Data Protection Insider, Issue 74

EDPB EDPS Joint Opinion concerning Proposal on Preventing and Combatting Child Sexual Abuse

On 28th July, the EDPB and EDPS adopted their ‘Joint Opinion 04/2022 on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse’. The EDPB and EDPS begin by offering general comments. Whilst the EDPB and EDPS recognise the legitimacy of the purposes of the proposal, they also express concerns regarding potential interferences with fundamental rights – including concerns related to the essence of rights ‘in the area of privacy of electronic communications’. The EDPB and EDPS then go into detail and make a series of specific comments under the following headings: i) ‘Relationship with existing legislation’ – including highlighting concerns relating to Article 15(1) of the ePrivacy Directive; ii) ‘Lawful basis under the GDPR’ – including the observation that any legal basis will need to respect the ‘conditions set out in Article 52(1) of the Charter’; iii) ‘Risk assessment and mitigation obligations’ – including stressing ‘the need of a high level of legal certainty, clarity and foreseeability of the legislation in order to ensure that the proposed measures are genuinely effective in achieving the objective they pursue and at the same time are the least detrimental to the fundamental rights at stake’; iv) ‘Conditions for the issuance of detection orders’ – including noting that ‘the conditions for the issuance of a detection order are dominated by vague legal terms, such as ‘appreciable extent’, ‘significant number’, and are in part repetitive, as evidence of former abuse will often contribute to establishing the likelihood of future abuse’; v) ‘Analysis of the necessity and proportionality of the envisaged measures’ – including highlighting concerns that the procedural safeguards in the regulation may not always be adequate to address risks; vi) ‘Reporting obligations’ – including recommending complementing ‘the list of specific reporting requirements in Article 13 of the Proposal with a requirement to include in the report information on the specific technology that enabled the provider to become aware of the relevant abusive content, in case the provider became aware of the potential child sexual abuse following measures taken to execute a detection order issued in accordance with Article 7 of the Proposal’; vii) ‘Removal and blocking obligations’ – including considering the need to clarify ‘the powers of Coordinating Authorities with respect to the issuance of blocking orders’; viii) ‘Relevant technologies and safeguards’ – including recommending ‘that the proposed Regulation be amended to expressly allow providers to rely on parental control mechanisms in addition or as an alternative to age verification’; ix) ‘Preservation of information’ – including considering ‘that only those providers that use their own detection technologies should be allowed to retain data for improving the effectiveness and accuracy of the technologies’; x) ‘Impact on encryption’ – including highlighting that in order to ‘ensure that the proposed Regulation does not undermine the security or confidentiality of electronic communications of European citizens…the enacting terms of the Proposal should clearly state that nothing in the proposed Regulation should be interpreted as prohibiting or weakening encryption’; and xi) ‘Supervision, enforcement and cooperation’ – including observing the need for further consideration concerning the role of the EDPB in the legislative framework. There is a great deal of relevant information in the Opinion – not only concerning the specifics of the proposal – and the Opinion should make interesting reading for much of the data protection community.


EDPS Adopts Opinion on Proposal on Asset Recovery and Confiscation

On 19th July, the EDPS adopted ‘Opinion 16/2022 on the Proposal for a Directive of the European Parliament and of the Council on asset recovery and confiscation’. The EDPS begins with a series of general comments, including welcoming the emphasis on the significance of data protection in the proposal. The EDPS then goes on to make a series of more specific comments under the following headings: i) ‘Access to information by asset recovery offices’ – including making a number of positive observations concerning the limitations and safeguards foreseen in the proposal; ii) ‘Exchange of information between asset recovery offices’ – including recommending that certain listed ‘categories of sensitive personal data [be removed] from the scope of the Proposal, unless convincing objective arguments in support of their necessity and proportionality in the specific context of the Proposal can be presented to the co-legislator’; iii) ‘Establishment of centralised registries of frozen and confiscated property’ – including considering ‘that the national legislation transposing the Directive should designate the competent authority(ies) which will be responsible for the management of the registry and thus will take the role of data controller in accordance with Article 3(8) of the LED’; and iv) ‘Cooperation between asset recovery offices and EU agencies’ – including highlighting “that any exchange and further processing of personal data in the context of the envisaged cooperation must take place in strict compliance with the provisions of Chapter IX of the EUDPR and the specific data protection rules in the legal acts establishing the Union agencies”. The Opinion will most likely be of interest to those following developments in the area covered.

EDPB Adopts Letters and Article 65 Decision

On 29th July, the EDPB announced it had adopted the following letters and the following decision:

  • ‘[T]wo letters in response to Access Now and BEUC concerning TikTok. In these letters, the EDPB highlights the swift action taken by the Irish, Italian and Spanish Supervisory Authorities (SAs) following TikTok’s announcement that it would no longer seek users’ consent to send personalised advertisements, but that the legal basis for this would be the legitimate interest of TikTok and its partners. As a result of these actions, TikTok announced that it would pause the change in the legal basis used for personalised ads.’
  • ‘[A] dispute resolution decision on the basis of Art. 65 GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the Irish SA as lead supervisory authority (LSA) regarding Instagram (Meta Platforms Ireland Limited (Meta IE)) and the subsequent objections expressed by some of the concerned supervisory authorities (CSAs).’

The letters are available on the EDPB’s website at the link below.




DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply