PONT Data&Privacy
Encryption according to the ECHR: the right to privacy in the Podchasov case

In its February 2024 judgment in Podchasov v. Russia, the European Court of Human Rights (ECtHR) ruled on the importance of encryption in protecting the right to privacy, a right enshrined in Article 8 of the European Convention on Human Rights (ECHR). The case concerns whether a messaging service such as Telegram may be required to make end-to-end encrypted communications decryptable for the Russian Federal Security Service (FSB) for national security purposes.

September 6, 2024

This article explains how the ECtHR judgment affects the balance between national security and privacy, specifically in the context of data retention and the obligation to decrypt encrypted communications. It first analyses the facts of the case, then explains the extent to which the case extends existing case law. It then sets out the lack of legal safeguards in the Russian data retention regime, namely deficiencies in judicial oversight, the consequences of indiscriminate data collection, and the lack of transparency, accountability and remedies. The consequences of an obligation to decrypt encrypted communications are discussed next. Finally, the conclusion highlights that Podchasov shows that data retention and an obligation to decrypt end-to-end encrypted communications, without adequate legal safeguards, are not compatible with the protection afforded by Article 8 ECHR.

The facts

The case revolves around Russian legislation that requires an "Internet Communications Organizer" (ICO) to store users' metadata, such as identification data, traffic data and location data, for one year and to retain the content of all communications for six months. In addition, the legislation requires these services to provide access to this data upon request by the authorities and to provide the information needed to decrypt encrypted messages. Telegram, a popular messaging service, was approached by the Russian authorities to share technical information that would allow the FSB to decrypt the messages of specific users. Telegram refused: because the keys for end-to-end encrypted chats are held only on the users' devices, making those messages decryptable on demand would require changing the encryption for all users, not only the users named in the request. In response, the Russian authorities imposed sanctions, including a court order blocking the service in Russia. Podchasov and others challenged these obligations and the subsequent measures in the Russian courts, but their complaints were dismissed. This eventually led to an application to the ECtHR, alleging that the Russian legislation and the measures subsequently taken by the authorities, including the blocking of Telegram and the imposition of sanctions, violated the right to respect for private life and correspondence enshrined in Article 8 ECHR.

Extension of jurisdiction

Podchasov builds on previous ECtHR case law, which has already extensively addressed the lawfulness of data retention and of access to the retained data. In previous cases, such as Roman Zakharov and Big Brother Watch, the ECtHR focused on the lawfulness of large-scale data collection and the lack of effective safeguards against abuse.

ECtHR 25 May 2021, application nos. 58170/13, 62322/14 and 24960/15 (Big Brother Watch and Others v. the United Kingdom);

ECtHR 4 December 2015, application no. 47143/06 (Roman Zakharov v. Russia).

What sets Podchasov apart, however, is that here, for the first time, the ECtHR rules specifically on an obligation for communications services to decrypt encrypted communications, which has a direct impact on the privacy and security of digital communications. The case thus extends the discussion to the implications of an obligation to decrypt encrypted data. The ECtHR recognizes that such decryption not only affects the right to respect for private life and correspondence of the targeted individuals, but also creates broader security risks for all other users of the service. As a result, the case contributes to the further development of the legal framework for the protection of communications under Article 8 ECHR.

Lack of legal safeguards

Effective judicial oversight

One of the most fundamental shortcomings identified by the ECtHR was the lack of effective judicial oversight in Russian law. The Court found that the Russian legislation allows the authorities to gain direct and remote access to stored communications data without prior judicial authorization. The absence of prior review significantly increases the risk of arbitrary and unauthorized access to personal information. According to the Court, this constitutes a serious interference with the rights of individuals under Article 8 ECHR.

See paragraphs 72-73.

The ECtHR emphasized that judicial oversight is a safeguard intended to ensure that access to Internet communications and related communications data is granted only when justified and necessary. Under Russian law, however, the authorities are not required to show the ICO concerned a judicial authorization before accessing the data. This makes it impossible for service providers to verify the lawfulness of requests, and so offers no protection against potential abuse by the authorities. This lack of control was a central criticism of the ECtHR, as it undermines a fundamental aspect of the rule of law and of proportionality.

See paragraphs 72-73.

Indiscriminate data collection

The ECtHR also criticized the massive and indiscriminate storage of communications data required by the Russian legislation. The legislation required ICOs to store all Internet communications data, without distinction as to individuals, time periods or geographic areas. The Court held that such untargeted and comprehensive data collection goes beyond what is necessary for legitimate purposes such as national security or the fight against crime. The indiscriminate nature of this collection, according to the Court, violates the principles of necessity and proportionality, which are central to the protection of the right to privacy under the ECHR.

See paragraphs 70-71.

The impact of this broad approach is compounded by the risks inherent in mass data collection. Storing the data of all users, regardless of any involvement in suspicious activity, increases the likelihood of data breaches, unauthorized access and misuse of information, with serious implications for the privacy and security of individuals. The ECtHR regarded this as a significant risk that the Russian legislation failed to address adequately, especially given the aforementioned lack of effective oversight and accountability mechanisms.

See paragraph 71.

Transparency, accountability and remedies

An additional problem identified by the ECtHR is the lack of transparency and accountability in the Russian legislation. The legislation does not provide the public oversight mechanisms that are essential to prevent abuse and maintain public trust. The ECtHR stressed that without mandatory reporting on the use and scope of surveillance practices, it is difficult to assess the proportionality and effectiveness of such measures. This lack of transparency was considered a serious shortcoming in the protection of fundamental rights, and the ECtHR warned that such systemic problems undermine the rule of law.

See paragraphs 74-75.

In addition, the ECtHR criticized the limited remedies available to individuals to challenge these measures. Since individuals are not notified of surveillance measures taken against them, even after the fact, it is nearly impossible for them to seek legal redress or challenge violations of their rights. This lack of effective remedies contributes to a culture of opacity and lack of accountability, which the Court considers sets a dangerous precedent for future surveillance practices.

See paragraph 75.

Weakening of encryption and security risks

A particularly troubling aspect of the Russian legislation is the obligation for ICOs to decrypt encrypted communications and to hand over the information needed to do so, in practice the corresponding keys, to the authorities. The ECtHR stated that this obligation essentially amounts to weakening encryption for all users, not only for specific suspects: in an end-to-end encrypted service the provider holds no key that could open a single user's messages, so it can only comply by building in a mechanism that can open everyone's. This makes digital communications as a whole more vulnerable to cyber threats and to unauthorized access by malicious actors.

The Court held that such a weakening of encryption is not necessary in a democratic society and is disproportionate to the aims pursued, precisely because its impact is not limited to suspected individuals but extends to all users. The obligation undermines the confidentiality of communications and increases exposure to threats such as hacking and data breaches, which can harm not only individual users but society more broadly. The ECtHR emphasized that such a weakening of encryption is disproportionate to the stated goals of national security and the fight against crime.

See paragraphs 76-79.
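To make the Court's reasoning concrete, the following is an added illustration (example code written for this article, not code from Telegram or from the judgment) of why a decrypt-on-request duty cannot be confined to the targeted users. It models a toy end-to-end encrypted relay with only the Python standard library: message keys exist only on the two endpoints, the provider retains opaque ciphertext, and a request for one user's messages yields nothing. The "escrow" variant is what compliance forces into existence: a provider-held key under which every client must wrap its message key. The user names, messages and the HMAC-SHA256 keystream cipher are constructed for the example and are not a production design; the key agreement between endpoints is out of scope and is stood in for by a random key.

```python
"""Added example: one-user decryption requests against an E2EE relay vs. an escrow relay.

Toy cipher: HMAC-SHA256 counter-mode keystream XOR (illustration only, no authentication).
All names, messages and keys are constructed for the example.
"""
import hashlib
import hmac
import os

BLOCK = 32


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream derived from key and nonce."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], block))
    return bytes(out)


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key, blob):
    return keystream_xor(key, blob[:16], blob[16:])


class Provider:
    """Relays and retains ciphertext. With escrow_key=None it is a genuine E2EE provider."""

    def __init__(self, escrow_key=None):
        self.escrow_key = escrow_key
        self.store = []  # retained records: (sender, recipient, ciphertext, wrapped_key or None)

    def relay(self, sender, recipient, blob, wrapped_key=None):
        self.store.append((sender, recipient, blob, wrapped_key))

    def decrypt_for_authority(self, target):
        """Answer a request scoped to one user: plaintext where the provider has a key, else None."""
        out = []
        for sender, recipient, blob, wrapped in self.store:
            if target not in (sender, recipient):
                continue
            if self.escrow_key is None or wrapped is None:
                out.append(None)  # E2EE: the provider holds nothing it could hand over
            else:
                message_key = decrypt(self.escrow_key, wrapped)
                out.append(decrypt(message_key, blob))
        return out


def send(provider, sender, recipient, pair_key, text, escrow_key=None):
    """Client side: encrypt under a key known only to the two endpoints.
    Under an escrow mandate the client must also wrap that key for the provider."""
    blob = encrypt(pair_key, text)
    wrapped = encrypt(escrow_key, pair_key) if escrow_key else None
    provider.relay(sender, recipient, blob, wrapped)


def decrypt_everything(provider, escrow_key):
    """What anyone holding the escrow key (authority, insider or attacker) can read."""
    return [(s, r, decrypt(decrypt(escrow_key, w), b))
            for s, r, b, w in provider.store if w is not None]


def run_demo():
    alice_bob = os.urandom(32)    # agreed between the endpoints; key exchange out of scope
    carol_dave = os.urandom(32)

    e2ee = Provider()
    send(e2ee, "alice", "bob", alice_bob, b"meet at 9")
    send(e2ee, "carol", "dave", carol_dave, b"invoice attached")

    escrow_key = os.urandom(32)   # the provider-held key a decrypt mandate forces into existence
    escrow = Provider(escrow_key)
    send(escrow, "alice", "bob", alice_bob, b"meet at 9", escrow_key)
    send(escrow, "carol", "dave", carol_dave, b"invoice attached", escrow_key)

    return {
        "e2ee_request_alice": e2ee.decrypt_for_authority("alice"),
        "escrow_request_alice": escrow.decrypt_for_authority("alice"),
        "escrow_key_leak": decrypt_everything(escrow, escrow_key),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The request against the E2EE relay returns only `None`: there is no per-user key to surrender, which is the position Telegram took. Once an escrow key exists, the same request for Alice succeeds, but so does `decrypt_everything`, which reads Carol and Dave's traffic as well even though they were never the subject of any request. That is the "weakening for all users" the Court refers to, and it holds whoever ends up holding the escrow key.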

Conclusion

The Podchasov judgment has important implications both for member states and for users of secure messaging apps such as Telegram and Signal. The ECtHR has made clear that broad, indiscriminate data collection and the weakening of encryption without effective safeguards cannot be justified as "necessary in a democratic society". Attempts by member states to undermine encryption without proper legal safeguards and oversight are therefore not permissible under the Convention.

For the ordinary user of services such as Telegram, the judgment means that their confidential communications are better protected against unauthorized access by the state. The ECtHR has confirmed that weakening encryption, even in the name of national security, can be justified only under very strict conditions and with sufficient legal safeguards. This gives users assurance that their right to privacy and the security of their communications are protected under European human rights standards, which is essential for trust in digital communication services.
