BY Jenny L. Holmes, Vincent Tennant
In June 2019, Politico reported on the Trump administration’s possible pursuit of legislation to prohibit encryption that law enforcement could not break. A member of the European Parliament reacted by raising the issue in formal questions to the European Commission.
The European Commission is tasked by the General Data Protection Regulation (GDPR) framework with issuing “adequacy decisions” to nations outside of the European Union. Adequacy decisions—based on the assessment of each government’s level of data protection compared to the level required of EU member states under GDPR—allow the flow of information freely between EU member states and other nations. Currently, the EU-U.S. Privacy Shield has been deemed adequate.
The Commission’s responses (published last month) illuminate the balance the European Commission seeks to strike between individual privacy rights and the information processing and gathering needs of other governments and address the potential effect of an encryption ban on U.S.-EU data policy.
In response to whether the Commission is considering a similar ban in the EU:
Encryption is one means of protecting confidentiality as well as privacy and is widely recognized as an essential tool for security and trust in open networks. No ban on encryption is being considered.
At the same time, the use of encryption should be without prejudice to the powers of competent authorities to protect important public interests in accordance with the procedures, conditions, and safeguards set forth by law. In particular, access to communications data by national authorities may be justified in individual cases to prevent or investigate criminal offenses, as long as such measures are necessary, proportionate, and respect due process rights.
In response to whether the U.S. ban would violate the GDPR:
Should the U.S. enact new legislation in this area, the Commission will carefully assess its impact on the adequacy finding for the EU-U.S. Privacy Shield—which the Commission previously found to have a level of data protection on par with that of the EU, thus allowing for the transfer of personal data from the EU to participating companies in the U.S. without any further restrictions.
A downgrading of the EU-U.S. Privacy Shield hinted at in this answer would likely prove very disruptive to U.S.-based business on the Internet. Without an adequacy finding, each company seeking to do business involving cross-border data would have to implement additional and burdensome compliance practices.