Brussels, 18 January 2017 WK 528/2017 INIT LIMITE CYBER COPEN JAI ENFOPOL GENVAL COSI WORKING PAPER This is a paper intended for a specific community of recipients. Handling and further distribution are under the sole responsibility of community members. WORKING DOCUMENT From:                 Commission Services To:                   Horizontal Working Party on Cyber issues Subject:              The role of encryption in criminal investigations - Informal draft of the Commission's Work Plan Delegations will find in Annex the informal draft of the Commission's Work Plan on the role of encryption in criminal investigations, in view of the meeting on 20 January 2017. WK 528/2017 INIT LIMITE                                                                                             EN

The role of encryption in criminal investigations - Informal draft of the Commission's Work Plan The purpose of this document is to provide an overview as regards the Commission's next steps on the role of encryption in criminal investigations. I.       Policy background The Commission committed in the April 2015 European Agenda on Security to exploring with service providers the concerns that law enforcement authorities have on encryption technologies. In addition, Commissioner King at his September 2016 Parliamentary hearing undertook to explore with Member States practical solution to address issues on encryption in criminal investigations. Finally, at the informal JHA Council in July 2016 the Slovak Presidency initiated a discussion on the role of encryption in criminal investigations, which was concluded at the 8-9 December 2016 Council meeting with a call on the Commission to facilitate further reflection on the matter. II.      Objectives of the work The objective of the work is to consider a European Commission position on the role of encryption in criminal investigations. Where relevant, further actions or recommendations may be suggested. III.     General observations The Commission will build on the outcome of the discussion at the 8-9 December 2016 Justice and Home Affairs Council meeting, where Member States called for a reflection process, and also noted options for improving technical capabilities, the possible role of the European Judicial Cybercrime Network, and the need for training for authorities. The work completed thus far under the Slovak Presidency indicates that both technical and legal aspects of the role of encryption in criminal investigations need to be assessed. In order to gather the necessary expertise to be able to cover both aspects, the Commission will establish an information gathering process with expert and stakeholder involvement. Member States will be informed by means of updates provided to Justice and Home Affairs Counsellors. Member States will also be involved by means of experts´ involvement throughout the policy process. The Council and the European Parliament will be informed on the progress of the work throughout the process. The process will be discussed at the Horizontal Working Party on cybersecurity and cybercrime on 20 January 2017. The European Data Protection Supervisor will be involved on an informal basis. Private sector organisations and civil society organisations will initially be involved on an ad-hoc basis through roundtable meetings. As part of the third step of the policy process a larger public event may be organised in September 2017 to collect stakeholder views on the basis of a discussion paper. 1

The role of encryption in criminal investigations is considered in the context of a number of discussions, and by a number of organisations. The matter is also considered by third countries, including the United States, in relation to which it should be noted that the topic will be discussed by the EU-US working group on cybercrime in February 2017. IV.     Suggested process This (informal draft) work plan is the result of preliminary discussions among Commission services and EU agencies. The process will include two working streams, one dedicated to exploring technical issues, and the second one to exploring the legal framework. Thirdly, the results of the two working streams will be brought together, for the Commission to draw conclusions on the way forward. 1. The two working streams (technical and legal) The two working streams will be used to collect information and explore the options for a European perspective on the role of encryption in criminal investigations. As the required expertise is quite distinct, and the two streams are likely to require the involvement of different experts, the technical and legal working streams will be organised separately. Work between the two streams will be coordinated to support the development of synergies at an early moment, and to avoid a duplication of work. a. Technical work stream The technical work stream will be used to assess the use / abuse of encryption by criminals, and the technical capability of law enforcement and judicial authorities to address the use of encryption as part of criminal investigations. A number of expert meetings will be organised to assess these elements. The technical working stream will to a great extent be guided by the Europol-ENISA working group that was established following their May 2016 joint statement on the role of encryption in criminal investigations. The working group can already draw on relevant expertise. •   Output: A scoping paper with definitions and a mapping of technical issues. •   Participants: HOME, CNECT, Europol, ENISA (Europol-ENISA working group), JRC. Where relevant, additional experts at Member State level, private sector companies or academics may be invited on an individual basis. •   Input: The work plan prepared during the first step of the policy process. Additionally, the Europol – ENISA working group's terms of reference (yet to be adopted) will be used to guide the work. For each expert meeting an agenda and discussion paper will be circulated. •   Timing: From mid-January 2017 until August 2017. b. Legal work stream The legal work stream will be used to assess the legal framework at Member State level, as well as related practices and procedures, for law enforcement and judicial authorities to address the use of encryption as part of criminal investigations. 2

The work stream will be based on a mapping of Member State's legal frameworks. The basis for the mapping will be the results of the questionnaire on the matter circulated by the Slovak Presidency, to the extent that the results are accessible for the Commission. Member States will be contacted to provide support, e.g. to identify relevant legislation. Eurojust and the European Judicial Cybercrime Network may provide support. Additional questions may be circulated to complete the picture. The mapping exercise may be supported by an external contractor. A number of expert meetings will be organised to provide for an assessment of these elements. •   Output: A mapping of relevant legislation in Member States. •   Participants: HOME, JUST, FRA, Eurojust and the European Judicial Cybercrime Network. •   Input: The work plan prepared during the first step of the policy process. Results of the questionnaire of the Slovak Presidency, where available. For each expert meeting an agenda and discussion paper will be circulated. •   Timing: From mid-January 2017 until August 2017. 2. Synthesis of the results of the work streams The third step of the policy process will be used to bring together the results of the technical and legal work stream. On the basis of the results of the work streams the European Commission will summarise the information gathered and present the conclusions in the form of [a report]. Where relevant, recommendations and further actions may be suggested. Recommendations and actions may cover options for improving technical capabilities, the possible role of the European Judicial Cybercrime Network, and the need for training for authorities. A number of expert meetings will be organised. •   Output: A report to the Council in second half of 2017. •   Participants: Member States' representatives, CEPOL, ECTEG, national Cybercrime Centres of Excellence. •   Input: The scoping paper as a result of the technical work stream, and the mapping of Member States' legislation, practices and procedures. •   Timing: Second half of 2017. V.        Deliverables of the work At the end of the process the Commission will present a report on the role of encryption in criminal investigations, possibly accompanied by recommendations for further action. The format is still to be determined. VI.       Planning of the policy process Depending on political validation, the technical and legal work streams will run from mid-January 2017 until August 2017. The final step of the policy process that will result in the report to the Council deliver in the second half of 2017. 3