Press Release: The EU’s Internal Market Committee votes for protecting encryption in the CSA Regulation

Today, 29 June, the European Union’s Internal Market and Consumer Protection (IMCO) Committee becomes the fourth European Parliament Committee to adopt an opinion on the European Union Child Sexual Abuse (CSA) Regulation, voting to protect encryption and rule out unacceptably risky technologies. Their position must be taken into account in the final position of the lead Civil Liberties (LIBE) committee.

EDRi has argued many times that technology is not a silver bullet and cannot be used to resolve complex societal problems. The IMCO opinion adopted today rejects measures that would undermine end-to-end encryption and requires that technologies must be sufficiently effective. As stipulated by the Court of Justice, IMCO MEPs say that tools must be able to distinguish between lawful and unlawful content without the need for independent human assessment. In practice, this would mean that many scanning tools cannot be used.

What also stands out in the opinion is the proposed deletion of the grooming detection from the scanning rules. As EDRi and child rights specialists have warned, such technologies are not fit for purpose, with the Committee proposing safety by-design measures instead.

Encryption             

The proposed law by the European Commission treats all internet users in the EU as potential child sexual abuse perpetrators, creating conditions whereby any device in the EU that runs an encrypted app could be monitored by a distributed form of spyware (client-side scanning).

However, IMCO has confirmed a strong level of protection for end-to-end encryption. This means that the Committee recognises the importance of protecting people’s private communications, ensuring that the law is not allowed to open any backdoors for snooping into people’s private spaces online.

Age verification   

 The Committee has removed the mandatory age verification requirement which is a positive step because, as EDRi has warned, age verification tools are a threat to both children and adults. These tools can expose people to manipulative surveillance advertising and make digital identity mandatory for participation in social life and access to online services.

Instead, the opinion adds several safeguards if providers decide to use age verification or assurance methods – including respecting the data of young people, avoiding biometric processing, and preventing social exclusion, for example for those without identity documents.

Detection Orders    

The IMCO opinion moves a step away from the European Commission’s proposal, recognising that the suggested detection orders are problematic and warning against general monitoring obligations. However, the Committee does not go far enough, as its suggestion for targeting detection orders still falls short of the necessary individual-level suspicion to justify such an intrusion into a person’s private life. Without this change, the proposal still amounts to mass surveillance and must be rejected.

What’s additionally concerning in the IMCO opinion is the space that it creates for voluntary detection. According to the opinion, some forms of scanning may be allowed to happen without proper safeguards. Therefore, we would all face the risk of upload filters which would enable the surveillance of all content online and censorship.

What’s Next   

In September, the European Parliament’s LIBE Committee will vote on their position, which is currently being negotiated, and which the IMCO opinion will influence.

In October, the whole Parliament will vote on whether to adopt this as the official negotiating position of the European Parliament.

The current amendments of the LIBE Committee show a clear majority for fully protecting the integrity of encryption and a strong will from MEPs from six political groups to fully target Detection Orders to only those against whom there is reasonable suspicion.