New EU online privacy law may increase risk of child sexual exploitation


London, UK – 1 December 2018 – Campaign groups say that proposed changes to European Union laws that govern Internet privacy could make it more difficult to identify online child sexual abuse imagery, which in the long-term could hamper efforts to track offenders and rescue victims.

More than 30 child rights NGOs, including ECPAT International and eight ECPAT member groups from across the European Union, want the wording of the draft Regulation on Privacy and Electronic Communications (e-Privacy Regulation) currently under consideration in Brussels, to be changed before it is adopted. In a letter to EU President Junkers, Vice President Ansip, and the Austrian Presidency of the EU, they warn that the new rules in their current form are likely to seriously endanger the safety and well-being of children. They argue that the proposed regulation will make it difficult for businesses to deploy software that detects this kind of material in online traffic – so it can be flagged and removed – and are asking EU ministers for a specific exemption so that this type of technology can still legally operate.

“Technology, such as Microsoft PhotoDNA and similar applications are currently used by businesses and network providers across the EU,” says Robbert van den Berg, Executive Director of ECPAT. “These programmes enable businesses to locate child sex abuse imagery on their systems so it can be reported to appropriate authorities, such as law enforcement, and deleted from servers. In the last few years, this technology has found and removed tens of millions of images, thwarting offenders and preventing the re-victimization of children. The draft regulation threatens to withdraw the permissible use of this successful technology and further imperil the victims of this crime.”

Many EU businesses currently use PhotoDNA and similar software on a voluntary basis to rid their networks of child sex abuse material. However, this will change if the new e-Privacy Regulation is adopted. The regulation is due to go before an EU ministerial meeting for discussion on 3 and 4 December.

“It is way beyond the capacity of law enforcement agencies to address the volumes now circulating online,” cautions the letter. “Police in all parts of the world have therefore repeatedly called on the private sector to do more to help, and they are committed to and playing their role.  Deploying applications like PhotoDNA is exactly the kind of thing they have in mind. Yet the e-Privacy Regulation appears to threaten this wholly beneficial status quo.  We are at a loss to understand why the EU feels it is necessary to step-in and disrupt effective and established practices which self-evidently work so well.”

8.7 million images identified

In October Facebook indicated that in the third quarter of this year, PhotoDNA and comparable products helped it identify 8.7 million images that breached its child nudity policy and most of this content was removed before anyone even saw it. In the past, Google has also indicated that 99 percent of all the illegal content it removed from its services had first been identified using this technology. Similarly, the US based National Center for Missing and Exploited Children recently said it is on track to receive more than 20 million reports of illegal child sex abuse images by the end of 2018, with the overwhelming majority of that imagery detected because of technology companies’ use of PhotoDNA. Indeed, PhotoDNA has helped or will help find some 99 percent of this material.

However, the use of PhotoDNA and similar software would be banned in the EU under the proposed new ePrivacy Regulation. If these new rules are passed, customers would have to be asked for ‘consent’ before certain types of information can be accessed by service providers – an unworkable prospect in the context of illegal child sexual abuse imagery.

“It is ridiculous to imagine that child sex offenders would be willing to give their consent to being monitored,” says John Carr, senior advisor to ECPAT. “Adopting this regulation would be a huge gaffe for children’s rights. I’m sure the drafters did not intend to outlaw, reduce or limit the scope for companies to deploy these tools to identify child sex abuse material. We need to put this right.”

Could affect all EU Member States

The proposed laws would affect all EU Member States unless they individually decide to derogate from the new rules, which ECPAT says would inevitably lead to a patchwork of national laws.

“This makes no sense at all when dealing with international platforms,” says Carr. “The current arrangements are working well. They should leave them alone. I suspect that the current sloppy wording in the proposed regulation was written by someone who did not think it through. Any confusion surrounding the use of PhotoDNA and similar technology could be rapidly and easily cleared up.”

The regulation (the full name of which is: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC”) is intended to apply to all businesses providing online communication services that use online tracking technologies, or that engage in electronic direct marketing. It would repeal a previous directive from 2002 and is meant to complement the recently passed General Data Protection Regulation.