With internet-based communications services becoming subject to the strict confidentiality requirements of the EU privacy framework end-December 2020, the European Commission presented a proposal to allow tech companies to derogate from these rules, with the aim to enable them to continue detecting and removing child sexual abuse material online on a voluntary basis.

Due to definitional dependency, the e-Privacy Directive (and its transposition acts) became applicable to 'number-independent interpersonal communications services' (NI-ICS) such as webmail, chat service, and internet telephony, when the recast EU telecommunication framework (European Electronic Communications Code, EECC) took effect on 21 December 2020. Where Member States failed to meet the transposition deadline of the EECC, the national privacy rules must nevertheless be interpreted to the same effect following the expiration of the deadline, insofar as this is possible and does not, for instance, conflict with the explicit wording of domestic laws ('indirect effect of directives'). The explicit applicability of the e-Privacy Directive cast doubt on the privacy compliance of NI-ICS’ voluntary practices of using dedicated technologies to scan internet-based communications for child sexual abuse material in order to report and remove it. To accommodate these practices after the EECC took effect, the Commission tabled a proposal for a temporary derogation from the e-Privacy Directive. These changes are without prejudice to the applicability of GDPR and the lawfulness and proportionality of such detection methods remains uncertain under the GDPR.

In the European Parliament (EP), the file was assigned to LIBE (Rapporteur: Birgit Sippel, Germany, S&D), which published a first draft report, i.a. emphasising the impact on fundamental rights, excluding the scanning of text and audio communications (anti-grooming technology) from the scope and introducing more specific and strict requirements for the applicability of the derogation. After negotiations between the political groups, LIBE adopted a proposal that contained additional safeguards to protect privacy and reintroduced anti-grooming technology in the scope.

On 28 October 2020, the Member States’ deputy ambassadors agreed on a mandate for negotiations with the European Parliament on the interim proposal.

The co-legislators were not able to adopt a text before the transposition deadline of the EECC on 21 December 2020. On 29 April 2021 the Council and the European Parliament reached a provisional agreement. The act was adopted on 14 July 2021 and entered into force on 02 August 2021. Parliament was able to secure privacy-preserving points such as the exclusion of audio communications from the regulation's scope, a mandatory data protection impact assessment for all technologies, compulsory human review prior to submitting reports to other organisations, reporting on the GDPR legal basis relied upon for data processing, and statistical reports from Member States. Conversely, it conceded on the sensitive issues of allowing systematic scanning of text in communications to detect child sexual abuse patterns and on the omission of maximum error rates for search algorithms. This temporary derogation was originally set to apply until 3 August 2024, or until an earlier date if another proposal for a regulation was adopted by the legislators and repealed this temporary measure.

On 11 May 2022 the Commission tabled a proposal on permanent rules, which were intended to replace the interim regulation by 3 August 2024 at the latest. Since the co-legislators did not find an agreement in time, they reached a provisional agreement on 15 February 2024 to extend the interim regulation until 3 April 2026. Parliament approved the agreement on 10, and Council on 29 April 2024.

Permitting providers to use specific technology to combat child sexual abuse online was already subject to Council debates regarding the proposal for an e-Privacy Regulation. As the e-privacy reform was stalled in the Council, the Commission tabled a separate, targeted and temporary solution that would enable providers the use of this technology, beyond the date on which the Electronic Communications Code becomes applicable. It remains unclear, whether this issue has been permanently or temporarily separated from the broader e-Privacy reform efforts. The fact that the Commission tabled the proposal for a long-term legislation on 11 May 2022, suggests that it will remain apart. These efforts form part of the broader EU strategy for a more effective fight against child sexual abuse.

See also our files 'New legislation to fight child sexual abuse online', 'Proposal for a revision of the combating child sexual abuse Directive (2011/93/EU)', and 'EU Strategy for a more effective fight against child sexual abuse' in the same train, as well as our file 'e-Privacy Regulation' in the train 'A Europe fit for the digital age'.

References:

• EUR-Lex, Regulation (EU) 2021/1232 of the European Parliament and of the Council of 14 July 2021 on a temporary derogation from certain provisions of Directive 2002/58/EC as regards the use of technologies by providers of number-independent interpersonal communications services for the processing of personal and other data for the purpose of combating online child sexual abuse, 14 July 2021
• EP Legislative Observatory, Procedure File on the Proposal for a Regulation "Use of technologies by number-independent interpersonal communications service providers for the processing of personal and other data for the purpose of combating child sexual abuse online (temporary derogation from certain provisions of Directive 2002/58/EC)" (Interim Regulation), 2020/0259 (COD)
• EP Legislative Observatory, Procedure File on the Proposal for a Regulation “Respect for private life and the protection of personal data in electronic communications” (e-Privacy Regulation), 2017/0003 (COD)
• EUR-Lex, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (e-Privacy Directive)
• EUR-Lex, Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (European Electronic Communications Code)
• Council of the EU, Presidency, Mandate for negotiations with the European Parliament, 23 October 2020
• European Data Protection Supervisor, Opinion7/2020 on the Proposal for temporary derogations from Directive 2002/58/EC for the purpose of combatting child sexual abuse online, 10 November 2020
• Child sexual abuse online: current rules extended until April 2026, Press release, European Parliament, April 2024

Further Reading:

• European Parliament,Study on the Commission proposal on the temporary derogation from the e-Privacy Directive for the purpose of fighting online child sexual abuse: Targeted substitute impact assessment, Ex-Ante Impact Assessment Unit, European Parliamentary Research Service, February 2021
• European Parliament, Squaring privacy rules with measures to combat child sexual abuse online, European Parliamentary Research Service, July 2021

Author: Hendrik Mildebrath, Members' Research Service, legislative-train@europarl.europa.eu