EU rules on scanning online communications: ‘CSA Regulation’ Document Pool
This document pool contains analyses, updates and resources relating to EU rules on scanning private online communications ('chat control'), upload filters, online anonymity and other threats to human rights in the context of the proposed 'Regulation laying down rules to prevent and combat child sexual abuse' (CSA Regulation)
Content warning: this page and these resources contain discussions of child sexual abuse and exploitation
"Privacy and safety are mutually enforcing rights. People’s ability to communicate without unjustified intrusion - whether online or offline - is vital for their rights and freedoms, as well as for the development of vibrant and secure communities, civil society and industry."
In this document pool we list articles and documents related to EU rules on scanning private online communications, in particular the ‘Regulation laying down rules to prevent and combat child sexual abuse’ (2022/0155(COD)). This will allow you to follow the developments of measures and regulatory actions.
Contents
- Latest updates from EDRi
- EDRi’s position on the scanning of online communications
- EDRi’s background to the file
- Civil society open letters
- Key dates and official documents
- Other useful resources
- Terminology
- Contact us
1. Latest updates from EDRi
-
European Commission must uphold privacy, security and free expression by withdrawing new law, say civil society
In May, the European Commission proposed a new law: the CSA Regulation. If passed, this law would turn the internet into a space that is dangerous for everyone’s privacy, security and free expression. EDRi is one of 134 organisations calling instead for tailored, effective, rights-compliant and technically-feasible alternatives to tackle this grave issue.
Read more
-
Private and secure communications attacked by European Commission’s latest proposal
On 11 May, the European Commission put forward a proposal for a ‘Regulation laying down rules to prevent and combat child sexual abuse’ to replace the interim legislation that EDRi fought against last year. In our immediate reaction, EDRi warned that the new proposal creates major risks for the privacy, security and integrity of private communications, not just in the EU, but globally. Here, we unpack a bit more about the legislative proposal, and why we are so concerned.
Read more
-
European Commission’s online CSAM proposal fails to find right solutions to tackle child sexual abuse
Today, 11 May, is a worrying day for every person in the EU who wants to send a message privately without exposing their personal information, like chats and photos, to private companies and governments. The European Commission has adopted its “Regulation laying down rules to prevent and combat child sexual abuse” material online, including measures which put the vital integrity of secure communications at risk.
Read more
2. EDRi’s position on the scanning of online private communications
- (English) ‘EDRi’s principles for derogating from the ePrivacy Directive for the purpose of detecting online child sexual abuse material (CSAM)‘ (09.02.2022)
- (German) ‘Prinzipien von EDRi für Ausnahmen von der Datenschutzrichtlinie für elektronische Kommunikation zum Zweck der Entdeckung von online verbreiteten Darstellungen des sexuellen Missbrauchs von Kindern (CSAM)‘ (09.02.2022)
3. EDRi’s background to the file
- Looking for insights into which rules currently govern the scanning of private online communications in the EU, as well as past EU efforts to tackle CSAM online? Read ‘A beginner’s guide to EU rules on scanning private communications: Part 1‘ (15.12.2021)
- Want to understand why future EU rules on scanning private online communications for the purpose of detecting CSAM are a digital rights issue? Read ‘A beginner’s guide to EU rules on scanning private communications: Part 2‘ (02.02.2022)
- Searching for further analysis about what we expect in the forthcoming proposal? Read ‘Private communications are a cornerstone of democratic society and must be protected in online CSAM legislation‘ (17.03.2022)
- Future EU rules on scanning provide online communications for the purpose of detecting CSAM are being proposed to replace the 2021 short term ePrivacy derogation for the purpose of tackling CSAM. To understand EDRi’s criticisms at the time that the short-term / interim law was passed, read ‘Open Letter: Civil society views on defending privacy while preventing criminal acts‘ (27.10.2020)
- The below resources contain further information about the upcoming proposal as well as the interim regulation:
-
European Commission’s online CSAM proposal fails to find right solutions to tackle child sexual abuse
Today, 11 May, is a worrying day for every person in the EU who wants to send a message privately without exposing their personal information, like chats and photos, to private companies and governments. The European Commission has adopted its “Regulation laying down rules to prevent and combat child sexual abuse” material online, including measures which put the vital integrity of secure communications at risk.
Read more
-
The European Commission might put a stop to end-to-end encryption
The European Commission is working on a bill that requires platforms to monitor all your chats. This would undermine the essence of end-to-end encryption. What's up with that?
Read more
-
Private communications are a cornerstone of democratic society and must be protected in online CSAM legislation
On 17 March 2022, EDRi and 34 other civil society organisations jointly raised our voices to the European Commission to demand that the forthcoming EU ‘Legislation to effectively tackle child sexual abuse’ complies with EU fundamental rights and freedoms. We are seriously concerned that the draft law does not meet the requirements of proportionality and legitimacy that are rightly required of all EU laws, and would set a dangerous precedent for mass spying on private communications.
Read more
-
A beginner’s guide to EU rules on scanning private communications: Part 2
Vital EU rules on human rights and on due process protect all of us from unfair, arbitrary or discriminatory interference with our privacy by states and companies. As we await the European Commission’s proposal for a law which we fear may make it mandatory for online chat and email services to scan every person’s private messages all the time, which may constitute mass surveillance, this blog explores what rights-respecting investigations into child sexual abuse material (CSAM) should look like instead.
Read more
-
A beginner’s guide to EU rules on scanning private communications: Part 1
In July 2021, the European Parliament and EU Council agreed temporary rules to allow webmail and messenger services to scan everyone’s private online communications. In 2022, the European Commission will propose a long-term version of these rules. In the first installment of this EDRi blog series on online ‘CSAM’ detection, we explore the history of the file, and why it is relevant for everyone’s digital rights.
Read more
-
It’s official. Your private communications can (and will) be spied on
On 6 July, the European Parliament adopted in a final vote the derogation to the main piece of EU legislation protecting privacy, the ePrivacy Directive, to allow Big Tech to scan your emails, messages and other online communications.
Read more
-
iSpy with my little eye: Apple’s u-turn on privacy sets a precedent and threatens everyone’s security
Apple has just announced significant changes to their privacy settings for messaging and cloud services: first, it will scan all images sent by child accounts; second, it will scan all photos as they are being uploaded to iCloud. With these changes, Apple is threatening everyone’s privacy, security and confidentiality.
Read more
-
Wiretapping children’s private communications: Four sets of fundamental rights problems for children (and everyone else)
On 27 July 2020, the European Commission published a Communication on an EU strategy for a more effective fight against child sexual abuse material (CSAM). As a long-term proposal is expected to be released by this summer, we review some of the fundamental rights issues posed by the initiatives that push for the scan of all private communications.
Read more
-
Is surveilling children really protecting them? Our concerns on the interim CSAM regulation
On 27 July, the European Commission published a Communication on an EU strategy for a more effective fight against child sexual abuse material (CSAM). The Communication indicated several worrying measures that could have devastating effects for your privacy online. The first of these measures is out now.
Read more
-
Keep private communications private
On 27 July, the European Commission published a Communication on a EU strategy for a more effective fight against child sexual abuse material (CSAM). The Communication indicates that messaging services (WhatsApp, Facebook Messenger…) may see their privacy protections undermined under new legislation that will be proposed this week.
Read more
The legislative procedure
4. Civil society open letters and demands
-
European Commission must uphold privacy, security and free expression by withdrawing new law, say civil society
In May, the European Commission proposed a new law: the CSA Regulation. If passed, this law would turn the internet into a space that is dangerous for everyone’s privacy, security and free expression. EDRi is one of 134 organisations calling instead for tailored, effective, rights-compliant and technically-feasible alternatives to tackle this grave issue.
Read more
-
Open letter: Protecting digital rights and freedoms in the Legislation to effectively tackle child abuse
EDRi is one of 52 civil society organisations jointly raising our voices to the European Commission to demand that the proposed EU Regulation on child sexual abuse complies with EU fundamental rights and freedoms. You can still add your voice now!
Read more
-
Chat control: 10 principles to defend children in the digital age
The automated scanning of everyone’s private communications, all of the time, constitutes a disproportionate interference with the very essence of the fundamental right to privacy. It can constitute a form of undemocratic mass surveillance, and can have severe and unjustified repercussions on many other fundamental rights and freedoms, too.
Read more
-
Internal documents revealed the worst for private communications in the EU; how will the Commissioners respond?
EDRi, Europe's biggest network for rights and freedoms across Europe and beyond, urge the European Commission to not put forward a CSAM proposal that would undermine the CJEU prohibition of general monitoring or subject Europeans to monitoring that would turn their devices into spyware.
Read more
5. Key dates and official documents
- The ‘Regulation laying down rules to prevent and combat child sexual abuse‘ (2022/0155(COD)) was adopted by the European Commission on Wednesday 11 May 2020.
- It was accompanied by a press release, Q&A document, as well as by a separate, but complementary, ‘New EU strategy to protect and empower children in the Digital world‘
The forthcoming 2022 ‘Legislation to effectively tackle child sexual abuse’ is expected to be proposed by the European Commission in May 2022 according to an interview (n.b. link goes directly to a YouTube video) given by the European Commissioner in charge, Ylva Johansson. On 29 March, Politico further reported that a new draft agenda shows the proposal is scheduled for 11 May 2022- On February 15 2022, the proposal passed the internal Regulatory Scrutiny Board (RSB) “with reservations” as a result of “significant shortcomings” (RSB Opinion leaked by Contexte) and also showing that the draft proposal had failed its review in 2021.
The proposal was previously scheduled for 27 April 2022The proposal was previously scheduled for 30 March 2022The proposal was previously scheduled for October 2021
- The new Regulation will replace the temporary ePrivacy derogation for the purpose of tackling child sexual abuse, which was adopted by the European Parliament and Council on 14 July 2021:
- The new Regulation is also ‘lex specialis’ to the Digital Services Act (DSA), which was adopted by the European Parliament in July 2022, meaning that it builds on and particularises certain parts of the DSA (those relevant to tackling child sexual abuse material).
- Read the Opinion of the European Data Protection Supervisor (EDPS) on the proposed temporary ePrivacy derogation, 10 November 2020:
6. Other useful resources
On the importance of privacy, data protection and encryption for children and young people:
- ‘UN General comment No. 25 (2021) on children’s rights in relation to the digital environment‘, United Nations (2021)
- ‘What is encryption and why does it matter for children?‘, Summary Note by UNICEF’s Cross-divisional Working Group on Child Online Protection (2020)
- ‘Encryption, Privacy and Children’s Right to Protection from Harm‘, UNICEF Office of Research – Innocenti Working Paper (October 2020)
On the technical issues, cybersecurity risks and fundamental rights risks of generalised scanning tools and methods:
- ‘Why Adding Client-Side Scanning Breaks End-to-End Encryption‘, EFF (2019)
- ‘Bugs in Our Pockets: the Risks of Client-Side Scanning‘, Abelson et al (October 2021)
From the European Parliament:
- MEP Patrick Breyer, ‘Chat Control: The End of the Privacy of Digital Correspondence‘
- European Parliamentary Research Service (EPRS) ‘Targeted substitute impact assessment on the Commission proposal on the temporary derogation from the e-Privacy Directive for the purpose of fighting online child sexual abuse‘ (February 2021)
7. Terminology
Chat control is a term used to refer to the EU’s approach to CSAM and the ePrivacy derogation(s). It is used because, purportedly to tackle online CSAM, the EU has adopted laws which allow for everybody’s supposedly private chats to be surveilled. Read more thanks to MEP Patrick Breyer here.
‘CSAM’ stands for ‘Child Sexual Abuse Material’. It’s a term used to refer to videos, photos, and sometimes written or audio content, which depict the sexual solicitation, abuse and exploitation of under-18s. Generally, CSAM is about the online sharing of such material, for example via messages, or in materials that are uploaded to a cloud server. EU laws and policies which address CSAM have thus tended to focus on tackling the online dimensions of the issue. Some countries refer to the online dimension specifically using the term ‘OCSEA material’ (Online Child Sexual Exploitation and Abuse material) but this is not yet a common term in EU policy debate.
‘CSEA’ stands for ‘Child Sexual Exploitation and Abuse’, and is sometimes also referred to as ‘CSE’ (Child Sexual Exploitation).
A derogation is an exception, passed via a legislative process, to carve out provisions of another law that will no longer apply in the specific context in which the derogation operates. The ‘Legislation to effectively tackle child sexual abuse’ will derogate from the EU’s ePrivacy Directive.
Wikipedia describes lex specialis as follows: “Lex specialis, in legal theory and practice, is a doctrine relating to the interpretation of laws and can apply in both domestic and international law contexts. The doctrine states that if two laws govern the same factual situation, a law governing a specific subject matter (lex specialis) overrides a law governing only general matters (lex generalis).“
8. Contact us
Want to know more? Contact our advisors working on this file:
Ella Jakubowska
Policy Advisor
E-Mail: ella.jakubowska [at] edri [dot] org
PGP: 8B92 3E96 4E53 83F3 2F92 240A F53D 739E CFDA 2711
Twitter: @ellajakubowska1
Diego Naranjo
Head of Policy
E-Mail: diego.naranjo [at] edri [dot] org
PGP: 9A62 189E DB31 1798 6A8E FD45 E320 B10D 3493 8C21
Twitter: @DNBSevilla