EU Tells US: Ban Strong Encryption, And Privacy Shield Data Sharing Agreement Could Be At Risk

from the question-of-adequacy dept

As a recent post underlines, law enforcement agencies around the world are still trying to argue that things are "going dark", and that strong encryption is bad and should be made illegal. Techdirt and many others have pointed out what an extremely stupid idea this would be. Here's a further reason why the US shouldn't ban strong encryption: it might lead to the EU making data transfers across the Atlantic much harder. The possibility has emerged thanks to some formal questions to the European Commission (pdf) submitted by a Member of the European Parliament, Moritz Körner. They include the following:

According to the news website Politico, the US government is considering a ban on encryption. 1. Would the Commission consider a similar ban in the EU to be useful? 2. Would a ban on encryption in the USA render data transfers to the US illegal in light of the requirement of the EU GDPR for built-in data protection?

The answers from the European Commission have now been published (pdf). The first response is as follows:

Encryption is one of the means of protecting confidentiality as well as privacy and is widely recognised as an essential tool for security and trust in open networks. No ban on encryption is being considered.

That's good, but:

At the same time, the use of encryption should be without prejudice to the powers of competent authorities to protect important public interests in accordance with the procedures, conditions and safeguards set forth by law. In particular, access to communications data by national authorities may be justified in individual cases by the objective of preventing or investigating criminal offences, as long as such measures are necessary, proportionate and respect due process rights.

The boilerplate caveat doesn't say how the EU aims to provide lawful access to communications data when strong encryption is employed, and so doesn't really illuminate EU policy here. By contrast, the response to the second question about the impact a US ban on strong encryption might have does provide new information:

Should the U.S. enact new legislation in this area, the Commission will carefully assess its impact on the adequacy finding for the EU-U.S. Privacy Shield, a framework which the Commission has found to provide a level of data protection that is essentially equivalent to the level of the protection in EU, thus allowing for the transfer of personal data from the EU to participating companies in the U.S. without any further restrictions.

Privacy Shield governs the flow of EU citizens' personal data to the US -- something of vital importance to US Internet companies, and many others. Because of the GDPR's requirements, that flow can only take place if the European Commission issues an "adequacy decision" -- essentially confirming that a country outside the EU offers a sufficient level of data protection. Without adequacy, US companies would be forced to take additional, more onerous measures to guarantee that EU personal data was protected to the level required by the GDPR.

The European Commission's reply indicates that adequacy could be at risk if the US were to ban strong encryption. That's surprising, because the Commission has generally tried to ignore criticisms -- from the European Parliament, for example -- about the level of data protection in the US. This may just be a little saber-rattling on the Commission's part. But it's a useful hint that a US ban would not just be bad for the Internet, but could also turn out to be bad for the US.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.


Filed Under: encryption, eu, privacy, privacy shield, us