On 10 September 2020, the European Commission proposed an interim regulation designed to enable online communications service providers to combat child sexual abuse online. Once in force, this regulation will provide a legal basis for providers to voluntarily scan communications or traffic data on their services for the limited purpose of detecting child sexual abuse material online.

When the European Electronic Communications Code comes into force on 21 December 2020, it will replace the definition of electronic communications services in Directive 2002/58/EC (the ePrivacy Directive) with a new definition that includes online communications services—referred to as “number-independent interpersonal communications services.” Services such as voice-over-IP, webmail, and messaging services will at that point fall within scope of the ePrivacy Directive.

Articles 5(1) and 6 of the ePrivacy Directive impose strict confidentiality obligations on service providers processing communications and traffic data. The Directive does not provide an explicit legal basis for service providers to scan these data for the purpose of detecting child sexual abuse material. As a result, current practices employed by many online service providers to detect and prevent the dissemination of such material may breach their obligations under the ePrivacy Directive.

The proposed regulation proposes a “temporary and strictly limited” derogation from Articles 5(1) and 6 of the Directive, with the sole objective of enabling these service providers to use technologies for the processing of data “to the extent necessary to detect and report child sexual abuse online and remove child sexual abuse material on their services.” The proposed regulation also contains a number of rules on how such technologies may be deployed and imposes reporting obligations as well. The GDPR will continue to apply to any processing that falls within the scope of this derogation.

Once approved by the European Parliament and the Council, the regulation will be in force from 21 December 2020 until 31 December 2025. Meanwhile, the Commission recently announced plans to introduce legislation by the second quarter of 2021 requiring online service providers to detect child sexual abuse material and report it to public authorities. If this legislation enters into force before 31 December 2025, it should repeal the interim regulation.


This post was written with assistance from Stacy Young, a trainee solicitor in the London office.