EU raises eyebrows at possible US encryption ban

The growing battle over end-to-end encryption took another turn last week, when EU officials warned that they may not take kindly to a US encryption ban or insertion of crypto backdoor technology.

In June 2019, senior US government officials met to discuss whether they could legislate tech companies into not using unbreakable encryption. According to Politico, the National Security Council pondered whether to ask Congress to outlaw end-to-end encryption, which is a technology used by companies to keep your data safe and secure.

To recap briefly, US law enforcement worries about its targets, such as criminals and terrorists, “going dark” by using this technology to shield their communications. Banning it outright would make it easier for government agencies to access those messages and documents. Encryption advocates counter that making encryption breakable would also allow malicious actors such as foreign governments to steal domestic secrets, and they also worry about unlawful access to information by their own governments.

US officials didn’t reach a decision on the issue, but news of the conversation spooked MEP Moritz Körner enough to ask the European Commission some formal questions, which were picked up by Glyn Moody over at Techdirt. Körner asked whether the Commission would consider a similar ban on encryption in the EU. He also asked what a US ban would mean for existing data exchange agreements between the EU and the US:

Would a ban on encryption in the USA render data transfers to the US illegal in light of the requirement of the EU GDPR for built-in data protection?

Currently, the two regions enjoy an agreement known as the EU-US Privacy Shield, which they introduced after the European Court of Justice invalidated a previous agreement called the International Safe Harbor Privacy Principles.

The Privacy Shield is a voluntary certification scheme for US businesses. By certifying under the scheme, US companies prove their adequacy to transfer and process data on EU citizens. It shows that they have made some effort to follow Europe’s strict privacy principles in the absence of any cohesive federal privacy law in the US.

On 20 November, European Commission officials gave their answers, confirming that they would not consider a ban on encryption in the region and pointing out that the General Data Protection Regulation (GDPR) explicitly refers to encryption as a privacy protection measure.

The next answer was a bit more contentious:

Should the U.S. enact new legislation in this area, the Commission will carefully assess its impact on the adequacy finding for the EU-U.S. Privacy Shield, a framework which the Commission has found to provide a level of data protection that is essentially equivalent to the level of the protection in EU, thus allowing for the transfer of personal data from the EU to participating companies in the U.S. without any further restrictions.

In short, the jury is out on how the EU would react to cross-Atlantic data transfers if the US implemented crypto backdoors.

Ashley Winton, partner at McDermott Will & Emery UK LLP and specialist in data privacy law, explained that a split between the two territories on data exchange could have serious consequences. He told us:

We know that under the GDPR personal data must be held securely, and so legislating against strong encryption or introducing legal back doors, is not going to be good for the safe passage of European Personal Data – howsoever it gets there.

Unlike the annual review of Privacy Shield, if the European Court rules that the transfer of Personal Data to the US is not safe, all affected transfers will be stopped immediately and a world of data protection compliance pain will ensue.

The EU’s reservations about an encryption ban sit in stark contrast to the UK’s approach.

The Investigatory Powers Act 2016 compels communication providers to let the government know in advance of any new encryption products and services, allowing it to request technical assistance in overcoming them. Last month, the UK and the US signed an agreement under the March 2018 CLOUD Act allowing each other to demand electronic data directly from tech companies based in the other country, without legal barriers.

Winton said that another soon-to-be-decided case will once again bring the issue of data transfer from the EU to the US into the spotlight. On 12 December 2019, the European Court of Justice (ECJ) will decide on a case known as Schrems 2. This is a legal challenge against Facebook in Ireland by Austrian attorney and privacy advocate Max Schrems.

Schrems was responsible for bringing down the original Safe Harbor agreement. Concerned by Facebook’s cooperation with the US intelligence services as revealed by Edward Snowden, he filed a complaint with the Irish Data Protection Commissioner alleging that the transfer of his personal data to Facebook US violated his rights. The ECJ ruled in his favour.

Schrems 2 focuses on another mechanism used to transfer data from the EU to the US: standard contractual clauses (SCCs). These are bilateral agreements between EU and US organizations based on standard templates, and they’re often used by companies in countries that don’t have an adequacy agreement.

SCCs are a big deal because they are the go-to mechanism for extraterritorial data transfers among 88% of respondents, according to a report by the International Association of Privacy Professionals.

We will stay tuned.