Commission security plan reopens encryption debate, with fewer privacy defenders in sight

The European Commission is floating new and old ideas on how to increase internal security in Europe — promising, among other things, to find ways to access encrypted data. With the most passionate privacy advocates gone from the European Parliament, a worry is emerging: who will be the opposition in the neverending search for balance between the two priorities.

Like a boomerang, the idea of breaking encryption keeps coming back. The new rules on fighting the spread of child sexual abuse material online, which first introduced the idea, have yet to be finalised, but the European Commission is already teasing new plans to find ways to access more data.

In the EU Internal Security Action plan, unveiled last Tuesday, the executive body says it will “prioritise (…) the preparation of a Technology Roadmap on encryption, to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner, safeguarding cybersecurity and fundamental rights”.

Breaking encryption is not a new idea. The European Commission has already proposed the practice as part of the directive to prevent the spread of child sexual abuse material, later dubbed “chat control” because it suggested providers should have to detect, report, and remove such material from their services, including those providing encrypted communication. The European Parliament refused the idea in its stance voted on in plenary before the 2024 elections. The Council is yet to agree on a common position.

You might be interested

EU has golden chance to learn from Ukraine, MEP Petras Auštrevičius argues

The security action plan leads to the invasion of privacy, expert warns

That notwithstanding, the idea has been brought back again. “We consider this extremely dangerous, particularly in cases where such a tool would be used for mass decryption of secured communication, or where service providers would be forced to create backdoors allowing authorities to access the content of communications,” says Jan Vobořil of Iuridicum Remedium, a Czech legal NGO focused on privacy and an EDRi member organisation. “In effect, this would lead to the end of secure encryption in the EU,” he warns.

Yet, more oversight over online messaging is not the only problematic proposal the lawyer sees in the action plan. He also mentions a possible update to rules on data retention, or the promised “ambitious overhaul of Europol’s mandate”. The organisation has, Mr Vobořil maintains, a proven track record of problematic approach to personal data. The document, while vague, is “clearly intended to lead to a restriction of privacy”, he says.

“If you’re asking whether the EU will find a balance between privacy and security, I’m afraid there’s no indication of that,” he says, sceptical even to the promise of getting more safety in return. “Long-term comparisons of crime trends data in EU countries during periods when electronic communication data was collected on a mass scale, as opposed to periods when it wasn’t (for example, due to constitutional courts striking down such obligations), show clearly that eliminating this tool — which massively interferes with all of our privacy — had no impact on crime rates or clearance rates,” he says.

Despite that, he believes, it is sort of understandable for security forces to ask for more information. But it is the job of politicians to stand up to that pressure and keep privacy in mind as well.

Ex-MEP: The European Parliament’s stance on privacy is waning

That may prove an issue. The European Parliament has historically been the most privacy-oriented among the EU institutions, as seen for example in the child sexual abuse material directive. But the MEPs behind this approach are now, after the 2024 elections, mostly gone.

One of them, Patrick Breyer, a German digital rights activist, jurist and an ex-MEP, believes that the European Parliament will still be the strongest advocate for online privacy among the co-legislators. “But with MEPs like Sophie in’t Veld gone, its stance is waning. Fewer MEPs are focusing on privacy than before, and we have seen a shift to the law-and-order right wing since the last elections,” warns the German Pirate Party politician.

He knows what he is talking about. He coined the term chat control, and loudly opposed the planned breaking of private messages encryption in the last term. Having decided not to run for office again, he promised to keep up the fight as a lawyer and a citizen.

After all, he does believes privacy has begun to pull the short end of the stick quite some time ago. “At least since 9/11, our fundamental right to privacy has been eroded more and more,” Mr Breyer says. Yet, he believes, the adoption of the CSAM Regulation would be a fundamental shift.

“The encryption wars are raging on,” he says in reaction to the newly unveiled action plan.