Activities of Domènec RUIZ DEVESA related to 2023/0212(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on the establishment of the digital euro
Amendments (58)
Amendment 42 #
Proposal for a regulation
Recital 18
Recital 18
(18) Since the digital euro requires the capacity to accept digital means of payment, imposing an obligation of mandatory acceptance of payments in digital euro on all payees could be disproportionate. To this end, exceptions to the mandatory acceptance of payments in digital euro should be provided for natural persons acting in the course of a purely personal or household activity. Exceptions to mandatory acceptance should also be provided for microenterprises, which are particularly important in the euro area for the development of entrepreneurship job creation and innovation, playing a vital role in shaping the economy. Union policies and actions should reduce regulatory burdens for enterprises of this size. Exceptions to mandatory acceptance should also be provided for non-profit legal entities which promote the public interest and serve the public good performing a variety of goals of societal interest, including equity, education, health, environmental protection and human rights. For microenterprises and non-profit legal entities, the acquisition of the required infrastructure and the acceptance costs would be disproportionate. They should therefore be exempted from the obligation to accept payments in digital euro. In such cases, other means for the settlement of monetary debts should remain available. Nevertheless, microenterprises and non-profit legal entities that accept comparable digital means of payment from payers should be subject to the mandatory acceptance of payments in digital euro. Comparable digital means of payment should include debit card payment or instant payment or other future technological solutions used at the point of interaction, but should exclude credit transfer and direct debit that are not initiated at the point of interaction. Microenterprises and non-profit legal entities that do not accept comparable digital means of payment from their payers in settlement of a debt (e.g. they only accept euro banknotes and coins), but may use digital payments in settlement of a debt to their payees (e.g. they pay with credit transfers), should not be subject to the mandatory acceptance of payments in digital euro. Finally, a payee may also refuse a payment in digital euro if the refusal is made in good faith and if the payee justifies the refusal on legitimate and temporary grounds, proportionate to concrete circumstances beyond its control, leading to an impossibility to accept payments in digital euro at the relevant time of the transaction, such as a power outage in the case of online digital euro payment transactions, or a defective device in the case of offline or online digital euro payment transactions.
Amendment 44 #
Proposal for a regulation
Recital 19
Recital 19
(19) In order to ensure that additional exceptions to the mandatory acceptance of the digital euro may be introduced at a later stage if they are required, for example due to technical specificities that may appear in the future, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of the introduction of additional exceptions of a monetary law nature to the obligation to accept digital euro payment transactions, which would apply in a harmonised way across the euro area, taking into account any proposals from Member States to this end. The Commission may only adopt such exceptions if they are necessary, justified on grounds of general interest, proportionate, and preserve the effectiveness of the legal tender status of the digital euro and if other public means of payment are available. The power of the Commission to adopt delegated acts for the introduction of additional exceptions to the obligation to accept digital euro payment transactions should be without prejudice to the possibility for Member States, pursuant to their own powers in areas of shared competence, to adopt national legislation introducing exceptions to the mandatory acceptance deriving from the legal tender status in accordance with the conditions laid down by the Court of Justice of the European Union in its judgment in Joined Cases C-422/19 and C-423/19.
Amendment 64 #
Proposal for a regulation
Recital 71
Recital 71
(71) The digital euro should therefore be designed so as to minimise the processing of personal data by payment service providers and by the European Central Bank to what is necessary to ensure the proper functioning of the digital euro as referred to under Article 5, paragraph 1, point c of the GDPR. The digital euro should be available offline, with a level of privacy vis a vis payment service providers which is comparable to withdrawals of banknotes at automatic teller machines. The settlement of digital euro transactions should be designed in such a way that neither the European Central Bank nor national central banks can attribute data to an identified or identifiable digital euro user.
Amendment 65 #
Proposal for a regulation
Recital 73
Recital 73
(73) Payment service providers should be able to process personal data in so far asonly if they are performing a task in the public interest on the basis of a legal obligation (Article 6(1)(c) GDPR) it is necessary to fulfil tasks that are essential to the proper functioning of the digital euro. In line with Article 6(1)(c) of Regulation (EU) 2016/679, processing activities should be considered lawful as regards the digital euro if and to the extent that they are necessary for compliance with a legal obligation to which the controller is subject pursuant to this Regulation. In the framework of this regulation, the processing of personal data for the purposes of the enforcement of holding limits, the initiation of the funding and de- funding of a user’s holdings, and the management of local storage devices for offline digital euro payments are tasks in the public interest that are essential for the protection of citizens making use of the digital euro as well as for the stability and integrity of the Union's financial system. Payment service providers will be the controller of personal data as regards these tasks. In addition, payment service providers may process personal data to comply with existing tasks in the public interest or for compliance with a legal obligation established in Union law that apply to funds defined in Directive (EU) 2015/2366. These tasks apply to the provision of payment services and the prevention and detection of fraud in accordance with Directive (EU) 2015/2366, combatting money laundering and terrorist financing in accordance with Directive (EU) 2015/849, the fulfilment of obligations related to taxation and tax avoidance, and the management of operational and security risks in line with Regulation (EU) 2022/255. No further processing of personal data is allowed. This includes the access, storage and processing of data by third parties in the framework of open banking
Amendment 69 #
Proposal for a regulation
Recital 76
Recital 76
(76) The European Central Bank and national central banks may process personal data in so far as it is necessary to fulfil tasks that are essential to the proper functioning of the digital euro on the basis of Article 6(1)(e) GDPR and Article 5(1)(a) EUDPR. In the framework of this regulation, the processing of personal data for the purposes of the settlement of digital euro payment transactions and the management of the security and integrity of the digital euro infrastructure are tasks in the public interest that are essential for the protection of citizens making use of the digital euro as well as for the stability and integrity of the Union's financial system. The task of maintaining the security and integrity of digital euro infrastructure includes activities related to ensuring the stability and operational resilience of the digital euro. The European Central Bank and national central banks would be the controller of personal data as regards these tasks. The European Central Bank and national central banks would process personal data for these tasks using state-of- the-art security and privacy-preserving measures, such as pseudonymisation or encryption, to ensure that data cannot be used to directly identify a specific digital euro user..
Amendment 70 #
Proposal for a regulation
Recital 77
Recital 77
(77) For the purpose of enforcing the holding limits and ensuring the exceptional switching of digital euro payment accounts in emergency situations upon the request of the digital euro user, a single access point of digital euro user identifiers and the related digital euro holding limits is necessary to ensure the efficient functioning of the digital euro across the entire euro area, as digital euro users may hold digital euro payment accounts in different Member States. When establishing the single access point, the European Central Bank and national central banks should ensure that the processing of personal data is minimised to what is strictly necessary . with due respect to the principle of necessity and proportionality and that data protection by design and by default is embedded. The European Central Bank and national central banks should consider, where appropriate and to minimise the risk of data breaches, the use of decentralised data storage.
Amendment 73 #
Proposal for a regulation
Recital 83
Recital 83
(83) In order to ensure uniform conditions for the application of holding and transaction limits for offline proximity payments, implementingdelegated powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council40 . The examination procedurethe procedure referred in Article 38 should be used for the adoption of the implementingdelegated acts specifying the transaction and holding limits of the offline digital euro, given that those acts contributes to the fight against money laundering and terrorist financing. _________________ 40 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
Amendment 88 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
2. Within the framework of this Regulation, the digital euro shall also be governed by the detailed measures, rules and standards that may be adopted by the European Central Bank pursuant to its own competences. Where these detailed measures, rules and standards have an impact on the privacy and protection of individuals’ rights and freedom with regard to the processing of their personal data, the European Central Bank shall consult the European Data Protection Supervisor prior to their adoption.
Amendment 91 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
Article 6 – paragraph 2 a (new)
2 a. Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [General Data Protection Regulation] and Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [EUDPR] shall govern the supervision by competent authorities, the sanctions regime and supervisory arrangements between the competent authorities of the home Member States and the host Member States, concerning compliance by data controllers of their obligations pursuant to Chapter VIII of this Regulation
Amendment 93 #
Proposal for a regulation
Article 9 – paragraph 1 – point a
Article 9 – paragraph 1 – point a
(a) where the payee is a an enterprise which employs fewer than 10 persons or whose annual turnover or annual balance sheet total does not exceed EUR 2 million, or is a non-profit legal entity as defined in in Article 2, point (18), of Regulation (EU) 2021/695 of the European Parliament and of the Council44 , unless it accepts comparable digital means of payment; _________________ 44 Regulation (EU) 2021/695 of the European Parliament and of the Council of 28 April 2021 establishing Horizon Europe – the Framework Programme for Research and Innovation, laying down its rules for participation and dissemination, and repealing Regulations (EU) No 1290/2013 and (EU) No 1291/2013 (OJ L 170, 12.5.2021, p. 1).
Amendment 94 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
For the purposes of point (b) and (d), the burden of proof to establish that legitimate and temporary grounds existed in a particular case and that the refusal was proportionate shall be on the payee.
Amendment 96 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
The Commission is empowered to adopt delegated acts in accordance with Article 38 to supplement this Regulation by identifying additional exceptions of a monetary law nature to the principle of mandatory acceptance. Those exceptions shall be justified by an objective of public interest and proportionate to that aim, shall not undermine the effectiveness of the legal tender status of the digital euro, and shall only be permitted provided that other public means for the payment of monetary debts are available. When preparing those delegated acts, the Commission shall consult the European Central Bank.
Amendment 101 #
Proposal for a regulation
Article 13 – paragraph 4 – subparagraph 2
Article 13 – paragraph 4 – subparagraph 2
For the purpose of points (a) and (b), and upon prior approvalermission by the digital euro users, payment service providers shall link each digital euro payment account to a single non-digital euro payment account designated by the digital euro users. Digital euro users shall be allowed to have that designated non-digital euro payment account with a different payment service provider than the one where a given digital euro payment account is held.
Amendment 109 #
Proposal for a regulation
Article 14 – paragraph 5
Article 14 – paragraph 5
5. The anti-money laundering authority of the Union (‘AMLA’) established under Regulation (EU) [please insert reference - proposal for a Regulation creating an EU Authority for anti-money laundering and countering the financing of terrorism (‘AMLA’) - COM/2021/421 final)] and the European Banking Authority shall jointly issue guidelines specifying the interaction between AML/CFT requirements andon the provision of basic digital euro payment services with a particular focus on financial inclusion of vulnerable groups inc, exluding asylum seekers or beneficiaries of international protection, individuals with no fixed address or third country nationals who are not granted a residence permit but whose expulsion is impossible for legal or factual reasons.the registration of the status of digital euro users
Amendment 116 #
Proposal for a regulation
Article 17 – paragraph 4
Article 17 – paragraph 4
4. The European Central Bank may require payment service providers to provide all information necessary for the application of this Article and to verify compliance with it. Any information requested shall be sent by payment service providers within the time limit set by the European Central Bank. The European Central Bank may require that such information is certified by an independent auditor. The request by the European Central bank shall be made in accordance with the data protection rules for the purposes of the processing, including the principle of data minimisation. The requests for information by the European Central Bank shall always be in writing, reasoned and occasional, and shall not concern the entirety of a filing system or lead to the interconnection of filing systems
Amendment 120 #
Proposal for a regulation
Article 19 – paragraph 3
Article 19 – paragraph 3
3. The agreement between the Union and the third country shall specify the necessary implementing measures and procedures, and the cases under which the agreement may be restricted, suspended, or terminated, in particular where the third country has been identified as a third country with significant strategic deficiencies in its national anti-money laundering and combating the financing of terrorism regime as referred to in Article 23 of Regulation [please insert reference – proposal for Anti-Money Laundering Regulation - COM/2021/420 final] or as a third country with compliance weaknesses in its national anti-money laundering and combating the financing of terrorism regime as referred to in Article 24 of Regulation [please insert reference – proposal for Anti-Money Laundering Regulation - COM/2021/420 final] ] or as a third country posing a threat to the Union’s financial system as referred to in Article 25 of Regulation [insert reference – proposal for Anti-Money Laundering Regulation - COM/2021/420 final]. . That agreement shall be complemented by an arrangement between the European Central Bank and the national central bank and, where appropriate, the national competent authority of the third country.
Amendment 127 #
Proposal for a regulation
Article 27 – paragraph 2
Article 27 – paragraph 2
2. The European Central Bank and the national central banks may make mechanisms available for payment services providers to facilitate the exchange of messages for the resolution of disputes. To this purpose, transaction data shall be pseudonymised. Those mechanisms may be operated directly by the European Central Bank or by the providers of support services designated by the European Central Bank.
Amendment 138 #
Proposal for a regulation
Article 33 – paragraph 3 a (new)
Article 33 – paragraph 3 a (new)
3 a. For the purpose of fraud detection and prevention, payment service providers and the European Central Bank shall take into account the principles of data protection by design and by default, as defined in Regulation (EU) 2016/679 ensuring that the processing of personal data is carried out in such a manner that the personal data can no longer be attributed to an individual digital euro user without the use of additional information
Amendment 140 #
Proposal for a regulation
Article 34 – paragraph 1 – subparagraph 1 – introductory part
Article 34 – paragraph 1 – subparagraph 1 – introductory part
Payment service providers perform a task in the public interest whereshall process personal data solely where they perform a task in the public interest that are limited to the following purposes, nd for which they processing of personal data for the following purposesunder indent (a) to (c) are to be performed on the basis of (Article 6(1)(c) GDPR).:
Amendment 146 #
Proposal for a regulation
Article 34 – paragraph 1 – subparagraph 1 – point a
Article 34 – paragraph 1 – subparagraph 1 – point a
(a) the enforcement of limits, including the verification of whether prospective or existing digital euro users have digital euro accounts with another PSP, as referred to in Article 16; for the purposes of enforcement of limits
Amendment 149 #
Proposal for a regulation
Article 34 – paragraph 1 – subparagraph 1 – point c
Article 34 – paragraph 1 – subparagraph 1 – point c
(c) the provision of offline digital euro, including the registration and de- registration of the local storage devices as referred to in letter (b) of Annex I; for the provision of offline digital euro
Amendment 155 #
Proposal for a regulation
Article 34 – paragraph 2
Article 34 – paragraph 2
2. For the purposes referred to in paragraph 1 (a) to (c), of this Article, Annex III lays down the types of personal data. that can be processed
Amendment 164 #
Proposal for a regulation
Article 34 – paragraph 4 a (new)
Article 34 – paragraph 4 a (new)
4 a. The European Data Protection Board, after consulting the European Central Bank, shall issue guidelines on the implementation of appropriate technical and organisation measures including of anonymisation techniques
Amendment 166 #
Proposal for a regulation
Article 34 – paragraph 4 b (new)
Article 34 – paragraph 4 b (new)
4 b. No further processing of personal data shall be allowed.
Amendment 167 #
Proposal for a regulation
Article 34 – paragraph 4 c (new)
Article 34 – paragraph 4 c (new)
4 c. For the purpose of authentication and identification, and in line with the principles of data minimisation and data protection by design and by default as laid down in 2016/679/EU, payment service providers shall provide, by default, authentication and identification methods that do not rely on biometric data
Amendment 171 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
1. The European Central Bank and the national central banks perform a task in the public interest or exercise official authority where they may process personal data for the following purposes:
Amendment 176 #
Proposal for a regulation
Article 35 – paragraph 4
Article 35 – paragraph 4
4. Personal data processed for tasks referred to in paragraph 1 shall be supported by appropriate technical and organisational measures including state-of- the-art security and privacy-preserving measures. This shall include the clear segregation of personal data to ensure that the European Central Bank and the national central banks cannot directly or indirectly identify individual digital euro users.
Amendment 177 #
Proposal for a regulation
Article 35 – paragraph 4 a (new)
Article 35 – paragraph 4 a (new)
4 a. Providers of support services designated under this Article shall be subject to the Directive and Regulation on digital operational resilience for the financial sector
Amendment 179 #
Proposal for a regulation
Article 35 – paragraph 5
Article 35 – paragraph 5
5. The European Central Bank shall be considered the controller of personal data under as regards to the purposes referred to in paragraphs 1 and 8 of this Article. When the European Central Bank carries out a task referred to in paragraphs 1 and 8 jointly with the national central banks, they shall be joint controllers for that task.
Amendment 180 #
Proposal for a regulation
Article 35 – paragraph 6 a (new)
Article 35 – paragraph 6 a (new)
6 a. European Central Bank shall, in cooperation with Payment Service Providers, take all necessary measures to ensure the effectiveness of data subjects' rights under the General Data Protection Regulation
Amendment 187 #
Proposal for a regulation
Article 36 – paragraph 1 – introductory part
Article 36 – paragraph 1 – introductory part
1. Where the European Central Bank decides to confer tasks referred to in Article 27 and 32 upon providers of support services, providers of support services shall provide payment-related services across PSPs. In such a situation, payment service providers shall solely process personal data where they perform a task in the public interest, where they process personal data forlimited to the following purposes:
Amendment 200 #
Proposal for a regulation
Article 37 – paragraph 2
Article 37 – paragraph 2
2. TPersonal transaction data shall not be retainprocessed by payment service providers or by the European central banks and the national central banks.
Amendment 206 #
Proposal for a regulation
Article 37 – paragraph 5
Article 37 – paragraph 5
5. The Commission is empowered to adopt implementingdelegated acts setting offline digital euro payment transaction limits and holding limits. Those implementingdelegated acts shall be adopted in accordance with the examination procedure referred to in Article 398.
Amendment 208 #
Proposal for a regulation
Article 37 – paragraph 6 – subparagraph 1 – introductory part
Article 37 – paragraph 6 – subparagraph 1 – introductory part
Transaction and holding limits shall take into account the need to prevent money laundering and terrorist financing while not unduly restricting the use of the offline digital euro as a means of payment. The Commission, when drawing up the implementingdelegated acts referred to in paragraph 5, shall take into account in particular the following:
Amendment 213 #
Proposal for a regulation
Article 37 – paragraph 6 – subparagraph 2
Article 37 – paragraph 6 – subparagraph 2
For the purposes of point (a), the Commission may request AMLA to adopt an opinion assessing the level of money laundering and terrorist financing threats associated with the offline digital euro and its vulnerabilities. The Commission mayshall consult the European Data Protection Board.
Amendment 214 #
Proposal for a regulation
Chapter X – title
Chapter X – title
X FINAL PROVISIONS
Amendment 217 #
Proposal for a regulation
Article 38 – paragraph 3 a (new)
Article 38 – paragraph 3 a (new)
3 a. When adopting delegated acts pursuant to Article 34 or Article 35 of this Regulation, the European Commission shall consult the European Data Protection Supervisor and European Data Protection Board as laid down in Article 42 of the Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
Amendment 226 #
Proposal for a regulation
Annex III – point 1 – introductory part
Annex III – point 1 – introductory part
1. For the purpose of point (a) of Article 34(1), processing of personal data shall be limited to:
Amendment 228 #
Proposal for a regulation
Annex III – point 1 – point iii
Annex III – point 1 – point iii
(iii) information on digital euro payment accounts; including information on digital euro holdings of the digital euro user and the unique digital euro payment account number; and
Amendment 230 #
Proposal for a regulation
Annex III – point 1 – point iv
Annex III – point 1 – point iv
(iv) information on online digital euro payment transactions, including the transaction identifier and the transaction amount.
Amendment 233 #
Proposal for a regulation
Annex III – point 2 – introductory part
Annex III – point 2 – introductory part
2. For the purpose of point (b) of Article 34(1), processing of personal data shall be limited to:
Amendment 234 #
Proposal for a regulation
Annex III – point 2 – point iii
Annex III – point 2 – point iii
(iii) information on digital euro payment accounts, including the unique digital euro payment account number; and
Amendment 238 #
Proposal for a regulation
Annex III – point 2 – point iv
Annex III – point 2 – point iv
(iv) information of non-digital euro payment accounts, including the account number of the linked non-digital euro payment account.
Amendment 241 #
Proposal for a regulation
Annex III – point 3 – introductory part
Annex III – point 3 – introductory part
3. For the purpose of point (c) of Article 34(1), processing of personal data shall be limited to:
Amendment 242 #
Proposal for a regulation
Annex III – point 3 – point i
Annex III – point 3 – point i
(i) the user identifier; including the name of the local storage device holders; and
Amendment 244 #
Proposal for a regulation
Annex III – point 3 – point ii
Annex III – point 3 – point ii
(ii) information on the local storage device, including the identifier of the local storage device.
Amendment 248 #
Proposal for a regulation
Annex IV – point 1
Annex IV – point 1
Amendment 253 #
Proposal for a regulation
Annex IV – point 2 – introductory part
Annex IV – point 2 – introductory part
2. For the purpose of point (b) of Article 35(1), processing of personal data shall be limited to:
Amendment 255 #
Proposal for a regulation
Annex IV – point 2 – point i
Annex IV – point 2 – point i
(i) the user alias;a one-time identifier created by the Payment Services Provider allowing the European Central Bank and national central banks to settle the payment without allowing them to directly or indirectly identify individual digital euro users
Amendment 256 #
Proposal for a regulation
Annex IV – point 2 – point iv
Annex IV – point 2 – point iv
Amendment 260 #
Proposal for a regulation
Annex IV – point 3
Annex IV – point 3
3. For the purpose of point (c) of Article 35(1), processing shall beof personal data shall be strictly limited to the data required for counterfeit analysis of offline digital euro payment transactions: information on the local storage device, including the local storage device number.
Amendment 261 #
Proposal for a regulation
Annex IV – point 4 – introductory part
Annex IV – point 4 – introductory part
4. For the purposes of points (d) and (e) of Article 35(1), and the single access point referred to in Article 345(8), processing shall beof personal data shall be strictly limited to:
Amendment 262 #
Proposal for a regulation
Annex IV – point 4 – point ii
Annex IV – point 4 – point ii
Amendment 264 #
Proposal for a regulation
Annex IV – point 4 – point iii
Annex IV – point 4 – point iii
(iii) information on digital euro payment accounts, including the unique digital euro payment account number, digital euro holdings of the usdigital euro holdings linked to a user identifier, the holding limit selected by the user and the type of digital euro account.
Amendment 267 #
Proposal for a regulation
Annex V – paragraph 1 – introductory part
Annex V – paragraph 1 – introductory part
For the purposes of point (a) of Article 36(1), processing shall beof personal data shall be strictly limited to the data required for the prevention and detection of fraud across payment service providers:
Amendment 268 #
Proposal for a regulation
Annex V – paragraph 1 – point i
Annex V – paragraph 1 – point i
(i) information on digital euro payment accounts, including the unique digital euro account identifier;the user aliases
Amendment 272 #
Proposal for a regulation
Annex V – paragraph 1 – point ii
Annex V – paragraph 1 – point ii
(ii) information on online digital euro payment transactions, including the transaction amount; and
Amendment 274 #
Proposal for a regulation
Annex V – paragraph 1 – point iii
Annex V – paragraph 1 – point iii
(iii) the device internet protocol address-range providing information on the transaction session of a digital euro user, including the device internet protocol address-range .