In a closed-door meeting with EU lawmakers, the European Data Protection Supervisor criticised the proposal to fight Child Sexual Abuse Material as trying to mask breaches of fundamental rights.
The European Data Protection Supervisor (EDPS), the authority responsible for advising EU institutions on privacy matters, took an outspoken, critical stance on the draft law in a joint opinion with the European Data Protection Board.
When the European Commission published the proposal to fight the dissemination of Child Sexual Abuse Material (CSAM) in May, it was criticised because the legislation includes the possibility for judges to issue detection orders for interpersonal communication services.
Based on the proposal, if a judicial authority finds a significant risk of a messaging app or email service being used to disseminate CSAM, it will have the power to request the relevant providers to put in place a tool to scan communications to detect suspicious content automatically.
This measure prompted concerns from privacy advocates, who accused it of being disproportionate and de facto breaking End-to-End Encryption, a technology whereby only the senders and receivers of the communications can see the content.
In the joint opinion, the two EU bodies noted that the broad scope of these detection orders, which might apply to the entire communications service and for up to two years, will practically result in general and indiscriminate monitoring rather than a targeted one.
In December, in a private discussion with the EU lawmakers that follow the file in the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, the EDPS Wojciech Wiewiórowski was much more explicit in his criticism of the proposal.
Wiewiórowski said this type of indiscriminate scanning of private communications “will always be illegal under the Charter of Fundamental Rights (and probably under several national constitutional laws as well),” according to a written version of the opening statement obtained by EURACTIV.
The EU privacy watchdog went even further, stating that “the detection order comes in the guise of an individually targeted measure” and the proposal “creates an illusion of legality by introducing numerous procedural ‘safeguards’ which, however, do not fundamentally change the substance.”
A spokesperson confirmed to EURACTIV that that is the EDPS position on the file. However, asked whether the term ‘illusion’ implied an accusation that the Commission drafted the proposal in an intentionally misleading way, the EDPS representative denied that was the case.
Still, as potentially all users of the affected platforms could be touched by a detection order, Wiewiórowski considers that the proposal procedurally blurs the difference between the unknown criminal, the service provider and the innocent users whose fundamental rights are affected.
“When the essence of a fundamental right is affected, it is not possible to remedy it and ensure proportionality by adducing safeguards,” he added, pointing to legal precedents such as the Tele2 Sverige and Digital Rights Ireland verdicts of the EU Court of Justice.
In other words, the EDPS considers that no safeguards could be sufficient to remedy the disproportionate access that the detection orders would provide to law enforcement agencies on private communications. Hence the measure is due to be annulled in court.
In the civil liberties committee, a draft report on the draft regulation is expected in April. In the internal market and consumer protection committee, which is set to issue an opinion as an associated committee, the deadline for amendments is Tuesday (7 March).
Article: EU watchdog: Online child abuse draft law creates ‘illusion of legality’