European Commission must uphold privacy, security and free expression by withdrawing new law, say civil society

In May, the European Commission proposed a new law: the CSA Regulation. If passed, this law would turn the internet into a space that is dangerous for everyone’s privacy, security and free expression. EDRi is one of 134 organisations calling instead for tailored, effective, rights-compliant and technically-feasible alternatives to tackle this grave issue.

By EDRi · June 8, 2022

"When you fundamentally undermine how the internet works, you make it less safe for everyone. If passed, this law will turn the internet into a space that is dangerous for everyone’s privacy, security and free expression. This includes the very children that the legislation aims to protect."

- 134 civil society & professional groups


EDRi is one of 134 civil society organisations and professional bodies writing to the European Commission with a strong demand: “European Commission: uphold privacy, security and free expression by withdrawing new law”. We caution EU politicians and governments that when you fundamentally undermine how the internet works, you make it less safe for everyone.

The 134 signatories of this letter are made up of a broad range of groups working across human rights – including the digital rights of adults and young people; the protection of journalists and media freedom; lawyers; whistle-blowers; gender justice; democracy and peace; workers; children’s health, and more. We share a commitment to protecting online privacy, security and freedom of expression for everyone (including children) globally.

These rights allow us to do our jobs, raise our voices and hold power to account without arbitrary intrusion, persecution or repression. These rights are also important for providing confidential support to survivors, for developing our autonomy and sense of self, and for accessing and enjoying almost all our other human and civil rights.

The signatories of the letter warn that the European Commission’s proposed CSA Regulation is likely to do far more harm than good. In the important fight against child sexual abuse and exploitation, we support measures that are targeted, effective and proportionate. Many of us have previously spoken out about how to ensure that measures to keep children safe online are done according to existing human rights, the rule of law, and due process frameworks. In our work, we have direct experience of how such rules and principles are essential to uphold democracy, access to justice and the presumption of innocence.

Unfortunately, we do not believe that such measures are to be found in the proposed legislation. In fact, the proposal relies on technologies that are not able to do what the Regulation claims, and instead will attack encrypted communications, open internet spaces and online anonymity. That’s why we want the Commission to do better to tackle this critically-important issue in a way that respects privacy, security and free expression.

Read the full letter:

Dear European Commissioners,

When you fundamentally undermine how the internet works, you make it less safe for everyone.

We write to you as 134 civil society and professional (trade union) organisations working across human rights, media freedom, technology and democracy in the digital age. Collectively, we call on you to withdraw the ‘Regulation laying down rules to prevent and combat child sexual abuse’ (CSA Regulation) and to pursue an alternative which is compatible with EU fundamental rights.

It is not possible to have private and secure communications whilst building in direct access for governments and companies. This will also open the door for all types of malicious actors. It is not possible to have a safe internet infrastructure which promotes free expression and autonomy if internet users can be subjected to generalised scanning and filtering, and denied anonymity.

The proposed CSA Regulation has made a political decision to consider scanning and surveillance technologies safe despite widespread expert opinion to the contrary. If passed, this law will turn the internet into a space that is dangerous for everyone’s privacy, security and free expression.[1] This includes the very children that this legislation aims to protect.

These rules will make social media companies liable for the private messages shared by their users. It will force providers to use risky and inaccurate tools in order to be in control of what all of us are typing and sharing at all times. The Impact Assessment accompanying the proposal encourages companies to deploy Client-Side Scanning to surveil their users despite recognising that service providers will be reluctant to do so over security concerns. This would constitute an unprecedented attack on our rights to private communications and the presumption of innocence.

It is not just adults that rely on privacy and security. As the United Nations and UNICEF state, online privacy is vital for young people’s development and self-expression, and they should not be subjected to generalised surveillance. The UK Royal College of Psychiatrists highlights that snooping is harmful for children, and that policies based in empowerment and education are more effective.

The CSA Regulation will cause severe harm in a wide variety of ways:

  • A child abuse survivor who wants to confide in a trusted adult about their abuse could have their private message flagged, passed on to a social media company employee for review, then to law enforcement to investigate. This could disempower survivors, infringe on their dignity, and strongly disincentivise them from taking steps to seek help at their own pace;
  • Whistleblowers and sources wanting to anonymously share stories of government corruption would no longer be able to trust online communications services, as end-to-end encryption would be compromised. Efforts to hold power to account would become much more difficult;
  • A young-looking adult lawfully sending intimate pictures to their partner could have those highly-personal images mistakenly flagged by the AI tools, revealed to a social media employee, and then passed on to law enforcement;
  • These inevitable false flags will over-burden law enforcement who already lack the resources to deal with existing cases. This would allocate their limited capacities towards sifting through huge volumes of lawful communications, instead of deleting abuse material and pursuing investigations into suspects and perpetrators;
  • Secure messenger services (like Signal) would be forced to technically alter their services, with users unable to access secure alternatives. This would put anyone that relies on them at risk: lawyers, journalists, human rights defenders, NGO workers (including those who help victims), governments and more. If the service wanted to keep its messages secure, it would be fined 6% of its global turnover; or would be forced to withdraw from the EU market;
  • By undermining the end-to-end encryption that journalists rely on to communicate securely with sources, the regulation will also seriously jeopardise source protection, weaken digital security for journalists and have a severe chilling effect on media freedom;
  • Once this technology has been implemented, governments around the world could pass laws forcing companies to scan for evidence of political opposition, of activism, of labour unions that are organising, of people seeking abortions in places where it is criminalised, or any other behaviours that a government wants to suppress.
  • These threats pose an even greater risk to disenfranchised, persecuted and marginalised groups around the world.

In recent years, the EU has fought to be a beacon of the human rights to privacy and data protection, setting a global standard. But with the proposed CSA Regulation, the European Commission has signalled a U-turn towards authoritarianism, control, and the destruction of online freedom. This will set a dangerous precedent for mass surveillance around the world.

In order to protect free expression, privacy and security online, we the undersigned 129 organisations call on you as the College of Commissioners to withdraw this Regulation.

We call instead for tailored, effective, rights-compliant and technically feasible alternatives to tackle the grave issue of child abuse. Any such approaches must respect the EU Digital Decade commitment to a “safe and secure” digital environment for everyone – and that includes children.

Signed,

  1. 5th of July Foundation – Sweden
  2. Access Now – International
  3. Agora Association – Turkey
  4. AlgoRace – Spain/Europe
  5. Alternatif Bilisim (AiA-Alternative Informatics Association) – International
  6. APADOR-CH – Romania
  7. ApTI Romania – Romania
  8. ArGE Tübingen – Germany
  9. ARTICLE 19 – International
  10. Aspiration – United States
  11. Associação Nacional para o Software Livre (ANSOL) – Portugal
  12. Associação Portuguesa para a Promoção da Segurança da Informação (AP2SI) – Europe
  13. Association for Support of Marginalized Workers STAR-STAR Skopje – Republic of North Macedonia
  14. Attac Austria – Austria
  15. Aufstehn.at – Austria
  16. Austrian Chamber of Labour – Austria
  17. Berlin Strippers Collective – Germany
  18. Big Brother Watch – United Kingdom
  19. Bits of Freedom – Netherlands
  20. Bündnis für humane Bildung – Germany
  21. Center for Civil and Human Rights (Poradňa) – Slovakia
  22. Center for Democracy & Technology – Europe
  23. Centrum Cyfrowe – Europe
  24. Chaos Computer Club – Germany
  25. Citizen D / Državljan D – Slovenia
  26. Civil Liberties Union for Europe – Europe
  27. CloudPirat – Germany
  28. Committee to Protect Journalists – EU/International
  29. COMMUNIA Association for the Public Domain – Europe
  30. comun.al – Latin America
  31. Council of European Informatics Societies (CEPIS) – Europe
  32. D3 Defesa dos Direitos Digitais – Portugal
  33. D64 – Zentrum für Digitalen Fortschritt – Germany
  34. Danes je nov – Slovenia
  35. Dataföreningen västra kretsen (The Swedish Computer Society) – Sweden
  36. Dataskydd.net – Sweden
  37. Defend Democracy – International
  38. Defend Digital Me – United Kingdom
  39. Democracy in Europe Movement 2025 (DiEM25) – Europe
  40. Deutsche Vereinigung für Datenschutz (DVD) – Germany
  41. DFRI – Sweden
  42. Digital Advisor – The Netherlands
  43. Digital Rights Ireland – Ireland
  44. Digitalcourage – Germany
  45. Digitale Gesellschaft – Germany
  46. Digitale Gesellschaft / Digital Society – Switzerland
  47. Electronic Frontier Finland – Finland
  48. Electronic Frontier Foundation (EFF) – United States
  49. Elektronisk Forpost Norge (EFN) – Norway
  50. epicenter.works for digital rights – Austria
  51. Equipo Decenio Afrodescendiente – Spain
  52. ESOP Associação de Empresas de Software Open Source Portuguesas – Portugal
  53. Eticas Foundation – International
  54. European Center for Not-For-Profit Law (ECNL) – Europe
  55. European Digital Rights (EDRi) – Europe
  56. European Sex Workers’ Rights Alliance (ESWA) – Europe and Central Asia
  57. Fight for the Future – US/International
  58. Fitug e.V. – Germany
  59. Free Software Foundation Europe – European
  60. Fundación Karisma – Colombia
  61. GAT – Grupo de Ativistas em Tratamentos – Portugal
  62. Gesellschaft für Bildung und Wissen e.V. – Germany
  63. Gesellschaft für Informatik / German Informatics Society (GI) – Germany/EU
  64. Global Forum for Media Development – International
  65. Hermes Center for Transparency and Digital Human Rights – Italy
  66. Homo Digitalis – Greece
  67. Human Rights House Zagreb – Croatia
  68. imaniti.org – Czech Republic
  69. iNGO European Media Platform – Europe
  70. Institute of Communication Studies – Republic of Macedonia
  71. International Press Institute (IPI) – International
  72. Internet Governance Project – International
  73. Internet Society – International
  74. Internet Society Catalan Chapter (ISOC-CAT) – Europe
  75. Interpeer gUG (gemeinnützig) – Europe
  76. Irish Council for Civil Liberties – Ireland
  77. ISOC Brazil – Brazilian Chapter of the Internet Society – Brazil
  78. ISOC Portugal Chapter – Portugal
  79. ISOC UK England – UK
  80. IT-Pol – Denmark
  81. Iuridicum Remedium, z.s – Czech Republic
  82. JAKKLAC iniciativa – Latin America
  83. La Quadrature du Net – France
  84. Legal Legion (loyalty) NPO – Cyprus
  85. Ligue des droits humains – Belgium
  86. LOAD e.V. – Germany
  87. Lobby4kids – Kinderlobby – Austria
  88. Medienkompetenz Team e.V. – Germany
  89. MetaGer, SUMA-EV – German
  90. National Ugly Mugs (NUM) – United Kingdom
  91. Netherlands Helsinki Committee – The Netherlands
  92. Nordic Privacy Center – Nordics
  93. Norway Chapter of the Internet Society – Norway
  94. Norwegian Unix User Group – Norway
  95. Open Knowledge Foundation – International
  96. Open Rights Group – United Kingdom
  97. Österreichischer Rechtsanwaltskammertag – Austria
  98. Panoptykon Foundation – Poland
  99. Peace Institute – Slovenia
  100. PIC Amsterdam – Netherlands
  101. Platform Burgerrechten – The Netherlands
  102. Presseclub Concordia – Austria
  103. Privacy First – Netherlands
  104. Privacy International – International
  105. quintessenz – Verein zur Wiederherstellung der Bürgerrechte im Informationszeitalter – Austria
  106. Ranking Digital Rights – International
  107. Red Umbrella – Sweden
  108. SaveTheInternet – Europe
  109. SekswerkExpertise – Netherlands
  110. Sex Workers Alliance Ireland – Ireland
  111. Sex Workers’ Empowerment Network – Greece
  112. Social Media Exchange – Middle East and North Africa (MENA)
  113. StatewatchEU – Europe
  114. Stichting Stop Online Shaming – the Netherlands
  115. Stowarzyszenie Nasze Imaginarium – Poland
  116. SZEXE – Association of Hungarian Sex-Workers – Hungary
  117. Teckids e.V. – Germany
  118. The Civil Affairs Institute (Instytut Spraw Obywatelskich) – Poland
  119. The Commoners – Spain
  120. The Document Foundation – Global
  121. The Electronic Privacy Information Center (EPIC) – International
  122. The European Federation of Journalists (EFJ) – Europe
  123. The Foundation for Information Policy Research (FIPR) – UK/Europe
  124. The Surveillance Technology Oversight Project – S.T.O.P. – United States
  125. Voices4 Berlin – International
  126. Vrijschrift.org – The Netherlands
  127. West Africa ICT Action Network – Liberia / West Africa
  128. Whistleblower-Netzwerk – Germany
  129. Whose Knowledge? – International
  130. Wikimedia – International
  131. Wikimedia Deutschland e.V. – Germany
  132. Women’s Link Worldwide – Europe
  133. WorkerInfoExchange – International
  134. Xnet – Spain

You can still add your organisation’s signature to the open letter by filling out this form.

This letter is intended for groups / organisations. Are you an individual wanting to express your opposition to the CSA Regulation? You can now sign the people’s petition here.

Please note that this letter was originally published on 8 June 2022 with 73 signatories. As new signatories are added on a rolling basis, it will be updated periodically to reflect the new count as well as the additional organisations that have signed on. As of 26 April 2023, the new total is 134 signatories.

[1] Former UN Special Rapporteur on Freedom of Expression, David Kaye, reaffirms that: “encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age”.