The European Court of Human Rights (ECHR) has made a new landmark decision, ruling that laws that weaken data protection violate human rights.
According to the ECHR, legislation that increases data retention and erodes encryption is against the European Convention on Human Rights. The court spoke of an “extremely broad duty of retention” and “exceptionally wide-ranging and serious interference.”
It called the statutory obligation to decrypt end-to-end encrypted communications “disproportionate” and said that the impugned legislation was not “necessary in a democratic society”. Russia overstepped the margin of appreciation, the Court said.
Concerning the need to provide security agencies with the information required to decode electronic messages, the Court “observes that international bodies have argued that encryption provides strong technical safeguards against unlawful access to the content of communications and has therefore been widely used as a means of protecting the right to respect for private life and the privacy of correspondence online.”
The Court further noted that “In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression.”
“Encryption, moreover, appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information. This should be given due consideration when assessing measures which may weaken encryption,” the Court states.
“Moreover, mandated back doors in encryption tools create liabilities that go far beyond their usefulness with regard to specific users identified as crime suspects or security threats. They jeopardize the privacy and security of all users and expose them to unlawful interference, not only by States, but also by non-State actors, including criminal networks.”
The verdict could have a big influence on various decryption laws and on proposed European legislation that tries to circumvent end-to-end encryption.
Patrick Breyer, German MEP for the Pirate party, is a vocal opponent of EU proposals on mass scanning of private messages, and told Brussels Signal it is an “outstanding landmark judgement”.
He says that “The ‘client-side scanning’ surveillance on all smartphones proposed by the EU Commission in its chat control bill is clearly illegal,” as “it would destroy the protection of everyone instead of investigating suspects.”
“EU governments will now have no choice but to remove the destruction of secure encryption from their position on this proposal – as well as the indiscriminate surveillance of private communications of the entire population!”
“It is a scandal that the EU Council’s latest draft position still envisages the destruction of secure encryption. We Pirates will now fight even harder for our digital privacy of correspondence!”
The European Data Protection Supervisor (EDPS) told Brussels Signal they “do not comment court rulings as a matter of fact”, but pointed to reports in which they expressed concern and said proposed European legislation “would result in general and indiscriminate monitoring of private communications,” and would thus “restrict individuals’ fundamental rights to privacy and personal data.”
Encryption, the coding of information to conceal it, is an essential tool for secure online communication. However, governments have been increasingly pushing for more surveillance and for access to digital communications in order to scan them for illegal content.
In the aforementioned case, it was Russian legislation that now has been found in breach of Article 8 of the European Convention on Human Rights, protecting privacy. The case was brought to the ECHR by a Russian Telegram user who took issue with legislation mandating that messaging providers retain metadata for a year, store users’ chats for six months and give law enforcement access to decode users’ chats upon request.
Russia is no longer a member of the court, due to the invasion of Ukraine, but the case was filed in Russia in 2017 and brought to the ECHR in 2019. The verdict has Europe-wide consequences.
Besides Russia, the EU is also working on legislation to circumvent encryption, most notably via the child sexual abuse material (CSAM) scanning proposal, which aims to fight child sexual abuse online.
Should it become EU law, all messaging providers would have to examine all of their messages for possible CSAM content, which would necessitate backdoors or the loss of end-to-end encryption.
The plan would impose extensive new obligations on online companies to “detect, report, block and remove” CSAM items from their platforms.
Individual Member States also have far-reaching demands. Spain even wants to go as far as banning end-to-end encryption altogether.
Following the ECHR's decision, however, it is unclear how these legislative proposals will go forward.