Dutch decision puts brakes on Chat Control

This controversial draft EU law has seen so many twists and turns that it’s giving us whiplash. Under renewed pressure from Hungary’s Viktor Orbán, some lawmakers had hoped they could finally get enough support for the controversial bill this autumn. But following a vital last-minute decision by the Netherlands, we are safe from “Chat Control” – for now.

By EDRi · October 3, 2024

Two years of trying – and failing – to get government consensus

Proposed in 2022 by the EU’s outgoing home affairs chief, Ylva Johansson, the draft EU CSA Regulation sent shockwaves throughout the privacy and human rights communities.

The European Commission tried to downplay the massive threat this law, coined “Chat Control”, would pose to the security of everyone’s digital communications. But soon, they had to reckon with intense criticism from every angle: civil society, legal experts, technologists, child rights specialists, and police, warning that the Regulation would be counter-productive to its stated aim of protecting children.

The EU’s independent legal services also joined in with damning criticism of the draft law, confirming that the law would mean such a massive violation of innocent people’s digital human rights, that the EU’s top court would surely strike it down.

This was an important set of developments because in order to pass this controversial bill, the European Commission would need the support of both the European Parliament and the Council of the EU (the body representing the governments of all 27 EU Member States).

Yet for over two years, the Council of the EU has been unable to find a position that satisfies both the EU countries that (thankfully) appreciate the importance of digital security – and those whose terrifying mission is to break encryption and put an end the presumption of innocence online.

Orbán pushes for backdoors into Europe’s private chats

In summer 2024, the government of Hungary became the fifth country to be given the unenviable task of attempting to broker a common position of the Council of the EU on this ill-fated law. The European Commission has long been trying to convince Member State governments that the proposed Regulation is legally sound (it isn’t), would protect encryption (it wouldn’t) and that reliable technologies already exist (they don’t).

Thankfully, leaked documents from September 2024 reveal that countries including Germany, Poland, Austria, Estonia, Slovenia and Luxembourg remain firm in their insistence that any such law must still comply with human rights and technological reality. Their leaders have been clear that until the proposed Council position meets these criteria, they cannot agree to it.

But pressure has been mounting on the countries that have been on the fence – apparently including the Netherlands, France and Italy – to say “yes” to a proposal that would give police a back door into everyone’s private digital chats.

According to Politico and to local reports, notorious Hungarian Prime Minister, Viktor Orbán, pulled out all the stops to try and convince the Netherlands to support the latest text. And in the last few days, he came worryingly close to succeeding.

Surprise as spooks come to the rescue

In late September, digital rights groups were shocked to hear reports that the Dutch government was suddenly considering endorsing Hungary’s proposal. The Netherlands had previously committed that they would not support any proposal on this law until they could be sure that it would protect encryption. But they may have been swayed by pervasive false claims that the latest proposal, coined “upload moderation”, protects encryption.

Over three hundred researchers and scientists from across Europe and beyond quickly jumped in to (once again) remind all EU governments that this completely contradicts widespread expert consensus. There is no way to systematically scan and report on private messages and keep those messages secure, regardless of whether you do this scanning on a person’s device or elsewhere.

On 1 October, following significant mobilisation from civil society, including EDRi member Bits of Freedom and national opposition politicians, the news broke that the Netherlands would officially abstain from the proposal. This is a welcome development, because it means that Hungary does not have a majority to move forward with their proposal, instead having to remove the CSA Regulation from an upcoming Council agenda.

One of the most interesting parts of the Netherlands’ will-they-won’t-they saga, however, is the fact that one decisive element seems to be an opinion of the national security service. Dutch spooks warned their government that the latest proposal would threaten the cybersecurity of the country, putting national security at risk. This is a warning that should resonate with other countries, too.

Dead but not buried (yet)

It’s hard to see where Hungary can go from here. Despite repeated attempts by several countries, it has once again been shown to be impossible to have a law that protects encryption whilst simultaneously undermining it, nor to legalise illegal mass surveillance.

This should be the final nail in the coffin for this Frankenstein’s Monster of a law, which EDRi has warned since the beginning is legally and technically infeasible. No amount of linguistic gymnastics can change that.

But this file has come back from seemingly being dead several times already in recent years. Since the very advent of encryption, governments have been arguing that they should be able to have widespread access to the encrypted communications of people even without reasonable suspicion.

With a new Commission taking up the charge at the end of 2024, this is an opportunity to press the reset button, and start again. We deserve a better proposal which would tackle the grave issue of child sexual abuse in a way that complies with EU human rights law. One which would ensure a safe internet for all, rather than causing even more harm.