Decryption orders could violate human rights, Dutch judiciary council says

Ordering someone to decrypt his files could mean he's incriminating himself, the council said

A Dutch draft law that aims to introduce a decryption order that forces suspects to decrypt data on their computers could violate the European Convention on Human Rights (ECHR), said the Dutch Council for the Judiciary on Wednesday.

Several E.U. countries such as France, Belgium and the U.K. already have laws that compel individuals or companies to decrypt data requested by law enforcement authorities for investigations.

In the U.K for instance, failure to comply could mean a prison sentence of up to two years for cases not involving national security or five years for those that do. Refusing to give access to encrypted material if requested by a judge or another person with appropriate permission can be punished with a maximum jail sentence of one year and a fine in Belgium.

In France, punishment can be as high as three years in jail and a fine of €45,000 (US$59,000) if someone refuses to hand over the key to encrypted files that may have been used to prepare, aid or commit a crime. If it turns out the disclosure of the keys could have prevented a crime or diminish the effects of a crime, the punishment can go up to five years in jail and a €75,000 fine.

In the Netherlands, a similar law is being readied. Deliberately refusing to comply with a decryption order would be punishable by a maximum prison sentence of three years or a fine with a maximum of €19,500 should the law enter into force, according to the draft law's explanatory statement.

The Dutch government wants to introduce the decryption order because detection of computer crime is hampered by the use of encryption, especially in cases of child pornography, according to the document.

However, introducing a law that forces suspects to decrypt information could violate Article 6 of the ECHR, which states that a person doesn't have to incriminate oneself, said the Council for the Judiciary in a letter sent to the Minister of Safety and Justice dated July 4 and published on Wednesday.

While it is part of the Dutch Judiciary, the Council itself does not actually adjudicate legal matters. Instead, the Council is dedicated to ensuring that the courts of law can perform their duties effectively. It also represents the interests of the courts in the political arena as well as in administration and government, notably to the Minister of Security and Justice.

While the ministry maintains that the proposed law can operate within the boundaries of Article 6, the council is not sure that is possible.

A judge could conclude that the decryption order does violate Article 6 of the ECHR, which may have consequences for the usefulness of the evidence of the results of such an order, the Council said. The Council recommended reconsidering the relationship between the proposed decryption order and Article 6 of the ECHR and when doing so, to take a close look at a recent case, Chambaz v. Switzerland.

In that case, the European Court of Human Rights ruled last year that the right not to incriminate oneself and the right of access to evidence held by the prosecuting authorities were not respected when Yves Chambaz was fined several hundred thousand euros for refusing to produce all the documents requested in relation to his business dealings with a company and banks in a tax evasion case.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags Criminalsecuritylegalencryptionlegislationgovernment

More about European Convention on Human RightsIDGSwitzerland

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts