25 July 2025 - Advocacy
The “roadmap” for the ProtectEU initiative, recently announced by the European Commission and framed as an effort to “ensure effective and lawful access” to data for law enforcement and judicial authorities, marks a reversal of democratic priorities: privacy and fundamental rights are treated as obstacles to be managed, rather than founding values to be protected.
In document COM/2025/349 final, drafted as part of the ProtectEU strategy, the new “internal security” plan unveiled by Commission President Ursula von der Leyen, we read that “security is the cornerstone upon which all fundamental freedoms are based.” This statement represents an ideological inversion, one that clashes with both the original framework of European integration and its foundational texts, starting with Article 2 of the Treaty on European Union and the Charter of Fundamental Rights of the EU, which place liberty and human dignity at the heart of the common legal order.
The Commission’s strategy risks turning exception into rule: permanent suspicion becomes standard, preventive data collection is institutionalized, and mass surveillance is established as a governing infrastructure. It is the same security-driven approach that has been promoted for over thirty years across political camps, one that has already eroded essential freedoms, from the right to peaceful protest to the free expression of dissent, wherever it has been implemented.
As a secondary consequence, it is now well documented that mass surveillance produces a chilling effect: the mere awareness of being watched leads to self-censorship, undermining pluralism. According to recent scholarship, it also narrows the space for personal and political development and drains public debate of participation. What is often at stake is not only privacy, but a portion of democracy’s very vitality.
The proposed roadmap contains a long list of critical issues, spanning a range of themes: from the misuse of AI in investigations to the all-too-familiar proposal to weaken encryption.
One of the most critical issues is data retention. The Commission promises an “impact assessment”, but the goal is already evident: to update existing rules in order to ensure broader and more systematic access to data for authorities. In other words, a return to forms of indiscriminate data retention, a practice already declared unlawful in multiple rulings by the Court of Justice of the EU (e.g., CJEU, 8 April 2014. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others).
The section dedicated to decryption is equally troubling. The Commission aims to promote “solutions that facilitate access to encrypted data” by 2030. Once again, encryption, which is one of the most effective tools available to protect sensitive communications, is in the crosshairs. This is a glaring contradiction, considering that the previous Commission, also led by Von der Leyen, recommended the use of Signal, a messaging app known for its end-to-end encryption.
Introducing backdoors into encryption technologies means making them vulnerable for everyone. There is no such thing as a “safe backdoor” that only authorities can access. Once a flaw is created, it is only a matter of time before it is exploited by malicious actors, criminal groups, or foreign and domestic governments. It is a spectacular act of self-sabotage within a strategy that claims to promote “Internal Security”.
The push to develop forensic computing tools and artificial intelligence for analyzing digital data poses a direct threat to the right to a fair trial. This type of analysis often relies on data obtained illegally, and is conducted through algorithms that are inevitably subject to ethnic, social, religious, and gender biases. As a result, it can only produce unfounded evidence, disproportionately affecting already vulnerable groups. The questionable nature of such evidence makes it inadmissible in court.
The roadmap repeatedly emphasizes that access to data must be “necessary, proportionate, and respectful of fundamental rights.” But in practice, we know that once a technology exists, it will be used and abused especially by those in power. We have seen this with every instance of mass surveillance, from the Snowden revelations to the ongoing spyware crisis, which is partly European in origin and continues to be ignored by the Commission. We also know, as was the case then, that export and usage controls are ineffective, and that state investigations are deeply lacking, even when they formally fulfill legal obligations.
The EU Commission’s current roadmap risks becoming the infrastructure of a European digital panopticon. It is time to firmly restate that privacy is not the problem: it is part of the solution. Defending it is not an obstacle to justice, but a precondition for a truly democratic society.
We call on civil society organizations, legal advocacy groups, data protection authorities, and Members of the European Parliament to urgently raise the debate around ProtectEU, before it becomes binding law without meaningful public scrutiny.
You’ve read an article from the Advocacy section, where we defend online privacy and anonymity, document threats and invasive practices such as surveillance companies, and promote a conscious and free digital culture.
We are a non-profit organization run entirely by volunteers. If you value our work, you can support us with a donation: we accept financial contributions, as well as hardware and bandwidth to help sustain our activities. To learn how to support us, visit the donation page.
