Last Updated on 2025-06-23 by Joop Beris
There’s something strange going on in Europe. While we have some of the strongest privacy laws in the world, while we fine companies for violating user rights all while considering the most draconian surveillance laws imaginable. Again, the EU is considering a mass surveillance law that, if implemented, will basically put an end to online privacy.
ProtectEU
This new mass surveillance law is proposed under the banner of ProtectEU, an initiative of the European Commission to strengthen the internal security of Europe. It includes plans for intelligence sharing, measures to fight serious crime and combating terrorism. All very laudable initiatives of course but as usual, the devil is in the details. Tucked away in this grand initiative is a plan to have service providers gather and retain data for law enforcement. But wait, I hear you say: didn’t we already have such a law in the EU?
Yes, such a law existed before. In March of 2006, the EU made the Data Retention Directive. The law required telecom and internet providers to store data on users for up to 2 years. The European Court of Justice struck it down on April 8, 2014 on the following grounds:
- Interference with privacy
- Breach of proportionality
- Lack of safeguards
But like a hydra, no matter how often you cut off the head of the surveillance monster, another head will grow back. Fast forward to 2025 and here we have ProtectEU, proposing that telecom and internet providers store metadata for law enforcement. It’s not clear what has changed in the past 11 years that would make the collection of metadata suddenly okay according to the European Court of Justice, but here we are.
Why this proposal is an end to online privacy
At this point, I can’t help but think back to 2011 and 2012 when I was very active in the fight against ACTA. At that time, I also accused the European Commission of ignorance and arrogance. It appears that the EC just never learns. So, let’s break down what is wrong with ProtectEU and why it deserves a strong “No”, just like the Data Retention Directive did and the proposal for client-side scanning of chat messages.
The myriad problems
- Controversial encryption measures
The Technology Roadmap on encryption proposes exploring legal mechanisms for lawful access to encrypted communications, basically undermining End-to-End encryption. The whole premise of E2EE is that no one but the sender and recipient can read what was sent. The only ways to make this possible, would weaken encryption and make communications less safe for everyone. This would go directly against the NIS2 directive, which intends to strengthen information security in Europe. - ProtectEU seeks to legalize mass retention of data
This part of ProtectEU is just the Data Retention Directive 2.0, going directly against the ruling of the European Court of Justice. Metadata can reveal sensitive personal data and the mass retention of it, will amount to mass surveillance of all Europeans on an unprecedented scale. While catching criminals and terrorists are laudable goals, such a measure is entirely disproportionate. - Elimination of anonymity
The ProtectEU also seeks to tie every action to an identity. This would make it illegal to hide your identity online and use a VPN to mask who you are. Tools to protect your identity would be forced to retain logging to identify you and connections should be logged under your legal name, turning the entire EU population into permanent suspects. - Backdoors by design
Manufacturers of security hardware and software are forced to built backdoors into their systems for law enforcement. This again would make everyone less safe online because those backdoors will be found and exploited by adversaries. A backdoor for one is a backdoor for all. - Resistance is criminalized
People, organisations or companies who refuse to comply are faced with fines, market bans or prison. This would outlaw apps like Signal, because the Signal foundation actually seeks to preserve privacy. - No exceptions
The directive covers every “electronic communication service”, no matter what its purpose, who operates it or how big or small it is. So setting up a small, private chat server for your own family or friends, would still be illegal under the new directive.
(Photo by Anna Shvets on Pexels.com)
Secrecy
You may wonder who the hell would think up such a draconian idea in a supposedly democratic environment, where we value individual freedom and personal autonomy. Well, the European Commission won’t tell us. The draft of the directive comes from an unknown lobby group and outsiders were not consulted. When Patrick Breyer a German member of the European Parliament requested this information, he received a list where every name had been censored. This so called “High Level Group” has done its entire work in the shadows. How’s that for transparency and the democratic process? Well done, European Commission! I guess my criticism still stands.
It’s not too late, yet
Apparently, it is once again time to explain to the European Commission that in a world where privacy and anonymity are outlawed, only criminals will enjoy privacy and anonymity. The European Commission is asking for your feedback on their latest attempt to further turn Europe into a surveillance state. I urge you and every other EU citizen to go there and tell the European Commission to stick their proposal where the sun doesn’t shine! While you still can, of course…
Comments