On 11 May, the European Commission presented a draft regulation to combat sexual abuse of children on the internet. This was open for public comment until 12 September and will now be discussed in the parliamentary procedure over a period of about two years.

The draft regulation can be downloaded here.

From the point of view of the Digital Opportunities Foundation, we comment on the draft as follows:

We expressly welcome the draft regulation since it is the first time a law in the EU follows a fundamental and comprehensive child rights approach focusing on the primacy of the best interests of the child according to the EU Charter of Fundamental Rights Art. 24 (2).

Among the options in consideration the EC has chosen the most far-reaching proposal (E) with regard to the protection of children, addressing detection, reporting and deletion of both known depictions of abuse and "new" material, as well as solicitation of children with sexual intent (grooming). The obligation to assess the risk of grooming within apps is a milestone in combatting child sexual abuse online.

The fight against CSAM must start with a risk assessment and risk mitigation measures by the service providers, since prevention is crucial. Only if and when these preventive operations turn out to be inefficient, the process potentially leading to a detection order will be initiated. The regulation outlines transparently the necessary steps before a detection order is issued and the safeguards to eliminate the violation of fundamental rights as far as possible. We appreciate detection orders being issued by a court or national authority based on a thorough validation process, any order will be limited in time and addressing only a certain type of content on the respective service. Research as well as law enforcement investigations give evidence that sexualised violence follows escalation pathways, the earlier these paths can be stopped the better.

We acknowledge the need to ensure the privacy of interpersonal communications, but the regulation needs to take into account private chats because this is where perpetrators initiate contact with children. The EC suggests scanning technologies look for behavioural patterns suggestive of abuse, but not to analyse the actual content of the communication at first. We trust in the structural safeguards already foreseen in the draft regulation to prevent surveillance of all personal communication without cause.

The draft recognizes end-to-end encryption as an effective means of ensuring the confidentiality of communications and explicitly does not exclude it as an instrument (para. 26). The draft leaves it up to providers to choose the appropriate technology, but makes it unequivocally clear that providers are obliged to detect CSAM and grooming in their services. Our expectation would be for service providers to invest in the development and deployment of such technology right now to have it operational when the parliamentarian process hopefully is finished in mid 2024 with the new regulation chiming into force.

We welcome the co-operational approach for the European Centre to prevent and counter child sexual abuse (EU Centre), which is an important component of the regulation. The tasks foreseen for the Centre must be addressed on a trans-national level without putting in question the work of national authorities. Only the time horizon of 8 years till it is fully operational is too long. We expect the EC to undertake preparational measures for the Centre to be ready to start in 2024. The centre must operate independent from law enforcement although in close co-operation with Europol.

The interim derogation is a strong example how to overcome the only seemingly insurmountable contradiction between privacy and child protection. Like all people also children have the inalienable right to privacy as laid down in the UN-CRC Art. 16. Art. Also they have the right to protection from any form of exploitation (Art. 34 - 36). The approach of the regulation is justified by General Comment 25 on children’s rights in relation to the digital environment esp. by a call for special protective measures on the part of the states in chapt. 12. Also it requires states in para 118 not to criminalise self-generated sexual content children possess or share with their consent and solely for their own private use. We suggest the EC reviews the draft to ensure it is fully compliant also with this para.

An open letter from civil society organisations on the draft regulation can be found at Sexual Abuse - Civil Society Open Letter to the EU