The first part of this series examined jurisdictions that have adopted a coercive approach to cryptographic barriers. Nations such as the United Kingdom, Australia, and France navigate the practical hurdles of end-to-end encryption through statutory workarounds. Rather than attempting to break the encryption itself, these legal systems apply pressure directly to the device owner – even if the owner is the suspect. By treating the refusal to provide decryption keys or passwords as a standalone criminal offense, they effectively bypass the technical roadblock. Under this model, non-compliance triggers its own set of penalties, entirely separate from the underlying investigation.

This second part turns to a different legal paradigm, examining jurisdictions that prioritize established civil liberties over state access. The focus here rests on legal frameworks maintaining that foundational constitutional protections – most notably the privilege against self-incrimination – cannot be set aside simply to accommodate investigative convenience. For these nations, forcing a suspect to produce a password or PIN crosses a critical line, shifting from the lawful seizure of physical evidence to the unlawful compulsion of testimony. The following chapters explore how these countries structure their laws to preserve traditional rights, even as the realities of modern digital forensics present unprecedented challenges for law enforcement.

The Protectors of Digital Rights

In contrast to jurisdictions that penalize a suspect’s refusal to decrypt personal devices, a distinct cohort of nations – prominently including Canada, Germany, Belgium, and the Netherlands – anchors its approach in established constitutional and procedural safeguards. Rather than treating investigative access as an absolute imperative, these legal systems maintain that the fundamental privilege against self-incrimination must endure in the digital arena. Within this framework, courts and legislators generally separate the lawful oversight of third-party telecommunications providers from the direct coercion of the individual suspect.

Canada

Canada stands against the coercive decryption model. The Canadian judicial system evaluates these modern police practices strictly through the lens of the Canadian Charter of Rights and Freedoms, specifically Section 7, which guarantees the right to life, liberty, and security of the person. This section has been heavily interpreted to encompass the right to silence and robust protection against self-incrimination. Canadian courts have consistently rebuked attempts by the Crown to force suspects to divulge passwords.

In the pivotal case of R. v. Shergill (2019 ONCJ 54), the Ontario Court of Justice faced a novel application by the Crown seeking an “assistance order” under section 487.02 of the Criminal Code to compel an accused to unlock a seized cellphone. The police openly admitted they lacked the technology to bypass the phone’s security without destroying the data. Justice Philip Downes explicitly recognized the immense challenges law enforcement faces with modern encryption but ultimately balanced the public interest in prosecuting crimes against the accused’s liberty interests under the Charter. The court flatly refused to order the accused to unlock the smartphone, reinforcing that the right to silence unequivocally extends into the digital realm.

This protective stance was further reinforced by the Ontario Court of Appeal in R. v. O’Brien (2023 ONCA 197). In O’Brien, the court approached police demands for device passwords through the lens of the Charter, emphasizing the inherently coercive circumstances of the search, the lack of truly informed consent, and the failure to provide a meaningful opportunity to exercise the right to counsel before access was obtained. The decision underscores that consent to search a digital device cannot be manufactured through state pressure, confusion, or ignorance of one’s rights.

Germany

Germany operates as a prominent stronghold for digital privacy within the European Union, anchoring its approach to compelled decryption in the foundational legal principle of nemo tenetur se ipsum accusare – the right not to incriminate oneself. Under the German Code of Criminal Procedure (Strafprozessordnung, or StPO), the right to silence is protected in the digital realm. While investigators are fully authorized to seize locked devices and attempt to extract data using their own forensic tools, the law strictly prohibits forcing suspects to surrender their personal passwords, PINs, or cryptographic keys. Compelling an individual to actively unlock their own device is treated as an unacceptable breach of this core procedural safeguard, ensuring that suspects cannot be coerced into handing over the exact tools needed for their own prosecution.

This procedural shield is heavily reinforced by Germany’s highest court. In a landmark 2008 ruling, the Federal Constitutional Court (Bundesverfassungsgericht) established a specialized constitutional protection: the fundamental right to the confidentiality and integrity of information technology systems (often referred to as the “IT fundamental right”). Derived from the broader right of personality outlined in the German Basic Law, this ruling set a high judicial bar for state interference with personal computing devices. The court effectively recognized that modern digital devices require explicit and stringent protections against unwarranted state access.

Consequently, the German legal framework places the technical burden of decryption entirely on the state. If law enforcement encounters a heavily encrypted smartphone, investigators must rely on their own technical resources to bypass the security, and cannot jail the device owner for refusing to provide the password.

Netherlands

Dutch legislation embeds the privilege against self-incrimination directly into its statutory text regarding digital forensics. Article 125k of the Dutch Code of Criminal Procedure empowers investigators to issue a decryption order to individuals who possess specific technical knowledge of the encrypted system in question. However, the statute explicitly dictates that this legal order absolutely cannot be issued to the suspect. Tellingly, this core protection has been actively preserved even as the country undergoes a sweeping, multi-year Modernization of Criminal Procedure.

The Biometric Compromise

The global legal landscape surrounding compelled decryption is vast, and this analysis does not attempt to review every jurisdiction. Many nations would comfortably align with either the coercive or protective camps. For the purposes of this scope, developing nations, autocracies such as China and Russia, and much of the Asian region – including Japan and South Korea – are still waiting to be explored. Comprehensively cataloging every national approach in a single text, or even two, is impossible and falls outside the primary goal of examining this core legal divide.

Between the extremes of criminalizing digital silence and absolutely protecting it, a widespread compromise has emerged across numerous jurisdictions: compelled biometric unlock. As device manufacturers transitioned away from typed passwords and seamlessly integrated fingerprint and facial recognition technologies, they unintentionally provided law enforcement with a legal loophole. This rapid technological shift introduced a profound vulnerability into the jurisprudence surrounding self-incrimination.

Constitutional protections against self-incrimination are fundamentally designed to shield the “contents of the mind,” preventing the state from forcing an individual to share a memorized code or articulate a thought. Conversely, the law has long maintained that physical traits do not constitute compelled testimony. This strict legal dichotomy is deeply rooted in nineteenth-century forensic science. Following the development of Alphonse Bertillon’s anthropometry (Bertillonage) and the global rise of dactyloscopy, courts universally accepted that measuring a suspect’s physical body or taking their fingerprint did not violate the right to silence.

Modern prosecutors have utilized this historical distinction. Because a fingerprint or a face is classified as a physical attribute rather than a memorized secret, courts routinely rule that forcing a suspect to unlock a device via biometrics does not trigger self-incrimination protections. Armed with this reasoning, law enforcement agents regularly secure search warrants authorizing them to physically press a suspect’s thumb onto a scanner or forcibly hold a smartphone to a suspect’s face. Under this framework, the human body is legally reduced to a physical key.

This creates a procedural paradox. A suspect who relies on a traditional PIN can legally invoke their right to silence and refuse to surrender the code, while a suspect utilizing a biometric shortcut for the exact same cryptographic code can be physically restrained and forced to unlock the device without any recognized constitutional violation occurring. The legal outcome relies entirely on the technical distinction between what the suspect knows versus what the suspect is.

While this biometric workaround remains widely exploited by authorities, there are signs of judicial resistance. In January 2025, the D.C. Circuit Court of Appeals issued a potentially landmark ruling in United States v. Brown, concluding that compelling a defendant to unlock a cellphone with a fingerprint actually violated his Fifth Amendment right against self-incrimination. The court reasoned that the compelled biometric unlock was inherently “testimonial” because it explicitly communicated the suspect’s control and ownership over the device and its hidden contents.

Conclusion

The global legal landscape is currently defined by a collision between modern cryptography and the coercive power of the state. In an effort to bypass encryption, several jurisdictions have granted police the leverage to force suspects to unlock their devices under the threat of severe penalties. However, this approach effectively hollows out the ancient legal principle of nemo tenetur se ipsum accusare – the right against self-incrimination.

This increasing reliance on statutory coercion, coupled with the exploitation of outdated biometric loopholes, signals a significant shift in the balance of legal power. If these practices continue unabated, the fundamental protection against forced self-incrimination risks surviving only as a theoretical construct on paper, largely disconnected from the digital reality where everyday human life now occurs.

References

Canada

• Forced Unlocking Amounts to Self-Incrimination – Canadian Technology Law Association
• Ontario court refuses to order accused to unlock his smartphone – Privacy Lawyer
• The Right to Silence Carries the Right to Keep Passwords Secret – McCarthy Tétrault LLP

Netherlands

• Cybersecurity Laws and Regulations Report 2026 Netherlands – ICLG.com

Germany

• Bundesverfassungsgericht – Decisions search – Judgment of 27 February 2008
• Grundrecht auf Gewährleistung der Vertraulichkeit und Integrität informationstechnischer Systeme – Wikipedia

Biometric Unlock (Various Jurisdictions)

• The Fifth Amendment, Decryption and Biometric Passcodes – Lawfare
• Biometrics vs. the Fifth Amendment – New America
• Do Compelled Biometrics Violate the Fifth Amendment? A Deepening Split Among Lower Courts – The Federalist Society
• Does the Fifth Amendment Protect Biometrics? – Purdue Global Law School
• When Your Fingers Do the Talking: D.C. Circuit Rules That Compelled Opening of Cellphone With Fingerprint Violates the Fifth Amendment – Arnold & Porter