Legal provisions of COM(2020)568 - Derogation from directive on use of technologies by number-independent interpersonal communications service providers for the purpose of combatting child sexual abuse online




Article 1

Subject matter and scope

1. This Regulation lays down temporary and strictly limited rules derogating from certain obligations laid down in Directive 2002/58/EC, with the sole objective of enabling providers of certain number-independent interpersonal communications services (‘providers’) to use, without prejudice to Regulation (EU) 2016/679, specific technologies for the processing of personal and other data to the extent strictly necessary to detect online child sexual abuse on their services and report it and to remove online child sexual abuse material from their services.

2. This Regulation does not apply to the scanning of audio communications.

Article 2

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)‘number-independent interpersonal communications service’ means a number-independent interpersonal communications service as defined in Article 2, point (7), of Directive (EU) 2018/1972;

(2)‘online child sexual abuse material’ means:

(a)child pornography as defined in Article 2, point (c), of Directive 2011/93/EU;

(b)pornographic performance as defined in Article 2, point (e), of Directive 2011/93/EU;

(3)‘solicitation of children’ means any intentional conduct constituting a criminal offence under Article 6 of Directive 2011/93/EU;

(4)‘online child sexual abuse’ means online child sexual abuse material and solicitation of children.

Article 3

Scope of the derogation

1. Articles 5(1) and 6(1) of Directive 2002/58/EC shall not apply to the confidentiality of communications involving the processing by providers of personal and other data in connection with the provision of number-independent interpersonal communications services provided that:

(a)the processing is:

(i)strictly necessary for the use of specific technology for the sole purpose of detecting and removing online child sexual abuse material and reporting it to law enforcement authorities and to organisations acting in the public interest against child sexual abuse and of detecting solicitation of children and reporting it to law enforcement authorities or organisations acting in the public interest against child sexual abuse;

(ii)proportionate and limited to technologies used by providers for the purpose set out in point (i);

(iii)limited to content data and related traffic data that are strictly necessary for the purpose set out in point (i);

(iv)limited to what is strictly necessary for the purpose set out in point (i);

(b)the technologies used for the purpose set out in point (a)(i) of this paragraph are in accordance with the state of the art in the industry and are the least privacy-intrusive, including with regard to the principle of data protection by design and by default laid down in Article 25 of Regulation (EU) 2016/679 and, to the extent that they are used to scan text in communications, they are not able to deduce the substance of the content of the communications but are solely able to detect patterns which point to possible online child sexual abuse;

(c)in respect of any specific technology used for the purpose set out in point (a)(i) of this paragraph, a prior data protection impact assessment as referred to in Article 35 of Regulation (EU) 2016/679 and a prior consultation procedure as referred to in Article 36 of that Regulation have been conducted;

(d)with regard to new technology, meaning technology used for the purpose of detecting online child sexual abuse material that has not been used by any provider in relation to services provided to users of number-independent interpersonal communications services (‘users’) in the Union before 2 August 2021, and with regard to technology used for the purpose of identifying possible solicitation of children, the provider reports back to the competent authority on the measures taken to demonstrate compliance with written advice issued in accordance with Article 36(2) of Regulation (EU) 2016/679 by the competent supervisory authority designated pursuant to Chapter VI, Section 1, of that Regulation (‘supervisory authority’) in the course of the prior consultation procedure;

(e)the technologies used are sufficiently reliable in that they limit to the maximum extent possible the rate of errors regarding the detection of content representing online child sexual abuse and, where such occasional errors occur, their consequences are rectified without delay;

(f)the technologies used to detect patterns of possible solicitation of children are limited to the use of relevant key indicators and objectively identified risk factors such as age difference and the likely involvement of a child in the scanned communication, without prejudice to the right to human review;

(g)the providers:

(i)have established internal procedures to prevent abuse of, unauthorised access to, and unauthorised transfers of, personal and other data;

(ii)ensure human oversight of and, where necessary, human intervention in the processing of personal and other data using technologies falling under this Regulation;

(iii)ensure that material not previously identified as online child sexual abuse material, or solicitation of children, is not reported to law enforcement authorities or organisations acting in the public interest against child sexual abuse without prior human confirmation;

(iv)have established appropriate procedures and redress mechanisms to ensure that users can lodge complaints with them within a reasonable timeframe for the purpose of presenting their views;

(v)inform users in a clear, prominent and comprehensible way of the fact that they have invoked, in accordance with this Regulation, the derogation from Articles 5(1) and 6(1) of Directive 2002/58/EC concerning the confidentiality of users’ communications for the sole purpose set out in point (a)(i) of this paragraph, the logic behind the measures they have taken under the derogation and the impact on the confidentiality of users’ communications, including the possibility that personal data are shared with law enforcement authorities and organisations acting in the public interest against child sexual abuse;

(vi)inform users of the following, where their content has been removed or their account has been blocked or a service offered to them has been suspended:

(1)the avenues for seeking redress from them;

(2)the possibility of lodging a complaint with a supervisory authority; and

(3)the right to a judicial remedy;

(vii)by 3 February 2022, and by 31 January every year thereafter, publish and submit to the competent supervisory authority and to the Commission a report on the processing of personal data under this Regulation, including on:

(1)the type and volumes of data processed;

(2)the specific ground relied on for the processing pursuant to Regulation (EU) 2016/679;

(3)the ground relied on for transfers of personal data outside the Union pursuant to Chapter V of Regulation (EU) 2016/679, where applicable;

(4)the number of cases of online child sexual abuse identified, differentiating between online child sexual abuse material and solicitation of children;

(5)the number of cases in which a user has lodged a complaint with the internal redress mechanism or with a judicial authority and the outcome of such complaints;

(6)the numbers and ratios of errors (false positives) of the different technologies used;

(7)the measures applied to limit the error rate and the error rate achieved;

(8)the retention policy and the data protection safeguards applied pursuant to Regulation (EU) 2016/679;

(9)the names of the organisations acting in the public interest against child sexual abuse with which data has been shared pursuant to this Regulation;

(h)where suspected online child sexual abuse has been identified, the content data and related traffic data processed for the purpose set out in point (a)(i), and personal data generated through such processing are stored in a secure manner, solely for the purposes of:

(i)reporting, without delay, the suspected online child sexual abuse to the competent law enforcement and judicial authorities or organisations acting in the public interest against child sexual abuse;

(ii)blocking the account of, or suspending or terminating the provision of the service to, the user concerned;

(iii)creating a unique, non-reconvertible digital signature (‘hash’) of data reliably identified as online child sexual abuse material;

(iv)enabling the user concerned to seek redress from the provider or pursue administrative review or judicial remedies on matters related to the suspected online child sexual abuse; or

(v)responding to requests issued by competent law enforcement and judicial authorities in accordance with the applicable law to provide them with the necessary data for the prevention, detection, investigation or prosecution of criminal offences as set out in Directive 2011/93/EU;

(i)the data are stored no longer than strictly necessary for the relevant purpose set out in point (h) and, in any event, no longer than 12 months from the date of the identification of the suspected online child sexual abuse;

(j)every case of a reasoned and verified suspicion of online child sexual abuse is reported without delay to the competent national law enforcement authorities or to organisations acting in the public interest against child sexual abuse.

2. Until 3 April 2022, the condition set out in paragraph 1, point (c), shall not apply to providers that:

(a)were using a specific technology before 2 August 2021 for the purpose set out in paragraph 1, point (a)(i), without having completed a prior consultation procedure in respect of that technology;

(b)start a prior consultation procedure before 3 September 2021; and

(c)duly cooperate with the competent supervisory authority in connection with the prior consultation procedure referred to in point (b).

3. Until 3 April 2022, the condition set out in paragraph 1, point (d), shall not apply to providers that:

(a)were using a technology as referred to in paragraph 1, point (d), before 2 August 2021 without having completed a prior consultation procedure in respect of that technology;

(b)start a procedure as referred to in paragraph 1, point (d), before 3 September 2021; and

(c)duly cooperate with the competent supervisory authority in connection with the procedure referred to in paragraph 1, point (d).

Article 4

European Data Protection Board guidelines

By 3 September 2021, and pursuant to Article 70 of Regulation (EU) 2016/679, the Commission shall request the European Data Protection Board to issue guidelines for the purpose of assisting the supervisory authorities in assessing whether processing falling within the scope of this Regulation, for existing and new technologies used for the purpose set out in Article 3(1), point (a)(i), of this Regulation, complies with Regulation (EU) 2016/679.

Article 5

Effective judicial remedies

In accordance with Article 79 of Regulation (EU) 2016/679 and Article 15(2) of Directive 2002/58/EC, users shall have the right to an effective judicial remedy where they consider that their rights have been infringed as a result of the processing of personal and other data for the purpose set out in Article 3(1), point (a)(i), of this Regulation.

Article 6

Supervisory authorities

The supervisory authorities designated pursuant to Chapter VI, Section 1, of Regulation (EU) 2016/679 shall monitor the processing falling within the scope of this Regulation in accordance with their competences and powers under that Chapter.

Article 7

Public list of organisations acting in the public interest against child sexual abuse

1. By 3 September 2021, providers shall communicate to the Commission a list of the names of organisations acting in the public interest against child sexual abuse to which they report online child sexual abuse under this Regulation. Providers shall communicate any changes to that list to the Commission on a regular basis.

2. By 3 October 2021, the Commission shall make public a list of the names of organisations acting in the public interest against child sexual abuse communicated to it under paragraph 1. The Commission shall keep that public list up to date.

Article 8

Statistics

1. By 3 August 2022, and on an annual basis thereafter, the Member States shall make publicly available and submit to the Commission reports with statistics on the following:

(a)the total number of reports of detected online child sexual abuse that have been submitted by providers and organisations acting in the public interest against child sexual abuse to the competent national law enforcement authorities, differentiating, where such information is available, between the absolute number of cases and those cases reported several times and the type of provider on whose service the online child sexual abuse was detected;

(b)the number of children identified through actions pursuant to Article 3, differentiated by gender;

(c)the number of perpetrators convicted.

2. The Commission shall aggregate the statistics referred to in paragraph 1 of this Article and shall take them into account when preparing the implementation report pursuant to Article 9.

Article 9

Implementation report

1. On the basis of the reports submitted pursuant to Article 3(1), point (g)(vii), and the statistics provided pursuant to Article 8, the Commission shall, by 3 August 2023, prepare a report on the implementation of this Regulation and submit and present it to the European Parliament and to the Council.

2. In the implementation report, the Commission shall consider, in particular:

(a)the conditions for the processing of personal data and other data set out in Article 3(1), point (a)(ii), and points (b), (c) and (d);

(b)the proportionality of the derogation provided for by this Regulation, including an assessment of the statistics submitted by the Member States pursuant to Article 8;

(c)developments in technological progress regarding the activities covered by this Regulation, and the extent to which such developments improve accuracy and reduce the numbers and ratios of errors (false positives).

Article 10

Entry into force and application

This Regulation shall enter into force on the third day following that of its publication in the Official Journal of the European Union.

It shall apply until 3 August 2024.

This Regulation shall be binding in its entirety and directly applicable in all Member States.