Last chance to amend the much-criticised CSAM draft

The European Commission’s draft regulation on rules to prevent and combat child sexual abuse is probably one of the most criticised EU legislative proposals of all time. Although the European Commission and other EU institutions have good intentions, they are riding roughshod over Europeans’ fundamental rights, sovereignty, and protections of business secrets and innovations, as the EU is, in practice, demanding the decryption of communications.

The objective of the regulation is absolutely worthy of support, as it tackles heinous crimes that require fast and effective intervention. However, some of the obligations and measures proposed in the regulation are technically infeasible or incompatible with the regulation’s objectives.

The Legal Service of the Council of the European Union issued an opinion on 26 April 2023 stating that a detection order applying to an encrypted environment “would imply that the providers would have to consider (i) abandoning effective end-to-end encryption or (ii) introducing some form of “back-door” to access encrypted content or (iii) accessing the content on the device of the user before it is encrypted”. According to the Legal Service, “the generalised screening of content of communications to detect any kind of CSA material would require de facto prohibiting, weakening or otherwise circumventing cybersecurity measures (in particular end-to-end encryption) to make such screening possible”. This would lead to a serious interference with fundamental and human rights and an additional interference with other legitimate objectives, such as ensuring information security. The European Parliament’s complementary impact assessment reached the same conclusion.

Similarly, Joint Opinion 4/2022 of the European Data Protection Supervisor and the European Data Protection Board called on the European Commission to clarify the conditions for issuing detection orders related to abuse material and solicitation of children (grooming). In their statement, the European Data Protection Supervisor and Board expressed serious concern over measures intended to detect unknown CSAM and grooming. According to the European Data Protection Supervisor and the European Data Protection Board, the proposed regulations could “even harm the people they seek to protect. They could substantially impair the confidentiality of communication, exposing children who use these services to monitoring or eavesdropping.

Unusual amount of criticism for the regulation from all parties

Numerous survivors of sexual violence have criticised the proposal, as have victim-support organisations in Germany and Spain, online crime reporting services in Germany and the Netherlands, the German child protection organisation, the FBI, Edward Snowden, nearly 500 scientists and researchers in the field of cybersecurity and data protection, 47 human rights organisations, and the Council of European Professional Informatics Societies (CEPIS). And many more besides: the list from European Data Rights (EDRi) is breathtaking.

In the latest addition to the list, FiCom and other European industry associations have published a joint industry statement calling on EU policymakers to 1) defend the rights to privacy and confidentiality of communications by ensuring the encryption of communications; 2) make sure that detection orders are a last resort measure; and 3) limit detection orders to those with the ability to implement them.

Time is running out

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) will confirm its views on the draft regulation on 9 October 2023 ahead of the Parliament vote during the plenary session from 16 to 19 October 2023. The position adopted by the Parliament’s Committee on the Internal Market and Consumer Protection (IMCO) on 29 June 2023 required a limitation on detection orders, removed number-dependent service providers from the scope of the regulation with respect to detection orders, and confirmed the protection of encryption of communications. Unfortunately, LIBE, the responsible committee, will likely push its own policy.

Spain, currently chairing the European Council, will seek a general understanding by 28 September 2023 to enable trilogue negotiations to begin in October once the Parliament’s position has been confirmed. The battle is not yet lost, but time is running out. Negotiated outcomes have already been reached on some articles, although Finland is still considering its own viewpoint.

FiCom has raised issues with the draft regulation and proposed solutions since the outset, but the discussion in Finland has been alarmingly muted apart from this. Germany and Austria have unequivocally opposed the loss of end-to-end encryption, while Finland has prevaricated on clear statements.

It goes without saying that Finland cannot accept legislation that would lead to the decryption of communications.

Asko Metsola, Legal Affairs, FiCom