The European Court of Human Rights, or ECHR, has made a landmark ruling on data encryption that could affect the European Union’s online safety efforts. 

The court issued the decision on Tuesday but it got wide attention only today. It was made in connection with a 2019 complaint brought by a Russia-based user of Telegram, the popular messaging service. The case centered on a privacy technology known as end-to-end encryption.

With end-to-end encryption, a message sent through a chat app is scrambled before leaving the sender’s device and only becomes readable on the recipient’s handset. This ensures not even the chat app’s operator, in this case Telegram, can read the message. The company provides an opt-in end-to-end encryption option through a feature called “secret chat.”

In 2017, Russia’s intelligence agency ordered Telegram to decrypt the communications of “users who were suspected of terrorism-related activities.” The company refused to comply with the order, saying it would be impossible to do without “creating a backdoor that would weaken the encryption mechanism for all users.” In 2019, a Russian Telegram user brought a complaint before the ECHR charging that such a backdoor would breach Telegram users’ right to respect for their private life and for the privacy of their communications.

In its Tuesday ruling, the court accepted that position. The judges wrote in the decision that “the contested legislation providing for the retention of all Internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society.”

According to Ars Technica, it’s believed the ruling could have implications for an online safety bill currently being developed in the EU. The proposed legislation is commonly referred to as Chat Control 2.0. The implications of the ECHR encryption case for the bill will reportedly depend on whether Tuesday’s ruling is endorsed by the Court of Justice of the European Union, the EU’s top court.

The initial version of Chat Control 2.0 was proposed in May 2022. If implemented, the bill will require tech firms that offer chat apps and other communications services to scan users’ encrypted messages for illegal content such as child sexual abuse material. The rule would also apply to certain other companies, notably operators of commercial cloud storage services.

The original version of the bill would have required companies to scan all their users’ messages for illegal content. In November, the European Parliament’s civil liberties committee updated the draft with safeguards designed to prevent mass content scanning. The final text of the bill will be developed through negotiations between the European Parliament and EU member states. 

Image: Unsplash