Chat control: 10 principles to defend children in the digital age

On 9 February 2022, EDRi releases our 10 principles for derogating from the ePrivacy Directive for the purpose of detecting online child sexual abuse material (CSAM). Our goal is to make sure that any EU proposal to detect online child sexual abuse material (CSAM) is in line with the EU’s fundamental rights obligations, in particular that measures are based on law, serve a legitimate aim in a democratic society, and are objectively necessary and proportionate to that aim. We reiterate these obligations ahead of the European Commission’s proposal for a long-term law to derogate from the ePrivacy Directive for the purpose of detecting online child sexual abuse material (CSAM), which is expected at the end of Q1 2022.

In accordance with EU fundamental rights law, the surveillance or interception of private communications or their metadata for detecting, investigating or prosecuting online CSAM must be limited to genuine suspects against whom there is reasonable suspicion, must be duly justified and specifically warranted, and must follow national and EU rules on policing, due process, good administration, non-discrimination and fundamental rights safeguards.

We therefore propose 10 indivisible principles to ensure that vital efforts to investigate and prosecute those who spread CSAM can be undertaken in a way that is democratic, compatible with European rules and values, and therefore the most likely to achieve justice for victims. This is underpinned by our call for respect for the democratic process, and a reminder that many Member States still need to take action on numerous existing recommendations to address CSAM, including resulting from their unmet obligations under the 2011 Directive.

The 10 cumulative principles:

1. No mass surveillance: meaning that there must never be the generalised, automated scanning of everyone’s private communications;
2. Interventions must be targeted on the basis of individual-level suspicion: which requires that any interception of private communications is made on the basis of specific, reasonable, individual-level suspicion;
3. Interventions must be lawful: meaning that they have a publicly-accessible, clear, precise, comprehensive and non-arbitrary legal basis, and must not be discriminatory;
4. Interventions must be specifically warranted: any investigation of private communications must be specifically and individually warranted by a judge;
5. Measures must be the least privacy-invasive and limited to detecting CSAM only: and in order to ensure this, the European Data Protection Board (EDPB) should provide guidance;
6. Independent oversight and scrutiny: there must be rigorous oversight by national data protection authorities, as well as independent audits and reporting obligations;
7. Security: there must be independent security reviews of scanning methods, and those which undermine the security of people’s devices, like Client Side Scanning (CSS), must not be allowed;
8. Measures must protect encryption: encryption is vital to democratic society and must be protected. We note that CSS undermines end-to-end encryption;
9. Invest in tackling complex social issues in context: the grave issue of child abuse and exploitation is a complex issue which requires a comprehensive approach to prevention, education and survivor support; and
10. Multi-stakeholder dialogue: with sufficient weight given to the risks to data protection and privacy.

Read the report in German.

You can also learn more about exactly why this is such an important issue in EDRi’s blog series, A beginner’s guide to EU rules on scanning private communications, part 1 and part 2.

This article is also available in German here.

(Contribution by:)