knowledge 29 August 2022 |

EDPB and EDPS opine on proposed further online content regulation to prevent and combat child sexual abuse

This proposed Regulation is intended to replace Regulation (EU) 2021/1232, the “Interim Regulation”, which came into force in 2021 as a temporary measure to enable certain categories of service providers to detect and report online child sexual abuse and to remove online child sexual abuse material from their services in compliance with European data protection and e-Privacy law.  The Interim Regulation enables such activities to be conducted on a voluntary basis, however the proposed Regulation will oblige certain categories of service providers to actively combat online child sexual abuse, as part of a growing trend towards the imposition of more responsibilities on service providers to take a proactive approach to tackling illegal online content.  In the Opinion, the EDPB and EDPS share their views on challenging issue of how to strike the right balance between the protection of data protection and privacy rights and efforts to tackle online child sexual abuse.

Background

The proposed Regulation will impose obligations on providers of hosting services and of interpersonal communication services concerning the detection, reporting, removing and blocking of known and new online child sexual abuse material (“CSAM”), as well as the solicitation of children. Such providers will be obliged to assess and mitigate the risk of misuse of their services and any measures taken must be proportionate and subject to adequate safeguards. The proposed Regulation will also establish an EU Centre on Child Sexual Abuse (the “EU Centre”) and national Coordinating Authorities, which will facilitate the implementation of the proposed Regulation.  Since the proposed Regulation will require service providers to whom it applies to engage in activities that would otherwise be contrary to data protection and e-Privacy law, particularly regarding interference with the confidentiality of communications, the EDPB and EDPS focus on the impact of such obligations on the protection of the fundamental rights to privacy and to the protection of personal data. 

EDPB and EDPS Criticisms

The EDPB and EDPS raise a number of concerns regarding the proposed Regulation in their Opinion, particularly as to whether the interferences with fundamental rights it provides for are ‘necessary’ and ‘proportionate’ as those terms are to be interpreted in this context. In doing so the EDPB and EDPS cite noteworthy decisions of the CJEU regarding legislative measures which infringe on fundamental rights in areas such as criminal justice and national security, including the Digital Rights Ireland, Tele2Sverige and Watson, Schrems and La Quadrature du Net cases. Criticisms of the proposed Regulation set out in the Opinion include the following:

• Relationship with existing legislation
  
  The EDPB and EDPS note that the proposed Regulation would repeal the Interim Regulation and eliminate the current regime whereby processing personal data for the purpose of detecting and removing online child sexual abuse on a voluntary basis is permitted, replacing it with a mandatory regime.  They recommend that it be made clear that, in such circumstances, service providers who will not be obliged to engage in such processing under the proposed Regulation will no longer have a basis to do so on a voluntary basis, unless this is provided for in national laws applicable to them that transpose the e-Privacy Directive. Multinational organisations who currently engage in such processing activities on a voluntary basis (from an EU law perspective) will be particularly keen to understand what will be mandatory or otherwise permitted under laws applicable in the EU in this regard, so that they can consider whether the European regime will be aligned with how they operate in light of laws in other jurisdictions (such as the United States).

• Risk assessment and mitigation obligations
  
  The EDPB and EDPS believe that provisions regarding risk assessments to be conducted by service providers are insufficiently detailed and precise to meet the requirements of certainty, clarity and foreseeability in respect of legislation that provides for interferences with and restrictions on fundamental rights. They are particularly critical of the provisions governing the procedure for targeted detection orders to be issued to a service provider.

• Analysis of the necessity and proportionality of the envisaged measures
  
  The EDPB and EDPS express strong concern regarding the measures envisaged for the detection of unknown CSAM and solicitation of children due to “their intrusiveness because of potential granting of access to content of communications on a generalised basis, their probabilistic nature and the error rates associated with such technologies”¹. The Opinion notes that technologies for detecting new or unknown CSAM, as opposed to known CSAM, have significantly higher error rates and their use could therefore have a disproportionate impact on fundamental rights (due to false positives).

• Impact on Encryption
  
  The EDPB and EDPS note that the regime that will apply to detection orders might make service providers who will be subject to the proposed Regulation inclined to stop using end to end encryption or to otherwise reduce the effectiveness of their encryption arrangements. The EDPB and EDPS emphasise that European data protection authorities favour strong encryption tools and are opposed to any type of ‘backdoors’, regardless of the public interest that might be cited as a justification for a backdoor. On this basis, they are opposed to the inclusion of any measures in the proposed Regulation that might, even indirectly, weaken encryption practices.  

• Relevant technologies and safeguards
  
  The EDPB and EDPS are particularly critical of the proposal that the Regulation would provide for the scanning of audio communications for the purpose of child grooming detection (which is not permitted by the Interim Regulation). They note in the Opinion that this would require ongoing and live interception, which is particularly intrusive. They further expressed scepticism towards the proposed use of age verification measures to identify child users of services, as they acknowledge that there is currently no technological solution capable of assessing age with certainty, with the result the service provider might be incentivised to exclude young looking adults from accessing the services, or the deployment of very intrusive age verification measures.

What’s next?

The EDPB and EDPS conclude that the proposed Regulation raises serious data protection and privacy concerns and call upon the EU legislature to amend it in order to address the deficiencies identified in the Opinion, particularly regarding satisfying the necessity and proportionality tests. The proposed Regulation still has some distance to travel in the EU legislative process and it remains to be seen how many of the changes recommended by the EDPB and EDPS will be implemented and what technological steps service providers to whom the Regulation will apply might be required to implement in the future. In the meantime, service providers whose services may be used to share online child sexual abuse or for the online solicitation of children may continue to seek to tackle such activities on a voluntary basis under the Interim Regulation.