Temporary ePrivacy derogation: Companies like Facebook must never indiscriminately scan people’s private messages

In response to the European Commission’s public consultation on the extension of the interim ePrivacy derogation, EDRi warns that even when they are ‘voluntary’, any measures for digital platforms to indiscriminately scan people’s private messages are an unacceptable interference with our human rights.

By EDRi · February 12, 2024

On 8 February, the EDRi network responded to the European Commission’s public consultation on their proposal to extend the ‘temporary exception from certain parts of the e-Privacy Directive’. This proposal means that the controversial current rules, which have been coined Chat Control 1.0, could remain in force for an extra two years.Read the submissionThe currently in-force temporary ePrivacy derogation aims to enable companies to detect online child sexual abuse material (CSAM). However, in order to do this, it permits companies to conduct mass scanning of everyone’s private messages and chats, rather than limiting surveillance to those against whom there is reasonable, lawful suspicion.

The general and indiscriminate scanning of people’s private messages, regardless of whether it is voluntary or not, represents a significant violation of fundamental rights such as privacy, data protection, and free expression of a large number of individuals.

Furthermore, voluntary measures may undermine the claim that these measures are legitimate in the eyes of the law. If despite all the concerns raised, the legislator still deems these measures to be essential and effective, then commercial entities should be required to implement them. To be legally consistent, measures that allow such an intrusion into people’s digital private lives of individuals cannot be left to the discretion of tech companies such as Facebook, Microsoft, Apple, Thorn, or any other. They already hold too much power over our online lives, and EU law should not make this even worse!

We are also very concerned that the European Commission continues to be unable to provide evidence of the effectiveness of the temporary derogation. Evidence is a key part of EU lawmaking, and without it, we are being asked to simply trust the EU’s authorities. However, EDRi has long warned that any form of mass scanning is technically flawed and ineffective. The implementation report, however, reiterates unsubstantiated and widely contested claims from suppliers that their technologies have a high rate of accuracy and draws bizarre conclusions which are not supported by the data.

Read the submission

What’s the bigger legislative context of this extension?

On 10 January 2017, the European Commission launched a long-awaited proposal to update the main law that protects people’s privacy online: the Directive on Privacy and aElectronic Communications, which was adopted in 2002 (ePrivacy Directive).

However, even after several years, the proposed update remains stuck in negotiations, leaving our online privacy stuck in 2002. Then, in August 2021, EU lawmakers controversially agreed to new rules to temporarily suspend certain parts of the 2002 ePrivacy Directive in order to allow the use of technologies to combat online child abuse.

This exemption allowed electronic communications services, such as chat or webmail services, to conduct automated scanning of everyone’s private communications, all the time, instead of limiting surveillance to genuine suspects and in line with due process. Such generalised scanning practices are a form of mass surveillance and lack a proper legal basis, which is why these rules are the subject of two lawsuits in Germany, and widespread criticism from legal experts. As it stands, the temporary exception from the ePrivacy Directive is set to expire on August 3, 2024.

Although the Commission planned to have the long-term version of the law, the Child Sexual Abuse Regulation (CSAR), adopted before the European elections in June 2024 to replace the temporary exemption, it is now almost impossible that the CSAR, particularly the sections on detection orders, could be adopted before August 2024. As a result, the European Commission has decided to extend the temporary exception until CSAR is adopted. Yet the essential problems that have plagued the temporary derogation have not been solved in the draft CSAR. The European Commission’s misleading claims and naive faith in commercial technologies, however, endure.