EU Proposes Legislation Targeting Online Child Sexual Abuse Material

The new regulation would apply alongside the Digital Services Act
August.10.2022

On 11 May, 2022, the European Commission announced a proposed regulation aimed at combating and preventing the sexual abuse of children online (the Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse, or the “Regulation”). The use of online services to perpetrate crimes against children has increased over the past few years and the Commission considers that voluntary preventive measures adopted by online service providers have proven insufficient to address the misuse of their services for these purposes.

The proposed Regulation seeks to establish a harmonized legal framework for preventing and combating online child sexual abuse by providing legal certainty to service providers regarding their responsibilities to assess, mitigate, detect and report the use of their services for abuse.

At the end of July, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion regarding the proposal, noting in particular that it “raises serious concerns” regarding the necessity and proportionality of the interference and limitations to the protection of privacy rights and the protection of personal data.

This note sets out a summary of some of the draft Regulation’s central obligations.

Key Takeaway:

The draft Regulation is at an early stage of the legislative process, and its content will evolve. However, once adopted, it will apply in parallel to the EU Digital Services Act (“DSA”), and cover a large number of different online service providers. Companies that are developing their DSA compliance strategies should have this on their horizon.

Who is covered:

The rules will apply to hosting services (as defined by the EU Digital Services Act), interpersonal electronic communications services (such as email), software applications and software application stores (both as defined by the EU Digital Markets Act), and internet access services.

If a covered service has an establishment in Europe, or targets its activities towards one or more Member States, then it will have to comply with the Regulation. Non-EU covered services will also be obligated to appoint a European representative to serve as a point of contact for regulators.

Key Provisions:

This is a non-exhaustive summary of the some of the proposed obligations:

Mandatory Risk Assessment. Hosting services and providers of interpersonal electronic communications services will be required to conduct a risk assessment relating to the use of their services for ‘online child sexual abuse’ (this covers the online dissemination of child sexual abuse material and the solicitation of children for sexual purposes). This assessment is to be conducted after the Regulation comes into force and then at least once every three years.
Risk Mitigation Measures. Hosting services and providers of interpersonal electronic communications services will have to adopt mitigation measures that are targeted to address the identified risks. No specific measures are set out in the draft Regulation, but they must be targeted, proportionate, applied in a nondiscriminatory manner and effective. The same parties will also have to submit regular risk reports to the nominated national authority.
Obligations of Software App Stores. App stores will have to make reasonable efforts to assess, if possible with the relevant application provider, whether each service offered through the platform presents a risk of being used for the purpose of the solicitation of children. They will also have to adopt reasonable measures to prevent child users (under 17 years of age) from accessing the software applications in relation to which they have identified a significant risk and use the necessary age verification and age assessment measures to reliably identify child users on their services.
Detection Orders. National authorities will be empowered to issue orders to hosting service providers and/or providers of interpersonal electronic communications services to take measures to detect online sexual abuse on a specific service – subject to certain control and oversight measures (for instance, there must be a “significant” risk identified and in accordance with formal requirements set out in the Regulation). Parties that receive a Detection Order will be required to execute it by installing and operating technologies to detect the dissemination of known or new child sexual abuse material, or the solicitation of children.
Reporting Obligations. Hosting services and/or providers of interpersonal communications services that becomes aware of any information indicating potential online child sexual abuse on its services must submit a report to the EU Centre (see below), containing certain mandatory information. The service provider must also inform the user concerned, including in relation to the user’s right to complain to the national authority.
Preservation of Information. Providers of hosting services and providers of interpersonal communications services must preserve the content data and other data processed in connection to the measures taken to comply with the Regulation and the personal data generated through such processing, for 12 months or longer if so ordered by the national authority or a court.
Victim’s Rights. The Regulation recognizes a victim’s right to information from the national authority regarding whether the dissemination of known child sexual abuse material depicting them has been reported to the EU Centre. Victims will also have a right of assistance and support for removal of such content.
New European Agency. The Regulation provides for the creation of the EU Centre on Child Sexual Abuse, responsible for overseeing implementation of the Regulation and facilitating the cooperation and coordination of national authorities. The EU Centre will be based in The Hague, in the Netherlands.
Enforcement & Sanctions. National authorities can apply to courts for removal and blocking orders. Penalties for noncompliance will be set by the Member States, but fines shall not exceed 6% of annual income or global turnover in the preceding year.

Responses to the Regulation:

A number of civil society organizations involved in the protection of children’s rights have welcomed the proposed legislation, calling it “timely and historic.” However, in addition to the joint opinion of the EDPB and the EDPS, concerns have been raised by privacy associations regarding the potential privacy and security implications associated with technological measures adopted to comply with detection orders.

Next Steps:

The text of the regulation is open to public consultation until late August.

Read the regulation text here

Authors

Julia Apostle パートナー, Technology Transactions, Cyber, Privacy & Data Innovation

パリ

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle パートナー

パリ

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Kelly Hagedorn パートナー, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

ロンドン

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Fintech
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kelly Hagedorn パートナー

ロンドン

Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. She has designed and implemented data protection compliance programmes for clients in a range of sectors, including technology, gaming, manufacturing, and private equity.

Kelly has worked with companies to respond to data incidents that range from small-scale issues that do not attract regulatory attention to large, multi-jurisdictional breaches requiring coordination across numerous different regulatory regimes. She has also advised extensively on litigation matters involving allegations of fraud and financial crime, and in connection with securities laws.

During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. At the Serious Fraud Office, she worked on a number of cases dealing with restraint and confiscation matters. During her time with the telecommunications company, she helped develop and implement the company’s group-wide anti-bribery compliance programme security associated with data retention, processing, and transfer.

Meg Hennessey オブ・カウンセル, Global Compliance & Regulatory, 政府による調査および強制措置

サンフランシスコ; オレンジ・カウンティ

See my bio

D:+1 415 773 5764
E: [email protected]

Practice:

Global Compliance & Regulatory
政府による調査および強制措置
Cyber, Privacy & Data Innovation
倫理およびコンプライアンス
Strategic Advisory & Government Enforcement (SAGE)
内部調査

vCard

See full bio

Meg Hennessey オブ・カウンセル

サンフランシスコ; オレンジ・カウンティ

Meg has experience leading diverse teams of lawyers and consultants conducting internal and other compliance-related investigations in the online trust and safety, and corporate ethics spaces. She has strong project management skills and assists multinational clients in responding to complex and sensitive investigations initiated by enforcement authorities and regulators in the United States (U.S.) and United Kingdom (UK), including the Department of Justice (DOJ), the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Office of Inspector General (OIG), state attorney generals, Congress, the UK Office of Communications (Ofcom) and UK Parliament. Her experience on both sides of corporate Monitorships similarly provides her with a unique perspective when advising clients facing regulatory scrutiny in the U.S. and the UK on best practices to be used in the assessment or development of compliance programs that will be acceptable to those enforcement authorities. A snapshot of her varied and unique experience is set forth below.

Online Safety

Advising online service providers, social media platforms, and companies with an online presence on online safety-related obligations and in relation to potentially harmful content (e.g., instances of suspected child abuse, sexual exploitation, terrorist and hate speech)
Conducting online trust and safety compliance risk assessments and preparing and implementing related policies and procedures - for internal and external audiences - related to identity verification, content moderation, transparency reporting, and reporting to law enforcement.
Responding on behalf of a client to UK Parliament inquiries related to the UK's Online Safety Act.
Representing a client through a multi-year voluntary online safety monitorship.

Regulatory

Representing global IoT device maker in investigations by the FTC and multiple state attorneys general involving alleged unfair and deceptive acts and practices related to marketing and data security.
Representing multiple companies responding to Civil Investigation Demands and responding to investigations into violations of the False Claims Act (FCA).

Anti-Corruption Compliance and Internal Investigations

Serving on the Monitor teams for two DOJ and SEC-appointed Foreign Corrupt Practices Act (FCPA) Monitorships, as well as representing two multinational corporations under the review of independent Compliance Monitors.
Conducting anti-corruption compliance risk assessments and preparing and implementing related policies and procedures for internal and external audiences.
Conducting internal investigations in Argentina, Brazil, China, Columbia, India, Indonesia, Italy, Japan, Mexico, South Africa and Thailand.
Conducting pre- and post-acquisition anti-corruption due diligence and assisting in remediation.
Representing individuals and companies in connection with criminal investigations conducted by the DOJ FCPA Unit, Healthcare & Government Fraud Unit, as well as several individuals in connection with criminal investigations conducted by the DOJ Antitrust Division into the automotive parts industry.
Responding to Civil Investigative Demands issued by the DOJ and OIG for companies responding to FCA allegations.
Representing a company in relation to multiple congressional inquiries conducted by the Senate Committee on the Judiciary and the House Committee on Energy and Commerce.