Negotiations on the EU’s regulation to combat the dissemination of child sexual abuse material (CSAM) online have been stalled in the Council for some time. Previous drafts proposed mandatory detection measures for known CSAM, enforced through detection orders. These orders could be issued against hosting services and interpersonal communication service providers deemed high-risk under the regulation. However, these measures faced strong opposition from privacy advocates and industry players, who warned they could undermine end-to-end encryption and be misused for government surveillance.
What’s new?
A leaked draft from the Polish Council Presidency significantly scales back these controversial measures in an effort to reach a compromise:
- Removal of detection orders: The new draft eliminates the highly contentious provisions allowing detection orders against high-risk hosting or communication service providers.
- Deferred decision on mandatory detection: Instead of immediate obligations, the draft requires the European Commission to submit a report within three years on the feasibility and necessity of mandatory detection measures.
- No obligation to scan content: The revised proposal explicitly states that service providers are not required to implement generalised or indiscriminate CSAM detection.
- Extended voluntary measures with safeguards: The regulation would make permanent some temporary derogations from the EU ePrivacy Directive, currently set to expire in April 2026. However, additional safeguards have been introduced, including:
  - Providers must ensure their voluntary CSAM detection measures do not create unmitigated cybersecurity risks.
  - Providers must keep detailed logs of their activities for internal and external review, as well as for potential criminal or disciplinary proceedings.
What remains?
Some key elements from earlier drafts remain unchanged:
- End-to-end encryption protections: The proposal retains language stating that the regulation must not prohibit, weaken, circumvent, or undermine cybersecurity measures, particularly encryption, including end-to-end encryption. It also clarifies that providers are not required to decrypt data or create access to encrypted data.
- Risk-based classification of services: The regulation still categorises hosting and communication services into low-, medium-, and high-risk tiers, with varying compliance obligations. For example:
  - Risk assessments must be updated annually for high-risk services but only every three years for lower-risk ones.
  - A user notification mechanism for reporting potential CSAM is mandatory only for high-risk services.
  - High-risk service providers must contribute to the development of detection technologies, in line with their financial, technical, and operational capacity.
- Broader scope of ‘interpersonal communications services’: The regulation’s definition of these services remains broader than that in the EU Electronic Communications Code, covering platforms where direct messaging is only a minor, ancillary feature that is intrinsically linked to another service.
- Delisting obligations for providers of search engines: While mandatory detection has been removed for hosting and communication services, delisting orders remain in place for search engines. These include detailed cross-border enforcement procedures.
- Software application store obligations: Providers of app stores must still implement measures such as age verification and assessment.
What’s next?
Member State attachés will meet on 5 February 2025 to discuss the compromise. The success of the revised proposal will depend on whether shifting the focus from mandatory detection orders to voluntary measures gains enough support in the Council.