In formal comments on a draft law seeking to fight child sexual abuse material (CSAM), EU countries have highlighted end-to-end encryption, quick removals of such material, and preservation of evidence, according to internal comments seen by EURACTIV.

Fifteen European governments have given feedback regarding the draft law to fight CSAM in a commentary document dated 15 March. The commentary, albeit partial, indicates some of the most significant points of concern raised by the EU capitals.

The commentary was provided last month in the context of the ongoing discussion in the Law Enforcement Working Party, a technical body of the EU Council that paves the way for ministerial approval of legislative proposals.

End-to-end encryption

The European Commission’s CSAM proposal has spurred controversy as it introduces the possibility for judicial authorities to issue detection orders targeting communication services providers considered at significant risk of disseminating child sexual abuse material.

In other words, services like WhatsApp or Gmail might be asked to implement AI-driven tools to automatically scan their platform and flag the suspected content to the relevant authority.

This measure has been contested as it is at odds with end-to-end encryption, a technology based on the principle that only the people involved in the communication can read it.

Germany has consistently pushed back on anything compromising end-to-end encryption. In this regard, it asked for an addition to the text, reading that “no technologies will be used which disrupt, weaken, circumvent or modify encryption”.

Moreover, Berlin also has “serious concerns about the provisions on detection orders.”

EU Council discusses cross-border removal orders to fight child pornography

A new compromise text by the Czech EU Council presidency has expanded the original proposal for tackling online child sexual abuse material to include a mechanism for dealing with cross-border content removal.

Data retention

Estonia is concerned about the issue of data retention, saying that “to investigate the crime, it is necessary to obtain data which has been created long before the criminal content has been discovered at all”.

The Baltic country mentioned that if the service provider starts retaining the data, for instance, 24 hours or even a week after the material has been posted, at the moment when it is discovered there might not be enough data to pinpoint the person who published it.

Italy also suggested that the person reporting the suspected content should not be able to remain anonymous, as the authorities should be able to identify the whistleblower.

Slovakia, for its part, said there should be a minimum and a maximum time period for data retention.

Preservation of evidence

In a recent compromise proposal, the Swedish presidency of the EU Council proposed giving service providers the possibility to comment on the intent of judicial authority to remove content from their platform.

In this regard, Finland pointed out that “the proposed addition would mean that the service provider would have to store the material somewhere in order to be able to do this”. They raised the question of whether this is problematic in the case of CSAM material.

Ireland similarly raised concerns about preserving evidence.

LEAK: Commission to force scanning of communications to combat child pornography

The European Commission is to put forward a generalised scanning obligation for messaging services, according to a draft proposal obtained by EURACTIV.

Content removal

Opinions about the time frame within which the service provider should remove the material, once discovered, varied among the member states.

Estonia found 24 hours too long, while the Netherlands pointed out that not all SMEs have 24-hour staffing to make it possible to remove material within one hour, as has also been suggested.

According to Romania, for example, “if content is deemed harmful or illegal, then every hour it remains online could potentially cause further harm”. Therefore, they are in favour of the one-hour limit, and so is Malta.

Like some other countries, the Netherlands also pointed out that the reporting of suspect materials should be possible in a user-friendly manner.

Voice communication

The Netherlands stated its belief that “voice communication and text should remain outside the scope of the regulation” as they are highly critical of detecting voice communication.

The Hague pointed to “concerns about proportionality” and wanted to know the definition of content data in this case. According to the Dutch government, there is no mention of voice communication, only of images, videos and photographs.

Notifying the victims

The Netherlands also raised the question of whether the victims should be notified each time content is shared about them, noting that, in some cases, images have been reported more than two million times.

“Is it then intended that the victim should be notified in every incident? And isn’t the constant confrontation of this actually harmful to the victim?” the Dutch questioned.