Data retention and encryption emerged as the most pressing issues for law enforcement in the EU government’s comments on the establishment of a High-Level Expert Group on police access to digital data.

Data retention is a long-standing issue in Europe, as governments have sought to give their law enforcement agencies to hold onto electronic data that might be relevant for investigations.

Meanwhile, EU and national courts have repeatedly struck down disproportionate data harvesting practices.

The capacity of police forces to obtain and retain electronic communications data has caused the stalling of the ePrivacy Regulation, a legislative proposal that an increasing number of countries think will never see the end of the legislative process.

“The subject of data must be approached in a global and coherent manner, and not be limited to questions of access, but also preservation and exploitation,” France’s commentary reads.

Estonia puts it more bluntly, stating that “data retention is the basis of this whole topic. Simply put: if there is no data retained, there is no point in talking about access to data.”

Lithuania and Poland both reiterated this point, calling for the group to be co-chaired by the Commission and the rotating presidency of the EU Council of Ministers.

France adds that there should be regular monitoring by the Standing Committee on Operational Cooperation on Internal Security (COSI), which ensures the cooperation on EU internal security matters, “in conjunction with the justice sector”.

Moreover, Warsaw also wants sub-groups dedicated to encryption and data localisation. Indeed, Paris sees both issues as playing a pivotal role in fighting criminal organisations and terrorist networks.

In addition, the French government said that rather than taking stock of existing legal cases on the issue of data retention, the new body should propose concrete guidelines to address the challenges security forces face in this area.

France also wants to define a clear mandate and precise methodology for the group to develop “a common framework for data retention and access that is balanced with regard to the preventive and law enforcement needs of the member states”.

Paris pointed to its attempt to establish an open dialogue with judicial authorities, civil society, data protection, national lawmakers and industry players, an example the Swedish presidency is invited to follow.

Regarding participation, several countries supported the idea of including technical experts in the group. Still, Belgium said that to do that, “you have to have a profound knowledge of the involved digital technologies”.

As for who should be part of this group of experts, Greece and the EU Fundamental Rights Agency (FRA) mentioned the involvement of non-constitutional actors “as appropriate”, but according to Greece, this “should be more clearly detailed and agreed upon”.

Child sexual abuse: Data retention, quick removals top concerns for EU states

In formal comments on a draft law seeking to fight child sexual abuse material (CSAM), EU countries have highlighted end-to-end encryption, quick removals of such material, and preservation of evidence, according to internal comments seen by EURACTIV.

While most countries thanked the Swedish presidency for including this topic among its priorities, Warsaw mentioned that the presidency’s identified areas and challenges should not be considered exhaustive.

In this regard, Slovenia pointed to the need to find practical solutions for the legal basis necessary to “access to data, especially in connection to data retention and encrypted information.”

The Czech Republic also emphasised that a clear legal framework is needed, for example, “to distinguish legitimate calls from fakes using a combination of contact number spoofing with AI voice manipulation”.

Besides data retention, the EU countries’ other most emphasised aspect is end-to-end encryption.

However, according to Estonia, data retention should be dealt with first, before encryption, or in parallel since “it doesn’t matter much if the content is encrypted if the data simply isn’t there”.

While they think that end-to-end (E2E) encryption should not be weakened, Tallinn admitted that it is unclear what this means.

“If the service provider, court or some other institution has the key, is the E2E weaker? Perhaps we are talking about the reluctance to technical weakening of the system? In other sense, is the door weaker if someone has the key?” the Estonian commentary reads.

Encryption can still pose challenges, even “if the information was not subject to lawfully intercepted communication and was found using other lawful measures (e.g. house search) stored on data carrier (eg. data stored on HDD encrypted with TPM chip),” said the Czech Republic.

France raised the point that access to digital evidence might become even more challenging if stored in IT infrastructure outside the EU. Sill, access to data can cause problems also in the EU, as past legal cases have shown.

Germany’s ongoing debate on data retention

Even though the European Court of Justice ruled against data retention a few weeks ago, in Germany, the debate on the topic does not seem to end. The government is still not in agreement on whether to follow a “quick …