The Portuguese Presidency is calling for an EU-wide regulation on access to encrypted content by police and judiciary. This should also affect device manufacturers. Failure to comply could result in companies being banned from doing business in the EU.
The European Union is to adopt a legal framework on decryption in the near future so that authorities can access “lawfully relevant data”. This was written by the Portuguese EU Council Presidency in a Communication which also presents a roadmap for this purpose. An important milestone is a proposal for a “way forward”, which the EU Commission will prepare by 2022.
The paper from Portugal has been coordinated with the previous German and the upcoming Slovenian EU Presidencies. The German Ministry of the Interior had taken a new initiative against end-to-end encryption at the start of this so-called trio presidency and adopted a Resolution and Conclusions on the implementation of decryption capabilities. It states that the member states themselves should decide on the methods they use.
“Consistent regulatory framework across the EU”
The Council Communication published last week could now point in a different direction. According to it, the effects of already existing “different relevant regulatory frameworks” are to be examined. Based on this, the Council of Ministers wants to develop a “consistent regulatory framework across the EU”.
The directives or regulations in question are not mentioned. Among other things, the European Investigation Order could be meant, with which the member states promise each other assistance in police investigations. This also concerns intercepting and diverting telecommunications to the “issuing state” or house searches to seize electronic devices. If necessary and feasible, the “executing state” should subsequently decrypt the devices at its own expense.
The planned Regulation on European production and preservation orders for electronic evidence in criminal matters (e-Evidence) may also affect encrypted systems. The proposed legislation does not directly address how to deal with this. However, if EU member states have to hand over cloud data to each other, this could fail due to encryption.
In addition, the Regulation on a temporary derogation from certain provisions of Directive 2002/58/EC also comes up against the limits of encrypted content. The regulation, hastily enacted last year, allows messenger and mail providers to screen content on their platforms to combat child sexual abuse. As the European Electronic Communications Code is in force since 21 December 2020, the companies fall under the EU’s General Data Protection Regulation, which actually prohibits such monitoring. The recast of the E-Privacy Regulation would also prevent this as things stand.
Finally, the required decryption legal framework also affects the planned EU Regulation on Artificial Intelligence. According to the Commission, if the encrypted data is available to police and judiciary in plain text, the authorities should analyse it with the help of new technologies. In order “to understand what they found”, the decrypted data “must be put in context with other data”. The extent to which this data mining is permitted is to be specified in the new regulation.
“Leverage the strength of its single market”
According to the Council paper, law enforcement and judicial authorities would have to be allowed to access encrypted content “both online and offline”. This wording had already been used by the Commission on 14 April in its Communication on an EU strategy against organised crime 2021-2025. It refers, among other things, to encrypted storage media.
However, providers of encrypted telephony are also directly addressed. The Commission complains about a “niche market for encrypted communication devices”, which became evident after the recent raids against Encrochat and SkyECC. The companies were hacked by secret services, after which police and judicial authorities received millions of intercepted messages for investigations and prosecutions.
The impending regulation therefore not only puts the onus on internet service providers, but also on device manufacturers in general. According to the Council of Ministers, both are to “create technologies that meet the Member States’ needs”. If the companies refuse to cooperate, they could also be banned from doing business in the European Union under the new regulation. The Portuguese Presidency’s paper stresses that the EU could “use the strength of its single market” to do so.
Solution should anticipate future technologies
The Council paper leaves open which offences the requested law should apply to. However, the text mentions terrorism, serious organised crime, trafficking in illegal substances and money laundering. The Commission also wants the technical and legal solutions to “anticipate” future encryption and decryption technologies. It mentions 5G interception and technologies “and beyond”.
Member states are now called upon to participate in the legislative process. For this purpose, the ministries of the interior and justice are to answer a questionnaire, which the Commission will evaluate for its “way forward”. The German Presidency had insisted that the Council be regularly informed about the progress of this report.
Apparently, the ministers now want to have a decisive influence on its contents. The Council paper assigns the Commission the role of “co-driver alongside the Member States”. The Council brings the “COSI community” into play as a new actor. This refers to the Standing Committee on Internal Security, which is made up of senior officials from the interior and/or justice ministries of all EU member states as well as the Commission and the External Action Service.
This also gives more weight to the EU agencies and Council working groups affiliated to COSI. “Practitioners” such as the German Ministry of the Interior and its Federal Criminal Police Office are organised there. Both have significantly shaped the course of EU decryption legislation for five years.