Article 5(1) of the 2002 ePrivacy Directive requires member states to ensure the confidentiality of electronic communications services and related traffic data, and to prohibit the listening, tapping, storage or other kinds of interception or surveillance of communications and related traffic data without the consent of users, except where legally authorised to do so (e.g. for national security). In 2020, the European Electronic Communications Code came into force and changed the definition of “electronic communications service” that applies to the ePrivacy Directive which resulted in an expansion to the scope of article 5(1). The effect of that was that many online services, which had been voluntarily using technology to detect and report online child sexual abuse, found themselves likely to be technically in breach of article 5(1).

A new EU Regulation, known as the “Interim Regulation”, was agreed in 2021 permitting derogations from article 5(1), subject to certain conditions, for the sole purpose of processing personal and other data to the extent necessary to detect, report and remove online child sexual abuse. The Regulation, which was a temporary solution, is due to expire on 3 August 2024. The long-term solution for addressing online child sex abuse is the Commission’s proposed Regulation to prevent and combat child sexual abuse. As reported by Wiggin, this is currently passing through the EU legislative process and is not likely to come into force before the Interim Regulation expires.

On 30 November, the Commission published a proposal for a new Regulation extending the term of the Interim Regulation to 3 August 2026. This must also now pass through the EU legislative process but, given that it does nothing but change the term of the Interim Regulation, it should be able to do in a short timeframe.

For more information, click here.