Last week, the Spanish Presidency of the European Council delayed a vote regarding the Council’s position on the controversial Child Sexual Abuse Regulation(nieuw venster) (CSAR) due to a lack of consensus over the issue of encryption, among others. This proposed regulation is contentious as it opens the door to a new mass surveillance regime and could force companies to scan everyone’s digital communications all the time. In other words, it threatens to effectively ban end-to-end encryption.
Proton and others have been vocal about the dangers of this proposal. As we have discussed previously, banning encryption puts Europe’s cybersecurity (and security in general) at grave risk, undermines the competitiveness of European tech companies, and violates the basic rights to privacy that millions of Europeans have fought for.
However, last week’s decision to delay has highlighted the differing positions of key EU Member States. As the debate continues, Proton has some specific requests for the representatives of these Member States.
Supporting encryption
Several Member States have reportedly prevented the vote on the Council’s position from taking place on the grounds that the clauses affecting privacy will have a detrimental impact on privacy and security. We welcome this and encourage them to continue pushing for a progressive approach to tackling crime online.
In particular, we call on Germany and Austria to use their influence in Europe to bring more countries onto the right side of the debate. Their voices and support for privacy have already had a positive impact. It’s now vital that they hold their ground.
Sitting on the fence
Not all Member States have decided on their national position yet, most notably France. France is a highly influential member of the European community, and its support for privacy, security, and encryption would be invaluable in debates to come.
France has rightly made cybersecurity a top government priority. At the same time, it has successfully nurtured an exciting and vibrant start-up scene. If the French government wants to protect these two cultural and economic interests, it must ensure that the EU proposal does not have any negative impact on encryption, as outlined repeatedly by its own cybersecurity agency(nieuw venster) (ANSSI).
Disregarding the dangers
Despite these positive steps from some Council members, others still do not yet see the risks this legislation will pose for encryption and security in Europe.
To Spain, who holds the Presidency of the EU Council, we urge them to consider the facts. There are many ways for law enforcement to fight crime and protect citizens without undermining the rights and online security of the entire population. Spain is in a unique position to take a leadership role in this debate, so we ask them to listen to progressive voices in the European Parliament, their population, and the wider tech industry.
We urge all European Union Member States to seriously consider the impact of this text specifically in two key areas:
First, it’s vital to acknowledge that this regulation would endanger European citizens rather than protect them. Largely thanks to the war in Ukraine, Europe is now at the center of a cyberwar. But aside from the current geopolitical situation, it remains a fact that cybercrime in general has steadily increased year over year. Breaking encryption will expose us all to criminals, foreign interference, and state-sponsored actors willing to undermine Europe. Now is not the time to weaken our defenses.
Second, Europe’s economy overall, particularly its tech sector, will suffer if encryption is undermined. Tech companies headquartered and operating in Europe, especially the millions of SMEs that make up the backbone of Europe’s digital economy, are vulnerable to cyberattacks and therefore depend on the trust and security encryption offers. Not to mention the reputational hit European companies will face if they’re seen as unable to protect users’ privacy at a time when global demand for greater privacy is on the rise.
Time to change course
It remains unclear when the Council vote will finally take place. Last week’s delay means there will have to be further negotiations between Member States. However, we urge those undecided and those unwilling to rebalance the text to better protect privacy to take a moment and seriously consider the alternatives.
At Proton, we have been very clear. If the legislation is passed in its current form and we subsequently receive requests to undermine our encryption we would mount a robust legal challenge as we have done previously in other countries(nieuw venster). The Council’s own legal advice suggested the proposal would likely be illegal(nieuw venster) under European law and we expect to win future legal challenges. We all want a safe, secure, prosperous, democratic Europe. Without protecting encryption, none of this will be truly possible.