![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
ABSTRACT
Protecting children online is a priority for the EU legislator. Since July 2021, an interim regulation allows service providers to derogate from confidentiality safeguards in the e-privacy Directive to fight child sexual abuse online. The European Commission aims to repeal this legislation with a proposal of May 2022. This Regulation will require providers to monitor users’ content communication for online child sexual abuse, among other things. Privacy experts worry that confidentiality standards (i.e. end-to-end encryption) will be weakened and that the Regulation will serve as a basis for indiscriminate interception of content communications. However, the implications of the proposal go beyond privacy and data protection and will impact criminal justice rights too.
Therefore, this contribution presents a comprehensive analysis of the proposal from a privacy, data protection and criminal justice perspective. It examines the proportionality of the measure and its implications within the Area of Freedom, Security, and Justice (AFSJ). Specifically, it looks at purpose limitation issues in data exchanges and the admissibility of such evidence in criminal proceedings. The aim is to show that the EU, while aiming at increasing data circulation in the AFSJ, might not be ready for this challenge from an infrastructural and fundamental rights standpoint.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1 Regulation 2021/1232/EU of the European Parliament and of the Council of 14 July 2021 on a temporary derogation from certain provisions of Directive 2002/58/EC as regards the use of technologies by providers of number-independent interpersonal communications services for the processing of personal and other data for the purposes of combatting online child sexual abuse (the interim Regulation).
2 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, p. 37–47.
3 It should be noted that, however, the European Parliament has recently adopted a draft position to extend the validity of the interim Regulation until 3 May 2025. See (European Parliament Citation2024).
4 Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down rules to prevent and combat child sexual abuse COM/2022/209 final.
5 One major example of a surveillance regime at the EU level is the PNR system, set up with the Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, OJ L 119, 4.5.2016, p. 132–149. Interoperability mechanisms have instead been established between Entry/Exit System (EES), the Visa Information System (VIS), the European Travel Information and Authorisation System (ETIAS), Eurodac, the Schengen Information System (SIS), and the European Criminal Records Information System for third-country nationals (ECRIS-TCN) with the Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816, OJ L 135, 22.5.2019, p. 85–135.
6 An example of hash scanning technologies is PhotoDNA by Microsoft, which has very low false positive rates.
7 These technologies still work with significant false positive rates. A relevant example is Thorn, a software provided by the US-based company Safer.
8 Specifically, the risk assessment and the mitigation measures adopted by the provider constitute relevant factors to evaluate the existence of significant risk justifying the detection order (Art. 4(second sentence)(a)).
9 On the reasons why detection orders should be considered a general – and not targeted – surveillance measure, see below 3.3.
10 Here the ‘quality of the law’ doctrine of the ECtHR (see, e.g., Zakharov v. Russia, §§228, 233) shall be considered (European Data Protection Supervisor Citation2019, 7, note 11).
11 Cf. Recitals 75 and 76 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016, p. 1–88 (hereinafter: GDPR).
12 Treaty on the Functioning of the European Union OJ C 115, 9.5.2008, p. 80–81.
13 It appears, however, that the Commission has a different view, as it distinguishes the retention of data analysed in the CJEU case law, from detection orders operating on a ‘hit/not hit’ model. The initial screening of data does not seem to raise, from the Commission’s perspective, a self-standing interference on privacy and data protection rights. See (Vajda Citation2023, 33).
14 Cf., for a similar argument, (European Parliament. Directorate General for Parliamentary Research Services Citation2023, 59).
15 Although experts’ opinions are contradictory on the matter (European Parliament. Directorate General for Parliamentary Research Services Citation2023, 22-23).
16 Cf. Digital Rights Ireland, §60.
17 Article 8 of the Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA.
18 Article 53(2).
19 Under the Europol Regulation, the Agency is allowed to process only the categories of personal data defined in Annex II of the same Regulation. According to Europol, ‘data subject categorisation’ is the process through which suspects, potential future criminals, contacts and associates, victims, witnesses and informants linked to criminal activities are identified in raw databases (EUROPOL Citation2022).
20 Article 19(1) of the Regulation (EU) 2022/991 of the European Parliament and of the Council of 8 June 2022 amending Regulation (EU) 2016/794, as regards Europol’s cooperation with private parties, the processing of personal data by Europol in support of criminal investigations, and Europol’s role in research and innovation OJ L 169, 27.6.2022, p. 1–42.
21 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89–131.
22 Relevant examples are the European Investigation Order Directive and the EPPO Regulation.
23 This emerges, even if in a more ambiguous way, from WebMindLicenses. From the wording of the Court indeed, the exclusion of the evidence does not follow necessarily from the legality check. Rather, this is the mandatory outcome only if the review of the evidence was not carried out in an adversarial procedure.
24 Spetsializirana prokuratura, Case C–350/21, 17.11.2022, para 75.