Privacy in a Cashless World

Giovanni Buttarelli

Twice a year the EDPS trainees organise an expert discussion on a topical theme related to data protection. Today’s event looks at digital technology and banking. The EDPS has always supported young generations in developing their appetite for knowledge and deepening their involvement in shaping our future. As EDPS, we are proud to act as a platform for sharing knowledge across generations and we believe we will reap the benefits of this intergenerational cooperation in the near future.

I would like to thank Els Kindt for moderating the conference, and Carl-Christian Buhr, Jérémie Dubois-Lacoste, Farid Aliyev and Philippe de Koster for taking part in our lively panel discussion.

Our guest blogger today is Joseph, one of our trainees involved in organising the conference, who provides an introduction here. He and the team should be proud of their efforts.

Slowly but surely, Europe is embracing a cashless way of life.

The rate of change is quicker in some Member States than in others. In Germany, for instance, society remains ‘cash heavy’, while in Sweden, handing over a 200 krona banknote at the supermarket might very well be met with a puzzled look. In any case, our tendency to rely on cashless options to make payments is increasing. Last year, the European Central Bank reported that the use of cash as a percentage of total transactions had fallen across all nations in which surveys were conducted.

Done correctly, the full digitalisation of our monetary system can benefit us all. However, without due care, complications are likely to arise - not least with regard to data protection. With this in mind, the EDPS and EDPB trainees organised a lunchtime conference, entitled Big Banking is Watching You: Privacy in a Cashless World.

The two-hour conference took place earlier this afternoon, on 28th January 2018. Held at the European Parliament in Brussels, it explored the questions surrounding the protection of privacy and personal data in online transactions and payments. Trainees and officials from the EU institutions and beyond were invited to attend. It was particularly encouraging to see so many youthful faces in the audience, eager to find solutions to the privacy concerns emerging today, which will undoubtedly have an impact in the future.

The date chosen for the conference was no coincidence. Every year on 28th January we celebrate Data Protection Day. On this day in 1981, the Council of Europe adopted Convention 108 - dubbed the ‘foundational document on data processing’. To mark the occasion, the 47 countries of the Council of Europe, as well as the European institutions, seek to raise awareness on data protection rights and obligations by hosting various privacy-related events.

The EDPS has always played an active role in Data Protection Day. This year was no different. Alongside the trainee conference, we organised a handful of panels for the CPDP Conference and coordinated an IPEN Privacy Engineering Workshop.

EDPS Giovanni Buttarelli and Assistant EDPS Wojciech Wiewiorowski kicked off proceedings at the trainee conference, offering opening remarks on the topic before the expert discussion began. The trend towards non-cash transactions is merely the most recent development in the long history of human trade. First we engaged in barter, before moving on to metal coins, cheque books and chip-and-PIN cards.

In many ways, a life free from coins and cash sounds appealing. Much of this is down to convenience. After becoming accustomed to hovering a contactless card on top of a payment terminal, even the task of manually entering a PIN feels arduous.

But aside from added convenience which, as far as I am aware, has yet to become a Fundamental Right, the reduction in global cash transactions also allows for a better collection of economic data, a fall in various criminal activities (including money laundering and tax evasion), and even a reduction in the transmission of disease via bacteria-ridden banknotes. Studies have also shown a positive correlation between a cutback in cash and the level of street crime in a society.

Though there is no shortage of writers, both past and present, who have longed for a cashless world, what many of them have overlooked is the potential impact of this on privacy.

All the way back in 1888, American novelist Edward Bellamy published Looking Backward, in which he painted a picture of the United States in the year 2000. Bellamy’s utopia envisioned a society without physical money. Instead, each citizen was granted a ‘credit’ card by the government, allowing for a more egalitarian social order. Bellamy’s conception of a world in which all payments were traceable through receipts would sound alarm bells to any data protection authority today.

Already, the partial digitalisation of the financial system has raised important questions: how is financial data used by those who collect it? Who has access to this data? And how can the prospect of increased surveillance be mitigated? As we move closer towards cashlessness, concerns surrounding social and financial exclusion, profiling and automated decision making will only intensify. It is important to find a compromise between the advantages gained from the full digitalisation of payments and the privacy risks that such an upheaval entails.

Cashless transactions have also become possible using digital currencies. We can expect to see a further uptake in the application of blockchains, the technology used by most cryptocurrencies in order to record transactions, over the coming months and years. The privacy implications surrounding the burgeoning use of blockchains have been high on the agenda of data protection professionals of late. As a result, it was fitting to have a representative on the panel at the trainee conference from a blockchain-based cryptocurrency focused specifically on privacy.

There has been a good deal of discussion as to whether blockchain technology can be compatible with the General Data Protection Regulation (GDPR) when personal information is stored on the chain. This is an interesting debate. To keep things simple, it appears that consonance depends first on the type of blockchain under consideration. For example, permissioned blockchains tend to be more ‘GDPR friendly’ than permissionless blockchains. What’s more, concerning the rights provided for under the GDPR, a public blockchain helps exercise the rights to information, access and portability, but less so the rights to erasure, rectification and objection to processing.

Apparent discordance between certain features of the GDPR and a public blockchain does not mean that we should disregard the new technology altogether. Far from it. Instead, we should look to the principle of privacy by design. Blockchain technology has proven to be malleable. This presents the data protection community with an opportunity to encourage blockchain developers to consider data protection concerns when creating new blockchains. As a united front of data protection and privacy professionals and enthusiasts, we can help shape the future of blockchains to be a privacy conscious technology. And what better occasion to promote the privacy by design precept than on Data Protection Day?

The fintech revolution is reshaping finance and it is important that data protection principles are protected in the process. With the EDPS leading by example, I am confident that we can reap the benefits without experiencing any harmful repercussions to privacy. Earlier, I mentioned Bellamy’s literary depiction of a cashless society, but perhaps we should end by looking closer to home. 503 years ago, Sir Thomas More published Utopia just down the road from us, in Leuven. Like in Looking Backward, the inhabitants of More’s island of Utopia did not carry coins in their pockets. That certainly sounds convenient, but we must ensure that privacy is protected first.

Joseph Sweeney, EDPS Trainee