New internal security plans could fundamentally change how people in the European Union communicate privately. Law enforcement wants more access to pursue possible crimes, while privacy and internet security advocates fear a deepening surveillance state.
The European Commission’s ProtectEU security strategy, unveiled last month, aims to tackle threats both from hostile foreign states and criminal groups. It would introduce measures on “lawful and effective access to data for law enforcement” and work towards “updating the EU’s data retention rules.”
End-to-end encryption is getting extra attention. The technology secures messaging by encrypting it on the sending device with a unique key, so that only the receiving device can decrypt it.
Legislative efforts to weaken that level of data protection have privacy advocates ringing alarm bells and complaining that the Commission has not taken their concerns seriously. Last week, 39 civil society organisations and 43 privacy experts wrote a letter to Henna Virkkunen, the European Commissioner responsible for tech sovereignty, security and democracy, warning of the dangers of opening encryption to police.
“Encryption is a vital tool to protect everyone's personal information and personal lives online,” Ella Jakubowska, head of policy at European Digital Rights (EDRi), a coalition of NGOs that helped to organise the letter, told The Parliament. “We've had wave after wave of attempts particularly by the European Commission to build in a back door to encrypted communications.”
Protecting children
For criminals, encrypted messaging apps can help keep their illicit activity beyond the reach of law enforcement. With ProtectEU, the Commission wants to give law enforcement more tools to go after illegal and harmful content, such as child sexual abuse material (CSAM).
In a recent report, Protect Children, a Helsinki-based NGO, surveyed over 30,000 people anonymously identified as CSAM offenders. Of those, 32% said they had used social media platforms to search for, view or disseminate CSAM; 29% said they had used messaging apps for the same purpose.
Outside of encrypted apps, police can more easily intercept messages by applying for a warrant and then listening in, much the same way they do for phone calls, text messages or email. If criminals use the dark web, they may be able to more easily evade detection, but at the cost of ease of use, thus limiting the scale of activity. While the end-to-end encryption technology has existed for years, police and child protection advocates say that the widespread accessibility of end-to-end encrypted messaging makes it too easy for criminals to operate in secrecy.
“The amount of images that offenders are pushing online, it's absolutely crazy,” Nina Vaaranen-Valkonen, the Protect Children executive director, told The Parliament. “Who would use the dark web if you can use the end-to-end encrypted services in a safe way?”
Another piece of EU legislation, the Regulation to Prevent and Combat Child Sexual Abuse (CSAR), is gathering momentum. Proposed by the Commission in 2022, it would compel messaging services to perform indiscriminate scans of their content to detect child sexual abuse material — including on platforms that use end-to-end encryption. This would effectively force companies to retrieve content that they currently cannot access, requiring a redesign of their products.
The legislation has the support of Denmark, which will take over the rotating presidency of the Council of the EU in July. Proponents have played down concerns that it would lead to mass surveillance.
“If you think about me flying somewhere, I put my suitcase on a plane and then my suitcase comes from the plane and the dog is sniffing around if I'm carrying any illegal stuff in my bag — it's the same system,” Vaaranen-Valkonen, who also chairs a specialist sub-group for INTERPOL, the global inter-governmental police organisation, said. “It's absolutely not that everybody's messages will be checked.”
Artificial intelligence would help scan images for CSAM, which in theory would detect illegal material without humans snooping on legal messages.
“Tech is catching up, so I do think pushing companies to do more to balance that is really important,” Rebecca Smith, head of child protection at Save the Children International, told The Parliament. “Predators hide behind encryption all the time.”
The legal possession of a warrant, however, doesn’t address the technical difficulties and considerable resources required to break end-to-end encryption without weakening the entire system. Encrypted data passes through company servers but remains unreadable, including by the service providers themselves. If intercepted, the data appears as scrambled code.
“It's really easy to see how our most sensitive information is not going to be safe,” EDRi’s Jakubowska said. “That's just the technical reality of encryption.”
EU Council divided
EU member states are divided. Spain wants to ban encryption entirely, leaked documents show. Sweden has advocated for a proposal that would mandate companies to store and provide law enforcement with access to users’ communications, including those that are end-to-end encrypted.
But the Netherlands, Finland and Austria say they oppose any weakening of encryption, warning that such measures would compromise digital security for all users and expose systems to abuse. Germany is also part of the blocking minority on the CSAM legislation, though the government has been quiet on the issue during a government handover.
France recently U-turned on a national bill that would have gutted end-to-end encryption in the name of fighting drug trafficking. The legislation, which the interior ministry still advocates for, would have allowed law enforcement to silently join encrypted chats, undermining private communication.
Critics said the law could be abused to create systemic vulnerabilities and damage trust in secure communication platforms.
“At the political level, the problem is now that our law enforcement have been losing ground to criminals because our police investigators don't have access to data,” Virkkunen, the tech and security Commissioner, said at a news conference last month.
Bigger issues than encryption
A recent joint report by Europol and Eurojust found that one of the primary challenges for law enforcement is not gathering information — encrypted or otherwise — but managing and processing the vast amounts of data that they can collect.
“This idea that they can't see anything, that they're not able to do their jobs because they don't have data, is really not realistic or accurate,” Jakubowska said. “We see it as part of a much broader state surveillance agenda that wants to have unfettered access to all of the things that we're doing just in case we do something wrong.”
The European Court of Justice (CJEU) and European Court of Human Rights (ECtHR) have consistently ruled on the legality of EU proposals such as facial recognition in public spaces and the collection and retention of user data by service providers.
Markéta Gregorová, a Green MEP from the Czech Republic, said the benefits of encryption were too important to discard in the name of law enforcement. “Encryption is not a threat – it is a cornerstone of secure digital communication, vital for journalists, activists, businesses and everyday citizens,” she told The Parliament.
Birgit Sippel, a German MEP from the centre-left S&D group, said there might be a way to allow law enforcement access to encrypted data in limited circumstances, but that this would have to be carefully calibrated.
“While I recognise the need for law enforcement to address digital threats, we must reject any approach that quietly dismantles the confidentiality of our communications or builds vast, interconnected databases without robust, independent oversight,” Sippel told The Parliament in an email statement. “The push for ‘lawful access’ must not become a backdoor to mass surveillance.”