The European Parliament on Tuesday approved a controversial law that would allow digital companies to detect and report child sexual abuse on their platforms for the next three years.
Tuesday’s vote was the final hurdle for the bill, and will allow companies to scan their platforms for explicit material without fear of violating Europe’s strict privacy laws. The bill pitted the European Commission, who proposed the bill, and children’s rights activists against the Parliament and Europe’s privacy regulators, who fear the bill could undermine the EU’s privacy rules.
The results showed 537 MEPs voted in favor of the bill, with 133 against and 24 abstaining. Despite the result, European lawmakers warned that the rules are „legally flawed“ and could crumble in front of a court.
MEPs also decried the pressure they were under to approve the bill, calling it „moral blackmail.“
“Whenever we asked critical questions about the legislative proposals, immediately the suggestion was created that I wasn’t sufficiently committed to fighting child sexual abuse,” Dutch MEP Sophie in ‘t Veld said a day before the vote.
It’s not over
EU lawmakers were working under an unusually short deadline. The European Commission realized that the EU’s new rules for private messaging would make it illegal for tech companies to voluntarily look for illegal content like child pornography, and proposed a temporary bill to allow for scanning and reporting until new permanent rules were in place.
Soon after the Commission published its proposal in September, it immediately pressured the European Parliament to approve the new rules by December, which lawmakers did not do.
The bill was stalled because of a provision that allowed companies to also scan for grooming, which does not constitute abuse, per se, but does include text and audio messages that indicate children are being manipulated by an offender. Parliament members fretted that allowing companies to scan for messages opens the door for them to monitor other communications. That view was enforced by Europe’s data protection regulators, who also warned that the rules would undermine the EU’s privacy rules.
Meanwhile, British, Canadian, and American ministers — and the U.S. actor Ashton Kutcher, who is also a children’s rights activist — sided with the Commission and urged the Parliament to pass the bill. In the meantime, Facebook said it had stopped scanning its platforms for illicit material.
Center-left MEP Birgit Sippel, who worked on the bill, said, “There has been a lot of pressure just to do something very, very quickly and to come to an agreement.”
Despite the bill’s approval, In ‘t Veld warned that the legislation would not withstand court scrutiny given Europe’s strict privacy laws. Addressing Home Affairs Commissioner Ylva Johansson on Monday, she said, “I think we both know that the result on the table is legally flawed.”
MEPs also said that the blanket scanning of private messages of European citizens to look for evidence of child grooming could clash with another set of privacy rules protecting personal data, the GDPR.
To allay the Parliament’s concerns, EU countries agreed to modify the Commission’s law to add additional safeguards, including bringing in Europe’s network of privacy watchdogs to advise on what technologies should be used to do the scanning, and how they should be used. They also left out audio messages from the bill. The changes prompted Sippel, who was negotiating on behalf of the Parliament, to sign off on the bill.
What comes next
The temporary rules are only supposed to be applied for three years. But privacy activists are already worried about the permanent rules that will come next.
With most of the child trafficking and abuse done through encrypted communications on apps like WhatsApp and Telegram, the Commission wants to limit how secure those communications can be. Johansson, who’s in charge of tackling illegal content online, has warned Facebook that its plan to introduce encryption could “give haven to the pedophiles.“
That’s a plan that is also unlikely to go down well with digital activists, who fear mass surveillance by law enforcement and private companies.
“Encrypted communications and services must be preserved and protected,” said Diego Naranjo, EDRi’s head of policy, in an interview.
He said that the Commission’s plan will create an incentive for Big Tech to break, or not develop, encryption, and will tempt companies to comb through private communications.
Children’s rights activists are more optimistic about being able to assuage privacy activists‘ concerns.
“Children’s advocates and children’s groups need to engage more closely with the privacy community, so they understand the realities of children’s rights and don’t treat all of these privacy questions as some kind of highly theoretical issue,” said John Carr, secretary of the UK Children’s Charities’ Coalition on Internet Safety, in an interview.
Lawmakers in Parliament expressed their hope for “a significantly improved proposal” with data protection guarantees.
“We really need targeted solutions when dealing with these private communications; otherwise this won’t hold up before national or European courts,” said Sippel.
CORRECTION: A previous version of this article misstated the number of votes against the bill: 133 MEPs voted no.