> When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation is without prejudice to the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights set out in this Regulation when such a restriction is targeted at persons suspected of having committed a criminal offence and constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights.

This is not about preventing state surveillance, this is about regulating non-state actors' ability e.g. to track users without their consent.

Edit: However, on page 74

> The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data. Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.

It seems to me that this requires end-to-end encryption, but the regulation is scoped in such a way that the requirement may be lifted when it inconveniences law enforcement.