EU Tells US: Ban Strong Encryption, And Privacy Shield Data Sharing Agreement Could Be At Risk

As a recent post underlines, law enforcement agencies around the world are still trying to argue that things are "going dark", and that strong encryption is bad and should be made illegal. Techdirt and many others have pointed out what an extremely stupid idea this would be. Here's a further reason why the US shouldn't ban strong encryption: it might lead to the EU making data transfers across the Atlantic much harder. The possibility has emerged thanks to some formal questions to the European Commission (pdf) submitted by a Member of the European Parliament, Moritz Kirner. They include the following:
According to the news website Politico, the US government is considering a ban on encryption.
1. Would the Commission consider a similar ban in the EU to be useful?
2. Would a ban on encryption in the USA render data transfers to the US illegal in light of the requirement of the EU GDPR for built-in data protection?
The answers from the European Commission have now been published (pdf). The first response is as follows:
Encryption is one of the means of protecting confidentiality as well as privacy and is widely recognised as an essential tool for security and trust in open networks. No ban on encryption is being considered.
That's good, but:
At the same time, the use of encryption should be without prejudice to the powers of competent authorities to protect important public interests in accordance with the procedures, conditions and safeguards set forth by law. In particular, access to communications data by national authorities may be justified in individual cases by the objective of preventing or investigating criminal offences, as long as such measures are necessary, proportionate and respect due process rights.
The boilerplate caveat doesn't say how the EU aims to provide lawful access to communications data when strong encryption is employed, and so doesn't really illuminate EU policy here. By contrast, the response to the second question about the impact a US ban on strong encryption might have does provide new information:
Should the U.S. enact new legislation in this area, the Commission will carefully assess its impact on the adequacy finding for the EU-U.S. Privacy Shield, a framework which the Commission has found to provide a level of data protection that is essentially equivalent to the level of the protection in EU, thus allowing for the transfer of personal data from the EU to participating companies in the U.S. without any further restrictions.
Privacy Shield governs the flow of EU citizens' personal data to the US -- something of vital importance to US Internet companies, and many others. Because of the GDPR's requirements, that flow can only take place if the European Commission issues an "adequacy decision" -- essentially confirming that a country outside the EU offers a sufficient level of data protection. Without adequacy, US companies would be forced to take additional, more onerous measures to guarantee that EU personal data was protected to the level required by the GDPR.
The European Commission's reply indicates that adequacy could be at risk if the US were to ban strong encryption. That's surprising, because the Commission has generally tried to ignore criticisms -- from the European Parliament, for example -- about the level of data protection in the US. This may just be a little saber-rattling on the Commission's part. But it's a useful hint that a US ban would not just be bad for the Internet, but could also turn out to be bad for the US.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.