An introduction to encryption in Europe
January 2021 position paper
“Encryption is essential to the digital world, securing digital systems and transactions and also protecting a series of fundamental rights, including freedom of expression, privacy and data protection. ”
European Commission, 24 July 2020
“Privacy and security, both of individuals’ personal data and of critical infrastructure, are important preconditions for economic growth and societal benefit. Encryption is a fundamental tool to achieve these goals“
Digital Europe, 16 March 2020
“Under international human rights law, measures that would restrict the use of encryption are deeply problematic, as is the mass interception and blanket retention of communications data”
European Digital Rights (EDRi), 27 October 2020
Encryption is a fundamental tool to protect the confidentiality of personal data and the security of the information systems, specifically enshrined in article 32 of the GDPR.
This paper explores the European scenario, with a specific focus on the regulatory and policy instruments that address encryption.
Encryption is a mathematical function that uses a secret value – the key – to encode data that only users with access to that key can read. The science of encrypting and decrypting information is called cryptography.
There are two main types of encryption:
- Symmetric encryption: a common key (known by all involved parties) key is used to encode and decode the to protect data.
- Asymmetric encryption: this method uses two different keys - a public key and a private key - which are interlinked together mathematically. The private key (only known to the sender) is used to encrypt a message, the public key (that can be published on the Internet) is used to decode that message.
Being firstly used only in the military field, the advent of new communication technologies has seen encryption democratized through its integration into everyday products, such as websites, smartphones, and messaging protocols.
The use of encryption techniques as a means of guaranteeing confidentiality and integrity of data and user authentication has become an indispensable prerequisite for the normal functioning of infrastructures that we need for our daily lives (banking, sending, or receiving emails) and of the digital services offered over them.
Encryption technologies enable Internet users to protect their data and communications from unwanted observation and intrusion. Its importance has grown as information technology enables the creation and storage of massive/enormous quantity of personal information.
In this regard, the Internet Society, the international organisation promoting Internet use and access (hereinafter ISOC) highlights that “Encryption technologies enable Internet users to protect the confidentiality of their data and communications from unwanted observation and intrusion. Encryption is also a technical foundation for trust on the Internet. It promotes freedom of expression, commerce, privacy, user trust, and helps protect data from bad actors ”. Users’ data protection rights should be at the heart of any decisions related to the digital economy, as it has also been affirmed recently in the European General Data Protection Regulation (the so-called GDPR). “They are both the customers and the contributors to the success of the digital economy”.
1. The European landscape
At a European level, encryption is foreseen in several Union-wide regulatory instruments.
a) The GDPR foresees encryption at:
· article 32, as a means for the data controller to secure the data: «1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymization and encryption of personal data; [….]».
Encrypting data represents a way to ensure confidentiality of personal data and strengthen therefore the resilience of the processing systems. Depending on the circumstances, an appropriate and effective encryption solution can in fact be a means of demonstrating compliance with the security requirements of the GDPR.
· article 34, the data controller is not obliged to notify the data breach to the data subject in case he «[…] has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; [….]».
· article 5, par. f) GDPR states the principle of integrity and confidentiality «Processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures». Encryption represents an important means to ensure the respect of these two principles.
b) Directive 2002/58/EC (Directive on privacy and electronic communications)
· Recital 20: «Service providers should take appropriate measures to safeguard the security of their services, if necessary in conjunction with the provider of the network, and inform subscribers of any special risks of a breach of the security of the network [….]. Service providers who offer publicly available electronic communications services over the Internet should inform users and subscribers of measures they can take to protect the security of their communications for instance by using specific types of software or encryption technologies».
c) European Proposal for a Regulation on Privacy and Electronic Communication - that will replace the Directive 2002/58 - at Recital 37 states that: «Service providers who offer electronic communications services should inform end-users of measures they can take to protect the security of their communications for instance by using specific types of software or encryption technologies […] Security is appraised in the light of Article 32 of Regulation (EU) 2016/679».
Very few EU countries have adopted at a national level specific provisions on use of encryption, although it is the competence of EU member states to regulate at the national level the requirements, in particular for law enforcement authorities to conduct criminal investigations and the specific conditions to access communication information, especially when these are protected by encryption measures. In particular, the national laws regulate the cases and indicate the conditions under which law enforcement and judicial authorities can compel a suspect or a third party to disclose the access keys or to provide data in an unencrypted format.
To make sure that encryption is, and continues to be, a fundamental tool to protect data, there is, therefore, a strong need to push and move forward on public awareness on encryption at a national and European level.
2. Promotion and protection of fundamental rights in the European Union.
Data controllers are challenged every day to protect data users and prevent data breaches. Only in the first months since the GDPR entered into force, the European Data Protection Board (EDPB) had reported almost 65,000 breach notification.
The right to the protection of personal data represents today a fundamental value of the European system, enshrined by the GDPR and by the Charter of Fundamental Rights of the European Union.
To support the right to privacy, and other fundamental rights such as freedom of expression, intellectual property, individuals should be able to communicate confidentially and anonymously on the Internet.
Encryption represents an important means to assure confidentiality, integrity, and availability of information and, therefore, contributing to the protection of the aforementioned rights.
Additionally, encryption not only protects individual’s rights within the European context but might also prevent any risky transfer of personal information to third countries.
Security (“integrity and confidentiality”) is one of the principles relating to the processing of personal data, which uniquely contributes to the compliance and protection of individuals’ fundamental rights in all processing activities. Article 32 gives to encryption, together with pseudonymization, the rank of measures that need to be put in place for guaranteeing security.
3. Policy discussion on encryption
On 24 November 2020, the Council of the European Union adopted the resolution “Encryption - Security through encryption and security despite encryption”. It clearly supports strong encryption, while stresses the necessity for law enforcement and judicial authorities to exercise their lawful powers in protecting our societies and citizens. “
Always at a policy level, on 24 July 2020, the European Commission released a strategic document on the EU Security Union Strategy where it addressed, among the other things, the importance of finding a balance while using encryption. While being firm on the principles, it announced that “the Commission will explore and support balanced technical, operational and legal solutions to the challenges and promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism.” What this means in practice, in terms of protecting the current regulatory regime in favor of encryption, remains unclear. At the jurisprudential level, after the Court of Justice of the European Union decision in the case Schrems II that invalidated the EU-US Data Protection Shield, national and European policymakers/regulators discussing which measures to put in place to reinforce the protection of personal data with regard to the international transfer, and encryption is listed as one of the most important – beside anonymization, pseudonymization.
In this context, it is also worth noting a letter dated on the 16th of July by the European Data Protection Board (EDPB) highlighting that “the availability of strong and trusted encryption as a necessity in the modern digital world and a technology contributing in an irreplaceable way to our privacy and to the secure and safe functioning of our society”. Any ban on encryption would seriously undermine compliance with GDPR.
Previously, the Data Protection Authorities of the European Union, represented by the Article 29 Working Party (WP29), and now replaced by the European Data Protection Board, remarked in a statement dated 11 April 2018 on the importance of strong and efficient encryption means to guarantee the protection of individuals with regard to confidentiality and integrity of their data, which are the elementary underpinning of the digital economy.
Previously, ENISA published a report in December 2016 on the use of encryption in the different daily activities and on the different technical solutions to address law enforcement issues.
The European Commission’s 2017 cybersecurity strategy recognized encryption as a vital tool for the protection of personal data and fundamental rights, such as privacy and freedom of expression.
Eurojust has dedicated its annual Cybercrime Judicial Monitor report in 2018 to encryption and to the legal requirements for decrypting information during judicial investigations.
Europol and Eurojust have recently published, respectively in 2019 and 2020, the First and Second report on the observatory function on encryption.
4. What does Encryption Europe stand for?
“Backdoors and master keys deprive encryption of its utility and cannot be used in a secure manner”.
As outlined in the Encryption Europe Principles, the Alliance has a zero-backdoor policy, and it supports the work of regulators against any possible weakening of encryption.
Encryption Europe defends, in fact, the choice for our members to secure the data and communications of their clients in 2 main ways:
- Providers may keep a copy of their clients’ keys (the benefit of this approach is that the clients are not at risk of losing access to their own data) and may provide them with a Key Management System (the benefit is that the clients manage their encryption keys in a more robust and reliable fashion);
- Providers may not keep any copy of their clients’ keys (the benefit is that the clients are guaranteed that their provider cannot access their own data). In such a case, some providers may prefer to perform “Know Your Customer” checks on their clients, while others may prefer not to.
Encryption represents today one of the most important available means to protect confidentiality, integrity, and authenticity of data. The right to protect personal data is a fundamental value of the European Union, recognized as such by the European Charter of Fundamental Rights and by the European Data Protection Regulation (GDPR). It is an agreed fact, that protecting personal data as well as the generalized use of encryption, accelerates the EU digital economy to grow and empowers its development. It is not possible to ensure security only partially. In fact, weakening encryption would put at risk all security and privacy, and as such the complete digital economy.
Encryption Europe stands for zero back-door and transparency when it comes to implementing encryption algorithms.
The role and commitment of Encryption Europe as a tech alliance of SMEs is to demonstrate that the encryption industry stands on clear principles but also recognises the political context and its mindset is to bring innovation and forward-looking solutions.
Encryption Europe encourages continued, focused dialogue on the topic with different national and European stakeholders.
 Communication from the Commission to the European Parliament, the European Council, the Council, the European
Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy, 24 July 2020 https://ec.europa.eu/info/sites/info/files/communication-eu-security-union-strategy.pdf
 Position paper DigitalEurope, Encryption: finding the balance between privacy, security and lawful data access, available at https://www.digitaleurope.org/resources/encryption-finding-the-balance-between-privacy-security-and-lawful-data-access/ ibidem, page 11.
 Open Letter to the European Commission: Civil society views on defending privacy while preventing criminal acts, 27 October 2020 https://edri.org/wp-content/uploads/2020/10/20201020-EDRi-Open-letter-CSAM-and-encryption-FINAL.pdf
 ICO, Security encryption, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/encryption/.
 https://searchsecurity.techtarget.com/definition/encryption. The first traces of this technology go back to ancient Greece and to Julius Caesar’s cipher. See https://daily.jstor.org/tales-history-cryptography/.
 See Article 29 Data Protection Working Party, Statement of the WP29 on encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU, Brussels April 2018, available at https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622229
 Carnegie Endowment for International Peace, Moving the Encryption Policy Conversation Forward, available at https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573
 Recital 7 GDPR.
 https://www.internetsociety.org/policybriefs/encryption/ on ISOC website that will help us to support our opinion and vision.
 Belgium, France, Ireland, UK. See Eurojust Cybercrime Judicial Monitor, Issue 4 – December 2018 9/L/2018, p. 34.
 Belgium, Denmark, France, Hungary, Ireland, Latvia, Luxembourg, Poland, Slovenia, Spain, The Netherlands, UK, Norway
 See Digital Europe position paper, cit. p. 5.
 See ENISA’s Opinion Paper on Encryption Strong Encryption Safeguards our Digital Identity, available at https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/enisas-opinion-paper-on-encryption. See also ENISA and Europol joint statement available at https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/on-lawful-criminal-investigation-that-respects-21st-century-data-protection.
 See Communication from the Commission to the European Parliament, the European Council and the Council Eleventh progress report towards an effective and genuine Security Union, 18th October 2017.
 See Eurojust, Cybercrime Judicial Monitor, Issue 4 December 2018, available at http://www.eurojust.europa.eu/doclibrary/Eurojust-framework/cybercrimejudicialmonitor/CJM%20Issue%204%20-%20December%202018/2018-12_CJM-4_EN.pdf
 Available at https://www.europol.europa.eu/publications-documents/first-report-of-observatory-function-encryption and https://www.europol.europa.eu/publications-documents/second-report-of-observatory-function-encryption.
 Court of Justice of the European Union, 16th July 2020, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems Judgment in Case C-311/18
 For instance, on August 24, 2020, the Data Protection Authority (“DPA”) of the German federal state of Baden-Württemberg issued guidance on international data transfers following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case (decision C-311/18 of July 16, 2020).
 See Digital Europe Policy paper, An early analysis of Schrems II – key questions and possible ways forward, p. 9, available at https://www.digitaleurope.org/wp/wp-content/uploads/2020/08/DIGITALEUROPE_An-early-analysis-of-Schrems-II_Key-questions-and-possible-ways-forward.pdf
 Article 29 Data Protection Working Party, Statement of the WP29 on encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU. See also EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted on 10 November 2020, pp. 22-24.
 Article 29 Data Protection Working Party, Statement of the WP29 on encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU, page 2.