After proposing a temporary derogation from EU internet privacy rules in 2021 to allow call, messaging or email services to combat child pornography (see EUROPE 12557/13), on Wednesday 11 May the Commission will present a draft regulation on the subject, obliging companies to carry out risk assessments and take mitigating measures. In other words, to monitor their users’ communications to a greater extent.
The 135-page draft regulation, seen by EUROPE and eagerly awaited by those involved in data protection and communications privacy, tackles a phenomenon that affects one in five children worldwide. And while the pandemic has further aggravated the phenomenon, the 2011 directive on child sexual abuse is no longer adequate to counter the phenomenon, the Commission explains.
While some “providers already voluntarily use technologies to detect, report and remove online child sexual abuse on their services”, the measures taken by providers vary considerably. “The vast majority of reports [come] from a handful of providers, and a significant number take no action”, the text says.
The regulation therefore imposes obligations on providers to detect, report, remove and block material relating to the sexual exploitation of children and the solicitation of children, regardless of the technology used in online exchanges.
At the same time, it creates a new ‘European Centre to prevent and counter child sexual abuse’ which will work in conjunction with Europol and will logically be based in The Hague.
Providers of hosting or interpersonal communication services will first be obliged to carry out risk assessments.
They will then have to adopt “appropriate and proportionate” measures to mitigate the risks identified and report “to the Coordinating Authorities designated by the Member States”.
End-to-end encryption
The providers mentioned will be free to choose the mitigation measures and in particular the technology they wish to use, as the regulation does not impose any particular method and does not wish to encourage or discourage the use of any particular technology, such as end-to-end encryption.
“This Regulation leaves to the provider concerned the choice of the technologies to be operated to comply effectively with detection orders and should not be understood as incentivising or disincentivising the use of any given technology, provided that the technologies and accompanying measures meet the requirements of this Regulation. That includes the use of end-to-end encryption technology”, the text says.
National Coordinating Authorities that become aware of evidence that a specific hosting or interpersonal communication service poses a significant risk may request the competent judicial or administrative authority to issue an order obliging the provider concerned to detect the type of online child sexual abuse or to block or remove such material.
The competent authorities may also ask the judicial or administrative authority to issue an order for the removal of the material from a provider, which must be carried out within 24 hours at the latest. It will also be possible to challenge this removal decision, as well as the detection order.
Providers who are otherwise aware, even without a detection order, of any potential abuse on their services will also have to report it immediately to the EU Centre.
Criticism
German MEP Patrick Breyer (Greens/EFA) is already criticising a draft that opens up “massive control of communications” and jeopardises end-to-end encryption technology while “the German child protection association says that the majority of child pornography is shared via platforms and forums”.
Link to the draft regulation: https://aeur.eu/f/1ku (Original version in French by Solenn Paulic)