The draft law on detecting and reporting online child sexual abuse material (CSAM), sparking criticism and tension in the past, remains one of the important yet incomplete tech files of the EU, highlighting its significance as it risks being abandoned amid legislative gridlock.
The almost complete 2019-2024 legislative term saw a surge of tech policy passing through the EU Parliament. Since February, member states have urged prioritising the implementation of existing digital policy over creating new bills, with the exception of the CSAM draft.
Despite numerous compromise texts published by the Belgian Presidency of the Council of the EU, a general approach is unlikely to be reached by the end of its term in June.
The Hungarian presidency will have to take over the file in July, but it is not expected to be a priority during its tenure.
Meanwhile, potential shifts in the Parliament’s political alignment after the June elections are not likely to significantly impact its fate, as it has already agreed on the regulation.
The EU legislature reached an agreement on the file last October, but the draft law has been stuck in the Council, blocked by Germany and France. Due to the lack of progress, some predict it might “die out” entirely, similar to the ePrivacy Directive, which has faced prolonged delays.
The controversy lies in its provisions regarding end-to-end encryption (E2EE), a method of secure communication that prevents third parties from accessing data exchanged between users.
The draft law
Some see tampering with E2EE as a key measure to protect minors, while others protest that this move will unduly harm data privacy.
The original form of the legislation attracted criticism as it would have empowered judicial authorities to ask communication platforms like WhatsApp or Gmail to scan users’ private messages to find suspected content.
The current draft does not prohibit E2EE but leaves the door open for authorities to access users’ encrypted communications.
Accusations of improper behaviour
The proposed CSAM regulation has been riddled with accusations of impropriety against the Commission.
Data protection authorities have investigated the Commission’s use of microtargeting to promote the CSAM law, citing concerns that the EU executive has violated EU’s data protection rules, the GDPR.
Non-profit organisation European Center for Digital Rights, or NOYB, filed a similar complaint on microtargeting against the Commission’s Directorate General for Migration and Home Affairs to the European Data Protection Supervisor (EDPS).
NOYB said the Commission used sensitive data, including political orientation and religious beliefs, in its microtargeting to target individuals with ads promoting the law.
In October last year, Commissioner for Home Affairs Ylva Johansson attended a Civil Liberties Committee (LIBE) hearing in the Parliament and was questioned about microtargeting ads on X.
The EU Ombudsman said in November 2023 that the Commission committed maladministration when it refused to release a list of experts with whom they worked to draft the regulation.
Prior to the Ombudsman’s conclusion, the Commission denied such a list existed but German Member of the European Parliament (MEP) Patrick Breyer (Greens/EFA) made the list public shortly after the Ombudsman’s opinion.
Revolving door
In October 2023, an article by Balkan Insight revealed close links, including possible financial interests, between the Commission and child protection organisations that are supporting the draft law.
In January 2024, the EU Ombudsman announced an investigation into potential conflicts of interest of two former Europol officials who joined the child protection organisation Thorn, which, Balkan Insight claimed, has a commercial interest in mandatory scanning proposed in CSAM.
A complaint to the Ombudsman described a “revolving door” between Thorn, Europol and the Commission as two employees from Europol and some from Commission employees had taken positions at Thorn.
The Commission’s Directorate-General on Migration and Home Affairs (DG HOME) provided communications between Thorn and other child protection organisations to the LIBE Committee following a request in 2023.
MEPs said at the time that Europol was lobbying for the Commission by supporting the proposal.
[Edited by Eliza Gkritsi/Rajnish Singh/Alice Taylor]
