Two years of trying – and failing – to get government consensus

Proposed in 2022 by the EU’s outgoing home affairs chief, Ylva Johansson, the draft EU CSA Regulation sent shockwaves throughout the privacy and human rights communities.

The European Commission tried to downplay the massive threat this law, coined “Chat Control”, would pose to the security of everyone’s digital communications. But soon, they had to reckon with intense criticism from every angle: civil society, legal experts, technologists, child rights specialists, and police, warning that the Regulation would be counter-productive to its stated aim of protecting children.

The EU’s independent legal services also joined in with damning criticism of the draft law, confirming that the law would mean such a massive violation of innocent people’s digital human rights, that the EU’s top court would surely strike it down.

This was an important set of developments because in order to pass this controversial bill, the European Commission would need the support of both the European Parliament and the Council of the EU (the body representing the governments of all 27 EU Member States).

Yet for over two years, the Council of the EU has been unable to find a position that satisfies both the EU countries that (thankfully) appreciate the importance of digital security – and those whose terrifying mission is to break encryption and put an end the presumption of innocence online.

Orbán pushes for backdoors into Europe’s private chats

In summer 2024, the government of Hungary became the fifth country to be given the unenviable task of attempting to broker a common position of the Council of the EU on this ill-fated law. The European Commission has long been trying to convince Member State governments that the proposed Regulation is legally sound (it isn’t), would protect encryption (it wouldn’t) and that reliable technologies already exist (they don’t).

Thankfully, leaked documents from September 2024 reveal that countries including Germany, Poland, Austria, Estonia, Slovenia and Luxembourg remain firm in their insistence that any such law must still comply with human rights and technological reality. Their leaders have been clear that until the proposed Council position meets these criteria, they cannot agree to it.

But pressure has been mounting on the countries that have been on the fence – apparently including the Netherlands, France and Italy – to say “yes” to a proposal that would give police a back door into everyone’s private digital chats.

According to Politico and to local reports, notorious Hungarian Prime Minister, Viktor Orbán, pulled out all the stops to try and convince the Netherlands to support the latest text. And in the last few days, he came worryingly close to succeeding.

Surprise as spooks come to the rescue

In late September, digital rights groups were shocked to hear reports that the Dutch government was suddenly considering endorsing Hungary’s proposal. The Netherlands had previously committed that they would not support any proposal on this law until they could be sure that it would protect encryption. But they may have been swayed by pervasive false claims that the latest proposal, coined “upload moderation”, protects encryption.

Over three hundred researchers and scientists from across Europe and beyond quickly jumped in to (once again) remind all EU governments that this completely contradicts widespread expert consensus. There is no way to systematically scan and report on private messages and keep those messages secure, regardless of whether you do this scanning on a person’s device or elsewhere.

On 1 October, following significant mobilisation from civil society, including EDRi member Bits of Freedom and national opposition politicians, the news broke that the Netherlands would officially abstain from the proposal. This is a welcome development, because it means that Hungary does not have a majority to move forward with their proposal, instead having to remove the CSA Regulation from an upcoming Council agenda.

One of the most interesting parts of the Netherlands’ will-they-won’t-they saga, however, is the fact that one decisive element seems to be an opinion of the national security service. Dutch spooks warned their government that the latest proposal would threaten the cybersecurity of the country, putting national security at risk. This is a warning that should resonate with other countries, too.

Dead but not buried (yet)

It’s hard to see where Hungary can go from here. Despite repeated attempts by several countries, it has once again been shown to be impossible to have a law that protects encryption whilst simultaneously undermining it, nor to legalise illegal mass surveillance.

This should be the final nail in the coffin for this Frankenstein’s Monster of a law, which EDRi has warned since the beginning is legally and technically infeasible. No amount of linguistic gymnastics can change that.

But this file has come back from seemingly being dead several times already in recent years. Since the very advent of encryption, governments have been arguing that they should be able to have widespread access to the encrypted communications of people even without reasonable suspicion.

With a new Commission taking up the charge at the end of 2024, this is an opportunity to press the reset button, and start again. We deserve a better proposal which would tackle the grave issue of child sexual abuse in a way that complies with EU human rights law. One which would ensure a safe internet for all, rather than causing even more harm.

Read the full article here.

Gerelateerd nieuws

Ontslaat het pseudonimiseren van gegevens mijn onderneming van de verplichtingen op grond van de AVG?

Het blijft een uitdaging: welke gegevens worden aangemerkt als persoonsgegevens onder de Algemene Verordening Gegevensbescherming (AVG)? Onlangs boog de Rechtbank Midden-Nederland zich over dit vraagstuk, specifiek met betrekking tot de zogenoemde HoNOS+-gegevens. Deze gegevens zeggen iets over de geestelijke en sociale toestand van cliënten. Het oordeel van de rechtbank? Deze gegevens zijn géén persoonsgegevens, waarom niet? Lees hieronder de blog van advocaat bij Elferink & Kortier Advocaten, Tom Boitelle.

Data & Privacy

NIS2: risicoanalyse van eigen organisatie helpt om grip te krijgen op leveranciersmanagement

De Europese NIS2-richtlijn heeft als doel de digitale weerbaarheid van organisaties én hun toeleveranciers te versterken. Dat betekent dat bedrijven niet alleen hun eigen cyberrisico’s moeten begrijpen, maar ook die van hun toeleveranciers. Dit roept bij veel organisaties een belangrijke vraag op: wat betekent dit nu voor ons leveranciersmanagement?

Data & Privacy

Wetsvoorstel: meer bevoegdheden voor burgemeester bij online ordeverstoring

Op 4 juli is een wetsvoorstel in consultatie gebracht dat twee nieuwe bevoegdheden aan de burgemeesters toekent. Hiermee kan de politie onder zijn gezag persoonsgegevens uit publiek toegankelijke bronnen vergaren over de dreiging van een ernstige verstoring van de openbare orde. Het doel van het wetsvoorstel is dat de burgemeester en de politie meer zicht krijgen op ernstige verstoringen van de openbare orde en zij op basis daarvan adequater maatregelen kunnen treffen om deze te voorkomen, beletten of te beëindigen.

Data & Privacy

Wat leren we van het datalek bij Bevolkingsonderzoek Nederland

Vandaag werd bekend dat er een groot datalek heeft plaatsgevonden bij (onder andere) Bevolkingsonderzoek Nederland. Dit is een instantie in Nederland die belast is het met uitvoeren van bevolkingsonderzoeken naar borstkanker, baarmoederhalskanker en darmkanker. In het kader van deze onderzoeken worden ontzettend veel persoonsgegevens verwerkt, waaronder bijzondere persoonsgegevens (zoals uitslagen van tests) en gevoelige persoonsgegevens (zoals bsn). Nu is gebleken dat gegevens van ongeveer 485.000 Nederlandse vrouwen gestolen zijn via een toeleverancier. Het gaat daarbij onder andere om allerlei soorten persoonsgegevens, zoals adresgegevens, medische gegevens (zoals uitslagen) en burgerservicenummers. Het datalek vond plaats bij het laboratorium dat uitstrijkjes en zelftesten analyseert. Deze gegevens zijn nu dus gestolen en volgens de nieuwsberichten worden deze aangeboden op het dark web. Naar aanleiding van de berichtgeving willen we kort stilstaan bij enkele zaken die opvallen.

Data & Privacy