Europe considers the ability to exercise meaningful enforcement and oversight of data protection rules as a question of strategic sovereignty
Digital payment systems and crypto currencies have been the most debated technologies since the last decade. The development of crypto currencies coincides with a heightened awareness of individual privacy. In the European Union, the GDPR and the ePrivacy Directive guarantees personal data protection and privacy as fundamental rights for everyone. There is no doubt that Libra would be subject to these laws.
The European Data Protection Supervisor (EDPS) examines potential data-sharing triggered by Libra facilities on a scale not witnessed earlier. Even if sharing would be dependent on user consent, the long-term implications could be further loss of control over data. Public storage of million user transactions lasts forever; this is a challenge considering the broad notion of financial data secrecy. Among other principles of GDPR, the data subject’s right to access his or her personal data to modify or erase it. Those responsible for the future Libra Blockchain haven’t yet clarified how Libra would technically allow for effective unlinking or removal of user data.
There are challenges of publicly accessible ledger data. It is expected that among other priorities, fraud detection will be to help process transaction data as a simple requirement of anti-money laundering regulations. No one can rule out other actors developing an interest in the personal data, including for possibly illicit purposes.
And, these are only a few of the potential problems which still need to be addressed and explained explicitly before full deployment. Delivering meaningful answers is all the more critical in light of accusations made against Facebook handling of user data over the years.
Considering all the factors, current crypto currencies are still relatively niche. The estimated number of active Bitcoin users counts up to tens of millions over the decades. The user bases of the Libra Association members – particularly over two billion Facebook users – Libra is expected to become widely used, and in the long term, prove to be transformative. Experience shows that the impact of such disruptive technologies is better assessed before, not after, their wide-scale deployment. This is precisely why the GDPR has specified a set of obligations to carry out a data protection impact assessment in similar cases.
No matter how promising, no technology should have the power to undermine essential privacy and data protection rights. For Europe, the ability to oversee data protection rules and exercise meaningful enforcement is still a question of strategic sovereignty. There are zero doubts regarding Libra potentially having privacy, anonymity, and data protection implications in short as well as long term.
The full extent of the privacy impact of the comprehensive system is unknown today. The European Data Protection Board, along with the other supervisory authorities, will continue the examination of the implications of such technological developments.