Home Knowledge To Encrypt or Not to Encrypt?

To Encrypt or Not to Encrypt?

June 23, 2017
Partner
John O’Connor
Partner
Leo Moore

The European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (LIBE) released on 9 June 2017 its draft report on the proposals for a new e-Privacy Regulation set to take effect alongside the General Data Protection Regulation (GDPR) on 25 May 2018.

LIBE proposed that “providers of electronic communications services” protect electronic communications data “by using specific types of software and encryption technologies.” This is in contrast to the language of the European Commission’s proposed e-Privacy Regulation which does not prescribe encryption but calls for “specific types of software or encryption technologies.”

While the GDPR does not make encryption of data mandatory for Data Controllers or Data Processors, it does encourage encryption as a means of enhancing “appropriate technical measures” for securing data. LIBE’s proposal, in relation to the e-Privacy Regulation, goes much further. 

Interestingly, as the proposed e-Privacy Regulation is designed to prevail over GDPR in relation to “electronic communications data that are personal data”, LIBE’s proposal would oblige “data controllers” and “data processors” to encrypt electronic communications data both at rest and in transit.

In Ireland, the General Scheme of Data Protection Bill 2017 mirrors the GDPR’s language around encryption. Additionally, current guidance from the Office of the Data Protection Commissioner recommends, but does not mandate, 256 bit whole disk encryption “where personal data is stored on a portable device or transmitted over a public network”. The Article 29 Working Party have been similarly reluctant to mandate encryption.

If adopted, LIBE’s proposals would put the EU on a privacy law trajectory diametrically opposed to the UK. Not only do LIBE’s proposals appear to contradict current UK legislation, i.e. the Investigatory Powers Act 2016, but they may also complicate UK government plans (as reported by media) for a ban on end-to-end encryption. 

Whether the proposed e-Privacy Regulation will be finalised by May 2018 is still very much in doubt. However businesses, the public sector and law enforcement authorities will undoubtedly be paying close attention to developments in this area. 

Contributed by John O’Connor

Recommended Insights

See all
Article and Insights
1
Feb 2024
Responsible Business Annual Report 2023
William Fry is pleased to launch its Responsible Business Annual Report 2023.
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
2
Feb 2024
John Delaney Documents – Supreme Court Refuses Leave to Appeal
The Supreme Court has refused leave to appeal from a decision rejecting John Delan...
WF_author_blank
Consultant
Deirdre O’Donovan
Article and Insights
24
Jan 2024
Cross-Examining Affidavit Evidence in Insolvency Cases
The High Court recently dismissed a petition seeking the winding up of a biofuel c...
WF_author_blank
Partner
Fergus Doorly
prev
next
See all