Privacy vs. Security: Will data legislators keep cool heads post-Paris?

United Kingdom

Following the recent horrific terror attacks in Paris, it is human nature to want law-makers to take all possible measures to protect us. But at the centre of this legislative process is the core requirement to balance the need for security with the right to privacy, and the international tech community is campaigning for data legislators to keep cool heads when making this judgement in the emotional wake of the attacks.


Before the recent terror attacks in Paris, the pro-security debate around government policy on encrypted communications had been ramping up, whilst every data breach set the tech community encrypting more ferociously. But now that terrorists may have used encrypted communications to organise attacks beyond the eyes of French authorities, the encryption debate has become even more heated and legislators are starting to take action. Governments now have a reason to shout louder for the right to see all private encrypted communications, i.e. a “back door” through tech security systems.

But Apple’s CEO says, “you can’t have a back door that’s only for the good guys”. In the tech world, many (including the Information Technology Industry Council (ITI), representing brands such as Apple, Google and Microsoft) are asking for cool heads to prevail in the emotional wake of the attacks. They want governments to seek a different solution, as weakening encryption would hurt the infrastructure of Internet security and personal privacy more broadly. Tech companies work hard to make their products as hacker-proof as possible, using encryption in response to the recent cybercrime epidemic.

UK Investigatory Powers Bill

This encryption debate is being played out in the UK with the draft Investigatory Powers Bill (the “Bill”) at its core. The Bill was published on 4 November 2015 and was set to be introduced to Parliament in Spring 2016, but following the Paris attacks, MPs have agreed to “fast-track” the Bill through Parliament; a joint select committee report is expected by 11 February 2016, allowing only a few weeks to conduct expert hearings before Parliament breaks for Christmas on 17 December.

Major encryption provisions in the Bill include the prohibition of “end-to-end encryption” and an obligation on tech companies to “maintain capability to comply” with data search warrants issued by law enforcement agencies. The UK government argues that these measures are increasingly necessary because strong encryption is putting the country and its allies at risk.

On the other hand, the UN's special rapporteur on privacy, Joseph Cannataci, has described the draft Bill as “worse than scary”. The tech community warns against rushing such a serious surveillance Bill through Parliament on a wave of emotion, and says that the debate must be held maturely and intelligently. The ground-breaking Bill could give law enforcement agencies the right to see private data (conversations held over WhatsApp, for example) and force companies to engineer potentially vulnerable loopholes into systems which they believe are otherwise secure.

Data Protection Directive for Police and Criminal Justice

With so much focus in the data protection world on the negotiation of the General Data Protection Regulation (“GDPR”) and the promise of a resolution being adopted before the end of the year, you may have forgotten that the Data Protection Directive for Police and Criminal Justice (the “Directive”) comes part and parcel with the new data protection regime. All three of the EU’s law-making bodies believe that the way in which the private and public sectors deal with personal data comes as a package deal.

A key purpose of the Directive will be to ensure that law enforcement authorities across the EU have access to the personal data necessary to investigate and prevent terrorism, through harmonised data protection rules. However, just as in the encryption debate, this negotiation is once again one of privacy vs. security.

The EU Council backed the draft Directive in early October, putting the legislative process on track to complete by the end of the year. However, post-Paris, a pro-security voice has been raised in the negotiations by German MEP Axel Voss of the European People’s Party (“EPP”), who has called for the Directive trilogue to be suspended entirely. Voss made a statement on the EPP website on 16 November asserting, “The Paris terrorist attacks have shown that the security of our citizens has to prevail over bureaucracy! These negotiations are going in the wrong direction and we have to stop them now and call on the European Commission to come forward with a modified proposal which reflects reality!”

However, rather than suspend the negotiations, many other MEPs have emphasised the urgency with which the Directive must now be passed. Again, people are calling for cool heads to prevail in the emotional wake of the attacks; however, it is unclear whether bringing these recent additional concerns to the table might cause delay.

Other recent pro-security legislative measures

At an Extraordinary Meeting of the EU’s Justice and Home Affairs Council held on 20 November, Luxembourg's Minister of Justice, Félix Braz, made it a Council priority to finalise the Passenger Name Record (“PNR”) Directive by the end of 2015, stressing the urgency of the measures aimed at obliging airlines to hand EU countries the data of passengers entering or leaving the EU. Question marks for privacy rights in the PNR Directive remain, primarily over the retention period for this data, with the opinions of each EU law-making body ranging between “a sufficiently long period”, “one year” and “30 days”.

Félix Braz also announced an extension of the European Criminal Records Information System (ECRIS) to third country nationals as a matter of urgency.

In Cyprus, on 27 November the House of Representatives passed a bill that will allow police to monitor private electronic communications with a court order to “lift the communications privacy” of criminal suspects.

Also on 27 November, the Australian government released a second draft of legislation requiring telecommunications providers to increase network protection and provide greater oversight to government agencies to intervene for the purpose of protecting national security.

And meanwhile in the pro-security camp, on 30 November it was reported that the personal data of nearly 5 million parents and more than 200,000 children has been exposed in a data breach at Chinese company VTech.