Online child sexual abuse: New compromise stresses risk assessment, detection, reporting
The new compromise text, dated 27 March, was sent to the Law Enforcement Working Party, responsible for tasks concerning legislation and operational issues associated with cross-border policing.
The draft legislation currently considered will have member states’ authorities assess the risk of online service providers, such as social media platforms. Based on this risk categorisation, authorities will have to implement appropriate monitoring and mitigation measures, as well as issue detection orders.
Member states must designate competent authorities to implement the legislation, one acting as the Coordinating Authority. Competent authorities are national juristical authorities, while the Coordinating Authority in each EU country oversees risk assessments and mitigation measures, as well as efforts to detect, report, and remove CSAM.
Detection orders
The new text proposes excluding non-public electronic services, such as those for national security, from the regulation. These services have lower CSAM risk and data protection concerns, the draft says.
The draft empowers Coordinating Authorities to adjust risk measures for hosting and communication providers without impeding their investigative powers, possibly through fines. Providers can transparently inform users of their compliance.
Another Belgian presidency document, reported on by Euractiv, gives details of the risk classifications that will guide mitigation measures and detection orders.
A previous text by the presidency outlined the Coordinated Authorities’ roles when it comes to risk categorisation or detection orders, some of which were now included in the compromise text.
In the latest iteration of the legislation, detection orders, issued by the Coordinating Authority, exclude calls via public communication services.
Risk assessment
Risk assessments must be updated regularly, with low-risk services reviewed every three years, medium-risk every two years, and high-risk annually. Authorities can mandate reassessments every six months.
Assessments must identify specific risks within online services to enable targeted mitigation. Service providers can display a “reduced risk” sign if authorised, but it must be clear to users that this does not eliminate all risks. A previous provision on labelling has been removed from the regulation.
If a detection order is overturned, service providers must restore access promptly.
Belgian EU presidency presents new risk assessment methodology for child sexual abuse law
A new document written by the Belgian EU Council presidency and seen by Euractiv outlines key details for the risk assessment that will form the backbone of a draft law to detect and remove online child sexual abuse material (CSAM).
Reporting
An expedited reporting process is proposed for cases indicating imminent danger, prioritising essential information and swift action by the EU Centre, a central hub created by the legislation to fight CSAM.
Providers can report urgent situations beneficial to investigations but not requiring immediate action. Provisions on “emergency reporting” were removed from the latest text.
Reporting targets repeat offenders, with providers disclosing responses to orders and providing voluntary information.
Competent authorities designated by member states can request removal, blocking, or delisting orders. Cross-border removal orders can be issued as well, but only if deemed necessary by the Coordinating Authority and they may be suspended upon notification.
National judicial authorities can issue delisting orders to search engines, informing affected users about the redress.
EU Centre and Europol
The text proposes a collaboration between Europol, the EU law enforcement cooperation agency, and the EU Centre, with the EU Centre managing a database of CSAM reports and Europol integrating these reports for investigative purposes.
The Centre will grant access to its database when needed and establish a ‘victims board’ to provide assistance and advice.
The text allows for a transition period during which certain provisions will not apply until measures are fully implemented, such as blocking orders without access to the EU Centre’s database.
Child sexual abuse: New approach puts focus on Coordinating Authority’s roles
A new approach by the Belgian Presidency of the EU Council to the draft law to detect and remove online child sexual abuse material puts focus on the Coordinating Authority’s roles, such as risk categorisation or detection orders.
Data protection
The document clarifies that it does not ban end-to-end encryption (E2EE), a method of secure communication that prevents third parties from accessing data exchanged between users.
Providers are allowed to offer services using E2EE, and the draft law cannot compel them to grant access to encrypted data. Providers must analyse and mitigate potential cybersecurity risks arising from the technologies employed to execute detection orders.
The Belgian presidency suggests that the Commission should have the power to approve technologies suitable for executing such orders.
Age verification measures must prioritise privacy and the child’s interests, without user profiling or biometric identification. The text also emphasises data protection by design, especially in safeguarding children’s data and promoting a secure online space, while ensuring that the procedures are non-discriminatory and accessible.
Mitigation measures
The latest text proposes adjusting online platform functionalities as a mitigation measure. This includes implementing easy reporting tools, age-appropriate features, and privacy settings.
Platforms may inform users about potential abuse, direct them to support services, and collect statistical data for risk assessment.
If a provider fails to meet requirements for high or medium-risk services, the Coordinating Authority instructs necessary actions, such as updating risk assessments or implementing new measures.
Read more with Euractiv
