Regulation (EU) 2021/1232 of the European Parliament and of the Council of 14 July 2021 on a temporary derogation from certain provisions of Directive 2002/58/EC as regards the use of technologies by providers of number-independent interpersonal communications services for the processing of personal and other data for the purpose of combating online child sexual abuse (Text with EEA relevance)
Modified by
- Regulation (EU) 2024/1307 of the European Parliament and of the Councilof 29 April 2024amending Regulation (EU) 2021/1232 on a temporary derogation from certain provisions of Directive 2002/58/EC as regards the use of technologies by providers of number-independent interpersonal communications services for the processing of personal and other data for the purpose of combating online child sexual abuse(Text with EEA relevance), 32024R1307, May 14, 2024
(1) "number-independent interpersonal communications service" means a number-independent interpersonal communications service as defined in Article 2, point (7), of Directive (EU) 2018/1972; (2) "online child sexual abuse material" means: (a) child pornography as defined in Article 2, point (c), of Directive 2011/93/EU; (b) pornographic performance as defined in Article 2, point (e), of Directive 2011/93/EU;
(3) "solicitation of children" means any intentional conduct constituting a criminal offence under Article 6 of Directive 2011/93/EU; (4) "online child sexual abuse" means online child sexual abuse material and solicitation of children.
(a) the processing is: (i) strictly necessary for the use of specific technology for the sole purpose of detecting and removing online child sexual abuse material and reporting it to law enforcement authorities and to organisations acting in the public interest against child sexual abuse and of detecting solicitation of children and reporting it to law enforcement authorities or organisations acting in the public interest against child sexual abuse; (ii) proportionate and limited to technologies used by providers for the purpose set out in point (i); (iii) limited to content data and related traffic data that are strictly necessary for the purpose set out in point (i); (iv) limited to what is strictly necessary for the purpose set out in point (i);
(b) the technologies used for the purpose set out in point (a)(i) of this paragraph are in accordance with the state of the art in the industry and are the least privacy-intrusive, including with regard to the principle of data protection by design and by default laid down in Article 25 of Regulation (EU) 2016/679 and, to the extent that they are used to scan text in communications, they are not able to deduce the substance of the content of the communications but are solely able to detect patterns which point to possible online child sexual abuse; (c) in respect of any specific technology used for the purpose set out in point (a)(i) of this paragraph, a prior data protection impact assessment as referred to in Article 35 of Regulation (EU) 2016/679 and a prior consultation procedure as referred to in Article 36 of that Regulation have been conducted; (d) with regard to new technology, meaning technology used for the purpose of detecting online child sexual abuse mat erial that has not been used by any provider in relation to services provided to users of number-independent interpersonal communications services ("users") in the Union before 2 August 2021 , and with regard to technology used for the purpose of identifying possible solicitation of children, the provider reports back to the competent authority on the measures taken to demonstrate compliance with written advice issued in accordance with Article 36(2) of Regulation (EU) 2016/679 by the competent supervisory authority designated pursuant to Chapter VI, Section 1, of that Regulation ("supervisory authority") in the course of the prior consultation procedure;(e) the technologies used are sufficiently reliable in that they limit to the maximum extent possible the rate of errors regarding the detection of content representing online child sexual abuse and, where such occasional errors occur, their consequences are rectified without delay; (f) the technologies used to detect patterns of possible solicitation of children are limited to the use of relevant key indicators and objectively identified risk factors such as age difference and the likely involvement of a child in the scanned communication, without prejudice to the right to human review. (g) the providers: (i) have established internal procedures to prevent abuse of, unauthorised access to, and unauthorised transfers of, personal and other data; (ii) ensure human oversight of and, where necessary, human intervention in the processing of personal and other data using technologies falling under this Regulation; (iii) ensure that material not previously identified as online child sexual abuse material, or solicitation of children, is not reported to law enforcement authorities or organisations acting in the public interest against child sexual abuse without prior human confirmation; (iv) have established appropriate procedures and redress mechanisms to ensure that users can lodge complaints with them within a reasonable timeframe for the purpose of presenting their views; (v) inform users in a clear, prominent and comprehensible way of the fact that they have invoked, in accordance with this Regulation, the derogation from Articles 5(1) and 6(1) of Directive 2002/58/EC concerning the confidentiality of users’ communications for the sole purpose set out in point (a)(i) of this paragraph, the logic behind the measures they have taken under the derogation and the impact on the confidentiality of users’ communications, including the possibility that personal data are shared with law enforcement authorities and organisations acting in the public interest against child sexual abuse; (vi) inform users of the following, where their content has been removed or their account has been blocked or a service offered to them has been suspended: (1) the avenues for seeking redress from them; (2) the possibility of lodging a complaint with a supervisory authority; and (3) the right to a judicial remedy;
(vii) by 3 February 2022 , and by 31 January every year thereafter, publish and submit to the competent supervisory authority and to the Commission a report on the processing of personal data under this Regulation, including on:(1) the type and volumes of data processed; (2) the specific ground relied on for the processing pursuant to Regulation (EU) 2016/679; (3) the ground relied on for transfers of personal data outside the Union pursuant to Chapter V of Regulation (EU) 2016/679, where applicable; (4) the number of cases of online child sexual abuse identified, differentiating between online child sexual abuse material and solicitation of children; (5) the number of cases in which a user has lodged a complaint with the internal redress mechanism or with a judicial authority and the outcome of such complaints; (6) the numbers and ratios of errors (false positives) of the different technologies used; (7) the measures applied to limit the error rate and the error rate achieved; (8) the retention policy and the data protection safeguards applied pursuant to Regulation (EU) 2016/679; (9) the names of the organisations acting in the public interest against child sexual abuse with which data has been shared pursuant to this Regulation;
(h) where suspected online child sexual abuse has been identified, the content data and related traffic data processed for the purpose set out in point (a)(i), and personal data generated through such processing are stored in a secure manner, solely for the purposes of: (i) reporting, without delay, the suspected online child sexual abuse to the competent law enforcement and judicial authorities or organisations acting in the public interest against child sexual abuse; (ii) blocking the account of, or suspending or terminating the provision of the service to, the user concerned; (iii) creating a unique, non-reconvertible digital signature ("hash") of data reliably identified as online child sexual abuse material; (iv) enabling the user concerned to seek redress from the provider or pursue administrative review or judicial remedies on matters related to the suspected online child sexual abuse; or (v) responding to requests issued by competent law enforcement and judicial authorities in accordance with the applicable law to provide them with the necessary data for the prevention, detection, investigation or prosecution of criminal offences as set out in Directive 2011/93/EU;
(i) the data are stored no longer than strictly necessary for the relevant purpose set out in point (h) and, in any event, no longer than 12 months from the date of the identification of the suspected online child sexual abuse; (j) every case of a reasoned and verified suspicion of online child sexual abuse is reported without delay to the competent national law enforcement authorities or to organisations acting in the public interest against child sexual abuse.
(a) were using a specific technology before 2 August 2021 for the purpose set out in paragraph 1, point (a)(i), without having completed a prior consultation procedure in respect of that technology;(b) start a prior consultation procedure before 3 September 2021 ; and(c) duly cooperate with the competent supervisory authority in connection with the prior consultation procedure referred to in point (b).
(a) were using a technology as referred to in paragraph 1, point (d), before 2 August 2021 without having completed a prior consultation procedure in respect of that technology;(b) start a procedure as referred to in paragraph 1, point (d), before 3 September 2021 ; and(c) duly cooperate with the competent supervisory authority in connection with the procedure referred to in paragraph 1, point (d).
(a) the total number of reports of detected online child sexual abuse that have been submitted by providers and organisations acting in the public interest against child sexual abuse to the competent national law enforcement authorities, differentiating, where such information is available, between the absolute number of cases and those cases reported several times and the type of provider on whose service the online child sexual abuse was detected; (b) the number of children identified through actions pursuant to Article 3, differentiated by gender; (c) the number of perpetrators convicted.
(a) the conditions for the processing of personal data and other data set out in Article 3(1), point (a)(ii), and points (b), (c) and (d); (b) the proportionality of the derogation provided for by this Regulation, including an assessment of the statistics submitted by the Member States pursuant to Article 8; (c) developments in technological progress regarding the activities covered by this Regulation, and the extent to which such developments improve accuracy and reduce the numbers and ratios of errors (false positives).
Loading ...