
EUROPEAN COMMISSION Brussels, 10.9.2020 COM(2020) 568 final

2020/0259(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a temporary derogation from certain provisions of Directive 2002/58/EC of the European Parliament and of the Council as regards the use of technologies by number-independent interpersonal communications service providers for the processing of personal and other data for the purpose of combatting child sexual abuse online


EXPLANATORY MEMORANDUM

1.CONTEXT OF THE PROPOSAL

•Objectives of the proposal

Directive 2002/58/EC ("ePrivacy Directive") ensures the protection of private life, confidentiality of communications and personal data in the electronic communications sector. It implements Articles 7 and 8 of the Charter of Fundamental Rights of the European Union ("Charter") in secondary Union law. On 21 December 2020, with the entry into application of the European Electronic Communications Code (“EECC”), the definition of electronic communications services will be replaced by a new definition, which includes number-independent interpersonal communications services. From that date on, these services will, therefore, be covered by the ePrivacy Directive, which relies on the definition of the EECC. This change concerns communications services like webmail messaging services and internet telephony.

Certain providers of number-independent interpersonal communications services are already using specific technologies to detect child sexual abuse on their services and report it to law enforcement authorities and to organisations acting in the public interest against child sexual abuse, and/or to remove child sexual abuse material. These organisations refer to national hotlines for reporting child sexual abuse material, as well as organisations whose purpose is to reduce child sexual exploitation, and prevent child victimisation, located both within the EU and in third countries.

Child sexual abuse is a particularly serious crime that has wide-ranging and serious life-long consequences for victims. In hurting children, these crimes also cause significant and long-term social harm. The fight against child sexual abuse is a priority for the EU. On 24 July 2020, the European Commission adopted an EU strategy for a more effective fight against child sexual abuse, which aims to provide an effective response, at EU level, to the crime of child sexual abuse. The Commission announced that it will propose the necessary legislation to tackle child sexual abuse online effectively including by requiring relevant online services providers to detect known child sexual abuse material and oblige them to report that material to public authorities by the second quarter of 2021. The announced legislation will be intended to replace this Regulation, by putting in place mandatory measures to detect and report child sexual abuse, in order to bring more clarity and certainty to the work of both law enforcement and relevant actors in the private sector to tackle online abuse, while ensuring respect of the fundamental rights of the users, including in particular the right to freedom of expression and opinion, protection of personal data and privacy, and providing for mechanisms to ensure accountability and transparency. The providers of electronic communications services must comply with the ePrivacy Directive’s obligation to respect the confidentiality of communications and with the conditions for processing communications data. The current practices of some number-independent interpersonal communications services to detect child sexual abuse online could interfere with certain provisions of the ePrivacy Directive. The ePrivacy Directive does not contain an explicit legal basis for voluntary processing of content or traffic data for the purpose of detecting child sexual abuse online. 
Therefore, for the services falling within scope of the ePrivacy Directive, providers will be able to continue to apply such measures only if Member States adopt legislative measures justified on the grounds laid down in Article 15 of that Directive and meeting the requirements of that provision. In the absence of such national legislative measures and pending the adoption of the long-term legislation announced in the Commission Strategy of 24 July 2020, providers of number-independent interpersonal communications services would lack a legal basis for continuing to detect child sexual abuse on their services. Those voluntary activities play a valuable role in enabling the identification and rescue of victims, and reducing the further dissemination of child sexual abuse material, while also contributing to the identification and investigation of offenders, and the prevention of child sexual abuse offences. The Commission considers that it is essential to take immediate action. The present proposal therefore presents a narrow and targeted legislative interim solution with the sole objective of creating a temporary and strictly limited derogation from the applicability of Articles 5(1) and 6 of the ePrivacy Directive, which protect the confidentiality of communications and traffic data. This proposal respects the fundamental rights, including the rights to privacy and protection of personal data, while enabling providers of number-independent interpersonal communications services to continue using specific technologies and continue their current activities to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services, pending the adoption of the announced long-term legislation. Voluntary efforts to detect solicitation of children for sexual purposes (“grooming”) also must be limited to the use of existing, state-of-the-art technology that corresponds to the safeguards set out. 
This Regulation should cease to apply in December 2025. In case the announced long-term legislation is adopted and enters into force prior to this date, that legislation should repeal the present Regulation.

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

•Legal basis

The relevant legal bases are Article 16 and Article 114 of the Treaty on the Functioning of the European Union (‘TFEU’). Given that this Regulation provides for a temporary derogation from certain provisions of Directive 2002/58/EC, which was adopted on the basis of Article 95 of the Treaty establishing the European Community, it is appropriate to adopt this Regulation on the basis of the corresponding provision of Article 114 TFEU. In addition, not all Member States have adopted legislative measures in accordance with Article 15(1) of the ePrivacy Directive concerning the use of technologies by number-independent interpersonal communications service providers for the purpose of combatting child sexual abuse online, and the adoption of such measures involves a significant risk of fragmentation likely to negatively affect the internal market. Therefore, it is appropriate to adopt this Regulation on the basis of Article 114 TFEU.
Article 16 TFEU introduces a specific legal basis for the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, by Member States when carrying out activities falling within the scope of Union law, and rules relating to the free movement of such data. Since an electronic communication involving a natural person will normally qualify as personal data, this Regulation should also be based on Article 16 TFEU.

•Subsidiarity (for non-exclusive competence)

According to the principle of subsidiarity, EU action may only be taken if the envisaged aims cannot be achieved by Member States alone. EU intervention is needed to maintain the ability of providers of number-independent interpersonal communications services to voluntarily detect and report child sexual abuse online and remove child sexual abuse material, as well as to ensure a uniform and coherent legal framework for the activities in question throughout the internal market. Lack of Union action on this issue would risk creating fragmentation should Member States adopt diverging national legislation. In addition, such national solutions would most probably not be able to be adopted by 21 December 2020 in all Member States. Moreover, a Union wide derogation from the application of provisions of the ePrivacy Directive for certain processing activities can only be adopted by Union legislation. Therefore, the objective cannot be effectively reached by any Member State acting alone, or even Member States acting collectively.

•Proportionality

The proposal complies with the principle of proportionality as set out in Article 5 of the Treaty on European Union as it will not go beyond what is necessary for the achievement of the set objectives. It introduces a targeted and temporary derogation as regards certain aspects of changes to the current framework in order to ensure that certain measures remain permissible to the extent that they currently comply with Union law. In particular, the proposal creates a temporary and strictly limited derogation from the applicability of Articles 5 (1) and 6 of the ePrivacy Directive, with the sole aim of enabling providers of number-independent interpersonal communications services to continue using specific technologies and continue their current activities to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services, pending the adoption of the announced long-term legislation. This derogation from the revised scope of the ePrivacy Directive has to be interpreted narrowly, in particular as number-independent interpersonal communications services will remain subject to the e-Privacy Directive with regard to all their other activities. The proposal therefore contains safeguards to ensure that technologies benefitting from the derogation meet the standards of the best practices currently applied, and thereby limits the intrusiveness to the confidentiality of communications and the risk of circumvention. The derogation is limited to technologies regularly used by number-independent interpersonal communications services for the purpose of detecting and reporting child sexual abuse online and removing child sexual abuse material before the entry into force of this Regulation and ensures that the types of technologies used are the least privacy-intrusive in accordance with the state of the art in the industry. The providers should also publish annual reports on the undertaken processing. 
The duration of the derogation is limited to a time period strictly necessary to adopt the long-term legislation.

•Choice of the instrument

The objectives of the present proposal can best be pursued through a Regulation. This will ensure direct applicability of the provisions and ensure a uniform and coherent approach throughout the internal market. This is of particular importance as companies’ actions to combat child sexual abuse online are applied in a uniform manner across their entire service; diverging national transposition measures might provide a disincentive when it comes to continuing the voluntary engagement. Moreover, only a Regulation appears to be able to meet the date of 21 December for entry into application.

3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

•Ex-post evaluations/fitness checks of existing legislation

Not applicable

•Stakeholder consultations

Not applicable

•Collection and use of expertise

Not applicable

•Impact assessment

In view of the policy objective and the time-sensitive nature of the issue, there are no other materially different policy options available, and thus no impact assessment is appropriate. In particular, the measure intends to introduce an interim and strictly limited derogation from the applicability of Articles 5(1) and 6 of the ePrivacy Directive to ensure that number-independent interpersonal communications service providers can continue voluntarily using specific technologies to detect and report child sexual abuse online and to remove child sexual abuse material on their services after 20 December 2020, pending the adoption of long-term legislation. The long-term legislation will be proposed in the second quarter of 2021 as announced in the EU strategy for a more effective fight against child sexual abuse and will be accompanied by an impact assessment.

•Fundamental rights

The proposal takes full account of the fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union. In particular, the proposed measures take into account Article 7 of the Charter of Fundamental Rights of the European Union, which protects the fundamental right of everyone to the respect for his or her private and family life, home and communications, which includes the confidentiality of communications. In addition, the proposal takes into account Article 24(2) of the Charter which provides that, in all actions relating to children, whether taken by public authorities or private institutions, the child’s best interests must be a primary consideration. Moreover, to the extent that processing of electronic communications by number-independent interpersonal communications services for the sole purpose of detecting and reporting child sexual abuse online and removing child sexual abuse material falls into the scope of the derogation created by this proposal, the General Data Protection Regulation, which implements in secondary legislation Article 8(1) of the Charter, continues to apply to such processing.

4.BUDGETARY IMPLICATIONS

This proposal has no implications for the EU budget.

5.OTHER ELEMENTS

•Implementation plans and monitoring, evaluation and reporting arrangements

Not applicable

•Detailed explanation of the specific provisions of the proposal

Article 1 defines the objective of the proposal to create a temporary and strictly limited derogation from the application of certain obligations of Directive 2002/58/EC, with the sole objective of enabling providers of number-independent interpersonal communications services to continue the use of technologies for the processing of personal and other data to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services.

Article 2 refers to the definition of number-independent interpersonal communications services in Directive (EU) 2018/1972 (European Electronic Communications Code) and to certain definitions in Directive 2011/93/EU on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA.

Article 3 sets the scope of the derogation by creating a limited exemption to the obligations set by Articles 5(1) and 6 of the ePrivacy Directive for the processing of personal and other data in connection with the provision of number-independent interpersonal communications services necessary for the use of technology, including, where necessary, any human review directly relating to the use of the technology, for the sole purpose of detecting or reporting child sexual abuse online to law enforcement authorities and to organisations acting in the public interest against child sexual abuse as well as removing child sexual abuse material, and sets a list of conditions for such a derogation to apply.

Article 4 sets the dates for entering into force and into application of the Regulation and when or under which conditions the Regulation shall cease to apply.

2020/0259 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a temporary derogation from certain provisions of Directive 2002/58/EC of the European Parliament and of the Council as regards the use of technologies by number-independent interpersonal communications service providers for the processing of personal and other data for the purpose of combatting child sexual abuse online

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2), in conjunction with Article 114(1) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)Directive 2002/58/EC of the European Parliament and of the Council lays down rules ensuring the right to privacy and confidentiality with respect to the processing of personal data in exchanges of data in the electronic communication sector. That Directive particularises and complements Regulation (EU) 2016/679 of the European Parliament and of the Council.

(2)Directive 2002/58/EC applies to the processing of personal data in connection with the provision of publicly available electronic communication services. The definition of electronic communication service is currently to be found in Article 2, point (c), of Directive 2002/21/EC of the European Parliament and of the Council. Directive (EU) 2018/1972 of the European Parliament and of the Council repeals Directive 2002/21/EC with effect from 21 December 2020. From that date, the definition of electronic communications services will be replaced by a new definition, in Article 2(4) of Directive (EU) 2018/1972, which includes number-independent interpersonal communications services as defined in Article 2(7) of that Directive. Those services, which include, for example, voice over IP, messaging and web-based e-mail services, will therefore fall within the scope of Directive 2002/58/EC, as of 21 December 2020.

(3)In accordance with Article 6(1) of the Treaty on European Union, the Union recognises the rights, freedoms and principles set out in the Charter of Fundamental Rights of the European Union. Article 7 of the Charter of Fundamental Rights of the European Union (“the Charter”) protects the fundamental right of everyone to the respect for his or her private and family life, home and communications, which includes the confidentiality of communications. Article 8 of the Charter contains the right to protection of personal data. Article 24(2) of the Charter provides that, in all actions relating to children, whether taken by public authorities or private institutions, the child’s best interests must be a primary consideration.

(4)Sexual abuse and sexual exploitation of children constitute serious violations of human rights, in particular of the rights of children to be protected from all forms of violence, abuse and neglect, maltreatment or exploitation, including sexual abuse, as provided for by the 1989 United Nations Convention on the Rights of the Child and by the Charter. Digitisation has brought about many benefits for society and the economy, but also challenges including an increase of child sexual abuse online. The protection of children online is one of the Union's priorities. On 24 July 2020, the Commission adopted an EU strategy for a more effective fight against child sexual abuse (“the Strategy”), which aims to provide an effective response, at Union level, to the crime of child sexual abuse.

(5)Certain providers of number-independent interpersonal communications services, such as webmail and messaging services, are already using specific technologies to detect and report child sexual abuse online to law enforcement authorities and to organisations acting in the public interest against child sexual abuse, or to remove child sexual abuse material, on a voluntary basis. Those organisations refer to national hotlines for reporting child sexual abuse material, as well as to organisations whose purpose is to reduce child sexual exploitation, and prevent child victimisation, located both within the Union and in third countries. Collectively, those voluntary activities play a valuable role in enabling the identification and rescue of victims, and reducing the further dissemination of child sexual abuse material, while also contributing to the identification and investigation of offenders, and the prevention of child sexual abuse offences.

(6)Until 20 December 2020, the processing of personal data by providers of number-independent interpersonal communications services by means of voluntary measures for the purpose of detecting and reporting child sexual abuse online and removing child sexual abuse material is governed by Regulation (EU) 2016/679.

(7)Directive 2002/58/EC does not contain any specific provisions concerning the processing of personal and other data in connection with the provision of electronic communication services for the purpose of detecting and reporting child sexual abuse online and removing child sexual abuse material. However, pursuant to Article 15(1) of Directive 2002/58/EC, Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in, inter alia, Articles 5 and 6 of that Directive, which concern confidentiality of communications and traffic data, for the purpose of prevention, investigation, detection and prosecution of criminal offences linked to child sexual abuse. In the absence of such legislative measures, and pending the adoption of a new longer-term legal framework to tackle child sexual abuse effectively at Union level as announced in the Strategy, there would be no legal basis for providers of number-independent interpersonal communications services to continue to detect and report child sexual abuse online and remove child sexual abuse material in their services beyond 21 December 2020.

(8)This Regulation therefore provides for a temporary derogation from Article 5(1) and Article 6 of Directive 2002/58/EC, which protect the confidentiality of communications and traffic data. Since Directive 2002/58/EC was adopted on the basis of Article 114 of the Treaty on the Functioning of the European Union, it is appropriate to adopt this Regulation on the same legal basis. Moreover, not all Member States have adopted legislative measures at national level to restrict the scope of the rights and obligations provided for in those provisions in accordance with Article 15(1) of Directive 2002/58/EC, and the adoption of such measures involves a significant risk of fragmentation likely to negatively affect the internal market.

(9)Given that electronic communications involving natural persons will normally qualify as personal data, this Regulation should also be based on Article 16 of the Treaty, which provides a specific legal basis for the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Union institutions and by the Member States when carrying out activities which fall within the scope of Union law, and rules relating to the free movement of such data.

(10)To the extent that processing of personal data in connection with the provision of electronic communications services by number-independent interpersonal communications services for the sole purpose of detecting and reporting child sexual abuse online and removing child sexual abuse material falls within the scope of the derogation provided for by this Regulation, Regulation (EU) 2016/679 applies to such processing, including the requirement to carry out an assessment of the impact of the envisaged processing operations where appropriate pursuant to Article 35 of that Regulation prior to the deployment of the technologies concerned.

(11)Since the sole objective of this Regulation is to enable the continuation of certain existing activities aimed at combating child sexual abuse online, the derogation provided for by this Regulation should be limited to well-established technology that is regularly used by number-independent interpersonal communications services for the purpose of detecting and reporting child sexual abuse online and removing child sexual abuse material before the entry into force of this Regulation. The reference to the technology includes where necessary any human review directly relating to the use of the technology and overseeing it. The use of the technology in question should therefore be common in the industry, without it necessarily being required that all providers use the technology and without precluding the further evolution of the technology in a privacy-friendly manner. In this respect, it should be immaterial whether or not a particular provider that seeks to rely on this derogation itself already uses such technology on the date of entry into force of this Regulation. The types of technologies deployed should be the least privacy-intrusive in accordance with the state of the art in the industry and should not include systematic filtering and scanning of communications containing text but only look into specific communications in case of concrete elements of suspicion of child sexual abuse.

(12)In order to ensure accuracy and reliability as much as possible, the technology used should, in accordance with the state of the art in the industry, be such as to limit the error rate of false positives to the maximum extent possible and, where necessary, to rectify without delay any such errors that may nonetheless occur.

(13)The personal and other data used when carrying out the activities covered by the derogation set out in this Regulation, as well as the period during which the data is subsequently retained in case of positive results, should be minimised so as to ensure that the derogation remains limited to what is strictly necessary.

(14)In order to ensure transparency and accountability in respect of the activities undertaken pursuant to the derogation, the providers should publish reports on an annual basis on the processing falling within the scope of this Regulation, including on the type and volumes of data processed, number of cases identified, measures applied to select and improve key indicators, the numbers and ratios of errors (false positives) of the different technologies deployed, measures applied to limit the error rate and the error rate achieved, the retention policy and the data protection safeguards applied.

(15)This Regulation should enter into force on the third day following that of its publication in the Official Journal of the European Union, in order to ensure that it is applicable as from 21 December 2020.

(16)This Regulation restricts the right to protection of the confidentiality of communications and derogates from the decision taken in Directive (EU) 2018/1972 to subject number-independent interpersonal communications services to the same rules as all other electronic communications services as regards privacy. The period of application of this Regulation should, therefore, be limited until 31 December 2025, that is to say for a time period reasonably required for the adoption of a new long-term legal framework, with more elaborate safeguards. In case the long-term legislation is adopted and will enter into force before that date, that legislation should repeal this Regulation.

(17)Providers of number-independent interpersonal communications services should be subject to the specific obligations set out in Directive 2002/58/EC with regard to any other activities that fall within its scope.

(18)The objective of this Regulation is to create a temporary derogation from certain provisions of Directive 2002/58/EC without creating fragmentation in the Internal Market. In addition, national legislation would most probably not be adopted in time in all Member States. As this objective cannot be sufficiently achieved by the Member States, but can rather be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives. It introduces a temporary and strictly limited derogation from the applicability of Articles 5 (1) and 6 of Directive 2002/58/EC, with a series of safeguards to ensure that it does not go beyond what is necessary for the achievement of the set objectives.
(19)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered its opinion on […],

HAVE ADOPTED THIS REGULATION:

Article 1

Subject matter

This Regulation lays down temporary and strictly limited rules derogating from certain obligations laid down in Directive 2002/58/EC, with the sole objective of enabling providers of number-independent interpersonal communications services to continue the use of technologies for the processing of personal and other data to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services.

Article 2

Definitions

For the purpose of this Regulation, the following definitions apply:

(1) ‘number-independent interpersonal communications service’ means a service as defined in Article 2(7) of Directive (EU) 2018/1972;

(2) ‘child sexual abuse online’ means:

(a) material constituting child pornography as defined in Article 2, point (c), of Directive 2011/93/EU of the European Parliament and of the Council;

(b) solicitation of children for the purpose of engaging in sexual activities with a child or of producing child pornography by any of the following:

(i) luring the child by means of offering gifts or other advantages;

(ii) threatening the child with a negative consequence likely to have a significant impact on the child;

(iii) presenting the child with pornographic materials or making them available to the child.

(c)‘pornographic performance’ as defined in Article 2(e) of Directive 2011/93/EU.

Article 3
Scope of the derogation

The specific obligations set out in Article 5(1) and Article 6 of Directive 2002/58/EC shall not apply to the processing of personal and other data in connection with the provision of number-independent interpersonal communications services strictly necessary for the use of technology for the sole purpose of removing child sexual abuse material and detecting or reporting child sexual abuse online to law enforcement authorities and to organisations acting in the public interest against child sexual abuse, provided that:

(a)the processing is proportionate and limited to well-established technologies regularly used by providers of number-independent interpersonal communications services for that purpose before the entry into force of this Regulation, and that are in accordance with the state of the art used in the industry and are the least privacy-intrusive;

(b)the technology used is in itself sufficiently reliable in that it limits to the maximum extent possible the rate of errors regarding the detection of content representing child sexual abuse, and where such occasional errors occur, their consequences are rectified without delay;

(c)the technology used to detect solicitation of children is limited to the use of relevant key indicators, such as keywords and objectively identified risk factors such as age difference, without prejudice to the right to human review;

(d)the processing is limited to what is strictly necessary for the purpose of detection and reporting of child sexual abuse online and removal of child sexual abuse material and, unless child sexual abuse online has been detected and confirmed as such, is erased immediately;

(e)the provider annually publishes a report on its related processing, including on the type and volumes of data processed, number of cases identified, measures applied to select and improve key indicators, numbers and ratios of errors (false positives) of the different technologies deployed, measures applied to limit the error rate and the error rate achieved, the retention policy and the data protection safeguards applied.

As regards point (d), where child sexual abuse online has been detected and confirmed as such, the relevant data may be retained solely for the following purposes and only for the time period necessary:

–for its reporting and to respond to proportionate requests by law enforcement and other relevant public authorities;

–for the blocking of the concerned user’s account;

–in relation to data reliably identified as child pornography, for the creation of a unique, non-reconvertible digital signature (‘hash’).

Article 4
Entry into force and application

This Regulation shall enter into force on the third day following that of its publication in the Official Journal of the European Union.

It shall apply from 21 December 2020 until 31 December 2025.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels,

For the European Parliament For the Council

The President The President
