Every year on January 28, the international Data Privacy Day is held. We take this day (or the week it falls in) as an opportunity to highlight once again the significance of data protection and online privacy – and each year, we must stress that these topics are more important than ever before.
The Age of Artificial Intelligence
In 2018, the following words of warning were published on this blog on the occasion of Data Privacy Day:
Once the data is acquired, it can be duplicated at will and preserved indefinitely. For what purposes the data can and will be used is uncertain; it might lead to totally unforeseen conclusions about the users who generated it.
At that time, however, there was no artificial intelligence as we know it today in the form of ChatGPT and similar models. Add to that the fact that we now spend even more time on the Internet, which means that potentially even more personal data accumulates in less time.
In light of these circumstances and given the rapid advancements in the field of AI, the potential conclusions that can be drawn about Internet users based on the massive amount of collected data are considerably more concerning than they were a few years ago.
Mass Surveillance Through “Chat Control”
However, AI advancements and larger data pools are just two of many factors that contribute to the increased relevance of online privacy and data protection. Another factor is the various bills that call for large-scale surveillance of each and every Internet user.
The EU’s surveillance bill was appropriately nicknamed “Chat Control” and has managed to stir up controversies on various levels. For example, European media outlets exposed the multi-million-dollar lobby network (consisting of tech companies, security authorities, and PR agencies) behind the bill’s proponents. Furthermore, the EU Commission was heavily criticized (and may have to face legal consequences) for promoting the bill using an ad campaign that was targeted at specific social media users based on their political views and religious beliefs.
The following open letter, which was signed by numerous privacy-first companies and sent to the EU’s member states, outlines why we vehemently reject the Chat Control bill in its original form and why we believe it to be not only completely ineffective but also incredibly dangerous:
Dear Ministers of the Interior, Justice, and Economy of EU Member States,
We write to you as small and medium-sized companies and organizations from Europe, concerned about the proposal for a Regulation on Child Sexual Abuse (CSA). Collectively, we call on you to ensure that your country’s position on this file is brought as close as possible to the European Parliament’s (EP) one.
We all agree that ensuring children are safe online is one of the most important duties of tech companies and for this reason, we find the European Commission’s proposed Regulation extremely worrying. If it were implemented as proposed, it would negatively impact children’s privacy and security online, while also having dramatic unforeseen consequences on the EU cybersecurity landscape, on top of creating an ineffective administrative burden¹.
The European Parliament recently adopted its position on the file, acknowledging that scanning technologies are not compatible with the aim of having confidential and secure communications. The crucial changes it therefore puts forward for the proposal reflect the opinions of the European Data Protection Supervisor (EDPS), the Council legal services as well as countless experts in cryptography and cybersecurity². It also reflects the opinion of between 63% and 69% of the companies, public authorities, NGOs and citizens consulted by the European Commission in its Impact Assessment³.
As small and medium-sized tech companies and organizations, we share their concerns as we know that looking for specific content – such as text, photos and videos – in an end-to-end encrypted communication would require the implementation of a backdoor, or of a similar technology called “client-side scanning.” Even if this mechanism is created with the purpose of fighting crime online, it would also quickly be used by criminals themselves, putting citizens and businesses more at risk online by creating vulnerabilities for all users alike.
Data Protection Is a Strong Competitive Advantage
As tech companies operating within the European Union, we have built products and services in line with the strong data protection framework of the EU which still serves as an example and inspiration across the world.
The GDPR allowed for the creation of ethical, privacy-first tech companies in Europe that would otherwise never have been able to compete against Big Tech. It gave European companies a strong competitive advantage in that field internationally and allowed consumers to finally be able to find alternatives to American and Chinese services. Our users, both within the EU and beyond, have come to trust our commitment to safeguarding their data and this trust is a key driver of our competitiveness. The learning curve for adapting to the necessary administrative burden brought about by the GDPR was high but was worth it.
However, the CSA Regulation could threaten this unique selling point of European IT companies and would also add a new administrative burden which we fear could overwhelm both our companies and law enforcement bodies. Considering the volume of communications and content transiting through our services, even an insignificant error rate of the technologies applied to scan for abusive material would result in millions of false positives to be manually reviewed every day.
The CSA Regulation Could Erode Trust and Safety Online
In a world where data breaches and privacy scandals are increasingly common, the EU’s reputation for stringent data protection is a unique selling point for businesses operating within its borders. It provides us with a competitive edge, assuring our customers that their information is handled with the utmost care and integrity. This trust, once eroded, is challenging to rebuild, and any measures that compromise it, such as mandatory scanning or mandatory age verification, have the potential to harm businesses both large and small.
Furthermore, the EU has recently adopted Regulation 2023/2841, which mandates that EU Institutions and bodies consider the use of end-to-end encryption among their cybersecurity risk-management measures. There are also multiple “cyber” EU proposals currently on the table, such as the Cyber Resilience Act and the Cybersecurity Act. Supporting an opposite approach for the CSA Regulation would only undermine the EU cybersecurity framework, creating a contradictory, incoherent and inefficient new set of measures that companies would not be able to enforce without putting citizens and businesses at risk.
The EU Parliament’s Proposal Goes in the Right Direction
Therefore, we applaud the European Parliament for its resolute stance in defending the European citizens’ right to privacy and secure communication. The European Parliament’s commitment to these principles is not only a testament to its dedication to human rights, but also a beacon of hope for businesses like ours that prioritize data protection and security. The position of the Parliament includes alternatives to scanning which have a minimal impact on cybersecurity and data protection, and which experts believe would be both more effective and more efficient than mandatory scanning. Such changes of paradigm would mean going beyond the false dichotomy between privacy and security, while also making the proposal respect the proportionality principle, as requested by the Regulatory Scrutiny Board.
Even if not perfect in our eyes, the changes the European Parliament made in its position are a good compromise to maintain digital security and confidentiality and to better protect children online. We believe that these changes strike the right balance between child protection and safeguarding privacy and cybersecurity.
As representatives of the vibrant European small businesses community, we encourage EU Member States to continue championing the values of privacy, cybersecurity and data protection. These principles not only align with the EU’s commitment to human rights, but also serve as a foundation for a thriving and competitive business environment. Let us defend and strengthen these principles, ensuring that the EU remains an advocate of privacy in the global marketplace.
For these reasons we call on you to:
- Ensure that Council’s position is aligned as closely as possible to the European Parliament’s. This will allow for a swifter adoption of the Regulation while building on the important work of the European Parliament.
- Maintain the high level of fundamental rights – and in particular data protection – enjoyed by citizens in the European Union.
- Refrain from forcing companies like us to conduct mass surveillance of private correspondence on behalf of law enforcement agencies.
- Guarantee a high level of cybersecurity in the EU by protecting end-to-end encryption and bringing the necessary safeguards in the text. Client-side scanning and backdoors in particular should not be mandated.
- Preserve the confidentiality of correspondence.
- Minimize the administrative burden of the proposal by making it more effective and efficient, through alternatives to mass scanning.
Blacknight Solutions (Ireland)
E Foundation (France)
Element (United Kingdom)
Mail.de GmbH (Germany)
Matrix Foundation (United Kingdom)
One Privacy (Luxembourg)
The Tor Project (USA)
Trade Associations and Supporters:
ACT | The App Association
Privacy & Access Council of Canada
Studio Legale Fabiano
1 A detailed summary of the proposal, drafted by the NGO EDRi, is available here.
2 For more information, you can read their statement from July 2023.
3 See in particular page 134 of the impact assessment.