Encryption Policy Issues in the EU
Friday, May 25, 2018
encryption, data security, policies, eu member states, split

Related Practices & Jurisdictions
Print Mail Download i

In light of increasing discussion about the public policy implications of encryption, opinions among EU Member States on how best to tackle the issue are split.  Certain Member States, such as the UK, have repeatedly called for uninhibited access by national authorities to encrypted messages for national security purposes.  Others recognize the legitimate security interests of users.

The EU has recognized the importance of this issue.  The European Commission has therefore published a series of Communications and legislative proposals addressing encryption and access to data during criminal investigations.

Technical Measures

The conclusions drawn from a public expert consultation launched by the Commission were presented in a Communication on October 18, 2017, which laid out a number of technical measures aimed at supporting the activities of Member States on encryption.

The technical measures proposed include the following:

  • Strengthening Europol’s technical capabilities, in particular its decryption capabilities;
  • Developing a “toolbox” of both legal and technical instruments aimed at obtaining information encrypted by criminals in a facilitated manner;
  • Establishing a network of centers of expertise;
  • Establishing an observatory for future developments;
  • Providing training for law enforcement and judicial authorities, supported by EUR 500,000 from the Internal Security Fund in 2018;
  • Leading structured dialogue and collaboration with industry and civil society, and with internet service providers in particular, to help develop appropriate solutions while maintaining strong encryption.

Legislative Proposals

On April 17, 2018, the European Commission published a Communication on the Fourteenth progress report towards an effective and genuine Security Union and two legislative proposals: a proposal for a Regulation on European Production and Preservation Orders for electronic evidence (“e-evidence”) in criminal matters and a proposal for a Directive laying down harmonized rules on the appointment of legal representatives when gathering evidence in criminal proceedings.  Both proposals intend to facilitate EU cross-border access to data by law enforcement authorities in criminal investigations.

The proposed Regulation introduces the concept of binding European Production and Preservation Orders, which are requests made by law enforcement authorities to either provide or retain certain data necessary to the criminal investigation when the evidence is stored in another EU Member State.  Under the proposal, both Orders will need to be issued or validated by a judicial authority, and could be served on digital service providers, including electronic communication service providers, social networks, online marketplaces, online hosting services, or domain registries.

Four types of data are specified in the Regulation: subscriber data, which relates to the identity of the user or customer; access data, which relates to the commencement and termination of a user’s access session; transactional data, which relates to data that provides context or additional information about the service; and content data, which relates to digitally stored data, including text, voice, videos, images, and sound.  Companies would have a standard deadline of ten days to provide the requested data, or six hours in emergency situations, where “there is an imminent threat to life or physical integrity of a person or to a critical infrastructure” (see here, Article 9).

The Regulation comes with certain safeguards, however.  European Production Orders for subscriber and access data may be issued for any criminal offence, whereas transactional or content data may only be requested for criminal offences with a maximum sentence of at least three years, or for specific offences listed in the proposal, including various cyber-dependent, cyber-enabled or terrorism-related crimes.

If passed, the Orders provided for in the Regulation would be legally enforceable, and companies would face sanctions for non-compliance.

Interestingly, the proposed Regulation mentions encryption only once: recital 19 states that “data should be provided regardless of whether it is encrypted or not.”

For further detail on the Commission’s legislative proposals, see Lauren Moxley’s Inside Privacy blog post.

The Commission has indicated on a number of occasions that it does not aim to undermine or weaken encryption.  European Commission Vice-President Andrus Ansip has repeatedly stated that he is against implementing “backdoors” to encrypted systems, as they erode trust.  The aforementioned Communication from October 2017 proposed technical measures that do not prohibit, limit or weaken encryption.  Any technical measures that could weaken encryption were not considered (see here, at pages 9 and 10).  The Commission has recognized the challenge of preserving strong encryption for cybersecurity, data protection and privacy reasons, while simultaneously enabling legitimate access to encrypted data by law enforcement authorities (see here, for example).

Complementary Action in the Field of Decryption

In parallel, the Commission appears to be exploring alternative approaches, including investing in decryption.  In its Communication published on January 24, 2018, the Commission agreed to amend Europol’s 2018 budget to include an additional EUR 5 million to enhance the agency’s decryption capabilities of lawfully obtained encrypted data in criminal investigations.

Additionally, over the course of four years (from January 1, 2018 to December 31, 2020), the EU will contribute over EUR 4.2 million to FENTEC, a Horizon 2020 project developing “functional encryption” (“FE”) technology.  FE aims to “overcome the all-or-nothing limitations of classical encryption” by making it possible to process the data and obtain a partial view of the message in plaintext, thereby attempting to strike a balance between digital privacy and cybersecurity, and public safety.

Whether this technology will meet the legislators’ objectives and service providers’ needs in the EU remains to be seen.

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins