In this #31 issue of “Lexing Insights,” the members of the network focus on the “legal framework for encryption tools”.
Encryption: A tool to secure your data
Initially used by military leaders and diplomats, cryptology has become an integral part of our daily lives since the advent of the Internet. This science of secret writing, which is divided into two types (cryptography and cryptanalysis), is today essential for the security of information systems. Under the terms of the GDPR, encryption, which is a cryptographic process that makes it possible to guarantee the confidentiality of information, is a way to mitigate the risks inherent in the processing of personal data.
Cryptology tools may be subject to restrictions depending on the country. In France, in accordance with the LCEN Act, the use of encryption tools is free, but their import and export are subject to declaration with or authorization from the ANSSI.
The Lexing® network members provide a snapshot of the current state of play worldwide:
- What is encryption and why use it?
- What are the requirements for using or exporting/importing encryption software?
- Are encryption software providers required to build backdoors?
- What is a dual-use item?
- What is the position of data protection authorities with regard to encryption?
A world tour of rules on encryption tools
We start our world tour in South Africa, where our Lexing member gives us a general definition of cryptography and presents the various laws adopted by the South African legislator (including the ECT Act and RICA) to regulate encryption.
Then, our member for Belgium, after a reminder of the Belgian definition of cryptography under the Law of 13 June 2005, describes a Belgian bill that is currently the subject of much controversy, as it would require operators to install backdoors in their communication software with the aim of facilitating police investigations, and indicates the position of the Data Protection Authority in this respect.
We then move on to China, where our Lexing member outlines the Chinese legal framework governing the import, export and use of cryptography as well as the three different types of cryptography in China (core cryptography, ordinary cryptography and commercial cryptography).
Back in Europe, our member for Spain reminds us of the role played by encryption in the security policy of organisations and the provisions of the GDPR applicable to encryption with regard to the protection of personal data, before addressing the constraints posed by the Spanish General Telecommunications Act.
Next step: France, where we review the legal framework applicable under the LCEN Act and the steps to be taken with ANSSI. Our French member examines encryption as a measure to ensure the security of personal data and presents the two main types of data encryption (asymmetrical encryption and symmetrical encryption) before describing the decisions taken by the Cnil and the Council of State regarding encryption.
Our world tour ends in Greece and Luxembourg, where our Lexing members summarize the situation of dual-use items in their respective countries, inter alia in the light of Regulation (EU) 2021/821 of 20 May 2021 (which entered into force on 9 September 2021 and repealed EU Regulation No. 428/2009 of 5 May 2009) setting up a Union regime for dual-use items and the Wassenaar Arrangement.