We need to address Libra’s privacy problems before it's too late

For Europe, the ability to exercise meaningful enforcement and oversight of data protection rules is a question of strategic sovereignty

Digital payment systems and cryptocurrencies are among the most hotly debated technologies of the last decade. Their development coincides with a heightened interest on the part of individuals in their privacy and the protection of their personal data. Given the involvement of multinational companies and the complexity of the design, some are fascinated by and enthusiastic about the Libra system.

New services offered in this field require attention from data protection regulators since privacy and data protection, along with the implications of choices made in the design phase, should be addressed before such systems or services become operational. In the European Union, the General Data Protection Regulation (GDPR) and the ePrivacy Directive guarantee privacy and personal data protection as fundamental rights for every individual. There can be no doubt that Libra would be subject to these laws.

It is clear that payment and transaction data convey a lot of information about the user, facilitating profiling. The European Data Protection Supervisor (EDPS) mainly examines potential data-sharing that may be triggered by Libra facilities on a previously unseen scale. Even if sharing would be conditional on user consent, the long-term implications may be the further loss of control over data.

Public storage of the transactions of millions of users that lasts for ever may be seen as challenging the broad notion of financial data secrecy, regardless of user identities being known only to the digital wallet controllers. Among the principles of GDPR is the data subject’s right to access his or her own personal data, and to modify or erase it. To this day, those responsible for the future Libra blockchain have not clarified how Libra would technically allow for effective removal or unlinking of user data.

Publicly accessible ledger data raises further challenges. Fraud detection is already expected to be among the first reasons for processing transaction data, since it is a simple requirement of anti-money laundering regulations. We cannot rule out other actors developing an interest in the data, including for possibly illicit purposes.

These are only a few of the potential problems. We expect them to be addressed and explained properly before full deployment. Delivering meaningful answers is all the more necessary in light of Facebook’s handling of user data that we have seen over the years.

All things considered, current cryptocurrencies are still relatively niche. The estimated number of active Bitcoin users is counted in tens of millions, and reaching this number took ten years. Given the user bases of some of the Libra Association members – particularly the more than two billion Facebook users – Libra might become widely used very quickly, and in the long term prove to be transformative.

We have seen recently how transformative technologies, namely advertisement infrastructures, have found their use in wide-scale abuse to profile and target voters. Many such risks could have been predicted in advance, and handled appropriately. Experience shows that the impact of such technologies is better assessed before, not after, their broad deployment. This is precisely why the GDPR lays down a specific obligation to carry out a data protection impact assessment in such cases.

No matter how promising, no technology should be able to undermine basic privacy and data protection rights. For Europe, the ability to exercise meaningful enforcement and oversight of data protection rules is today also a question of strategic sovereignty. There are no doubts about Libra potentially having anonymity, privacy and data protection implications in the short, medium and long term. The full extent of the privacy impact of the broad system is not known today.

The EDPS, together with the other supervisory authorities in the European Data Protection Board, will continue its work on monitoring these technological developments.

Wojciech Wiewiórowski is the European Data Protection Supervisor

This article was originally published by WIRED UK