Privacy-Enhancing Technologies in Digital Payments: BIS WP 1242 (January 23, 2025) Observations through GDPR Lens


Relevance of the BIS Paper to GDPR Compliance

The BIS Working Paper No. 1242 by Auer, Böhme, Clark, and Demirag provides a critical examination of Privacy-Enhancing Technologies (PETs) in digital payments. This is a well-researched contribution on a topical issue: privacy in the context of consumer protection is giving financial regulators a hard time amid the rapid growth of the digital and payments ecosystem. Therefore, I propose to look at the BIS paper through the lens of GDPR, especially at the points where the BIS proposals intersect with GDPR guidance. Since GDPR is the basis for privacy guidelines worldwide (i.e. the gold standard), this comparative analysis has to be conducted by financial regulators when they decide to implement BIS recommendations to strengthen privacy technology or, more aptly, Privacy by Design.

From a General Data Protection Regulation (GDPR) perspective, this research highlights key issues related to data protection, user control, and lawful processing. The GDPR establishes stringent requirements for the processing of personal data, emphasizing principles such as data minimization, purpose limitation, and accountability. The BIS paper's insights into PETs offer a technological pathway for financial institutions to align their digital payment systems with GDPR compliance obligations. As the authors state, "The issue of privacy for digital money needs to move center stage in the public policy discussion" (Auer et al., 2025). This assertion resonates strongly with GDPR’s core objective: ensuring that privacy and data protection are embedded into financial services by design and default.

The Role of Privacy-Enhancing Technologies in GDPR Compliance

GDPR mandates that personal data processing must be lawful, fair, and transparent, requiring organizations to implement measures that protect users' privacy. The BIS paper categorizes PETs into soft and hard privacy mechanisms, both of which align with GDPR’s Privacy by Design and Privacy by Default principles. Soft privacy mechanisms, such as access controls, data retention policies, and oversight structures, ensure institutional compliance with GDPR mandates. Meanwhile, hard privacy mechanisms, including Zero-Knowledge Proofs, Homomorphic Encryption, and Multi-Party Computation, provide technological safeguards that minimize data exposure and mitigate compliance risks.

The BIS paper underscores that "technology also has an important role to play for soft, institution-based, privacy" (Auer et al., 2025). This aligns with GDPR’s accountability principle, which requires organizations to demonstrate their compliance through structured privacy policies and governance frameworks.

Data Minimization and Anonymization in Digital Payments

A fundamental requirement under GDPR is data minimization, which mandates that organizations should only collect and process personal data that is strictly necessary for a specific purpose. The BIS paper identifies cryptographic techniques such as Zero-Knowledge Proofs and Anonymous Credentials as potential solutions to meet this requirement. These technologies allow transactions to be verified without revealing the underlying personal data, ensuring compliance with GDPR’s pseudonymization and anonymization provisions.

As the BIS authors note, "Better technological solutions offering hard privacy need to emerge, and development efforts should also focus on building payment systems that combine hard and soft approaches" (Auer et al., 2025). This statement reinforces GDPR’s recommendation that financial services should incorporate privacy-preserving architectures that minimize unnecessary data exposure.

Challenges in Balancing Privacy and Regulatory Obligations

While PETs offer promising solutions for GDPR compliance, they also present challenges in balancing privacy with regulatory obligations, such as anti-money laundering (AML) and counter-terrorism financing (CTF) requirements. GDPR explicitly allows proportional data processing for legal and regulatory compliance, which means that PETs must be carefully designed to maintain both privacy and accountability. The BIS paper highlights that "current PETs, such as zero-knowledge proofs, are computationally expensive and may struggle with scalability in large financial systems" (Auer et al., 2025). This presents a potential barrier to widespread adoption within high-volume digital payment infrastructures.

The right to erasure ("right to be forgotten") under GDPR also raises concerns regarding the use of immutable blockchain-based PETs. Organizations leveraging these technologies must explore reversible privacy measures to ensure compliance with GDPR’s data subject rights.

GDPR’s Risk-Based Approach and PET Adoption

GDPR encourages a risk-based approach to data protection, requiring organizations to assess, mitigate, and document privacy risks. The BIS paper aligns with this approach by emphasizing the need for financial institutions to implement PETs based on their unique operational and regulatory environments. As the authors state, "Well-designed payment systems present an opportunity to enhance consumer welfare by offering a level of digital privacy that currently does not exist" (Auer et al., 2025). This reflects GDPR’s broader objective of empowering individuals with greater control over their personal data while promoting innovation in privacy-focused solutions.

By integrating PETs into their privacy strategies, financial institutions can demonstrate compliance with GDPR’s Data Protection Impact Assessment (DPIA) requirements, ensuring that digital payment solutions effectively mitigate privacy risks while remaining legally compliant. By extension, the same applies to financial institutions outside Europe where data privacy laws are similar to GDPR.

Conclusion

From a privacy law regime standpoint, PETs offer a compelling solution for achieving compliance while safeguarding user privacy in digital payments. However, challenges such as scalability, regulatory trade-offs, and user rights must be carefully navigated. As financial institutions continue to modernize their payment infrastructures, adopting a privacy law-aligned Privacy by Design approach that integrates both technological and governance-driven privacy measures will be essential.

References

Auer, Raphael, Rainer Böhme, Jeremy Clark, and Didem Demirag. "Privacy-Enhancing Technologies for Digital Payments: Mapping the Landscape." Bank for International Settlements Working Paper No. 1242, January 2025. https://www.bis.org/publ/work1242.pdf

European Parliament and Council of the European Union. "General Data Protection Regulation (GDPR)." Official Journal of the European Union, Regulation (EU) 2016/679, April 27, 2016. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679


More articles by Dr. Sunando Roy