Draft law to detect online child sexual abuse material stalled again

The draft law to detect and remove online child sexual abuse material (CSAM) was removed from the agenda of Thursday’s (20 June) meeting of the Committee of Permanent Representatives (COREPER), who were supposed to vote on it.

The vote was likely removed from the agenda due to disagreements about the regulation, which probably would not have secured a sufficient majority for it to pass.

While there are still some meetings scheduled until next month, the regulation is unlikely to reach COREPER again until Hungary takes over the rotating EU Council presidency on 1 July, people familiar with the matter said.

The file is not expected to be a priority under the Hungarian presidency and it remains unclear if Budapest will pick it up on a political or technical level.

A stuck file

The regulation which aims to create a system for detecting and reporting online child sexual abuse material (CSAM), faced criticism for potentially allowing judicial authorities to request the scanning of private messages on platforms like WhatsApp or Gmail.

The file has been stalled in the Council for several months due to opposition from Paris and Berlin.

The controversy lies mostly in its provisions regarding end-to-end encryption, a method of secure communication that prevents third parties from accessing data exchanged between users, keeping it private even from the platform provider, such as WhatsApp or Signal.

Some see tampering with encryption as a key measure to protect minors, while others protest that this move would harm data privacy.

As Euractiv reported at the end of May, Belgium, which currently chairs the EU Council presidency, sent a version of the text for approval to the COREPER, gathering 27 EU ambassadors. At the time, it seemed like the file could finally be resolved.

No one was happy

Child protection organisations and data privacy advocates usually do not see eye-to-eye on the file, especially regarding encryption. However, this time, neither was pleased to see it being sent to COREPER, though for different reasons.

The umbrella organisation ECLAG (Ending Child Sexual Abuse Online), consisting of child rights NGOs, sent a note to the EU ambassadors, dated 17 June, before Thursday’s meeting.

The organisation is concerned that the draft law “does not effectively protect children from all forms of sexual abuse online,” said ECLAG spokesperson and Internet Watch Foundation CEO Susie Hargreaves in connection to the note via an email sent to Euractiv.

“Unless all information sent to co-ordinating authorities by service providers can be acted upon and without a strengthened process for voluntary measures, the Council’s proposal risks setting children’s online safety back 15 years,” she said.

Bart Preneel, a professor at University of Leuven, wrote in a LinkedIn post ahead of the expected vote that “content scanning will lead to a vast number of false positives (resulting in a lot of human tragedies for innocent citizens) and will be easily circumvented by its real target, the disseminators of child sexual abuse images”.

He also shared an open letter signed by academics against the draft law.

Amnesty Tech also posted to warn that “it’s impossible to create a technological system that can scan the contents of private electronic communication while preserving the right to privacy”.

Andy Yen, founder and CEO of Proton, the company behind the end-to-end encrypted email service ProtonMail and Proton VPN, said “the proposal was untenable in the first place”.

“It was not only likely to be shot down by the courts for its lack of proportionality, but it would have technically been impossible to implement without putting European citizens at risk.”

Uncertainty

Uncertainty loomed over the COREPER vote already the day before.

While six member states were in favour, Germany was against, as it has been highly critical of the file, Italy was undecided and France did not take a strong position, Euractiv learned from sources familiar with the procedure. Others, such as the Czech Republic were planning to abstain from the vote.

The latest version of the law, seen and reported by Euractiv, excludes text communications and clarifies that detection orders apply only to visual content, such as images and video components or GIFs and stickers.

[Edited by Zoran Radosavljevic]

Read more with Euractiv