Protecting Human Rights through a Global Encryption Provision

In a global digital economy, data pass through servers located in different countries with diverse rules on data protection and security. Different standards and requirements lead to the problem of the global system only being as strong (or weak) as the cyber-security requirements of the "least trusted country".1 Encryption is often put forward by crypto experts as an effective security measure. At its core, encryption transforms text information into a seemingly random string of words and letters that can only be deciphered by using another piece of information, called the decryption key. The rules on the use of encryption vary, and some countries have adopted regimes that may compromise information and conversations despite the use of appropriate encryption techniques.2 Encryption is also an important measure contributing to human rights, especially freedom of expression and the right to privacy. It keeps communications inaccessible and safe from prying eyes, enabling the sharing of opinions, accessing online information and organising with others to counter injustices.3 In data protection, encryption is a privacy-preserving technique that also contributes to the security of processing personal data.4


INTRODUCTION
In a global digital economy, data pass through servers located in different countries with diverse rules on data protection and security. Different standards and requirements lead to the problem of the global system only being as strong (or weak) as the cyber-security requirements of the "least trusted country". 1 Encryption is often put forward by crypto experts as an effective security measure. At its core, encryption transforms text information into a seemingly random string of words and letters that can only be deciphered by using another piece of information, called the decryption key. The rules on the use of encryption vary, and some countries have adopted regimes that may compromise information and conversations despite the use of appropriate encryption techniques. 2 Encryption is also an important measure contributing to human rights, especially freedom of expression and the right to privacy. It keeps communications inaccessible and safe from prying eyes, enabling the sharing of opinions, accessing online information and organising with others to counter injustices. 3 In data protection, encryption is a privacy-preserving technique that also contributes to the security of processing personal data. 4

Intersentia

The data protection framework has seen two important changes, in 2018 and 2019: the General Data Protection Regulation (GDPR) becoming applicable, and the modernisation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (so-called Convention no. 108+), respectively. Both instruments are oriented toward European states. However, due to their extraterritorial effects, the two instruments can be considered as means of globalising the data protection framework to achieve a worldwide adequate level of protection of personal data. 5 A connected world with international data flows could therefore benefit from globalised data protection rules.
However, as discussed in this paper, progress has been slow, and not all instruments explicitly contain a reference to encryption. Nevertheless, if the international community decided to push for an obligation to use encryption under international law, some potentially applicable rules are already in place. Such an obligation would apply globally. 6 This paper attempts to address the challenge of finding such an obligation by examining provisions relevant to encryption that could potentially lead to a worldwide encryption requirement, thus obviating the problem of the least trusted country. 7 More specifically, it poses the question: in the absence of a global encryption treaty, which existing legal documents in the international law on privacy and data protection apply to encryption, and how could a binding legal obligation on states to mandate the use of encryption be imposed?
To answer the question, which is descriptive and normative in its nature, the following steps will be taken. First, encryption is explained from the perspective of the concepts of cybersecurity and data protection, and its contribution to the protection of human rights is examined. Applicable legal sources from the Europe, Western Africa, Asia-Pacific and East Asia regions are analysed in order to find relevant provisions on encryption. Finally, three ways of binding states to impose encryption obligations are suggested: adoption of a new international treaty on data protection or data security, globalisation of existing (European) rules, or keeping the status quo. The traditional desk research model is the most suitable method of choice, including analysis of the legal state of the art in Technology and Electronic Commerce Law [i]. Bruce Schneier, 'Essays: Why We Encrypt' (Schneier on Security, June 2015) <https://www.schneier.com/essays/archives/2015/06/why_we_encrypt.html> accessed 17 July 2019. versus less security. 22 Namely, setting up a system that would enable lawful and exceptional access either to keys or to plaintext would be very costly and technologically very difficult. In fact, such a system would be almost impossible to implement and highly impractical, and it would not prevent access by hackers or foreign, unfriendly governments. It would decrease the cybersecurity of all communications and transactions. 23 Moreover, backdoors may not be necessary, since arguments have been made by cybersecurity experts and lawyers 24 that law enforcement can take alternative steps to access encrypted text or information.
The advent of the digital society through the internet and associated technologies has been beneficial to businesses, individuals and society at large; however, it has also made state surveillance and mass surveillance much easier. As Amnesty International notes in its report on encryption, tracking and discovering crime, which used to be a laborious, cost-ineffective exercise that required agents to install wiretaps or intercept communications, has now become "easily achievable through the deployment of inexpensive electronic surveillance technologies that can conduct analyses at a speed and volume that far outpaces the capacity of traditional law enforcement or intelligence services". 25 Intelligence services globally have made use of information technologies in order to spy on their own and foreign citizens alike. Companies, especially social media networks and technological giants like Google, have had to hand over their customers' data to state agencies without disclosing it properly. 26 26 Google provides an interesting overview of its own compliance with user data request warrants at: Google, 'Requests for User Information - Google Transparency Report' (Google) <https://transparencyreport.google.com/user-data/overview> accessed 4 July 2019; a comparative analysis of other 'big tech' companies was compiled by Wong at: Joon Ian Wong, 'Here's How Often Apple, Google, and Others Handed over Data When the US Government Asked for It' (Quartz, 19 February 2016) <https://qz.com/620423/heres-how-often-applegoogle-and-others-handed-over-data-when-the-us-government-asked-for-it/> accessed 4 July 2019. However, this does not take into account secret and undisclosed warrants whose scale was leaked by Snowden; see footnote 27.
revelation of NSA's secret programmes, the pervasiveness of surveillance has gained traction and awareness. 27 Encryption contributes to the genuine enjoyment of the right to expression online by providing the opportunity to communicate confidentially. Together with anonymity, encryption creates a 'zone of privacy to protect opinion and belief'. This is especially important in environments which are politically, socially or religiously hostile to members of certain communities, for example artists in countries with strong censorship, or people who wish to explore their gender identity in socially conservative places. Confidential communication is also important for human rights defenders, lawyers and journalists who wish to protect their sources or clients from societal or governmental repercussions. Nevertheless, like many other technologies, encryption can also be abused, for example when it is used to mask the comprehensible behaviour of criminals, terrorists or cowardly cyberbullies. However, whenever states impose limitations on encryption they inadvertently affect both beneficent and maleficent users of encryption. Therefore, encryption deserves special protection. 28 Human rights law traditionally reins in governments' powers by mandating negative obligations, i.e. the state must not interfere with the exercise of the right. Nonetheless, sometimes it is necessary to implement certain measures in order to ensure the effective exercise of human rights, leading to the notion of positive obligations. Positive obligations are implied in the International Covenant on Civil and Political Rights, whose Article 17(2) grants the right to the protection of the law against interferences with one's privacy rights. The European Court of Human Rights views positive obligations as necessary for the exercise of human rights in general 29 and in order to ensure private communications are not disclosed publicly.
30 Accordingly, in a cyber-insecure world, where encryption has been proposed as the best line of defence against cyber-attacks, 31 positive state obligations on ensuring that secure encryption is used could be considered justifiable. Such obligations can include, but are not limited to, ensuring the security of online communications, spreading awareness of internet security, encouraging vulnerability disclosure practices and facilitating the use of encryption. 32 In a global digital economy, data traverse the globe easily and at relatively low cost. Data may pass through servers located in different countries with diverse rules on data or general IT security. As Swire and Ahmad 33 point out, different standards and requirements on the strength of encryption lead to the problem of the global system only being as strong as the cyber-security requirements that the "least trusted country" mandates. For example, if a country imposes secret backdoors for law enforcement and intelligence purposes, it creates the risk that another, potentially hostile, country could access seemingly secure encrypted data as well by exploiting the decreased strength of encryption. 34 Security holes multiply as more and more governments impose limitations on strong encryption, and when data pass through such territories there is a risk that important communications end up in the hands of the least trusted country, potentially unencrypted for unauthorised eyes to see.
While the problem of the least trusted country could have been contained if data never left national borders in any form, that was no longer possible by the late 1990s. By 1997, there were already millions of internet users throughout the world, using tens of millions (or more) private and public keys, and there were numerous law enforcement agencies interested in accessing information located in various countries. 35 Since then, while the use of the internet has expanded rapidly and society has become very dependent on the use of networks, the arguments against (or for, from the point of view of law enforcement) imposing key escrows, backdoors or otherwise decreasing the strength of encryption have remained the same. Cryptographic experts point out that constructing infrastructure that would satisfy the needs of secure but accessible key escrow or exceptional access to plaintext is technically too costly and too complicated to set up according to the current technical state of the art. 36 Moreover, the systems would have to be aligned: either all the countries adopt a mandatory key escrow system, or none. A divergence in systems would decrease the usability and security of key escrows significantly. 37 Adoption of standards has been proposed as a means of bridging the divergence in systems, a collaboration to use cryptography for the good of all mankind. 38 Standardisation has a positive effect on innovation, leading to better products and services. 39 Standards, however, are voluntary, and most of the effort has been led by a limited number of actors, thus risking that potentially 33 Peter Swire and Kenesa Ahmad (n 1). 34 Peter Swire and Kenesa Ahmad (n 1). 35 Hal Abelson and others (n 9). 36 Harold Abelson and others (n 21). 37 "And this prohibition would have to be enforced on a global scale, for if this kind of initiative were to be adopted only by a limited number of countries, its usefulness would be greatly undermined.
Full international consensus on the matter would have to be achieved, and this is clearly an extremely complex ambition, given the particular interests at stake." Hassan Aljifri and Diego Sánchez Navarro, 'International Legal Aspects of Cryptography: Understanding Cryptography' (2003) Another way to harmonise rules is globalisation-driven regulatory convergence. Governments lay down rules for businesses to follow, and since there is an interest in exploring foreign markets, the legal frameworks may start resembling each other. However, in the absence of formal harmonisation, the great powers will lead the effort and set the rules for everyone else. 40 Since the United States is without doubt a leader in technological development, the result could be that other legal systems would follow it without allowing for more nuanced frameworks.
Finally, there are rules at the international level. As discussed above, international human rights law could in certain instances bind states to adopt certain measures in order to protect human rights, rather than prevent them from doing so, as is traditionally understood. Certain areas of law, such as private international law and commercial law, have profited from unification at the international or regional level. Traditionally, rules are laid down in a treaty or a convention, open to other countries. However, drafting countries must be careful not to make the text too inflexible, lest conventional rules become too difficult to realise in practice. 41 The benefits of international rules are also stressed by the Council of Europe in its Explanatory Report to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). 42 It cites reasons of unresolved jurisdiction issues (though those may not be entirely resolved by international conventions 43) and the facilitated exercise of data subjects' rights.
Adopting uniform rules on encryption, a global obligation on states to mandate the use of encryption, at the international level therefore has its benefits and drawbacks. As a uniform, flexible standard, it would enhance innovation in order to find more secure encryption algorithms and other techniques, which would ensure a comparable level of protection of human rights in different legal systems. On the other hand, if global superpowers such as the US and the EU 44 were the only ones leading the effort, they could skew the rules in their favour, which could prevent better encryption tools from being considered and decrease the level of protection of human rights. The report is available at 'Convention 108 and Protocols' (Council of Europe) <https://www.coe.int/en/web/data-protection/convention108-and-protocol> accessed 4 July 2019. 43 Aljifri and Sánchez Navarro (n 37). 44 The US has by far the most encryption products available on the market, with EU member states (as a whole) not far behind it. China is surprisingly lagging behind despite its efforts at creating a home-grown encryption market. See: Bruce Schneier, Kathleen Seidel and Saranya Vijayakumar, 'A Worldwide Survey of Encryption Products' (2016) Social Science Research Network SSRN Scholarly Paper <https://papers.ssrn.com/abstract=2731160> accessed 18 July 2019.
However, the question remains: is there already a provision obliging states to mandate the use of encryption? This will be explored in the next section.

FRAGMENTED PROVISIONS IN INTERNATIONAL HUMAN RIGHTS LAW
On the international law level, cryptography can trigger questions in relation to human rights, law enforcement and jurisdiction, intelligence, trade and economy, as well as export controls. 45 Data gathering as a result of breaking or limiting encryption can be seen as encroachment upon another state's territory, and lead to jurisdiction issues, which are not completely resolved by the existing legal framework. 46 As the UN special rapporteur David Kaye has noted, encryption and/or anonymity are capable of creating "a zone of privacy to protect opinion and belief", and that any restrictions on encryption must be provided for by the law, can be imposed only if legitimate grounds exist, and such a restriction must meet the tests of necessity and proportionality. 47

GENERAL HUMAN RIGHTS FRAMEWORK
The right to privacy is enshrined in several international human rights legal documents.
The Universal Declaration of Human Rights (UDHR), 48 arguably the most important and well-known human rights instrument despite its non-binding character, 49 provides for the right to be free from interference with, inter alia, privacy and communications in its Article 12. Any restrictions placed upon the privacy of communications, including restrictions on encryption, must not be arbitrary (as set out in Article 12), nor can they be arbitrary and unlawful (as laid down in Article 17).
The International Covenant on Civil and Political Rights (ICCPR) 50 likewise provides for freedom from arbitrary or unlawful interference with privacy and communications in its Article 17. 47 Kaye (n 28).

At the regional European level, the European Convention on Human Rights 51 in its Article 8 provides for the right to respect for private and family life, home and correspondence. The European Court of Human Rights has ruled that the notion of correspondence covers not only physical means, such as letters, but also email and the internet, 52 as well as instant messaging. 53 Case law has also confirmed that this right extends to the interception of communications 54 in a mass surveillance scenario. 55 The Council of Europe's Convention no. 108 56 protects an individual's right to privacy with regard to the automatic processing of personal data relating to him ("data protection"). Unlike the other international human rights conventions, it specifically applies to the protection of personal data, and contains provisions about data security, which will be discussed in the next section.
The European Union legal framework provides for both the right to privacy and the right to data protection, in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, 57 respectively.
However, while all of the above provisions provide for either the right to privacy or the right to data protection, they do not explicitly require states to mandate the adoption of any type of cryptographic measures. While most of the provisions require confidentiality of communications, encryption is far from the only confidentiality measure. For example, measures such as access controls, integrity checking, intrusion detection systems and non-disclosure agreements can also contribute toward confidentiality. 58 Since many national security agencies' efforts involve listening in to private communications and storing information about them (metadata), masking communications through the use of encryption has been put forward as a viable solution. 59 See, among others, Edward Snowden's 2014 speech reported at Lauren C Williams, 'Edward Snowden Says Encryption Is The Only Way To Counter Mass Surveillance' (ThinkProgress, 10 March 2014) <https://thinkprogress.org/edward-snowden-says-encryption-is-the-onlyway-to-counter-mass-surveillance-ee450433dca8/> accessed 4 July 2019. See also Joris VJ

An implicit link between mass surveillance and encryption has been made by the European Court of Human Rights (ECtHR) in the Big Brother Watch case. 60 While ruling on the mass surveillance regime in the UK, the court indirectly acknowledged, in para. 356 of the judgment, the importance of encryption as a measure against such surveillance, as it blocks intelligence services from accessing the content of a telecommunication. Moreover, as already discussed in the introductory section, the UN Special Rapporteur's reports have explicitly linked encryption to the right to privacy and freedom of expression; however, unlike the judgment, which is binding for the country addressed and may become a precedent in the court's case law, the reports are non-binding and recommendatory in nature.
The Court of Justice of the EU (CJEU) has wide-ranging jurisprudence on privacy and data protection. 61 The case law has set high standards to protect the rights and interests of individuals in mass surveillance scenarios in cases such as Digital Rights Ireland, Schrems, Tele2 Sverige and in its Opinion 1/15, having ruled on data retention rules and the transfer of personal data to the United States. According to Directive 2006/24/EC (Data Retention Directive), telecom providers were required to keep metadata of their users for between 6 months and 2 years, which was justified by the blanket provision of "investigating, detecting and prosecuting serious crime". Metadata retention in itself falls under the "private life" provision of Article 7 of the Charter of Fundamental Rights, as it makes people feel that their private lives are the subject of constant surveillance. 62 In principle, general (blanket) data retention is incompatible with European data protection rules, while targeted data retention may be permissible if the Tele2 Sverige criteria are met. 63 The need for data retention is assessed under the strict necessity and proportionality test. As the CJEU reiterates in its Opinion 1/15 on the EU-Canada Agreement on the transfer of Passenger Name Record (PNR) data, general data retention and processing is not strictly necessary and does not meet the threshold of the test. 64 pointed out the need of data subjects, the surveilled population, to have adequate control and access to court, and to have their data processed without the risk of unauthorised third-party interference. 65

SECURITY MEASURES AND STANDARDS IN DATA PROTECTION LAWS
Contrary to the human rights frameworks, data protection laws contain explicit provisions on the security of (personal) data. This section will discuss the regional frameworks in Europe, Asia-Pacific and Western Africa, although it should be kept in mind that certain national legal systems, for example health data regulation in the United States under the Healthcare Insurance Portability and Accountability Act, also require the adoption of security measures.

European Union (EU)
The European Union is known for its strict data protection laws. otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system. Recital 46 spelled out the need for security measures: when the protection of the rights and freedoms of data subjects required the adoption of technical and organisational security measures, their adoption should be performed by taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected. Article 17 followed the recital, requiring controllers to adopt security measures having regard to the state of the art and the cost of their implementation. The level of security had to be appropriate to the risks represented by the processing and the nature of the data to be protected. However, encryption was not specifically mentioned in the text.
In 2018, the Directive was replaced by the GDPR, which entered into force on May 25 2018.
The GDPR similarly applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, according to its Article 2.
In the regime established by the GDPR, encryption plays a double role. Firstly, according to Article 32 of the GDPR, encryption is a relevant measure in ensuring the security of personal data processing. The provision is risk-based, meaning that the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity to human rights, must be taken into account when assessing the need for encryption or during its implementation. The risk assessment takes human rights into account: could the data processing lead to discrimination, or will there be government intervention? If so, the risks are considered to be significant (in the words of recital 75), and a higher level of security measures, including stronger encryption, is required. 70 71

Secondly, encryption may contribute toward depersonalising personal data in the sense that it renders them unintelligible to third parties without possession of the decryption key. There are, however, varying opinions on how anonymous encrypted data truly are. In its opinion on anonymisation techniques, 72 the Article 29 Working Party suggests that as long as the keys or the original, unencrypted data are available, it is still possible to identify the data subject. On the other hand, in its Breyer 73 judgment, the CJEU introduced the criterion of "lawful means reasonably likely" to be used when assessing the notion of identifiability of a data subject. Accordingly, some authors have suggested that encrypted data could be considered anonymous for actors which do not possess the key and are reasonably unlikely to obtain it by lawful means. This also means that when assessing the anonymous nature of encrypted data, the strength of the encryption algorithm, the key length and the key management system must be taken into account; and the decryption key(s) must be kept separate from the data.
74 The rules on privacy in electronic communications in the EU have been harmonised through the ePrivacy Directive, which is scheduled to be replaced by a newer ePrivacy Regulation 75 (COM/2017/010).
Articles 4 and 5 of the ePrivacy Directive require that providers of public communications networks adopt security and confidentiality measures. While the Directive talks about such measures generally, the proposed Regulation, in its Recital 37, specifically recommends that service providers, such as telecoms or internet service providers, use encryption techniques as part of their products. Article 5 of the current ePrivacy Directive prohibits listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data. A similar provision is included in Article 5 of the proposed Regulation. However, both the Directive and the proposed Regulation explicitly exempt typical law enforcement actions from their scope, such as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. This means that the security and confidentiality measures of the ePrivacy framework will not apply to the extent that law enforcement and security agencies are involved in wiretapping or otherwise interfering with electronic communications, as specified in Article 1(3) of the Directive. 76 Nevertheless, this does not mean free rein for the agencies: as already mentioned above, data retention resulting from communications network monitoring for purposes of crime prevention has been subject to close scrutiny by the CJEU. 77 78 73 The test of lawful means reasonably likely to be used was defined in the Patrick Breyer case of the European Court of Justice, and answers several questions posed in (n 70).
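The reasoning in the GDPR discussion above, that encrypted personal data are unintelligible to an actor who neither holds the decryption key nor is reasonably likely to obtain it, and that this depends on algorithm strength, key length and keeping the key separate from the data, can be made concrete in code. The following Go program is an added example written for this page; it is not code from the paper or from any instrument the paper discusses. The sample record is constructed, the 256-bit minimum key length is an assumed internal policy (AES itself also accepts 128- and 192-bit keys), and the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// SampleRecord is a constructed personal-data record used only for this example.
const SampleRecord = "name=Jane Doe;dob=1980-01-01;diagnosis=asthma"

// MinKeyBytes is an assumed policy floor: only 256-bit AES keys are accepted,
// reflecting the point that key length matters when judging identifiability.
const MinKeyBytes = 32

// NewKey generates a random 256-bit key. The controller stores this key in a
// separate system (key vault, HSM) from the ciphertext; whoever holds only the
// stored data has no lawful means of recovering the record.
func NewKey() ([]byte, error) {
	key := make([]byte, MinKeyBytes)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM enforces the key-length policy and builds an AES-GCM instance.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) < MinKeyBytes {
		return nil, errors.New("key shorter than policy minimum")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the record with AES-256-GCM. A fresh random nonce is prepended
// to the ciphertext; the GCM authentication tag makes tampering detectable.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails on a missing or wrong key and on a
// modified ciphertext, so an actor without the key learns nothing.
func Decrypt(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil)
}

// Identifiable reports whether a party holding `held` (nil for "no key at all")
// can recover the record, i.e. whether the stored data are personal data for
// that particular party in the sense of the "lawful means reasonably likely"
// reasoning discussed in the text.
func Identifiable(held, data []byte) bool {
	_, err := Decrypt(held, data)
	return err == nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	ct, err := Encrypt(key, []byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored ciphertext:", hex.EncodeToString(ct))
	fmt.Println("identifiable without the key:", Identifiable(nil, ct))
	fmt.Println("identifiable for the controller holding the key:", Identifiable(key, ct))
}
```

The design choice worth noting is that the same stored bytes are personal data for the controller (who holds the key) and, on the reasoning above, arguably not for a processor or intruder who holds only the ciphertext; what decides the question is the key management arrangement, not the ciphertext itself. Authenticated encryption (GCM) is used so that a modified ciphertext is rejected rather than decrypted to garbage.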

Convention no. 108 of the Council of Europe
The Council of Europe is an international organisation of 47 member states spanning geographical Europe. 79 The legislative efforts of the Council and the case law of the European Court of Human Rights have resulted in important contributions to European data protection and privacy law.
In 1981, the Council of Europe adopted the first international binding treaty on data protection, Convention no. 108. It applies to the protection of personal data, which are defined in Article 2(a) as 'any information relating to an identified or identifiable individual'. Chapter II, which lays out the basic principles of the Convention, contains a provision on data security, which requires that appropriate security measures are taken for the protection of personal data stored in automated data files against accidental or unauthorised destruction or accidental loss, as well as against unauthorised access, alteration or dissemination. According to the Explanatory Report to Convention 108, there should be specific security measures for every file, taking into account its degree of vulnerability, the need to restrict access to the information within the organisation, requirements concerning long-term storage, and so forth. The security measures must be appropriate, i.e. adapted to the specific function of the file and the risks involved. They should be based on the current state of the art of data security methods and techniques in the field of data processing.
The Convention has been amended twice and modernised in 2018; since the last update, it has been referred to as Convention 108+. 80 Unlike the original 1981 version, the modernised convention extends its scope to non-automated data processing.
The security rule contained in Convention 108+ is slightly extended compared to its previous iteration. The first paragraph requires controllers and processors to put in place appropriate security measures against risks such as accidental or unauthorised access to, destruction, loss, use, modification or disclosure of personal data. The second paragraph obliges the controller to notify the supervisory authority if the security of personal data has been breached and the breach could impact the rights and fundamental freedoms of data subjects.
As with its previous version, an explanatory report is provided for Convention 108+ as well. The security provision is interpreted in paragraphs 62-66, which state that the implementation of technical and organisational security measures must take into account the nature of the personal data, the volume of personal data processed, the degree of vulnerability of the technical architecture used for the processing, and the need to restrict access to the data. 79 'Council of Europe' <https://www.coe.int/en/web/portal/home> accessed 4 July 2019. 80 Full text of the original Convention, Additional Protocols and Convention 108+ available at: 'Convention 108 and Protocols' (n 42).

Moreover, they must be adopted according to the current state of the art, taking into account the implementation costs proportional to the potential risks.

Economic Community of West African States (ECOWAS)
The ECOWAS is an economic union of 15 states in the western part of Africa with legislative powers; hence, the rules it adopts are binding on its member states. 81 Its Model Data Protection Act, 82 adopted in 2010, obliges the member states to adopt their own data protection laws. The framework is similar to the pre-GDPR regime in the European Union regarding its basic definitions, principles and obligations; however, the enforcement mechanisms among different states lack coordination and harmonisation, and the Act provides for neither judicial remedy nor civil liability. 83 The Act specifically provides for the security of personal data in two provisions. First, in Article 28, the principle of confidentiality and security requires the protection of personal data especially in transit, although whether that obliges data controllers to implement encryption at rest is debatable. Secondly, according to Article 43, data controllers must adopt measures to ensure that data are not deformed, damaged or accessible to unauthorised third parties. 84 provisions, nine information privacy principles and provisions on domestic and international implementation.

Asia-Pacific Economic Cooperation (APEC)
Information Privacy Principle no. VII of the 2015 Privacy Framework 88 requires controllers of personal data to adopt appropriate safeguards against risks such as loss of or unauthorized access to personal information, or unauthorized destruction, use, modification or disclosure of information, or other misuses. Similarly to the GDPR, the security requirements are balanced against other criteria, such as the sensitivity of the information and the context in which it is held; they must be proportionate to the likelihood and severity of the harm threatened, and periodically reviewed and reassessed. 89

RECOMMENDATIONS OF EXPERT BODIES
This section will explore expert opinions on cryptography and encryption by international bodies and national expert agencies. While such opinions are non-binding (so-called soft law), they are nevertheless important, as they can represent an important contribution to the scientific and practical state of the art in the field.
The OECD was set up in 1961 to promote international trade and progress. Today, it counts 36 member countries, mainly Western or Western-style economies, including the US, Canada, Japan and several EU member states.
In the 90's, during the first crypto war, talks resulted in the 1997 Recommendation concerning Guidelines for cryptography policy. 90 The Guidelines address policy-makers with the goal of decreasing obstacles to international trade and to the evolution of information and communication networks by reducing policy disparities. Encryption is linked both to privacy and data protection and to security, similarly to the approach adopted by the European legislator. The Guidelines stipulate eight principles to be taken into account when designing cryptography policies at government level: (1) user trust in cryptography to facilitate electronic and online commerce, (2) user choice in using specific cryptographic techniques, (3) market-driven development rather than top-down requirements, (4) voluntary standardisation, (5) cryptography as a privacy and data protection preserving technique, (6) lawful access to encrypted communications, (7) the need for liability provisions, and (8) international cooperation to ensure compliant free flow of data across borders. 91 While the Guidelines seem to promote strong encryption, the background of the talks must be taken into account. The impetus for discussion was cryptographic export controls in the US and the then administration's attempts to impose the use of a specific cryptographic product, called the Clipper Chip, which enabled lawful access to communications by the FBI. This explains the notions of lawful access (Principle 6) and the use of cryptographic methods subject to applicable law (Principle 2). 92 In the end, the Clipper Chip initiative was dropped due to serious concerns following the outcry of civil rights advocates and the crypto community, while the principles remained in the text. 93
The United Nations adopted brief guidelines on computerised files in 1990. Principle no. 7 deals with security of files, requiring the adoption of appropriate measures to protect the files against both natural dangers, such as accidental loss or destruction, and human dangers, such as unauthorized access, fraudulent misuse of data or contamination by computer viruses. 94 A follow-up report was discussed in 1999, though the series seems to have been discontinued.
ENISA is the EU agency responsible for network and systems security for the benefit of individuals, society and member states, with the aim of facilitating the smooth functioning of the EU single digital market. According to the upcoming Cybersecurity Act, 95 ENISA will play an important role in the upcoming certification scheme for cybersecurity products; however, cryptographic products are conspicuous by their absence from the Regulation. In fact, encryption is mentioned only once throughout the Act, in recital 40, which prompts ENISA to raise awareness about it as a counter-measure against cyberattacks.
ENISA has tackled encryption in its non-binding recommendatory work, both from the perspective of privacy by design and from the security/law enforcement access aspect. The 2014 Report on Privacy by design 96 addresses policy-makers and engineers involved in different levels of privacy design processes. Encryption plays different roles: as a privacy-enhancing technique, a privacy-preserving technique, a tool to secure conversations, a means of secure storage of data at rest, and as a computational tool. However, the report does not address larger concerns about encryption, such as backdoors or access to plaintext.
ENISA's Opinion paper on encryption 97 focuses on cryptography as a confidentiality and authentication measure, both from a design perspective and in the context of lawful access by law enforcement and intelligence services. Its position is strongly negative toward backdoors and key escrow due to their previous ineffectiveness, arguing that criminals will always find a way around the law, and that backdoors will decrease the level of cybersecurity across the board, making criminals' work easier. More specifically, ENISA and Europol in their Joint Statement on Encryption 98 argue for 'encryption circumvention', echoing the 'encryption workarounds' of Kerr and Schneier's work. 99 On the other side of the Atlantic, the National Institute of Standards (NIST), part of the US Department of Commerce, has led many important initiatives in the field of cryptography, for example promoting the Data Encryption Standard from 1970 until its eventual obsolescence. 100 It published cryptography guidelines in 2016 and in 2019.
NIST's report on the Cryptographic Standards and Guidelines Development Process 101 suggests basing crypto development processes on a balance of the interests of government, industry and academia. The standards developed must be strong and practical, and they must be capable of meeting the needs of (federal) government as well as of the user community in the broad sense. Standards adopted should be globally acceptable, since encryption products developed in the US are sold internationally. The document also stresses the need for consultation with government agencies, such as the National Security Agency (NSA) and the Department of Homeland Security. Cooperation with the NSA is especially advised due to its high level of expertise.
The 2019 Guidelines for Using Cryptographic Standards in the Federal Government 102 exhort the government to use cryptography in order to protect the important data it stores as part of its daily business. While the report does not address backdoors or access to plaintext, it does provide key storage principles under section 5.4.3. Some keys might have to be stored for longer periods of time should there be a legal order to decrypt text. However, the report also addresses an older standard which would have enabled key escrow had it been implemented. The use of that standard as part of an algorithm called Skipjack is disallowed, according to section 3.2.1.4. 103

Later on, DES turned out to be relatively easy to crack, and was replaced by the AES, the Advanced Encryption Standard.

OTHER UPCOMING INITIATIVES BY REGIONAL ORGANISATIONS
In the wake of the digital economy, several other regional international organisations are adopting, or considering adopting, relevant legislation on encryption, either in a data protection context or as part of cybersecurity measures. MERCOSUR, i.e. the Common Southern Market, is a trading bloc in Latin America, established in 1991. Its member states include Argentina, Brazil, Paraguay and Uruguay, with associated countries such as Chile and Peru, thus unifying a major part of South American economies. 104 While MERCOSUR's focus areas are agriculture, social development and human rights, it has recently tackled development and cooperation in the digital economy. It has been noted 105 that MERCOSUR countries are interested in laying down rules on data protection, but a GDPR-type of legislation is considered to be too inflexible. Under the current Argentinian leadership, expert groups are consulting on the future direction of the organisation's digital agenda, 106 though no legislation has been proposed yet. Moreover, MERCOSUR is collaborating with the Pacific Alliance, a trading bloc in the same area, on topics such as digital trade and cybersecurity. 107
ASEAN, the Association of Southeast Asian Nations, is an intergovernmental organisation which was set up in 1967. 108 Its 2016-2020 ICT Masterplan, adopted in 2015, 109 lists the development of regional data protection principles as part of establishing information security in the regional framework. 110 However, as per the Masterplan's Annex A, only sharing best practices is currently planned. The adoption of the cyber-norms foreseen in the Masterplan would be a major step forward, though their effective use is in doubt due to costly barriers to market entry and a lack of user trust in digital services. 111
To conclude, while privacy and data protection are strongly recognised human rights at international level, very few legal instruments specifically provide for encryption. Since the 80's, when computers became more ubiquitous, regional instruments on data protection have emerged, such as the APEC Privacy Framework, Convention 108 and the European Union data protection legislation; however, none of these apply globally. In the next section, three potential pathways to ensure global encryption obligations will be explored.

102 The Guidelines are not final; a draft version is available for public perusal, and the final version should be available in September 2019. Thelma A Allen, 'Guideline for Using Cryptographic Standards in the Federal Government - Cryptographic Mechanisms: NIST Releases Draft NIST SP 800-175B Rev. 1' (NIST, 3 July 2019) <https://www.nist.gov/news-events/news/2019/07/guideline-using-cryptographic-standards-federal-government-cryptographic> accessed 16 July 2019.
103 There have been some allegations that NIST endorses standards which include a secret backdoor for the NSA's exclusive use. Thomas C Hales, 'The NSA Back Door to NIST' (2014) 61 Notices of the American Mathematical Society.

unlikely to adopt a non-binding resolution on end-to-end encryption, 112 let alone adopt a comprehensive treaty (geo- and cyber-political interests would not allow for one). 113 A potential forum for discussion could be UNCTAD, 114 the UN Conference on Trade and Development, since its ICT policy work includes data protection, e-commerce and the development of the digital economy. 115 Another possible forum is UNCITRAL, the UN Commission on International Trade Law. UNCITRAL has adopted the Model Law on Electronic Signatures, 116 which inter alia lays down the rules on signature authenticity, including certificates. It does not, however, contain specific rules on cryptographic techniques or protocols, which are left to national legislation. 117 However, in order for the UN to adopt a treaty, there must be enough consensus in the General Assembly to pass the vote.
Could countries which use the international forums as a battleground for asserting geopolitical and geostrategic interests ever agree on issues such as backdoors, access to plaintext, key disclosure and key strength? In the words of Greenleaf, "the likelihood of a new UN treaty being developed from scratch are miniscule"; 118 or, according to Bygrave, there is "realistically, scant chance". 119 The World Trade Organisation is another potential candidate to adopt a treaty including encryption requirements. One of its policy areas is e-commerce in the context of trade development; 120 however, its progress in legislating has been slow since the 1998 adoption of its e-commerce work programme. Moreover, as Bygrave has noted, any WTO legislation would have a commercial bias, 121 and would thus regulate protection of personal data from a trade/competition point of view rather than a human rights one.

OPTION 2A -GLOBALISATION BY MEANS OF ACCESSION
As explored above, several regional data protection instruments provide for security requirements, which may specifically include encryption. To globalise an existing treaty or framework, non-regional actors would accede to the treaty according to its rules, thus extending its scope onto a larger scene. According to the Vienna Convention on the Law of Treaties, 122 accession is only possible if the treaty implicitly or explicitly provides for it, or if the state signatories agree on it. 123 The ECOWAS Act does not provide for non-member accession, nor does the APEC Privacy Framework. Unlike them, Convention 108+ allows non-member accession in its Article 27(1), which states that the Committee of Ministers of the Council of Europe may invite any non-member state or international organisation to accede to the Convention. Member states must agree to this accession. So far, only Uruguay has acceded to the treaty, whereas nine non-member states acceded to the 1981 Convention. 124 As already discussed above, the treaty does not explicitly provide for encryption, but it is recommended that data controllers adopt it. Therefore, globalisation of Convention 108+ could be a viable option to ensure global encryption requirements, although it goes without saying that the economic power of acceding non-members should be taken into account as well when assessing the Convention's globalisation success.

The GDPR applies also in Norway, Iceland and Liechtenstein; therefore personal data can be transferred to those countries without reference to Chapter V.
the criteria set down in Article 45 of the GDPR, such as the rule of law, respect for human rights and fundamental freedoms, legislation dealing with security, law enforcement access to data, personal data regulation etc., as well as their enforcement in practice, and possible international contractual obligations with regard to personal data protection. One of the criteria is also meeting the requirement of security and confidentiality measures. As long as these criteria are met, personal data flow freely between the EU and the state whose level of protection has been deemed adequate. Currently, these are Andorra, Argentina, Canada (applies only to Canadian commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America. 126 127 Unlike the GDPR, the current proposal for the ePrivacy Regulation, which covers other data involved in a communication context that are not personal data, does not include a similar clause, thus restricting its scope to the EU proper instead of globalising its standards.
Nevertheless, there are some possible drawbacks to globalising European standards (Europeanising?) through Convention 108+ and the GDPR. As Greenleaf points out, there is a pro-European bias in the current enforcement system of Convention 108+. There is no adjudication forum for non-European countries which accede to the treaty: while European countries, members of the Council of Europe, can be directly challenged in the European Court of Human Rights, the Court's jurisdiction does not extend to non-members regardless of their accession to Convention 108+, thereby depriving local data subjects of effective remedies against violations of the Convention. 128 Another drawback is data localisation rules, such as the data export restrictions in the GDPR's Chapter V. Such rules can bring high costs to outside actors seeking to enter the system who are not yet compliant with it, and may bring welfare losses to national economies. 129 Moreover, what if a new (cryptographic or other) technology were to emerge, one that is better at promoting human rights than the current encryption requirements imposed by European instruments? Of course, if the security provisions are interpreted broadly enough, then the rules should be flexible enough to accommodate such new technologies; nevertheless, this is a question that can be better answered in the future by case law (especially decisions by the CJEU), further expert work and industry effort.

126 European Commission, 'Adequacy Decisions' (European Commission) <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en> accessed 4 July 2019.
127 After the invalidation of the Safe Harbour agreement, the US negotiated the Privacy Shield framework, in which participating companies are certified to comply with the criteria laid down by the Federal Trade Commission.
128 Greenleaf, 'A World Data Privacy Treaty?' (n 5).

OPTION 3 -MAINTAIN THE STATUS QUO
Last but not least, it may be business as usual for the foreseeable future. In this scenario, the legal frameworks will apply regionally or nationally as currently provided, with or without reference to encryption. However, when governments change policies, especially when the government's geopolitical weight is significant, the ripple effects emanating from their actions could be sizeable. For example, requiring a foreign company to disclose decryption keys to law enforcement could lead to a loss of consumer trust in confidential communication, and potentially to competitive advantages for domestic companies. Such ripple effects could be mitigated by informal talks and coordination between governments, or by assessing policy impact ahead of its adoption. 130

CONCLUSION
This paper explored instruments applicable to encryption in an international human rights legal framework and, given the absence of an international encryption treaty, discussed the potential imposition of a binding legal obligation on states to mandate the use of encryption.
First, the connection between encryption, privacy/data protection and human rights was explained. Encryption functions as a measure to prevent unauthorised parties from seeing the data in their plaintext form. It enables safe communications and data transactions. It holds a very important role in a global economy, where data are transferred between different countries with different levels of data protection. Moreover, thanks to these functions, encryption facilitates the exercise of human rights, such as freedom of expression and the right to privacy.
Then, the applicable legal instruments were analysed. The elementary texts of human rights law, such as the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the European Convention on Human Rights and the EU Charter of Fundamental Rights, all provide for the right to privacy, including privacy of communications, with the EU Charter also explicitly providing for the right to personal data protection. None of those, however, explicitly mentions the need for security measures, let alone encryption measures.
More detailed rules on data protection were found in regional instruments. This chapter examined the EU framework (GDPR, ePrivacy Directive and the proposed Regulation), Convention 108 of the Council of Europe, ECOWAS's Model Data Protection Act and the APEC Privacy Framework, as well as some upcoming legislative initiatives by other regional organisations. The EU legal framework specifically refers to encryption as a security or data masking measure, whereas the other instruments require data security measures in general.
Recommendations on encryption by expert bodies argue for the use of encryption in order to facilitate online commerce and data security. The OECD 1997 Guidelines provide, however, for potential backdoors or plaintext access by law enforcement, which puts the strength of encryption in jeopardy.
Lastly, a global encryption obligation was discussed: a global treaty, possibly under the United Nations or the World Trade Organisation, is unlikely. As an alternative, globalisation of the GDPR or of Convention 108+ is proposed, although such globalisation does not come without drawbacks, such as bias. Should states decide to maintain the status quo, further ripple effects of national encryption policies are to be expected.

130 Ryan Budish, Herbert Burkert and Urs Gasser, 'Encryption Policy and Its International Impacts: A Framework for Understanding Extraterritorial Ripple Effects' Stanford University 28.