Johansson’s address to MEPs shows why the CSA law will fail the children meant to benefit from it

On 10 October 2022, EU Commissioner for Home Affairs, Ylva Johansson, addresses the European Parliament’s Civil Liberties (LIBE) Committee about the proposed EU Child Sexual Abuse Regulation (2022/0155). The address follows months of criticism from civil liberties groups, data protection authorities and even governments due to the risks it poses to everyone’s privacy, security and free expression online.

By EDRi · October 10, 2022

In the name of protecting children, the EU wants to surveil people’s private messages – even using dangerous tech which will break encryption – and to block people from accessing legitimate online services.

The proposed EU Child Sexual Abuse Regulation is a draft law which is supposed to help tackle the spread of child sexual abuse material. Instead, it will force the providers of all our digital chats, messages and emails to know what we are typing and sharing at all times. It will remove the possibility of anonymity from many legitimate online spaces. And it may also require dangerous software to be downloaded onto every digital device.

As the UN’s top human rights authority confirms, the right to a private life keeps everyone safe. This includes journalists, human rights defenders, minoritised groups and – of course – children themselves.

For young people, the EU’s proposed law will mandate the violation of their privacy and security (for example by building in dangerous encryption backdoors) which will lead to all sorts of harms. It will take away essential digital private spaces for survivors of child sexual abuse, as well as for young people that face high levels of abuse online, such as young activists.

It risks further excluding marginalised young people, like undocumented or Roma teenagers, from accessing message services. It will report young people that are consensually and lawfully exploring their sexual self-expression, with particular harms for LGBTQ+ young people. And it may require service providers to censor social media uploads, and may make children’s (and everyone’s) phones more vulnerable to attackers.


114 organisations call on EU lawmakers to uphold privacy, security and free expression by rejecting the CSA Regulation.

Read more

For children whose abuser is a family member, they could be locked out of digital communications that could help them escape their abuse. Child protection experts point out that 90% of child abuse survivors are abused by someone known to them. Survivor Alexander Hanff warns that surveillance measures will disincentivise children from reporting their abuse.

The gravity of the horrific crime of child sexual abuse doesn’t mean that the proposed EU rules are the right ones to tackle this problem.

The issue is so serious that it is vital that EU lawmakers get it right. A leaked document from the European Commission’s own review board showed that they are aware that the proposal may amount to illegal general monitoring. It also fails to meet important human rights standards of necessity and proportionality.

That’s because the proposed measures are deeply invasive, and treat every single person that uses the internet as suspicious, instead of focusing on those against whom there is evidence of illegal conduct. This undermines the presumption of innocence and other key tenets of the rule of law. It’s very likely that if passed, the new law would be struck down by the Court of Justice – bringing us right back to square one. That won’t help anyone.

The proposed rules are not technologically neutral, but technologically naive, and cannot be implemented in the way that the European Commission’s proposal claims.

The CSA Regulation relies on accuracy claims which have been provided by private companies, with no independent validation or scrutiny. The small amount of publicly-available evidence suggests that these statics are not credible and that the new rules will lead to vast amounts of false alarms. European police forces are frequently unable to deal with the volumes of reports of CSA that they already receive; our upcoming position paper will explain how the CSA Regulation will only exacerbate this problem.

The proposal could require even end-to-end encrypted message providers to scan the content of people’s private messages. The assessment of technical experts around the world is very clear: this simply cannot be done in a way that is safe, secure or respects the integrity of encryption, and may even violate the essence of the right to privacy.

To ensure a safe internet for all – including children – the EU must pursue better alternatives to the CSA Regulation. That’s why 114 civil society groups call on the EU to withdraw the proposal.

Young people need to be educated and empowered to navigate the digital worlds safely, not constantly surveilled and deprived of their digital privacy. Many child rights groups encourage increasing children’s access to reporting hotlines as well as institutional support. They also highlight the need for increasing investment in child protection, anti-poverty measures, survivor support and other forms of welfare.

Vital reforms are needed to ensure that police and judicial authorities across Europe are properly equipped to deal with CSA, including enabling survivors to access justice. More investment also needs to be made in prevention, in enforcing existing rules (such as the 2011 Child Sexual Abuse Directive) and other common-sense measures, rather than resorting to unrealistic technological ‘quick fixes’. As the EU’s top data protection authority confirms, these measures may even “harm those they seek to protect”.

Contribution by:

Ella Jakubowska

Senior Policy Advisor

Twitter: @ellajakubowska1