ePrivacy: Proposed EU Legislation to allow Companies to Tackle Child Sexual Abuse Online
On 29 April 2021, the Council of the European Union (the “Council”) and the European Parliament reached political agreement on rules regarding the detection of child sexual abuse online by electronic communications services. In this briefing, we examine the background to the draft interim Regulation, as well as some of the key aspects of the proposed text.
The interim Regulation is intended to address an unfortunate by-product of the European Electronic Communications Code (the “Code”), which came into effect on 21 December 2020.
Among other things, the Code changed the definition of an “electronic communications service” (“ECS”) to include internet access services, “interpersonal communications” services, and services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting. In turn, it broadly defined an “interpersonal communications” service as “a service normally provided for remuneration that enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s) and does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.”
The immediate implication of this change to the Framework Directive was an expansion of the scope of many provisions of the ePrivacy Directive, such as Article 5(1), which requires Member States to ensure the confidentiality of ECS communications and related traffic data, and to prohibit the “listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data…without the consent of users, except where legally authorised to do so in accordance with Article 15(1)”. Further, Article 6 of the ePrivacy Directive places limitations on the retention of traffic data, requiring that it be erased or made anonymous when it is no longer needed to transmit a communication (subject to certain exemptions).
As a result, in the absence of user consent or specific legislative authorisation, many webmail and messaging services which voluntarily use technologies to fight child sexual abuse on their platforms are likely to be technically in breach of the ePrivacy Directive.
Plugging the Gap
On foot of widespread calls for a stopgap solution, the European Commission proposed an amendment to the ePrivacy Directive in September 2020, and the European Parliament adopted its mandate for negotiations for an interim regulation in December 2020.
On 29 April, 2021 the European Council and the European Parliament agreed that the interim Regulation should provide for strictly defined derogations from Article 5(1) and Article 6 of the ePrivacy Directive, solely to allow ECS to continue the important work of removing child sexual abuse material from their platforms and to continue detecting / reporting child sexual abuse online to relevant authorities and organisations. The importance of human oversight (particularly before reporting to law enforcement authorities) was agreed, as was the need for a complaint mechanism to ensure the replacement of any material erroneously removed.
It was agreed that the interim Regulation should only apply for three years, thereby allowing for long-term legislation to be adopted which will ultimately supersede the interim Regulation. It was further agreed that relevant ECS would be required to consult with data protection authorities on their activities, and that the European Commission should publish a register of organisations acting in the public interest against child sexual abuse, with which ECS providers could share personal data arising from their voluntary activities.
Key Elements of the Interim Regulation
The current draft of the interim Regulation contains a number of notable provisions.
Definition of Child Sexual Abuse
The interim Regulation will follow existing EU law in defining ‘child sexual abuse online’ to include relevant material and the solicitation of children.
The interim Regulation provides that the use of technology by ECS should be the least privacy intrusive option, with high levels of reliability, limiting the error rate of false positives and rectifying the consequences of any mistakes without delay.
Further, the interim Regulation provides that technology used to detect the solicitation of children should be limited to the use of relevant key indicators, such as keywords and objectively identified risk factors, with scope for human review.
Data Protection Safeguards
In line with GDPR principles, the processing of personal data should be limited to what is strictly necessary for the purpose of detecting, removing and reporting on material pertaining to child sexual abuse online. Further, personal data must be “erased immediately” unless child sexual abuse has been detected online and confirmed as such, and it may only be retained for prescribed limited purposes for the shortest possible time.
To ensure transparency and accountability, it is also envisaged that ECS will be required to publish annual reports on their processing activities.
What are the next steps?
As part of the ordinary legislative procedure, the European Parliament and the Council will need to formally adopt the interim Regulation before it can take effect.
The European Commission has indicated that it will propose new superseding legislation later this year, with detailed safeguards and long-term rules to protect children from sexual abuse (both online and offline).
In respect of the broader ePrivacy landscape, although EU governments reached an agreement on the ePrivacy Regulation in February, it seems that progress will continue to be slow, with very different views emerging on key issues.
The authors would like to thank Glyn McCormack for his contribution to this article.