Explanatory Memorandum to COM(2020)568 - Derogation from directive on use of technologies by number-independent interpersonal communications service providers for the purpose of combatting child sexual abuse online - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2020)568 - Derogation from directive on use of technologies by number-independent interpersonal communications service providers for ... |
|---|---|
| source | COM(2020)568  |
| date | 10-09-2020 |
1. CONTEXT OF THE PROPOSAL
• Objectives of the proposal
Directive 2002/58/EC ("ePrivacy Directive") 1 ensures the protection of private life, confidentiality of communications and personal data in the electronic communications sector. It implements Articles 7 and 8 of the Charter of Fundamental Rights of the European Union ("Charter") in secondary Union law.
On 21 December 2020, with the entry into application of the European Electronic Communications Code (“EECC”) 2 , the definition of electronic communications services will be replaced by a new definition, which includes number-independent interpersonal communications services. From that date on, these services will, therefore, be covered by the ePrivacy Directive, which relies on the definition of the EECC. This change concerns communications services like webmail messaging services and internet telephony.
Certain providers of number-independent interpersonal communications services are already using specific technologies to detect child sexual abuse on their services and report it to law enforcement authorities and to organisations acting in the public interest against child sexual abuse, and/or to remove child sexual abuse material. These organisations refer to national hotlines for reporting child sexual abuse material, as well as organisations whose purpose is to reduce child sexual exploitation, and prevent child victimisation, located both within the EU and in third countries.
Child sexual abuse is a particularly serious crime that has wide-ranging and serious life-long consequences for victims. In hurting children, these crimes also cause significant and long-term social harm. The fight against child sexual abuse is a priority for the EU. On 24 July 2020, the European Commission adopted an EU strategy for a more effective fight against child sexual abuse 3 , which aims to provide an effective response, at EU level, to the crime of child sexual abuse. The Commission announced that it will propose the necessary legislation to tackle child sexual abuse online effectively including by requiring relevant online services providers to detect known child sexual abuse material and oblige them to report that material to public authorities by the second quarter of 2021. The announced legislation will be intended to replace this Regulation, by putting in place mandatory measures to detect and report child sexual abuse, in order to bring more clarity and certainty to the work of both law enforcement and relevant actors in the private sector to tackle online abuse, while ensuring respect of the fundamental rights of the users, including in particular the right to freedom of expression and opinion, protection of personal data and privacy, and providing for mechanisms to ensure accountability and transparency.
The providers of electronic communications services must comply with the ePrivacy Directive’s obligation to respect the confidentiality of communications and with the conditions for processing communications data. The current practices of some number-independent interpersonal communications services to detect child sexual abuse online could interfere with certain provisions of the ePrivacy Directive. The ePrivacy Directive does not contain an explicit legal basis for voluntary processing of content or traffic data for the purpose of detecting child sexual abuse online. Therefore, for the services falling within scope of the ePrivacy Directive, providers will be able to continue to apply such measures only if Member States adopt legislative measures justified on the grounds laid down in Article 15 of that Directive and meeting the requirements of that provision. In the absence of such national legislative measures and pending the adoption of the long-term legislation announced in the Commission Strategy of 24 July 2020, providers of number-independent interpersonal communications services would lack a legal basis for continuing to detect child sexual abuse on their services. Those voluntary activities play a valuable role in enabling the identification and rescue of victims, and reducing the further dissemination of child sexual abuse material, while also contributing to the identification and investigation of offenders, and the prevention of child sexual abuse offences.
The Commission considers that it is essential to take immediate action. The present proposal therefore presents a narrow and targeted legislative interim solution with the sole objective of creating a temporary and strictly limited derogation from the applicability of Articles 5(1) and 6 of the ePrivacy Directive, which protect the confidentiality of communications and traffic data. This proposal respects the fundamental rights, including the rights to privacy and protection of personal data, while enabling providers of number-independent interpersonal communications services to continue using specific technologies and continue their current activities to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services, pending the adoption of the announced long-term legislation. Voluntary efforts to detect solicitation of children for sexual purposes (“grooming”) also must be limited to the use of existing, state-of-the-art technology that corresponds to the safeguards set out. This Regulation should cease to apply in December 2025. In case the announced long-term legislation is adopted and enters into force prior to this date, that legislation should repeal the present Regulation.
2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
• Legal basis
The relevant legal bases are Article 16 and Article 114 of the Treaty on the Functioning of the European Union (‘TFEU’).
Given that this Regulation provides for a temporary derogation from certain provisions of Directive 2002/58/EC, which was adopted on the basis of Article 95 of the Treaty establishing the European Community, it is appropriate to adopt this Regulation on the basis of the corresponding provision of Article 114 TFEU. In addition, not all Member States have adopted legislative measures in accordance with Article 15(1) of the ePrivacy Directive concerning the use of technologies by number-independent interpersonal communications service providers for the purpose of combatting child sexual abuse online, and the adoption of such measures involves a significant risk of fragmentation likely to negatively affect the internal market. Therefore, it is appropriate to adopt this Regulation on the basis of Article 114 TFEU.
Article 16 TFEU introduces a specific legal basis for the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, by Member States when carrying out activities falling within the scope of Union law, and rules relating to the free movement of such data. Since an electronic communication involving a natural person will normally qualify as personal data, this Regulation should also be based on Article 16 TFEU.
• Subsidiarity (for non-exclusive competence)
According to the principle of subsidiarity, EU action may only be taken if the envisaged aims cannot be achieved by Member States alone. EU intervention is needed to maintain the ability of providers of number-independent interpersonal communications services to voluntarily detect and report child sexual abuse online and remove child sexual abuse material, as well as to ensure a uniform and coherent legal framework for the activities in question throughout the internal market. Lack of Union action on this issue would risk creating fragmentation should Member States adopt diverging national legislation. In addition, such national solutions would most probably not be able to be adopted by 21 December 2020 in all Member States. Moreover, a Union wide derogation from the application of provisions of the ePrivacy Directive for certain processing activities can only be adopted by Union legislation. Therefore, the objective cannot be effectively reached by any Member State acting alone, or even Member States acting collectively.
• Proportionality
The proposal complies with the principle of proportionality as set out in Article 5 of the Treaty on European Union as it will not go beyond what is necessary for the achievement of the set objectives. It introduces a targeted and temporary derogation as regards certain aspects of changes to the current framework in order to ensure that certain measures remain permissible to the extent that they currently comply with Union law. In particular, the proposal creates a temporary and strictly limited derogation from the applicability of Articles 5 (1) and 6 of the ePrivacy Directive, with the sole aim of enabling providers of number-independent interpersonal communications services to continue using specific technologies and continue their current activities to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services, pending the adoption of the announced long-term legislation. This derogation from the revised scope of the ePrivacy Directive has to be interpreted narrowly, in particular as number-independent interpersonal communications services will remain subject to the e-Privacy Directive with regard to all their other activities. The proposal therefore contains safeguards to ensure that technologies benefitting from the derogation meet the standards of the best practices currently applied, and thereby limits the intrusiveness to the confidentiality of communications and the risk of circumvention. The derogation is limited to technologies regularly used by number-independent interpersonal communications services for the purpose of detecting and reporting child sexual abuse online and removing child sexual abuse material before the entry into force of this Regulation and ensures that the types of technologies used are the least privacy-intrusive in accordance with the state of the art in the industry. The providers should also publish annual reports on the undertaken processing. The duration of the derogation is limited to a time period strictly necessary to adopt the long-term legislation.
• Choice of the instrument
The objectives of the present proposal can best be pursued through a Regulation. This will ensure direct applicability of the provisions and ensure a uniform and coherent approach throughout the internal market. This is of particular importance as companies’ actions to combat child sexual abuse online are applied in a uniform manner across their entire service; diverging national transposition measures might provide a disincentive when it comes to continuing the voluntary engagement. Moreover, only a Regulation appears to be able to meet the date of 21 December for entry into application.
3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
• Ex-post evaluations/fitness checks of existing legislation
• Stakeholder consultations
• Collection and use of expertise
• Impact assessment
In view of the policy objective and the time-sensitive nature of the issue, there are no other materially different policy options available, and thus no impact assessment appropriate. In particular, the measure intends to introduce an interim and strictly limited derogation from the applicability of Articles 5(1) and 6 of the ePrivacy Directive to ensure that number-independent interpersonal communications service providers can continue to voluntarily using specific technologies to detect and report child sexual abuse online and to remove child sexual abuse material on their services after 20 December 2020, pending the adoption of long-term legislation. The long-term legislation will be proposed in the second quarter of 2021 as announced in the EU strategy for a more effective fight against child sexual abuse and will be accompanied by an impact assessment.
• Fundamental rights
The proposal takes full account of the fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union. In particular, the proposed measures take into account Article 7 of the Charter of Fundamental Rights of the European Union protects the fundamental right of everyone to the respect for his or her private and family life, home and communications, which includes the confidentiality of communications. In addition, the proposal takes into account Article 24(2) of the Charter which provides that, in all actions relating to children, whether taken by public authorities or private institutions, the child’s best interests must be a primary consideration. Moreover, to the extent that processing of electronic communications by number-independent interpersonal communications services for the sole purpose of detecting and reporting child sexual abuse online and removing child sexual abuse material falls into the scope of the derogation created by this proposal, the General Data Protection Regulation, which implements in secondary legislation Article 8(1) of the Charter, continues to apply to such processing.
4. BUDGETARY IMPLICATIONS
This proposal has no implications for the EU budget.
5. OTHER ELEMENTS
• Implementation plans and monitoring, evaluation and reporting arrangements
• Detailed explanation of the specific provisions of the proposal
Article 1 defines the objective of the proposal to create a temporary and strictly limited derogation from the application of certain obligations of Directive 2002/58/EC, with the sole objective of enabling providers of number-independent interpersonal communications services to continue the use of technologies for the processing of personal and other data to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services.
Article 2 refers to the definition of number-independent interpersonal communications services in Directive (EU) 2018/1972 (European Electronic Communications Code) and to certain definitions in Directive 2011/93/EU on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA.
Article 3 sets the scope of the derogation by creating a limited exemption to the obligations set by Articles 5(1) and 6 of the ePrivacy Directive for the processing of personal and other data in connection with the provision of number-independent interpersonal communications services necessary for the use of technology, including, where necessary, any human review directly relating to the use of the technology, for the sole purpose of detecting or reporting child sexual abuse online to law enforcement authorities and to organisations acting in the public interest against child sexual abuse as well as removing child sexual abuse material, and sets a list of conditions for such a derogation to apply.
Article 4 sets the dates for entering into force and into application of the Regulation and when or under which conditions the Regulation shall cease to apply.