In the last couple of weeks, a new piece of legislation -the ePrivacy Derogation – was passed by the EU Parliament. This has drawn a lot of attention and became a thorny topic among data protection professionals; welcomed by some, boohooed by others. 

On 10 September 2020, the Commission published a Proposal for a Regulation on a temporary derogation from certain provisions of the ePrivacy Directive 2002/58/EC as regards the use of technologies by communications service providers to process personal data for the purpose of combatting child sexual abuse online, and more specifically, for removing child sexual abuse material and detecting or reporting child sexual abuse online to authorities. The derogation concerns Articles 5(1) and 6 of the ePrivacy Directive. 

The ePrivacy Derogation passed on the 6th of July 2021 and is a temporary solution with a duration of 3 years and will allow service providers to apply voluntary measures to detect, remove and report child sexual abuse content. 

Why yes?

Given that the volume of child abuse materials circulating on the internet has increased dramatically during the pandemic, the House backed (with 537 votes in favour, 133 against and 24 abstentions) a piece of legislation to protect children more effectively from sexual abuse and exploitation when using webmail, chat and messaging services. Last year, according to the EU Commission, nearly four million images and videos containing child abuse were reported, along with 1,500 grooming reports.

How it will work

Online material linked to child sexual abuse is detected using specific technologies that scan content, such as images and text, or traffic data. Hashing technology will be used for images and videos, while classifiers and artificial intelligence will be used to analyse text or traffic data to detect cyber grooming.

The rules set forth by the ePrivacy Derogation will not apply to the scanning of audio communication.

The voices against

Undoubtedly this is a good cause. But does the end justify the means in this case? Let’s see it in more detail. The ePrivacy Derogation will allow providers of e-mail and messaging services to automatically search all personal messages of each citizen for presumed suspect content and report suspected cases to the police. 

That will basically allow companies to scan for messages and will open the door for them to monitor other communications. In November 2020, the European Data Protection Supervisor highlighted that: 

• The measures envisaged by the Proposal would constitute an interference with the fundamental rights to respect for private life and data protection of all users of very popular electronic communications services, such as instant messaging platforms and applications.
• Even voluntary measures by private companies constitute an interference with the right to confidentiality of communications – which is a cornerstone of the fundamental rights, when the measures involve the monitoring and analysis of the content of communications and processing of personal data.
• The issues at stake are not specific to the fight against child abuse but to any initiative aiming at collaboration of the private sector for law enforcement purposes. If adopted, the Proposal will inevitably serve as a precedent for future legislation in this field. The EDPS therefore considered it essential that the Proposal is not adopted, even in the form of a temporary derogation, unless necessary safeguards are integrated.

Safeguards adopted

National data protection authorities will have better oversight of the technologies used by the service providers through prior impact assessment and consultation procedures. Members of the European Parliaments also insisted that there will be procedures in place to ensure that concerned data subjects can lodge a complaint with their DPA if they think their rights are being violated.

Next steps

The regulation still has to be formally adopted by the Council and will then be published in the Official Journal. It will enter into force on the third day following its publication, while the EU Commission has already announced a follow-up regulation to provide a more permanent solution in 2021.