[To Eurosmart members only]

New detection obligations for cloud providers and messaging app providers

On 11 May, the European Commission proposed a Regulation to fight child sexual abuse. The proposed legislation establishes new obligations for providers of hosting services (e.g., cloud), providers of interpersonal communication services (e.g., messaging apps) and providers of internet access services. These new rules might impact end-to-end encryption as these actors will have to detect online child sexual abuse.

Please find below the link to the proposal and a summary of the relevant points.

Obligation to detect child sexual abuse material

A national competent authority may request a court or an independent national authority to issue a detection order requiring a provider of hosting services or a provider of interpersonal communications service -under the jurisdiction of that Member State- to detect online child sexual abuse on a specific service.

If they receive such an order, providers shall execute the order by installing and operating technologies to detect the dissemination of known or new child sexual abuse material or the solicitation of children.

The new EU Centre on Child Sexual Abuse will make technologies available free of charge for the sole purpose of executing the detection order. However, the provider shall not be required to use any specific technology.  

“The technologies shall be:

a) effective in detecting the dissemination of known or new child sexual abuse material or the solicitation of children, as applicable;

b) not be able to extract any other information from the relevant communications than the information strictly necessary to detect […] patterns pointing to the dissemination of known or new child sexual abuse material or the solicitation of children, as applicable;

c) in accordance with the state of the art in the industry and the least intrusive in terms of the impact on the users’ rights to private and family life, including the confidentiality of communication, and to protection of personal data;

d) sufficiently reliable, in that they limit to the maximum extent possible the rate of errors regarding the detection.”

The provider shall clearly inform users that it operates technologies to detect online child sexual abuse to execute the detection order.

Identifying the risk of child solicitation

Providers of interpersonal communication services that identified the risk of use of their services for the solicitation of children shall take measures to verify the age of their users.

The text also covers software application stores. They shall identify the applications for which there is a significant risk of using the service for the solicitation of children. Accordingly, they shall take the necessary age verification measures to prevent child users from accessing those software applications.

Next steps

The European Parliament and the Council will examine the text. They will make their respective amendments to the proposal.

Once adopted, the Regulation will replace the current interim Regulation. 

If you have any questions on this topic, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com