in the political agenda. So, will the policy maker be willing to cut back on AML standards in order to enable greater privacy? I am guessing that will hardly be the case. We need an open debate on that issue. The CNIL is taking a very active role in this debate. I do not see that much of a discussion in Germany even though it is known for being a strong advocate of data protection. And still I think this discussion should be held more loudly so that privacy is at least guaranteed for low-value payments. 
UPDATE
Tendencies
CRITEO’S PROFILING ACTIVITY FOR TARGETED ADVERTISING PURPOSES SOON SANCTIONED BY THE CNIL? 
On 5 August 2022, CRITEO announced, via a press release published on its website, that the CNIL’s rapporteur had sent it their final report (not made public) stating several violations of the GDPR and recommending a financial penalty in the amount of 60 million euros. This report follows a complaint sent in November 2018 by the English NGO Privacy International to the CNIL, to the Irish supervisory authority (CPD) and to the English supervisory authority (ICO) against CRITEO, QUANTCAST and TAPAD, all data brokers specialising in targeted advertising. The CNIL opened a formal investigation against CRITEO, following this complaint, in January 2020. Amongst the breaches criticised by Privacy International, there are notably those of violation of the principle of transparency, fairness and lawfulness of the processing of profiling for targeted advertising purposes. Privacy International notes that “one of the major problems with the data-processing activities of these Adtech companies is scale. They are profiling millions of people across the EU at any one time” (§197). The CNIL’s decision is expected in mid-2023.  

News Flash
TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE sanctioned 
In its 2022-2024 strategic plan, the CNIL has placed its focus on organisations failing to enable the exercise of people’s rights. TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE paid the price of such failure just before the summer period. Following the receipt of 27 complaints, the CNIL undertook a compliance audit of France’s third largest electricity and gas supplier, which has nearly 8 million customers and prospects. The company was fined €1 million, mainly for having failed, on the one hand, to implement a method enabling people filling in an energy contract subscription form to object to the re-use of their data for the purpose of sending them commercial offers (Art. L.34-5 French Civil Procedure Code); on the other hand, to inform persons canvassed by telephone via a voicemail message or by any other means of access to this information (implementation of a telephone button to be pressed for example). Further, and of no lesser importance, the company was also sanctioned for violating the right of access and the obligations relating to methods for exercising rights, for not having respected the one-month deadline for responding. 
Google Analytics FAQ: what use is still allowed?  
On 7 June 2022, the French data protection authority (CNIL) published a frequently asked questions document designed to answer the questions raised by the formal notices it sent regarding the now illegal transfer of European Internet users’ data through the use of the Google Analytics audience analysis tool, as a result of the invalidation of the Privacy Shield. Amongst others, the CNIL states, firstly, that the standard contractual clauses and the additional legal, organisational and technical measures put in place by Google with the targeted organisations are deemed insufficient, and that it is not possible to set up the tool in such a way as to prevent transfers outside the European Union. The CNIL then confirms that encryption can constitute an additional guarantee only if the encryption keys are kept under the exclusive control of the data exporter. Lastly, it indicates that a possible solution could be to use a proxy to avoid any contact between the Internet user’s terminal and the Google Analytics servers. Alternatively, obtaining consent from individuals remains possible in the case of occasional transfers only. 
 
Agenda
Monday 7 November 2022 from 2pm to 6pm  
Air2022 event “futures, innovations and revolutions” organised by the CNIL 
Organised by the CNIL, this annual event of ethical reflection, which brings together field, political and scientific expertise, will focus this year on Edtech (publishers of software and interactive digital resources in the education sector) and digital uses in education.    

The event, which will take place from 2pm to 6pm at the CNIL (Paris) and on social networks, will offer a future-oriented reflection on the issue of digital development in education and its ethical consequences on the evolution of the French educational model.   

The Intellectual Property and Digital Law Team at klein • wenner

Fortified by in-depth experience, klein • wenner's attorneys in the IT Law and Intellectual Property team, who are experts in the digital sector and in GDPR, have developed a transversal practice unique in the area of data law. We work with other experts (in cybersecurity, SI/data governance and other areas), and our team offers a global, cooperative approach to all the issues relating to data (privacy, intellectual property, cybersecurity and open data - *with klein • wenner's Public Law team). 
La Lettre du DPO is a publication of KGA Avocats which processes your data in accordance with the regulation regarding personal data. To learn more, click here