Brussels, 29 July – The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a Joint Opinion on the Proposal for a Regulation to prevent and combat child sexual abuse. The Proposal aims to impose obligations related to detecting, reporting, removing and blocking known and new online child sexual abuse material (CSAM), as well as the solicitation of children, on providers of hosting services, interpersonal communication services, software application stores, internet access services and other relevant services.
The EDPB and EDPS consider child sexual abuse as a particularly serious and heinous crime. Limitations to the rights to private life and data protection must, however, respect the essence of these fundamental rights and remain limited to what is strictly necessary and proportionate. The EDPB and EDPS consider that the Proposal, in its current form, may present more risks to individuals, and, by extension, to society at large, than to the criminals pursued for CSAM. Whilst supporting the goals and intentions behind the Proposal, the EDPS and EDPB express serious concerns about the impact of the envisaged measures on individuals’ privacy and personal data. The lack of detail, clarity and precision of the conditions for issuing a detection order for CSAM and child solicitation does not ensure that only a targeted approach to CSAM detection will effectively take place. There is a risk that the Proposal could become the basis for a generalised and indiscriminate scanning of content of virtually all types of electronic communications. The EDPB and EDPS advise that the conditions for issuing a detection order should be further clarified.
EDPB Deputy Chair, Ventsislav Karadjov, said: “There can be no doubt that child sexual abuse is a most abhorrent crime that demands swift and effective action, but the Proposal as it stands contains some serious shortcomings. It lacks legal certainty on multiple points and includes vague notions which may lead to diverging implementations across the EU, in particular regarding detection orders. As currently proposed, these orders may in fact even harm those they seek to protect. They could cause a substantial degradation of the confidentiality of communication, which would expose children using these services to monitoring or eavesdropping.”
In addition, the EDPB and EDPS are concerned about the measures envisaged for the detection of unknown CSAM and the solicitation of children in interpersonal communication services. The use of technologies to scan users’ communications, such as artificial intelligence, are likely to generate errors, and represent a high level of intrusiveness into the privacy of individuals.
EDPS Supervisor, Wojciech Wiewiórowski, said: “Measures allowing public authorities to have access to the content of communications, on a generalised basis, affect the essence of the right to private life. Even if the technology used is limited to the use of indicators, the negative impact of monitoring the text and audio communications of individuals on a generalised basis is so severe that it cannot be justified under the EU Charter of Fundamental Rights. The proposed measures related to the detection of solicitation of children in interpersonal communication services are extremely concerning.”
In their Joint Opinion, the EDPB and EDPS highlight that encryption contributes in a fundamental way to the respect of private life and to the confidentiality of communications, freedom of expression, innovation and growth of the digital economy. In particular, the EDPB and EDPS underscore the importance of end-to-end encryption, a commonly used tool that has strong technical and privacy safeguards. In light of this, the EDPB and EDPS make it clear that preventing or discouraging, in any way, the use of end-to-end encryption would seriously weaken the role of encryption in general.
A potential future EU Centre and a network of national Coordinating Authorities for child sexual abuse issues will be created under the new Proposal. The EDPB and EDPS welcome that this new structure will not affect the powers and competences of the data protection authorities. Nevertheless, the EDPB and EDPS recommend that the relationship between the tasks of the national Coordinating Authorities and national data protection authorities are better regulated. The Proposal should clarify the purpose, and process, for which the EDPB’s Opinion on technologies used to execute detection orders may be requested.
On a similar note, the EDPB and EDPS take note of the envisaged close cooperation between the EU Centre and Europol, the EU’s law enforcement agency combatting serious forms of crime. According to the Proposal, the two agencies’ cooperation would involve the full access to relevant information systems of individuals’ personal data, for the purpose of combatting child sexual abuse. Amongst several of their recommendations, the EDPB and EDPS recommend that instead of giving direct access to data, transmitting personal data between the EU Centre and Europol should take place only on a case-by-case basis, following a thorough assessment of the request to access data in the information systems, via a secure communication tool.