Encryption: EU Member States call for lawful access, Commission in line with them
Encryption and lawful access to communication data is a topic that has been extensively discussed at EU level during the past few weeks. As a result, two communications were recently published:
-the Council Resolution on “Security through encryption and security despite encryption” adopted today [14 December] by the Member States;
-the Commission’s Counter-Terrorism Agenda, published on 9 December.
Both publications stress the need to find the right balance between 1) maintaining the effectiveness of encryption and 2) providing an effective response to crime and terrorism.
These documents are not binding (this is no legislation) but set an orientation for the EU.
The Board of Eurosmart prepared a press release to react to the Council Resolution. This press release will be published and sent today.
Council Resolution on encryption
EU Member States underline the importance of encryption as a means to protect individuals, civil society, critical infrastructures, media and journalists, industry and governments by ensuring the privacy, confidentiality, data integrity and availability of communications and personal data. They further state that “it is evident that all parties benefit from encryption technology”. The Council also notes that end-to-end encryption is more and more used in communication channels and data storage services. In addition, EU privacy bodies recommend using encryption to transfer data outside the EU.
However, Member States explain that encryption renders access to and analysis of communications content extremely challenging or practically impossible “despite the fact that the access to such data would be lawful”. They believe that encryption hinders the work of competent authorities to fight crime and terrorism.
Therefore, Member States conclude that a balance must be reached between 1) protecting the privacy and security of communications through encryption and 2) upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes in fighting crimes and terrorism.
The Council stresses the need to join forces with the tech industry. Member States intend to establish an active discussion with the technology industry, while associating research and academia “to ensure the continued implementation and use of strong encryption technology”. Technical solutions enabling lawful access must be in line with the principles of legality, transparency, necessity and proportionality including protection of personal data by design and by default. Member States further conclude that there should be no single prescribed technical solution to provide access to encrypted data.
Member States will assess the need for a dedicated regulatory framework.
Commission’s Counter-Terrorism Agenda
In this document, the European Commission is in line with the Council.
The European Commission plans to work with Member States to “identify possible legal, operational, and technical solutions for lawful access and promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism".