SAFETY OR PRIVACY? BALANCING THE PROTECTION OF DIGITAL AND FUNDAMENTAL RIGHTS IN THE EU

Privacy is a highly valued right whose protection became exponentially more important after its combination with new mass-communication technologies. But new technologies may also bring about new problems. Legislation and Government seek to balance the right to privacy and the protection of other human rights regarding Electronic Communication Services.



The right to private communication is considered a human right itself and it is protected as such in both international and national legal provisions. Italy, as one of the members of the European Union, tries to guarantee this right as well, complying with the European standards and regulating it within its legislation. Attached to the stronger protection of privacy, Instant Messaging Platforms have widely spread throughout the last decade, enabling us to share data and media with other users in real-time. The massive success of these new forms of communication has also raised concern over the protection of our private virtual conversations. This led to many software creators developing new technologies to guarantee privacy between customers.

How is Privacy Protected and Attacked in Virtual Conversations?

The most common of these techniques to safeguard users’ privacy is data encryption, by which the message is coded in a way that is only readable to those who share the code of encryption. WhatsApp, one of the most popular platforms, uses a widespread technology of encryption called end-to-end encryption or E2EE. Using this technology, any message and even multimedia information becomes unreadable to any third eye and thus only readable by the final recipient of the information. This technique should protect our privacy even from the service provider. WhatsApp then would only store our information without being able to read the content of the conversations that take place between its users.

While companies try to protect the privacy of their users against interceptions carried out by other individuals or third parties, new modes of hacking this technology arise. The E2EE has also spread the use of spyware, which is an illegal software that hacks devices for the acquisition of a person’s private information without their notice.

Privacy Protection by the authorities – The Case of Italy

In theory, our information is – or should be - only ours. However, that information risks being stolen. When it comes to domestic legislation the level of protection granted may vary. If we analyse the case of Italy, article 15 of its Constitution protects freedom and secrecy of communication in any of its forms. Interception, according to the Italian Criminal Code in its article 617 quarter, is the illicit listening and/or recording of external communication through a mechanic or electronic devices, breaking thus into the private sphere of another. Alternatively, Article 615 bis of the Italian Criminal Code regulates crimes of capturing data and images related to private life. These crimes are regulated as such to ensure the inviolability of the domicile of the person, understanding the virtual data as part of the private sphere of the person, and the interception as a violation of the individual space necessary for personal development of life.

But can the Government access our information? Interception can be carried out by the government only when requested by the Giudice per le Indagini Preliminari and in some circumstances (with the notification and eventual authorization of the same judge), also the Prosecutor, through the judiciary police. These cases are regulated by law in articles 267 and 268 of the Criminal Procedure Code.

Hacking powers are thus given to the authorities in proceedings relating to a list of predefined serious crimes, established in article 266 (1) of the Italian Code of Criminal Procedure and when there is serious evidence of the commission of a crime. Due to the encryption techniques, the acquisition of the information becomes more difficult.

Authorities can request data that, even if it is not the actual content of the conversation, is still highly valuable. The information regarding phone numbers contacted, the device used, the network to which it is connected, the time and length of a conversation, or the IP are stored by the software provider and can be requested by the authorities when necessary.

How far can this go?

Therefore, interception becomes possible when aimed at enhancing our safety but, how far can they go under this justification? Appealing to security can be vague enough to open new situations when interception can take place to the detriment of our right to privacy. For instance, with child pornography, people may think differently when you have to sacrifice one for the other. This is exactly one of the side-effects that may arise from the European Commission’s new proposal, submitted on the 11th of May 2022, for the Regulation “laying down rules to prevent and combat child sexual abuse” ("The Regulation”).

For this purpose, one of the measures that the Commission wants to implement is the obligation of Instant Messaging, Search Engines, and Online Shopping Platforms to monitor the explicit content of the communications between its users within EU Members. The explicit process to reach this goal is not specified by the regulation, thus granting free rein to the companies to find the most effective way to comply. The new regulation introduces an obligation of result, whose means can be directly harmful to digital rights like privacy and secrecy of information.

It is important to note that this draft regulation comes from a different part of the Commission than the rest of the EU’s digital service regulatory efforts. Instead of coming from the Directorate-General for Communications Networks, Content, and Technology, it comes from the Directorate-General for Migration of Home Affairs, which has a reputation for giving primacy to security to the detriment of privacy and digital rights as the secrecy of communication.

Consequences of Renouncing Privacy

Some limits have been set to the Regulation. This new piece of legislation proposes under article 7(4) that the motivating reasons for issuing the interception of the information “must outweigh the adverse consequences for the rights and legitimate interests of all concerned”. In this case, the interest at stake is the protection of children’s rights and the prevention of any kind of harm to them.

Despite the extended opinion of experts which state that tasks of scanning and surveillance are not safe, the European Commission decided to proceed with the Regulation, giving direct access to government and companies to intercept what used to be private and secure communications. EDRi (European Digital Rights) highlighted different ways in which the new regulation can prejudice society, undermine the right to privacy and encourage the misuse of information by malicious actors.

The most likely scenario to perform that task could be the content verification by the company before the encryption or the use of spyware that would remove the obstacle of end-to-end encryption or the possession of the device. The procedure suggested by the Commission is the use of an AI technology called hashing, characterized by doing an algorithmic scan of the information. Data and media are given long codes of numbers and letters and if they match with those inserted in the AI it will come out as positive.

These tools, which are inaccurate and highly risky to the safety of the internet structure, freedom of expression, and autonomy, are already being used in many countries of the world. As has already happened with Pegasus Software, Governments and Companies would have at their disposal valuable information for incrimination purposes coming from lawyers, politicians, activists, and civil society in general.

The impact assessment integrated into the proposal suggests Client-Side Scanning to monitor their users, which would damage our privacy as well as cause exposure to fake positives, the fact that would directly attack the innocence presumption of the people. Everyone who has one of the Instant Messaging Applications will no longer benefit from the illusion of perfect privacy conveyed by encryption techniques, as there might be an “extra” silent participant in these conversations.

Is Rights’ Protection Developing?

This might be a new ground for the political debate about the social importance of the confidentiality of communication and the hierarchy of human rights. The Regulation is still in process, but in case of being approved, the EU will be part of the global pattern which started in 2018, when the alliance between the intelligence services of Canada, New Zealand, Australia, the UK, and the US was created for the enforcement of the law to access encrypted messages. This means that the battle for digital rights is not only on the domestic level, and not even on European, as it transcends to the international level.

Less severe alternatives were possible, and several of them were proposed to the Directorate-General for Migration and Home Affairs, nevertheless, it chose to foster the most stringent measure. Four other proposals suggested non-legislative, practical measures to enhance prevention; detection and reporting of online child sexual abuse, assistance to victims or the implementation of voluntary measures by providers to report abuse”.

The European Union has strong and efficient policymaking on digital rights. Important legislation has been enacted in terms of freedom of expression, access to information, or the right to association. However, when the task of creating a regulation concerning the control exercised on the web is given to a different department, the array of rights granted might vary in the relevance given to each of them. The right to privacy might encounter some limits when it is believed to clash with other “more relevant rights”. The difficult task is to strike a balance between the right to privacy and other fundamental rights (as could be the prohibition of torture for instance) to an extent where the safeguard of one does not happen at the expense of the other. There is no doubt how important the protection of fundamental rights is, especially when it comes to the protection of children. However, the tools used for its persecution must be assessed in terms of efficiency and sustainability, rather than directly lessening others.


A cura di Adriano Lopez Manera