‘ProtectEU’ security strategy: a step further towards a digital dystopian future
The European Commission presented an internal security strategy that would undermine digital rights and even increase security threats. We unpack what ‘ProtectEU’ means for the EU’s future digital policy, including on encryption, data retention, and border surveillance.
A new strategy but cast in the same old mould
On 1 April 2025 (sadly not a joke), the European Commission released its new five-year strategic plan, ‘ProtectEU’, to address ‘internal security threats’ of the continent.
The previous strategy, coined as the ‘Security Union Strategy’, had already posed a number of problems from a digital human rights perspective. For example, it led to the dangerous ‘chat control’ proposal, which is still currently on the table and threatens the privacy, security and integrity of private communications globally (but is facing a political deadlock). It also justified not one but two reforms of the mandate of Europol, the EU police cooperation agency, and dramatically increased its surveillance powers, particularly against people on the move.
Unsurprisingly, the new strategy maintains a central role for punitive digital surveillance in the EU’s broader security agenda. The EU’s strong inclination for tech-supported securitisation is particularly worrying. In the past, technological ‘solutions’ have often been presented as silver bullets to ‘security threats’ – which are, in fact, complex societal issues requiring a holistic approach. Not only are these technologies ineffective, they are also extremely harmful, including for the ones they claim to protect in the first place.
The techno-solutionist risk is tangible. The internal security strategy promises increased ‘public spending for security and [the promotion of] security research and investment’, including by the private sector. Private companies are behind some of the worst technological innovations that digital rights defenders have had to fight back against in recent years. While the EU seeks to reach ‘strategic autonomy’, the veneer of homegrown tools cannot alleviate the rights-encroaching nature of these surveillance technologies. At the same time, important resources might be diverted away from policies and programmes that actually provide, or could provide, safety and protection to people.
This article highlights the ProtectEU proposals which risk undermining digital rights and even increasing security threats.
Looming attack on encryption
The strategy announces “the preparation of a Technology Roadmap on encryption, to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner”. This idea stems from the recommendations of the High Level Group (HLG) on ‘Access to Data for Effective Law Enforcement’ or ‘Going Dark’ (recommendation 22).
Mainly composed of national law enforcement representatives, the HLG coined the concept of ‘lawful access by design’, according to which all internet service providers (ranging from telecommunications providers to private messaging services and connected objects) must tweak their digital security systems to enable access to encrypted data ‘in line with the needs expressed by law enforcement’. This amounts to enforcing encryption backdoors on every digital device and service, nothing less. Backdoors endanger not only the exercise of fundamental rights, but also our collective cybersecurity.
We warned at the time of their publication that ‘these recommendations should not be considered reliable guidance for any future legislative action’, especially if the EU wants to be true to its word when aiming to ‘safeguard cybersecurity and fundamental rights’. While the Commission is currently preparing the recruitment of technology experts for the drafting of the Technology Roadmap, it seems crucial to recall this very basic fact: building vulnerabilities in digital systems without undermining the level of security they offer is wishful thinking.
Data Retention 2.0
Another 2025 objective for the Commission is to produce ‘an assessment of the impact of data retention rules at EU level’. The Commission President Von der Leyen had announced it in her mission letter to the candidate for the Home Affairs portfolio, Magnus Brunner: she wants an ‘update’ of law enforcement’s tools for access to digital data and ‘rules on data retention’.
Retention of and access to data collected by internet service providers for law enforcement purposes is a policy issue with a long history in the EU. The previous legislation was struck down by the Court of Justice of the European Union (CJEU) over a decade ago, in a famous ruling prompted by EDRi member Digital Rights Ireland. Ten years after the annulment of the old Data Retention Directive, most Member States still kept mass data retention regimes, in blatant disregard of the Court’s judgment and thus, in violation of EU law.
Instead of addressing this rule of law crisis and enforcing the law as a guardian of the European treaties, the Commission preferred to look away. Now some Member States and international companies are pushing for harmonisation at EU level to replace the existing patchwork of national laws.
The proposals made by the HLG ‘Going Dark’ in that sense would not resolve the current problems of unlawful surveillance. They suggest that the future EU instrument include an obligation for companies to retain data so that any user can be identified, and that it widely expand the scope of internet service providers concerned by this legal obligation. This would result in a higher level of surveillance of internet users than the former European legal regime.
What is at stake here is our ability to use online services anonymously. The possibility for anonymous speech is imperative in a time of shrinking civic space and increasing criminalisation of public protest also seen in European countries. Mass data retention could have a chilling effect on access to information, press freedoms and participation in online political activism.
Europol gets a raise, Frontex gets a raise, everybody gets a raise!
To bolster ‘EU security capabilities’, the Commission commits to reinforce its home affairs agencies. Europol in particular gets the spotlight and is promised ‘an ambitious overhaul’ of its mandate ‘to turn it into a truly operational police agency’.
While this legislative proposal to transform Europol is already in the pipeline, another reform to expand its powers and resources is still on the table and currently debated by EU policymakers. The previous one was adopted only three years ago, and was met with strong opposition from data protection authorities and civil society.
Europol’s history of abuses is well-documented. Yet, reforms to increase its powers continue to pile up, allowing the agency to amass vast amounts of personal data with minimal oversight, train algorithms for use by national police forces regardless of discriminatory impacts and employ dubious data mining techniques crucially lacking scientific testing or auditing. As the effects of the previous reforms have not been assessed, it is difficult to foresee what the full revamp of Europol’s mandate will aim to achieve.
Furthermore, both Frontex, the border control agency, and Eurojust, the judicial cooperation one, will receive strengthened missions. The number of European Border and Coast Guards is set to triple to 30 000 over time and there is an expected uptake of ‘advanced technology for surveillance and situational awareness’. It is almost as if Frontex’s repeated illegal practices were rewarded by the Commission. In the past years, the agency was found complicit in numerous pushbacks and other human rights violations at EU borders, was caught red-handed in sidelining its own internal data protection watchdog while illegally transferring data to Europol and stopped in its attempt to roll out an illegal social media spying programme.
Incessant scandals and data protection infringements do not deter the Commission from its securitisation ambition. The home affairs agencies will be granted new surveillance capacities, more budget, resources and technologies, as well as technical means for the ‘swift mutual exchange of information, including for operational purposes’, between them.
Many fights to come
Instead of genuinely addressing security risks, the ProtectEU strategy further fuels an oppressive law enforcement infrastructure and its main agents, which are notorious for their systematic over-policing and under-protection of marginalised communities in Europe (migrants and racialised people in particular). Underpinning this infrastructure are the increased data collection, analysis and sharing by and among Member States, EU agencies, third countries and private companies. As law enforcement often secures sweeping exemptions from fundamental rights guarantees and public scrutiny in EU law, data protection and privacy protections are easily disarmed.
Digital rights activists should brace themselves and be ready to prevent these harmful plans from materialising. In that perspective, EDRi will actively monitor and engage in the policy debates at EU level and contest harmful tech-supported securitisation.

Chloé Berthélémy (She/Her)
Senior Policy Advisor