ProtectEU: lawful access to encrypted communications?

Here they come again …

The European Commission’s ProtectEU strategy aims, among other goals, to develop a “technology roadmap” that would enable lawful access to encrypted communications.

Superficially, this promises a careful balance: strong encryption preserved, yet decryptable when legally warranted. But beneath the veneer lies a direct conflict with the fundamental rights framework established by the European Court of Human Rights in Podchasov v. Russia (13 February 2024).

In that landmark judgment, the Court held that mandating any form of encryption weakening—such as backdoors or universal scanning—inevitably exposes all users to indiscriminate surveillance and undermines their right to respect for private life under Article 8 ECHR. The Court had no doubt: once a provider builds in decryption capability, it cannot be limited to a single suspect. It becomes a systemic vulnerability exploitable by hostile actors.

ProtectEU may frame its roadmap as respectful of encryption, but the logic is identical. Technical experts and civil society have been clear—and harshly so—warning that client-side scanning or key escrow will inevitably diminish security for all. The Commission’s insistence that “good guys only” will use these tools is quaint at best and disingenuous at worst. The ProtectEU roadmap adopts the very approach that Podchasov condemned as disproportionate and inconsistent with democratic oversight. Moreover, the ECtHR did not restrict its criticism to privacy alone. It recognized encryption as a pillar of freedom of expression, especially for journalists, activists, and vulnerable communities—those whose voices depend on confidentiality to avoid chilling or reprisal. Rolling out lawful access across the EU will chill dissent and undermine digital democracy, eroding public trust in digital services and weakening the EU’s global leadership on human rights.

The Commission’s appeal to “judicial oversight” and “case-by-case necessity” pales in comparison to the clarity of Strasbourg’s judgment. Podchasov emphasises that once surveillance capacity is built, it becomes normalized and harder to rein in. A roadmap may sound academic; a practical backdoor becomes institutional inertia.

In short, ProtectEU flagrantly violates the principles set out in Podchasov v. Russia: it targets the structural integrity of encryption, disregards the proportionality test under Article 8, and fails to protect freedom of expression. If the EU intends to uphold both its internal security and its democratic values, it must pause this roadmap, reconsider its alignment with fundamental rights, and seek investigative alternatives that do not compromise encryption.

