Here is the leaked document

The document shows amendments made by the @Europarl_EN & the @EUCouncil on the text of the #ePrivacy Regulation compared to the @EU_Commission original proposal
The document now directly references the right of the child to "be protected from all forms of violence, abuse and neglect, maltreatment or exploitation, including sexual abuse, as provided for by the 1989 United Nations Convention on the Rights of the Child and by the Charter"
Reference is made to the voluntary technical measures taken to detect and prevent CSAM (child sexual abuse material) by "by scanning either the content, such as images and text, or the traffic data of communications "
While supporting the rights of the child & acknowledging voluntary measures, the document acknowledges that "these activities constitute an interference with the fundamental rights to respect for private and family life and protection of personal data"
and stresses that "Any limitation to the fundamental right to respect for private and family life, including the confidentiality of communications, cannot be justified merely on the ground that certain technologies were previously deployed when the services concerned did not,
from a legal perspective, constitute electronic communications services."

"Such interference is only possible under certain conditions. It needs to be provided for by law, respect the essence of the rights to private and family life and to the protection of personal data and,
in compliance with the principle of proportionality, be necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others as enshrined in Article 52 (1) of the Charter" (
Reflecting case law on mass surveillance, the @Europarl_EN want this text included "Where such measures permanently involve a general and indiscriminate monitoring and analysis of communications of all users, they violate the right to confidentiality of communications"
The text refers to Directive (EU) 2018/1972 (the Electronic Communications Code) bringing "number-independent interpersonal communications services" (such as Skype or WhatsApp for example) into the scope of the current ePrivacy Directive 2002/58EC (as amended).
And here for me is a key aspect of the text. "pursuant to Article 15(1) of Directive 2002/58/EC, Member States may adopt LEGISLATIVE MEASURES to restrict the scope of the rights and obligations provided for in, inter alia, Articles 5 and 6 of that Directive, [MY EMPHASIS]
"In the absence of such national legislative measures and pending the adoption of a longer-term legal framework to tackle child sexual abuse .. those voluntary measures of providers of number-independent interpersonal communications services can no longer rely on Article 6 of
Regulation (EU) 2016/679 to continue to detect and report online child sexual abuse online and remove online child sexual abuse material from in their services beyond 21 December 2020."

"This Regulation does not provide for a legal ground for the processing of personal data by
number-independent interpersonal communications services for the sole purpose of detecting & reporting online child sexual abuse and removing online child sexual abuse material from their services, but it provides for [a derogation from certain provisions of Directive 2002/58/EC/
a restriction of certain rights and obligations laid down in Directive 2002/58/EC]." <so, the interference with the right to the confidentiality of communications needs to have a legal basis
But, notwithstanding that the restriction of rights and obligations of the privacy/confidentiality of communications (& associated data) requires legislative measures, the compromise text, proposes that IT provides a "temporary derogation" 🤔🤔
It proposes that the temporary derogation (not sure how the Regulation itself amounts to a legislative measure by an MS) permits the "voluntary use by providers of number-independent interpersonal communications services of technologies for the processing of personal
[and other data] to the extent necessary to detect and report online child sexual abuse and remove online child sexual abuse material"

So long as the measures comply with provisions set out in the proposed #ePrivacy Regulation, and which includes ........
- using "the least privacy-intrusive [technologies] in accordance with the state of the art in the industry." 🤔
- not using technologies "for systematic filtering and scanning of text in communications other than solely to detect patterns which point to possible concrete
elements of suspicion of online child sexual abuse without being able to understand the substance of the content." 🤔 So, AI? Automated decision making etc etc?
- "In the case of technology used for identifying solicitation, such concrete elements of suspicion exist only where a
child below the age of sexual consent is involved in the scanned communications.Therefore, the technology used for identifying solicitation should be based on objectively identified risk factors such as the involvement of a child in the scanned communication"
- Appropriate procedures and redress mechanisms should be in place to ensure that individuals can lodge complaints with the provider of a number-independent interpersonal communications service. <would they know they'd been flagged but dismissed etc?
- the technology "should, in accordance with the state of the art in the industry, be such as to limit the error rate of false positives to the maximum extent possible and, where necessary, to rectify without delay any such errors that may nonetheless occur"
BUT as I scan "3rd Trilogue (09/03/2021)"End-to-end encryption is an important tool to guarantee secure & confidential communications ... Nothing in this Regulation should therefore be interpreted as prohibiting or weakening end-to-end encryption."
End to End Encryption - page 41 of 92

Also, I would expect providers to conduct detailed and meaningful data protection impact assessments that reflect a range of fundamental rights and freedoms. BUT ....
You can follow @PrivacyMatters.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: