Proposed law to derogate from the ePrivacy Directive to enable the detection of child sexual abuse online: European Data Protection Supervisor publishes Opinion

As reported by Wiggin previously, on 30 November 2023, the European Commission published a proposal for a new Regulation amending Regulation (EU) 2021/1232 on a temporary derogation from certain provisions of the E-Privacy Directive (2002/58/EC) to combat child sexual abuse online (“Interim Regulation”). The Interim Regulation essentially allows online communications service providers to use technology (on a voluntary basis) to detect, report and remove online child sexual abuse material (“CSAM”) and the solicitation of children without being in breach of the confidentiality obligations under the E-Privacy Directive. The Interim Regulation expires on 3 August 2024 and the proposed new Regulation seeks to extend that term for two years until a long-term solution for addressing CSAM is established under the proposed Regulation laying down rules to prevent and combat child sexual abuse, which is currently passing through the EU legislative process.

The European Data Protection Supervisor (“EDPS”) is an independent body which advises on, and ensures that EU institutions respect, data protection rules, and with which the Commission must consult on proposed new data protection legislation. On 24 January 2024, the EDPS published an opinion on the proposed Regulation. In it, the EDPS refers to its previous Opinion of 10 November 2020 on the proposal for the Interim Regulation, in which it stated the view that the proposal should not be adopted, and notes that the concerns raised in the 2020 Opinion have not been fully addressed in the Interim Regulation.

Specifically, the Interim Regulation does not clarify which legal basis of the GDPR is applicable to the voluntary processing of content or traffic data for the purpose of detecting child sexual abuse online. The EDPS also remains of the opinion that the general, indiscriminate and automated analysis of all text-based communications with a view to identifying potential infringements does not respect the principle of necessity and proportionality even if the technology used is limited to the use of “relevant key indicators”. Although the Interim Regulation refers to strict necessity and proportionality, it does not provide specific and effective safeguards against general and indiscriminate monitoring.

The EDPS also notes that the Interim Regulation refers to “content data and related traffic data” in very general terms and does not specify which data categories may be processed for which purpose. The EDPS had further expressed concerns that the reporting of individuals and blocking of the concerned user’s account might not be strictly necessary and proportionate in all instances, for example in the case of unsolicited receipt of CSAM. The EDPS had also previously urged the co-legislators to provide further clarity as to when the right to human review would become applicable and which entity would be in charge of carrying out this review, clarification not currently provided by the Interim Regulation. The EDPS notes that, depending on the circumstances under which human review is required, the use of detection technologies could result in automated decision-making.

Finally, the technologies used to detect known CSAM, new CSAM and grooming are based on the automated processing of data, involving technologies that may not be fully comprehensible to users and which are known to have relatively high error rates, with the risk of a significant number of innocent people being reported to law enforcement authorities. In a Joint Opinion given with the European Data Protection Board on the proposed CSAM Regulation (currently going through the legislative process) in July 2022, it was considered that, with such high-risk processing, even a 12% failure rate presents a high risk to data subjects who have been subject to false positives, even when there are safeguards in place to prevent false reports to law enforcement.

The EDPS recommends that the proposed Regulation is not adopted until all such issues are addressed. It remains to be seen, therefore, if the Regulation will be adopted before the end of the EU’s current legislative mandate. If not, voluntary detection of CSAM following expiry of the Interim Regulation may amount to a breach of the ePrivacy Directive.
