In its judgment Podchasov vs. Russia of February 13, 2024, the European Court of Human Rights dealt with the question of when an obligation to decrypt data is in line with the Convention.
The applicable Russian law obliges so-called “organizers of information dissemination on the Internet” to store all communication data for one year and content data for six months on Russian soil and to hand them over to the authorities in certain cases, decrypted or with a decryption option, and with users’ personal data. According to the plaintiff – Mr. Podchasov, a Telegram user – these requirements for Telegram violate the ECHR. Telegram includes optional end-to-end encryption.
The ECtHR agrees with him. The relevant Russian law is disproportionate and violates Art. 8 ECHR:
- Storing personal data in itself constitutes an interference within the meaning of Art. 8 ECHR, regardless of its use, and, as already stated in 2015 in Roman Zakharov, the existence of Russian surveillance measures constitutes an encroachment, even without access, given their secret nature, broad scope and lack of effective means of challenge;
- Justification would only come from a constitutional basis which, in particular, is proportionate. This is lacking in Russia. Although data access must be approved by a court, providers must install devices that allow law enforcement authorities direct remote access to the stored data, and the authorities do not need to present the court approval to the provider;
- Encryption has a special significance, among other things because it protects privacy and the secrecy of correspondence on the Internet;
- It is obviously technically impossible to provide keys for individual Telegram users – decryption would affect all end-to-end encrypted communication, which would weaken Telegram’s encryption technology as such.
In its reasoning, the ECtHR refers, among other things, to
- the “Report on the right to privacy in the digital age” of the Office of the United Nations High Commissioner for Human Rights (A/HRC/51/17);
- the annex to the “Recommendation CM/Rec(2012)4 of the Committee of Ministers to member States on the protection of human rights with regard to social networking services”;
- the judgment of the ECJ in the case of Digital Rights Ireland;
- the Schrems II decision of the ECJ;
- the Joint Statement of Europol and ENISA “lawful criminal investigation that respects 21st Century data protection”;
- the Joint Opinion 04/2022 of the EDPB and the EDPS “on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse”.