New Draft Resolution on Encryption Casts Doubt on EU’s Commitment to Data Protection

The decades-old debate over encryption once again made the news after a draft resolution of the Council of the European Union leaked to the Austrian press. The resolution, dated November 6, 2020, suggested that the EU could be taking a step toward banning end-to-end encryption—encryption that allows users to exchange encoded messages that nobody else can read, including any Internet intermediaries. This proposal caught many by surprise because the EU is supposed to be the vanguard of consumer data protection, and it is often critical of other countries’ digital surveillance practices. But this latest action shows that the EU’s commitment to data protection may be weaker than it appears.

The resolution affirms the EU’s support for strong encryption but also states that law enforcement “must be able to access data in a lawful and targeted manner.” It stops short of calling for a ban on end-to-end encryption or a mandate for “backdoors,” mechanisms that enable law enforcement to decrypt communications, but it concludes that it is “essential to preserve the powers” of law enforcement to access electronic evidence in criminal investigations.

Law enforcement officials around the world have long complained that strong encryption makes it more difficult or even impossible to do their jobs and decipher the communications of criminals and terrorists. The United States continues to grapple with the issue, and in October the Five Eyes intelligence alliance released a statement that in many ways resembles the EU Council’s draft resolution, simultaneously acknowledging the importance of encryption while emphasizing the need for law enforcement to access encrypted communications.

On the other side of the debate, tech companies, consumer advocacy groups, civil liberties groups, and privacy advocates contend that encryption is a powerful and necessary tool for privacy and security. There’s no way to give law enforcement and other good actors access to encrypted communications without also weakening encryption and giving criminals and malicious state actors easier access to sensitive data. The effect would be reducing the overall security of law-abiding citizens, businesses, and even governments while doing little to impede serious criminals and terrorist organizations that could obtain more securely encrypted products and services.

The EU Council’s draft resolution acknowledges the many benefits of encryption in protecting the fundamental rights to security, privacy, and protection of personal data. Any effort to weaken encryption—by banning strong forms like end-to-end encryption, requiring tech companies to build backdoors into their encryption systems, or any other mechanisms—would run counter to the EU’s commitment to data protection.

If the EU wants to maintain its position on the importance of data protection and privacy, it should continue to support strong encryption. So far, it does not look like the EU Council’s draft resolution will spell the death of end-to-end encryption in Europe, but it also doesn’t look like the debate over encryption is going away any time soon.