On April 1, 2025, the European Commission unveiled its latest five-year strategic blueprint, titled ProtectEU, aimed at tackling the pressing issue of internal security threats across the continent. This initiative follows the previous Security Union Strategy, which had garnered significant criticism, particularly concerning its implications for digital human rights.

The earlier strategy raised alarms with proposals such as the controversial chat control, which remains a contentious topic in political discussions. This initiative threatens the privacy, security, and integrity of private communications on a global scale, yet it remains mired in political stalemate. Additionally, the former strategy led to two significant reforms in the mandate of Europol, the EU's police cooperation agency, which expanded its surveillance powers significantly, particularly targeting individuals on the move.

Unsurprisingly, the new ProtectEU strategy continues to emphasize punitive digital surveillance as a key aspect of the EUs security agenda. There is a growing apprehension regarding the EU's inclination toward tech-supported securitization. Historically, technological solutions have frequently been touted as panaceas for complex security challenges, which are, in reality, multifaceted societal issues that necessitate a comprehensive approach. The over-reliance on such technologies not only proves ineffective but can also inflict severe harm on the very populations they purport to protect.

The risks associated with this techno-solutionist mindset are evident. The internal security strategy promises increased funding for security, aiming to promote both public spending and security research and investment, which includes the involvement of the private sector. However, this raises concerns, as many private companies have been implicated in developing some of the most egregious technological innovations that digital rights advocates have fought against in recent years. While the EU aspires for strategic autonomy, the superficial adoption of domestically-developed tools cannot mitigate the rights-encroaching nature of these surveillance technologies. Moreover, there is a significant risk that essential resources may be diverted away from policies and programs that could genuinely enhance safety and protection for individuals.

This article delves into the ProtectEU proposals, which pose a significant threat to digital rights and could potentially exacerbate existing security challenges.

Looming Attack on Encryption

One of the most alarming components of the new strategy is the announcement of the preparation for a Technology Roadmap on encryption. This roadmap aims to explore and assess technological solutions that would enable law enforcement agencies to access encrypted data lawfully. This proposal is rooted in recommendations from the High Level Group (HLG) on Access to Data for Effective Law Enforcement, also known as Going Dark, specifically recommendation 22.

The High Level Group, primarily composed of national law enforcement representatives, proposed the concept of lawful access by design. This initiative would require all internet service providers, from telecommunications companies to private messaging services and connected devices, to modify their digital security protocols to allow for law enforcement access to encrypted data. Essentially, this would mandate the implementation of encryption backdoors across all digital devices and services. Such backdoors not only threaten fundamental rights but also compromise collective cybersecurity.

In response to the original publication of these recommendations, critics warned that they should not be viewed as reliable guidance for future legislative action. If the EU is truly committed to safeguarding cybersecurity and fundamental rights, it is crucial to recognize that introducing vulnerabilities into digital systems while maintaining their security is an unrealistic expectation.

Data Retention 2.0

Another critical objective set by the Commission for 2025 involves producing an assessment of the impact of data retention rules at the EU level. President Ursula von der Leyen emphasized this in her mission letter to Magnus Brunner, the candidate for the Home Affairs portfolio. She seeks an update of law enforcement's tools for accessing digital data alongside revised rules on data retention.

The retention and access to data collected by internet service providers for law enforcement purposes have been contentious issues within the EU for many years. A decade ago, the Court of Justice of the European Union (CJEU) invalidated previous legislation on data retention, a ruling that arose from a case initiated by EDRi member Digital Rights Ireland. Despite the annulment of the old Data Retention Directive, numerous Member States continue to uphold mass data retention regimes, blatantly disregarding the Courts judgment and violating EU law.

Rather than addressing this rule of law crisis and enforcing compliance with EU treaties, the Commission has chosen to look the other way. Currently, some Member States and international corporations are advocating for harmonization at the EU level to replace the existing fragmented national laws.

The proposals outlined by the HLG Going Dark do little to resolve existing issues related to unlawful surveillance. They suggest that future EU legislation should require companies to retain data to facilitate the identification of any user and broadly expand the range of internet service providers included under this legal obligation. This would ultimately result in heightened surveillance of internet users beyond what was previously permitted under European law.

The implications of such changes are profound, particularly concerning the publics ability to use online services anonymously. In a climate where civic spaces are increasingly restricted and public protests are criminalized, the right to anonymous speech is more crucial than ever. An uptick in mass data retention could deter access to information, curtail press freedoms, and inhibit participation in online political activism.

Europol and Frontex: Increased Powers

To enhance the EU's security capabilities, the Commission has pledged to bolster its home affairs agencies. Europol, in particular, is set to receive an ambitious overhaul of its mandate to evolve into a truly operational police agency.

While this legislative proposal to transform Europol is already underway, another reform aimed at expanding its powers and resources is currently under discussion among EU policymakers. This proposal comes only three years after a previous reform that faced considerable pushback from data protection authorities and civil society.

Europol's history of overreach and abuse is well-documented. However, reforms intended to increase its powers continue to accumulate, enabling the agency to gather extensive personal data with minimal oversight, develop algorithms for national police forces without regard for potential discriminatory outcomes, and employ questionable data mining techniques that lack proper scientific validation or auditing. Given that the effects of prior reforms remain unassessed, it is challenging to predict the ultimate goals of the proposed overhaul of Europols mandate.

Additionally, both Frontex, the European border control agency, and Eurojust, the judicial cooperation agency, are set to receive enhanced missions. The number of European Border and Coast Guards is expected to triple, reaching a total of 30,000 over time, coupled with an anticipated increase in the use of advanced surveillance technologies for situational awareness. This expansion seems to reward Frontex for its previous illegal practices, including complicity in numerous pushbacks and human rights violations at EU borders. The agency has previously been caught sidestepping its own internal data protection oversight while illegally transferring data to Europol and attempting to roll out an illegal social media surveillance program.

The ongoing scandals and violations of data protection rights have not deterred the Commission from pursuing its securitization objectives. The home affairs agencies will be granted expanded surveillance capabilities, increased budgets, and more resources, along with enhanced technical means for the rapid exchange of information, including operational purposes, between these agencies.

The Road Ahead

Rather than genuinely addressing security concerns, the ProtectEU strategy appears to fuel an oppressive law enforcement infrastructure, primarily benefiting agents known for their systemic over-policing and inadequate protection of marginalized communities in Europe, particularly migrants and racialized groups. This infrastructure relies on increased data collection, analysis, and sharing among Member States, EU agencies, third countries, and private corporations. As law enforcement often secures broad exemptions from fundamental rights guarantees and public scrutiny under EU law, data protection and privacy safeguards are easily undermined.

Digital rights activists must prepare for the looming challenges and strive to prevent these detrimental plans from coming to fruition. In this context, the European Digital Rights Initiative (EDRi) will actively monitor and participate in policy debates at the EU level, contesting harmful tech-supported securitization measures.