Cash-like privacy in the digital euro has become one of the clearest examples of why many critics view CBDCs as structurally incompatible with true cash-style freedom. The project’s toughest tradeoff is effectively a forced choice between meaningful user anonymity and strict AML/CTF enforcement.
Negotiations in late 2025 produced a compromise centered on dual online and offline modes, but the underlying message is blunt: the system cannot deliver what the public typically associates with cash privacy. Digital “cash-like” privacy is explicitly framed as an approximation rather than full anonymity.
Why “Cash-Like” Privacy Still Means Built-In Constraints
The offline digital euro was specified to maximize transactional privacy by keeping payment data on the devices of the transacting parties, while recording only wallet funding and defunding. Even in the most privacy-oriented mode, participation depends on certified devices holding private keys and is limited to low-value, everyday payments.
Regulators and technical experts warned that offline payments cannot perfectly replicate the untraceability of physical cash, and the European Data Protection Board flagged practical limits like the inability to guarantee physical proximity and exposure to relay attacks. Policy texts therefore describe offline payments as “highly private” while conceding they are not fully anonymous.
Compliance First, Privacy Second in the Online Design
The online digital euro is built around a different set of tradeoffs: the central bank would hold only pseudonymized payment data, while regulated intermediaries such as payment service providers would process the minimum information required to satisfy AML/CTF rules. In practice, the design embeds regulated visibility into the payment flow, even when the stated goal is restraint.
The compromise also includes rules that prevent intermediaries from using payment data for commercial profiling without user consent. The need for explicit prohibitions underscores that transactional data remains valuable and potentially exploitable within the CBDC distribution chain.
The governance picture reinforces how contested and politically exposed the model is, with multiple bodies pulling on different levers. The ECB proposed the core architecture, the Council pushed for limits, the Parliament is expected to press for stronger privacy safeguards, and the Commission retains delegated powers shaping implementation details.
Transaction and holding limits were positioned as core policy tools, with tighter caps on offline transfers and wallet holdings advanced to reduce AML/CTF risks and limit deposit flight from commercial banks. The Council’s mandate in December 2025 formalized those options and framed them as necessary tradeoffs between privacy and financial stability. These caps translate the privacy debate into hard constraints on how people can actually use the instrument.
ECB President Christine Lagarde summarized the handoff from engineering to politics by saying, “The decision now rests with EU lawmakers,” noting that technical readiness had been completed while legal and political choices remained. That framing highlights a recurring CBDC concern: the decisive issues are governance and control, not just technology.
EU lawmakers will finalize the legal framework and the Parliament’s bargaining positions will determine how the compromise becomes operational rules. Market participants from PSPs and banks to compliance teams and privacy-focused product designers will track the negotiations closely because the outcome will dictate costs, compliance models, and adoption. The legislative endgame will test whether citizens will accept enhanced privacy in principle while living with enforceable constraints in practice.
