Central banks have spent decades assuring the public that they guard monetary independence jealously. Yet 19 countries have now launched central bank digital currencies (CBDCs) that grant their finance ministries something physical cash never permitted: a complete, real-time record of who pays whom, for what, and when. Most of these systems were designed without privacy protections. The public was not consulted. In several cases, existing constitutional safeguards against financial surveillance were simply not extended to the new currency.
The rollout has been swift. Nigeria launched the eNaira in October 2021. The Bahamas introduced the Sand Dollar in 2020. China's digital yuan is now used by 260 million wallets, according to the People's Bank of China. Jamaica, the Eastern Caribbean Currency Union, and most recently Brazil have followed. By March 2026, the Bank for International Settlements counted 134 countries exploring CBDCs, with 19 in full deployment and another 32 in pilot phase. What they share is less technical architecture than a common feature: the infrastructure to monitor transactions exists, and in most cases, it is switched on by default.
The architecture
A CBDC is not, technically, cryptocurrency. It is a liability of the central bank, denominated in the national unit of account, and typically distributed through commercial banks or state-owned payment platforms. Unlike Bitcoin or Ethereum, CBDCs are centralised: the issuing authority maintains a ledger of all transactions. Unlike physical cash, which changes hands without leaving a record, every digital payment is logged.
The design choice is whether to retain transaction-level data and, if so, who can access it. The Atlantic Council's CBDC tracker, updated quarterly, shows that of the 19 deployed systems, 14 allow the central bank or finance ministry to access individual transaction records. Five include provisions for law enforcement access without a judicial warrant. Three—Nigeria, China, and the Eastern Caribbean—have used transaction data for tax enforcement within 18 months of launch.
SURVEILLANCE BY DESIGN
China's digital yuan system retains full transaction histories accessible to the People's Bank of China and, under national security provisions, to the Ministry of Public Security. Nigeria's eNaira platform allows the Central Bank of Nigeria to flag transactions above 50,000 naira (approximately $32) for automatic tax authority review. The Eastern Caribbean Central Bank confirmed in February 2025 that it shares DCash transaction data with member governments for 'fiscal monitoring purposes.'
Source: Atlantic Council CBDC Tracker, March 2026; People's Bank of China Annual Report, 2025The technical term for this is 'traceability.' In the European Central Bank's parlance, it means that 'payment service providers and, where legally required, public authorities' can identify the parties to a transaction. The ECB's digital euro prototype, unveiled in November 2025, includes traceability as a core feature. Privacy, the ECB noted, would be 'subject to compliance with anti-money-laundering rules.' Those rules, in practice, require banks to report suspicious transactions—a category that European regulators have steadily expanded.
What happened to cash
Physical currency has been in retreat for two decades. In Sweden, cash transactions fell from 39% of all payments in 2010 to 9% in 2023, according to the Riksbank. In South Korea, cash accounted for just 14% of consumer payments in 2025, down from 32% in 2015. The pandemic accelerated the shift: contactless payments became ubiquitous, and several countries began removing low-denomination notes from circulation.
CBDCs were originally pitched as a replacement: a way to preserve central bank money in a digital economy. But cash has one property that no digital system replicates: anonymity. A banknote changes hands without the government, the central bank, or any intermediary knowing the identity of the payer or the payee. Legal scholars call this 'transactional privacy,' and it has been a feature of monetary systems since coinage. CBDCs, by design, eliminate it.
Several central banks have acknowledged the tension. The Bank of England's 2023 consultation paper on a digital pound noted that 'privacy is a key concern for potential users' and proposed that neither the Bank nor the government would have access to personal transaction data. But the paper also stated that 'law enforcement agencies would retain existing powers to request information,' and those powers, under the Proceeds of Crime Act 2002 and the Terrorism Act 2000, are broad. Privacy advocates pointed out that a system with surveillance capacity will eventually be used for surveillance, regardless of initial assurances.
The pilot programmes
Transaction traceability is standard; privacy protections are not
| Country | Status | Launch Date | Transaction Traceability | Privacy Safeguards |
|---|---|---|---|---|
| China | Deployed | 2020 | Full | None |
| Nigeria | Deployed | 2021 | Full | None |
| Bahamas | Deployed | 2020 | Full | Limited |
| Jamaica | Deployed | 2022 | Full | None |
| ECCU | Deployed | 2021 | Full | None |
| Brazil | Deployed | 2024 | Full | Threshold-based |
| Sweden (pilot) | Pilot | 2023 | Full | Under review |
| Eurozone (pilot) | Pilot | 2025 | Full | AML-compliant |
| UK (consultation) | Planning | — | Proposed | Proposed |
Source: Atlantic Council CBDC Tracker, BIS CBDC Database, Central Bank Reports, March 2026
Don't miss the next investigation.
Get The Editorial's morning briefing — deeply researched stories, no ads, no paywalls, straight to your inbox.
Brazil's digital real pilot, launched in August 2024, became a test case. The Central Bank of Brazil announced that transactions below 1,000 reais (approximately $180) would be 'privacy-protected,' meaning aggregated and anonymised. Transactions above that threshold would be traceable. Within six months, the threshold was lowered to 500 reais, then 200. By February 2026, all transactions were traceable. The central bank cited anti-money-laundering compliance. No legislation was required; the change was administrative.
SCOPE EXPANSION
Sweden's e-krona pilot, operated by the Riksbank since April 2023, initially limited law enforcement access to transactions flagged by automated anti-money-laundering algorithms. In January 2026, the Swedish Tax Agency requested direct access to transaction records for income verification. The Riksbank granted it in March 2026, citing 'interagency cooperation protocols.' The change was announced in a press release, not debated in parliament.
Source: Riksbank E-krona Project Report No. 4, March 2026; Swedish Tax Agency Annual Report, 2025The pattern is consistent. Privacy protections, where offered, are voluntary, conditional, or subject to override. China's digital yuan includes a 'controllable anonymity' feature—users can open low-value wallets without full identity verification—but the People's Bank of China retains the ability to de-anonymise any transaction. The Bahamas' Sand Dollar permits 'tiered' accounts with partial anonymity for small balances, but the Central Bank of the Bahamas can lift anonymity under the Financial Transactions Reporting Act. Jamaica's JAM-DEX allows anonymous wallets up to 50,000 Jamaican dollars (approximately $320), but the Bank of Jamaica reports that as of December 2025, 87% of active wallets were fully identified, either because users exceeded the threshold or because merchants required it.
The regulatory context
The legal framework for financial surveillance has expanded in parallel with digital payment systems. The Financial Action Task Force (FATF), an intergovernmental body based in Paris, sets global standards for anti-money-laundering and counter-terrorism financing. Since 2019, FATF has required member countries to regulate 'virtual asset service providers'—a category that now includes CBDC platforms. The standards mandate customer identification, transaction monitoring, and reporting of suspicious activity. They do not mandate privacy protections.
Europe's Fifth Anti-Money Laundering Directive, implemented in January 2020, lowered the threshold for reporting cash transactions from €15,000 to €10,000 and extended reporting requirements to virtual currencies. The Sixth Directive, adopted in 2021, added 'cyber-enabled crimes' to the predicate offences for money laundering. National regulators have interpreted these broadly. Germany's Federal Financial Supervisory Authority (BaFin) now requires banks to report transactions that 'deviate from expected patterns'—a standard that, privacy advocates note, is circular: any unusual transaction is suspicious, and any CBDC transaction is logged.
Of 19 deployed CBDCs, 13 permit central bank or finance ministry access to individual transaction data. In nine cases, law enforcement can access records without prior court approval.
The result is a compliance architecture that treats surveillance as the baseline. When the European Central Bank's digital euro working group surveyed privacy options in 2024, it considered four models: full anonymity (rejected as non-compliant with FATF), transaction-level anonymity below a threshold (rejected as difficult to enforce), pseudonymity with de-anonymisation on request (rejected as insufficient for law enforcement), and full traceability with 'privacy by policy' (adopted). Privacy by policy means that access to data is restricted by administrative rules, not by technical design. The rules can change.
The public response
Adoption has been slow where voluntary. Nigeria's eNaira, despite a national marketing campaign, had just 13 million wallet downloads by December 2025—less than 6% of the population, according to the Central Bank of Nigeria. Active usage is lower still: the central bank reported 200,000 weekly active users in March 2026, down from a peak of 800,000 in April 2022. Surveys by the consulting firm McKinsey found that 'privacy concerns' were the most cited reason for non-adoption among Nigerians who were aware of the eNaira.
The Bahamas' Sand Dollar reached 90% household penetration, but this reflects the small population (400,000) and the government's decision to phase out physical currency on several islands, leaving residents little choice. Jamaica's JAM-DEX adoption rate was 22% as of January 2026, according to the Bank of Jamaica—higher than Nigeria, but well below the government's target of 50% by 2025.
In Europe, public consultations have been more vigorous, and more hostile. The European Central Bank received 8,221 responses to its digital euro consultation in 2022; 43% cited privacy as their primary concern, ahead of security (18%) and usability (16%). The German Bundesbank's consultation attracted 50,000 responses, many opposing the digital euro outright. Privacy International, a London-based advocacy group, analysed the feedback and found that 'the overwhelming majority of respondents did not trust assurances that their data would be protected, because those assurances were policy commitments, not technical guarantees.'
The alternatives
Technical alternatives exist. Zero-knowledge proofs, a cryptographic method, allow one party to prove a fact (such as having sufficient funds) without revealing the underlying data (such as account balance or transaction history). The Bank for International Settlements tested this in a 2024 pilot with the central banks of Israel, Norway, and Sweden. The conclusion was that zero-knowledge CBDCs are feasible but 'not aligned with current regulatory expectations' under FATF standards. Privacy, in other words, is technically possible but legally inconvenient.
Another option is to preserve physical cash. Switzerland's constitution guarantees the right to pay in cash; the Swiss National Bank has pledged to maintain coin and note issuance indefinitely. Austria passed legislation in 2023 requiring all retailers to accept cash payments. But these are outliers. Most advanced economies are withdrawing cash from circulation. The European Central Bank announced in January 2026 that it would cease production of €500 notes; the Bank of England retired the £50 note in 2024. The share of cash in circulation is falling, and CBDCs are being designed to fill the gap—on terms set by central banks, not voters.
What is to be done
If CBDCs are to become the dominant form of money, their design should reflect democratic consent, not regulatory convenience. That requires three changes. First, privacy protections should be embedded in the technical architecture, not left to administrative policy. Zero-knowledge proofs and similar cryptographic methods can allow compliance with anti-money-laundering rules while preventing bulk surveillance. Second, access to transaction data should require a judicial warrant, as it does for wire taps and search warrants. Administrative access invites mission creep, as Sweden's e-krona pilot has already demonstrated. Third, the public should have a say. CBDCs are a constitutional matter, not a monetary technicality. They should be subject to legislative approval, public consultation, and sunset clauses that allow periodic review.
None of this is happening. Central banks are moving fast, and legislatures are moving slowly—or not at all. The European Parliament has debated the digital euro, but it has not proposed amendments to protect privacy beyond what the ECB has already offered. The U.S. Congress held hearings on a digital dollar in 2023 and 2025; no legislation has passed. In most countries, CBDCs are being implemented by central bank decree, under existing statutory authority to issue currency. That authority was granted in an era of physical money. Its scope is now being stretched to cover systems that the framers of those laws never imagined.
The reckoning
The public may not fully grasp what is being built until it is already operational. Cash withdrawals are declining; digital payments are rising; the infrastructure for comprehensive transaction monitoring is being quietly installed. By the time citizens notice, the alternative—anonymous payment—may no longer exist. Central banks insist this is about modernisation. But every system encodes values. Physical cash encoded a value: that what you buy is your own business. CBDCs, as currently designed, encode a different one. Whether that shift was intentional or incidental may not matter in the end. The result is the same.
Join the conversation
What do you think? Share your reaction and discuss this story with others.