European Union: Adopted EDPS opinion on the proposal for a Regulation extending derogation from the ePrivacy Directive to support the detection of child sexual abuse

On 24 January 2024, the European Data Protection Supervisor (EDPS) adopted its opinion on the extension of the derogation from the ePrivacy Directive to support the detection of child sexual abuse (Regulation 2021/1232) of the ePrivacy Directive (2002/58/EC). The Regulation allows providers of interpersonal communications services to voluntarily use technologies to detect child sexual abuse material (CSAM) on their services. The extension is proposed to avoid interruptions in combating CSAM while negotiations on a long-term Regulation continue. However, the EDPS considers the extension non-trivial, as its previous recommendations on necessity, proportionality, and safeguards against general monitoring have not been addressed. The EDPS noted that it remains concerned about the lack of clarity on the applicable GDPR legal basis and the lack of specificity on permitted data categories, reiterating the need for human review safeguards. The EDPS also draws attention to the significant risks from automated content analysis, especially the high error rates in detecting new CSAM and grooming. Given the listed concerns, the EDPS recommends not adopting the extension proposal until necessary safeguards are integrated.