EU child protection automatic scan proposals ‘must not come at expense of encryption’

Andre Walter of Pinsent Masons said the plans put forward by the European Commission, which could include obligations on platforms to automatically scan the content of individual messages – known as ‘client-side scanning’ – were well-intentioned but flawed. “Requirements for client-side scanning must not come at the expense of strong end-to-end encryption, which is an essential part of a secure and reliable internet. Such measures, even for the most defendable purposes, must meet a good proportionality test before being introduced.”

The process of end-to-end encryption is designed to prevent data being intercepted and read or secretly modified by parties other than the sender and the intended recipients. Platforms that use the technology allow a user to send encrypted messages that only their recipients can decrypt. Since the Commission’s proposals were first published in May 2022, a number of concerns have been raised over their implications for privacy.

Walter’s comments came after a coalition of civil society organisations, business leaders, security experts and internet advocates participated in Global Encryption Day 2022. In a statement following the event, the Global Encryption Coalition said strong encryption “underpins online trust, protects members of vulnerable communities, and safeguards the data of governments, businesses, and citizens from criminals and other malicious actors.” It warned that attempts to weaken encryption would “compromise the security and privacy of billions of people” around the world and called on governments and the private sector to reject such efforts.

Meanwhile, in an opinion piece for Politico last week, Markéta Gregorová, member of the European parliament (MEP) for the Czech Republic, described the proposed regulations as a “gross violation of privacy”. She argued that platforms lacked the technology to screen content “effectively and safely” without “undermining the security provided by end-to-end encryption.” Gregorová said plans to fine tech companies up to 6% of their global turnover for failure to comply with the regulations would encourage firms to be “overzealous”, thereby increasing the risk of “devastating” consequences for innocent people.

In July, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) said the draft legislation left “too much room for potential abuse” and concluded that it would be disproportionate to require internet service providers to decrypt online communications in order to identify and block those containing child sexual abuse material. The watchdogs said that any limitations on the rights to private life and data protection must “respect the essence of these fundamental rights” and “remain limited to what is strictly necessary and proportionate.”

They pointed out that encryption technologies “contribute in a fundamental way to the respect for private life and confidentiality of communications, freedom of expression” as well as to “innovation and the growth of the digital economy”, which, they said, “relies on the high level of trust and confidence that such technologies provide.” They recommended that the Commission’s draft legislation be amended to make clear that nothing in the proposed regulation “should be interpreted as prohibiting or weakening encryption.”

Nienke Kingma of Pinsent Masons said: “The proposed measures force providers of email, messaging, and chat services to search all private messages – even in the absence of any suspicion. This client-side scanning results in the messages no longer being private between the sender and receiver, breaking the end-to-end encryption trust model. It is, of course, important to emphasise that the Commission’s proposals are still only draft legislation. In the light of the concerns that have been raised, it remains to be seen whether the plans will stay the same, or whether amendments will be included to reassure critics.”