As expected, on Thursday 12 December, the EU27 Ministers for Home Affairs were unable to give the green light to the Hungarian Presidency of the EU Council’s latest compromise on the Regulation on the removal of online child sexual abuse material (‘CSAM’).
Whereas nine countries (Germany, the Netherlands, Luxembourg, Austria, Poland, Slovenia, the Czech Republic, Estonia and Finland) had formed a blocking minority on this issue on 6 December (see EUROPE 13540/8), the ministers from these countries reiterated their blocking position during a public session, all expressing their unease at the technologies used to detect child sexual abuse material in private communications and announcing their abstention.
They also expressed doubts about the ‘client-side analysis’ technique, which would allow encryption to be respected, but would have implications for cybersecurity.
Germany’s Minister of the Interior, Nancy Faeser, said she was determined to combat these “despicable” crimes and welcomed the fact that the text on the table created more rights for victims, including reparations. “But it’s not a good solution to filter millions of private communications just for one person under suspicion”, she added. The minister called on her colleagues to continue to seek an acceptable solution, taking the same line as Austria, which, through Minister Gerhard Karner, had also raised the issue of constitutional difficulties.
Slovenia pointed to excessive interference in the right to privacy and private communications. For this country, a solution is needed that will enable the text to pass the test of the Court of Justice of the EU.
The Luxembourg minister, Leon Gloden, said that it was not possible to accept the solution on the table when the legal service of the Council of the EU had established a risk of generalised and undifferentiated surveillance of communications. The proportionality requirement has not been met, he added, calling on his partners to work on a “viable” text. Client-side analysis technology, which is used to protect encryption, has also been criticised for its implications for cybersecurity, he stressed.
While Estonia said that it wants to work on a text that “genuinely protects children and privacy” Poland, through the voice of Minister Tomasz Siemoniak, said that it does not have a “100% guarantee” that the risks of widespread scanning of communications have been eliminated.
The Hungarian Interior Minister, Sándor Pintér, acknowledged that more work was needed to reach an agreement.
Conclusions on police access to data. In addition, on 12 December, the Council of the EU issued conclusions inviting the EU institutions, bodies and agencies, as well as the Member States, to take account of the lessons learned by the High-Level Group on effective and lawful access to data for judicial and law enforcement authorities.
The EU Council “calls on the Commission, the Member States and all interested stakeholders, including the EU Counter-Terrorism Coordinator and relevant JHA agencies, to support through a common communication narrative the explanation of the needs of law enforcement operating within legal frameworks to protect society, to encourage service providers to cooperate with public authorities, and to contribute constructively to the public discourse”.
The EU Council also invites the Commission to present, by the second quarter of 2025, a roadmap for the implementation of relevant measures, including legislation, if considered necessary following a thorough and comprehensive impact assessment, in order to ensure lawful and effective access for law enforcement authorities to data, which need to be addressed as a matter of urgency, while excluding any interference with national security.
The EU Council said it understands that this roadmap is to be a comprehensive document based on the work of the High-Level Group (HLG) and its recommendations, containing a precise timetable for each measure.
Among other things, the HLG calls on the Commission to publish in 2025 “a recommendation on real-time access to data”, which “clarifies the concept of lawful interception for providers of electronic communications services and details the different requirements that may apply to the lawful interception of available content and non-content data, in full respect of cybersecurity, data protection and privacy, without compromising encryption”.
Links to the conclusions and the high-level report: https://aeur.eu/f/erz ; https://aeur.eu/f/ern (Original version in French by Solenn Paulic)