On July 6, 2021, the European Parliament approved legislation allowing online service providers to continue scanning their services for child sexual abuse material (CSAM). The legislation creates a temporary exemption from provisions of Directive 2002/58/EC (the ePrivacy Directive) so that providers can voluntarily detect CSAM without violating the ePrivacy Directive. We expect the legislation will face legal challenges in the coming months.
The legality of scanning for CSAM came into question in December 2020, when the ePrivacy Directive was expanded to cover providers like platforms, online messaging services, and email services. Entities subject to the ePrivacy Directive may not tap, store, or otherwise intercept or surveil communications without a user’s consent. There is no exception for scanning communications in order to detect CSAM and report it to law enforcement. Thus, such scanning by platforms, online messaging services, and email providers became a violation of the ePrivacy Directive.
Recognizing the value of detecting and reporting CSAM, the European Commission proposed the exemption that was approved by the European Parliament. Providers that invoke this legislation can continue to scan communications and related traffic data (i.e., data necessary to transmit communications) within the EU in order to detect and report CSAM. Among other requirements, providers must use minimally invasive measures, establish procedures to ensure that data is not used for unauthorized purposes, and provide certain information to users, such as the fact that their communications are being scanned. The legislation will remain in effect until 2024. In the meantime, the European Commission may consider more lasting measures to enable CSAM detection.
While the legislation is welcome news to many providers, it may face legal challenges. The European Data Protection Board criticized the legislation soon after it was proposed for interfering with privacy rights, and both privacy advocates and members of the European Parliament have reportedly stated that the legislation is legally flawed. But for now, providers can continue voluntarily detecting CSAM if they meet the requirements of the new legislation. Providers should, however, monitor any challenges to the legislation so that they are prepared to change their practices if such challenges are successful.