In 2022, the European Commission published a proposal for a Regulation to prevent and combat child sex abuse. It proposes that certain online service providers (including those providing hosting, interpersonal communications, software app store and internet access services) would be required to take steps to address any online child sexual abuse (“online CSA”) that may take place on their services. Online CSA includes child sexual abuse material (CSAM) and the solicitation of children for sexual purposes (grooming), and CSAM includes both “new” CSAM (i.e. previously unknown material) as well “known” CSAM (material previously detected and confirmed as constituting CSAM much of which is contained in databases against which searches can be made). Obligations include conducting risk assessments, adopting reasonable mitigation measures to address the identified risks, reporting online CSA to authorities, enabling users to report online CSA to the service provider and complying with orders to remove CSAM. The authorities would have the power to issue detection orders where there is evidence of a significant risk of a service being used for the purposes of online CSA which would require the provider, during the period specified by the order, to take certain specified measures to install and operate technology for the detection of online CSA.

Concerns have been raised by industry and other stakeholders that the provisions concerning detection orders would require service providers to scan private communications and undermine end-to-end encryption, weakening data security and privacy rights, as well as the considerable technical and operational difficulties involved in detecting new CSAM and the solicitation of children. The latest set of amendments to the Commission proposals for detection orders have come from the European Parliament’s lead Committee on this proposal (LIBE) which published their final amendments to the Regulation on 16 November 2023. On detection orders specifically, the Committee proposes that they should be a last resort when all mitigation measures have been exhausted (or have not been implemented), should only apply to CSAM and not to the solicitation of children, must be targeted to individual users or a group of users where there are reasonable grounds to suspect a link with CSAM (the significant risk test has been deleted), and should not apply to end-to-end encrypted communications.

The Committee’s amendments now need to be endorsed by the European Parliament in plenary. Once the Council of the EU adopts its final position, negotiations can commence to agree the final text of the new law.

For more information, click here and here.