It seems you're browsing from a mobile device.
Would you like to access the mobile version of our website?

Yes, please No, thanks
2010/0064(COD) - 10/05/2010 Document attached to the procedure

Opinion of the European Data Protection Supervisor on the proposal for a Directive of the European Parliament and of the Council on combating the sexual abuse, sexual exploitation of children and child pornography, repealing Framework Decision 2004/68/JHA.

To recall:on 29 March 2010, the Commission adopted a proposal for a Directive of the European Parliament and of the Council on combating the sexual abuse, sexual exploitation of children and child pornography, repealing Framework Decision 2004/68/JHA. The proposal intends to repeal a Framework Decision adopted on 22 December 2003, due to some shortcomings of this previous legislation. The new text would improve the fight against child abuse with regard to the following aspects: criminalisation of serious forms of child abuse in relation for instance to child sex tourism, protection of unaccompanied children; criminal investigation and coordination of prosecution; new criminal offences in the IT environment; protection of victims; prevention of offences.

With regard to the objective to prevent offences, one of the tools would be the restriction of access to child pornography on the internet.

The EDPS has noted the main purpose of the proposal. His intention is not to question the need to put in place a better framework providing for adequate measures to protect children against abuses. He nevertheless wishes to stress the impact of some of the measures envisaged in the proposal, such as the blocking of websites and the setting- up of hotlines, on the fundamental rights to privacy and data protection of different individuals involved. For this reason, he has decided to submit this brief opinion at his own initiative.

Analysis of the proposal

The data protection issues relate to two aspects of the proposal, which are not specific to the fight against child abuse but to any initiative aiming at the collaboration of the private sector for law enforcement purposes. These issues have already been analysed by the EDPS in different contexts, especially related to the fight against illegal content on the Internet.

With regard to the proposal, the two elements of concern may be described as follows:

(1) The role of service providers with regard to the blocking of websites: the proposal foresees two possible alternatives to block access from the Unions' territory to internet pages identified as containing or disseminating child pornography: mechanisms to facilitate blocking by order of competent judicial or police authorities, or voluntary actions by Internet Service Providers to block the internet pages on the basis of codes of conducts or guidelines.

The EDPS questions the criteria and conditions leading to a blocking decision: while he could support actions taken by police or judicial authorities in a well defined legal framework, he has strong doubts about the legal certainty of any blocking operated by private parties.

He questions first of all the possible monitoring of the internet which could lead to such blocking. Monitoring and blocking may imply different activities, including scanning the internet, identifying unlawful or suspect websites and blocking access to end users, but also monitoring online behaviour of end-users who are trying to access or download such content.

These surveillance activities have consequences in terms of data protection, as personal data of various individuals will be processed, be it information about victims, witnesses, users or content providers.

In this context, the EDPS:

  • underlines that monitoring the network and blocking sites would constitute a purpose unrelated to the commercial purpose of ISPs: this would raise issues with regard to lawful  processing and compatible use of personal data under the Data Protection Directive;
  • questions the criteria for blocking and stresses that a code of conduct or voluntary guidelines would not bring enough legal certainty in this respect;
  • underlines the risks linked with possible blacklisting of individuals and their possibilities of redress before an independent authority.

The EDPS has already stated at several occasions that ‘the monitoring of Internet user's behaviour and further collection of their IP addresses amounts to an interference with their rights to respect for their private life and their correspondence. Considering this interference, more appropriate safeguards are needed to ensure that monitoring and/or blocking will only be done in a strictly targeted way and under judicial control, and that misuse of this mechanism is prevented by adequate security measures.

(2) The setting-up of a network of hotlines: a network of hotlines is foreseen by the Safer Internet Programme on which the EDPS has issued the opinion referred to above. One of the comments of the EDPS relate precisely to the conditions according to which information would be collected, centralised and exchanged: there is a need for a precise description of what should be considered as illegal or harmful content, who is enabled to collect and keep information and under what specific safeguards. This is particularly important considering the consequences of reporting: in addition to the information related to children, personal data of any individual connected in some way with the information circulating on the network could be at stake, including for instance information on a person suspected of misbehaviour, be it an internet user or a content provider, but also information on a person reporting a suspicious content or the victim of the abuse. The rights of all these individuals should not be overlooked when developing reporting procedures: they should be taken into account in compliance with the existing data protection framework.

The information collected by these hotlines will also most probably be used for prosecution during the judicial stage of the case. In terms of quality and integrity requirements, additional safeguards should be implemented in order to guarantee that this information considered as digital evidence has been properly collected and preserved and will therefore be admissible before a court.

Guarantees related to the supervision of the system, in principle by law enforcement authorities, are decisive elements to comply with. Transparency and independent redress possibilities available to individuals are other essential elements to be integrated in such a scheme.

Conclusion: while the EDPS has no reason to challenge the development of a strong and effective framework to fight against sexual abuse, sexual exploitation of children and child pornography, he insists on the need to ensure legal certainty with regard to all actors involved, including Internet Service Providers and individuals using the network. The mentioning in the proposal of the need to take into account the fundamental rights of end users is welcome but not sufficient: it should be complemented by an obligation for Member States to ensure harmonised, clear and detailed procedures when fighting illegal content, under the supervision of independent public authorities.