With 85 million pictures and videos depicting child sexual abuse reported worldwide in 2021 alone and a 64% increase in detections of such child pornography compared to 2020, the European Commission, on Wednesday 11 May, presented a proposal for a regulation to prevent and combat such online child sexual abuse and make the EU the world leader in the fight against online child pornography.
As anticipated in a provisional draft (see EUROPE 12949/7), this regulation will thus oblige providers and hosts of interpersonal communication services to carry out risk assessments and possibly apply mitigating measures and to report to competent authorities designated by the Member States. These providers will have to scrutinise the circulation of photos or videos, already identified in the past or newly produced, but also to monitor the practices of soliciting sexual services.
Software application developers are also covered by this regulation.
It will then be up to these authorities to decide, on the basis of these assessments, whether the risk is great enough to issue a mandatory detection and subsequent blocking or removal order to the company concerned or its representative in the Member State concerned.
This regulation also proposes to create a new European Centre dedicated to combating the distribution of child pornography online, which will assist Member States and companies in the implementation of the regulation.
It will provide the indicators for tracking such illegal content, with the designation of whether material is illegal or not being the responsibility of the provider, and will operate “databases of indicators of online child sexual abuse that providers will be required to use to comply with detection obligations”. Working in close cooperation with the police cooperation agency Europol, the new European centre will logically be based in The Hague and hosted by the Agency.
“You are not alone”, the Commissioner for Home Affairs, Ylva Johannson, told thousands of abused children on Wednesday, as one in five children worldwide is estimated to be affected by child abuse. “It is our duty to protect children”, she added, aware that this legislation will not please the companies involved.
Having met some of them, notably in Dublin, the Commissioner has already been able to see that “they don't like” this text, she had already told a group of journalists on 10 May.
Least “intrusive” technologies
The proposed regulation replaces the temporary derogation from the e-privacy directive proposed in 2020 stipulating that providers can derogate from privacy rules and thus look at users’ communications, both to monitor spam and malware, but also to detect child pornography.
The 11 May Regulation establishes permanent legislation for images and videos of abused children, but does not tell companies how they should conduct this monitoring.
“The proposal is technology-neutral”, the Commissioner said, insisting that these means of detection should be “the least privacy-intrusive”. Fixing specific technologies to track this material would also be counterproductive, the Commissioner said, as things were “evolving fast”. The technologies promoted could quickly “become outdated”.
The proposal therefore leaves it to the providers to determine both the monitoring tools and the risk mitigation tools.
On end-to-end encryption technology, the Commission seems uncomfortable. It states that this technology is essential to ensure the privacy of users and communications, but it must also meet the requirements of the regulation.
“Encryption is an important tool for the protection of cybersecurity and confidentiality of communications. At the same time, its use as a secure channel could be abused of by criminals to hide their actions, thereby impeding efforts to bring perpetrators of child sexual abuse to justice”, writes the Commission.
“If such services were to be exempt from requirements to protect children and to take action against the circulation of child sexual abuse images and videos via their services, the consequences would be severe for children”, it added.
The regulation also provides for sanctions against suppliers who fail to comply with their obligations, with fines not to exceed 6% of the provider’s annual income or global turnover in the last financial year.
Criticism
“11 May is a worrying day for all EU citizens who want to send a message privately without exposing their personal information, such as chats and photos, to private companies and governments”, reacted the European Digital Rights (EDRi) association.
The proposal contains measures that “appear - at a minimum - to allow for widespread scanning of individuals’ private communications and, in some cases, will go further to force scanning and deletions”.
“In addition, the proposal will discourage the use of end-to-end encryption and provide a strong incentive for providers to take the most intrusive measures possible to avoid legal consequences”, EDRi adds.
For the MEP Patrick Breyer (Greens/EFA, Germany), “chat control threatens to put an end to the secrecy of digital correspondence and secure encryption”.
Link to the regulation: https://aeur.eu/f/1l1 (Original version in French by Solenn Paulic)