To Encrypt or Not to Encrypt?

25/06/2017

The European Parliament's Committee on Civil Liberties, Justice, and Home Affairs (LIBE) released on 9 June 2017 its draft report on the proposals for a new e-Privacy Regulation set to take effect alongside the General Data Protection Regulation (GDPR) on 25 May 2018.

LIBE proposed that "providers of electronic communications services" protect electronic communications data "by using specific types of software and encryption technologies." This is in contrast to the language of the European Commission's proposed e-Privacy Regulation which does not prescribe encryption but calls for "specific types of software or encryption technologies."

While the GDPR does not make encryption of data mandatory for Data Controllers or Data Processors, it does encourage encryption as a means of enhancing "appropriate technical measures" for securing data. LIBE's proposal, in relation to the e-Privacy Regulation, goes much further.

Interestingly, as the proposed e-Privacy Regulation is designed to prevail over GDPR in relation to "electronic communications data that are personal data", LIBE's proposal would oblige "data controllers" and "data processors" to encrypt electronic communications data both at rest and in transit.

In Ireland, the General Scheme of Data Protection Bill 2017 mirrors the GDPR's language around encryption. Additionally, current guidance from the Office of the Data Protection Commissioner recommends, but does not mandate, 256 bit whole disk encryption "where personal data is stored on a portable device or transmitted over a public network". The Article 29 Working Party have been similarly reluctant to mandate encryption.

If adopted, LIBE's proposals would put the EU on a privacy law trajectory diametrically opposed to the UK. Not only do LIBE's proposals appear to contradict current UK legislation, i.e. the Investigatory Powers Act 2016, but they may also complicate UK governmental plans (as reported by media) for end-to-end encryption.

Whether the proposed e-Privacy Regulation will be finalised by May 2018 is still very much in doubt. However businesses, the public sector and law enforcement authorities will undoubtedly be paying close attention to developments in this area.

Read more:https://www.lexology.com/library/detail.aspx?g=33d3bbbd-8835-430c-9454-5f702b414e65