The CSAM Regulation still requires a lot of work

In August, the European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the European Commission’s proposal for legislation to prevent and combat child sexual abuse. They emphasised the seriousness of these crimes, but in its current form, the proposal could pose greater risks to individuals and society than to criminals.

In Finland, the Office of the Data Protection Ombudsman communicated the opinion. The opinion states that “there can be no doubt that child sexual abuse is a most abhorrent crime that demands swift and effective action, but the Proposal as it stands contains some serious shortcomings. It includes vague notions which may lead to diverging implementations across the EU, in particular regarding detection orders. As currently proposed, these orders may, in fact, even harm those they seek to protect. They could substantially impair the confidentiality of communication, exposing children who use these services to monitoring or eavesdropping.”

The European Commission surely did not intend its proposal to be harmful to children. Nonetheless, as the staunch objections raised by the data protection authorities aptly demonstrate, the proposal was far from refined and complete.

Concern about the impact of the measures on privacy and personal data protection

The proposed regulation conflicts with other EU regulations in many ways. The proposal’s wide-ranging scope would also cover service providers with no real chance of fulfilling the obligations of the regulation. These include providers of conventional person-to-person communications services based on numbers (text messages and phone calls), as well as certain cloud infrastructure operators.

The European Data Protection Board and European Data Protection Supervisor were especially troubled by the measures envisaged to detect unknown material and child solicitation because the use of technologies like artificial intelligence to scan communications is likely to generate errors and invade the privacy of citizens.

FiCom, the Finnish Ministry of Transport and Communications, and the Finnish Transport and Communications Agency (Traficom) highlighted similar concerns when the proposal was put before a Parliamentary Committee.

The prerequisites for issuing detection orders for grooming and unknown child sexual abuse material require further specification.

Regulation calls for means well beyond Western legal praxis

FiCom’s members and the entire ICT sector in Finland are committed to preventing and combating sexual violence against children, but the regulation does not achieve this in the form proposed.

For example, if a website is blocked, there will always be a workaround, and illegality does not suddenly stop when it is out of view of the general public. In addition, the regulation calls for service providers to block certain individual URLs, requiring them to use Deep Packet Inspection (DPI) to analyse all the data packets sent over their networks. Western states governed by the rule of law have traditionally considered such extreme means unlawful in terms of net neutrality and data protection. The measures required by the proposed regulation are used mainly in China and perhaps Russia.

Many amendments still need to be made to the articles concerning blocking orders to ensure data protection and online security.

Criticism from several EU countries

The proposed regulation has come in for criticism along the same lines throughout Europe. FiCom is a member of EuroISPA, an association of Internet service providers whose members in various EU countries raised the same concerns as the European data protection authorities.

Child sexual abuse is one of the most deplorable crimes, worthy of a well-prepared regulation. Instead, the Commission has proposed a bundle of technically impossible and unsustainable measures, such as breaking encryption. In its current form, the regulation jeopardises the fundamental rights and autonomy of all European citizens, as well as the protection of business secrets and innovations.

Asko Metsola, Legal Affairs, FiCom