On 26 November, the Danish Presidency of the Council of the EU is due to seek the green light from the Member States for a mandate to negotiate with the European Parliament on the Regulation on the removal of child sexual abuse material (CSAM) online.
While it was initially planning to ask for this mandate on 19 November, a few remaining parliamentary reserves pushed back the timetable by a week, sources explained.
Nevertheless, the Presidency is likely to move towards a positive outcome after three years of controversy on this issue, particularly after the removal in the latest compromises of any reference to mandatory injunctions to detect paedocriminal content, imposed on web platforms and service providers, particularly in private communications via services such as WhatsApp.
At the end of October, the Presidency had decided to abandon this mandatory requirement, and on 6 November received support for the presentation of a final text free of these detection obligations (see EUROPE 13746/12).
This negotiating mandate - which is only partial, as the location of the future headquarters of the EU agency responsible for managing the handling of CSAM, is not yet known - was to be approved without discussion, according to a provisional EU Council agenda.
In the meantime, several key Member States - such as Germany, which had previously opposed the proposal – are now said to be in favour of the text on the table.
For supporters of the Commission’s original text and of mandatory detection orders, this solution is disappointing, but is still considered the lesser evil if a legal vacuum is to be avoided.
Next April will see the expiry of the current derogatory ‘voluntary detection’ regime, which currently authorises the web giants to detect such content on a voluntary basis. Negotiations with the European Parliament are still ongoing, so it may be necessary to extend this derogation until the new regulation comes into force.
In its latest text, dated 13 November and published by Netzpolitik, the Danish Presidency specifies in the general provisions that “cybersecurity and encryption are protected in a comprehensive way”.
With regard to risk assessment and mitigation obligations, an enhanced risk assessment and categorisation is put in place for services to determine the risk associated with specific services based on a set of objective criteria (related to the basic type and architecture of the service, provider policies, built-in security features and an analysis of user trends).
Following the outcome of this risk categorisation process, systems or parts thereof will be classified as ‘high risk’, a ‘medium risk’ or a ‘low risk’. And certain high risk service providers will be required to take steps to develop appropriate technologies to mitigate the risk of sexual abuse of minors identified on their services.
A revision clause is added, requiring the Commission to assess, three years after the entry into force of the Regulation, the need for and feasibility of subsequently incorporating detection obligations, in particular through a factual assessment of the reliability and accuracy of the relevant available technologies.
Link to the draft mandate: https://aeur.eu/f/jhr (Original version in French by Solenn Paulic)