EUROPEAN COMMISSION

Brussels, 11.5.2022

SWD(2022) 209 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT REPORT

Accompanying the document

Proposal  for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

laying down rules to prevent and combat child sexual abuse

{COM(2022) 209 final} - {SEC(2022) 209 final} - {SWD(2022) 210 final}

Contents

1.Introduction: political and legal context4

2.Problem definition

2.1What is the problem?7

2.2What are the problem drivers?5

2.3How likely is the problem to persist?8

3.Why should the EU act?0

3.1Legal basis0

3.2Subsidiarity: necessity of EU action1

3.3Subsidiarity: added value of EU action1

4.Objectives: What is to be achieved?3

4.1General objective3

4.2Specific objectives3

5.What are the available policy options?4

5.1What is the baseline from which options are assessed?4

5.2Description of the policy options1

5.3Measures discarded at an early stage3

6.What are the impacts of the policy options?

6.1Qualitative assessment

6.2Quantitative assessment0

7.How do the options compare?4

7.1Qualitative comparison4

7.2Quantitative comparison1

8.Preferred option2

8.1Main advantages3

8.2Main disadvantages4

8.3Trade-Offs4

8.4Application of the ‘one in, one out’ approach5

9.How will actual impacts be monitored and evaluated?5

ANNEXES………………………………………………………………………………………118

1.Introduction: political and legal context

Children face a number of risks in their daily lives, both online and offline, from which they cannot fully protect themselves. One of these risks is that of being sexually abused during childhood. The initiative assessed here aims to complement the existing EU framework by defining the responsibilities of certain online service providers to protect children against sexual abuse. In the absence of harmonised rules at EU level, providers of social media platforms, gaming services, and other hosting and online communications services find themselves faced with divergent rules across the internal market. The proliferation of rules is increasing, with recent legislative changes in the Netherlands and Germany, and at the same time there is evidence that current efforts at national level are insufficient to successfully address the underlying problem.

Children have the fundamental right to such protection and care as is necessary for their well-being, and their best interests must be a primary consideration in all actions relating to them 1 . Consequently, the fight against child sexual abuse (CSA) is a priority for the EU 2 . In the July 2020 EU strategy for a more effective fight against child sexual abuse, the Commission set out eight concrete actions, implementing and developing the right legal framework and catalysing multi-stakeholder efforts in relation to prevention and  investigation of these crimes and assistance to victims and survivors.

The legislative proposal that this impact assessment accompanies responds to the commitment undertaken in the strategy to propose the necessary legislation to tackle child sexual abuse effectively, online and offline 3 . In particular, this initiative:

1.sets out obligations to detect, report and remove child sexual abuse online to bring more clarity and certainty to the work of both law enforcement and relevant actors in the private sector to tackle online abuse 4 ; and

2.establishes an EU Centre to prevent and counter child sexual abuse to provide comprehensive support for the implementation of the proposed Regulation by service providers and to Member States, in the fight against child sexual abuse 5 .

The commitment and this initiative respond to the calls for action from the Council, the European Parliament, and the European Economic and Social Committee 6 , and globally in multiple forums 7 , including by online service providers 8 and in the media 9 , as it has become evident that current measures are falling short of effectively protecting the right of children to live free from sexual violence. This initiative is therefore expected, as the need to better prevent and combat child sexual abuse through additional legislation was already clear during the preparation of the 2020 strategy, and also during the inter-institutional negotiations of the Interim Regulation (see below).

The initiative aims to build on and complement the existing policy instruments in the fight against CSA, which can be grouped into legislation, coordination and funding 10 .

1.Legislation

The existing legal framework consists of measures in the areas of criminal law, protection of privacy and personal data, and the internal market, regulating online and telecommunications services and content moderation. It includes:

·horizontal instruments in the area of data protection and online privacy (e.g. GDPR 11 and e-Privacy Directive 12 and its proposed revision 13 ), and of the single market for digital services (e.g. e-Commerce Directive 14 and the proposed Digital Services Act 15 ),

·sector-specific legislation, such as the Child Sexual Abuse Directive 16 , the Europol Regulation 17 and its proposed revision 18 , the Interim Regulation derogating from the application of certain rights and obligations under the ePrivacy Directive 19 , and the Victims’ Rights Directive 20 .

Horizontal instruments

The General Data Protection Regulation (GDPR)

·What it does: the GDPR sets out rules on the processing of personal data relating to individuals, specifying the fundamental right to protection of personal data.

·How CSA-related responsibilities are distributed between EU and Member States: as a horizontal instrument, the GDPR does not contain CSA-specific provisions, but it applies to all activities of processing personal data, including those related to CSA, except for those carried out by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which are covered by Directive 2016/680/EU 21 . Member States are notably responsible for enforcement through their data protection authorities, and the European Data Protection Board (EDPB) is tasked with the consistent application of the GDPR.

·How the proposed legislation builds on and interacts with the GDPR: the proposed legislation builds on the GDPR, including its Article 6 which allows, e.g., processing of personal data to comply with a legal obligation (Art. 6(1)(c)), or when processing is necessary for the purpose of legitimate interest (Art. 6(1)(f)).

The ePrivacy Directive and its proposed revision

·What it does: the ePrivacy Directive and the proposed Regulation for its revision harmonise national rules to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality of communications, with respect to the processing of personal data in electronic communications services. These ePrivacy rules particularise and complement the GDPR.

·How CSA-related responsibilities are distributed between EU and Member States: as horizontal instruments, the ePrivacy Directive and the proposed successor Regulation do not contain CSA-specific provisions; they apply to any processing of specified data categories in electronic communications. Member States are responsible for enforcement through their competent national authorities.

·How the proposed legislation builds on and interacts with the ePrivacy Directive and its proposed revision: the proposed legislation would limit the scope of certain rights and obligations which are currently in the ePrivacy Directive, notably those on the confidentiality of communications and related data in order to enable companies to identify child sexual abuse taking place on their systems after the issuance of a detection order, subject to strict safeguards.

The eCommerce Directive

·What it does: the eCommerce Directive sets out a framework for the provision of information society services in the internal market. One of its key principles is a conditional liability exemption framework for providers of specific categories of information society services. In principle, providers may not be held liable for information (including illegal content) that they host (store), cache (temporarily store) or transmit during the provision of their services, subject to the conditions laid down in the Directive. For example, this means that providers of hosting services may not be held liable for information they host, unless they gain actual knowledge or awareness of the illegality and fail to act expeditiously. The Directive also prohibits Member States from imposing general obligations to monitor their services or to actively seek facts or circumstances indicating illegal activity. The eCommerce Directive does not establish a legal basis for any processing of personal data.  

·How CSA-related responsibilities are distributed between EU and Member States: as a horizontal instrument, the eCommerce Directive does not contain CSA-specific provisions. It governs activities of relevant service providers. Member States are responsible for enforcement through their national authorities.

·How the proposed legislation builds on and interacts with the eCommerce Directive: the proposed legislation imposes narrowly targeted obligations to detect, report and remove child sexual abuse online, based on specific indicators and requirements to ensure compatibility with the eCommerce Directive (see box 9).

The Digital Services Act proposal

·What it does: the Digital Services Act (DSA) proposal, if adopted as proposed, and building upon the eCommerce Directive’s framework, would provide a horizontal standard for content moderation by providers of intermediary services. It would remove a number of disincentives for providers’ voluntary efforts to detect, remove or disable access to illegal content (including child sexual abuse material, CSAM) and would create obligations for them to provide information on their content moderation efforts when requested by national authorities. The DSA would also create additional due diligence obligations tailored to specific categories of providers of intermediary services (e.g. hosting services, online platforms, very large online platforms) as well as transparency reporting obligations. For instance, it would require hosting services to put in place notice and action mechanisms enabling any user or entity to notify them of the presence of suspected illegal content. Furthermore, the DSA would oblige very large online platforms to implement risk mitigation measures on their services. The DSA would also establish rules on its implementation and enforcement, including as regards the cooperation of and coordination between the competent authorities. The DSA would not establish a legal basis for any processing of personal data.

·How CSA-related responsibilities are distributed between EU and Member States: as a horizontal instrument covering all types of illegal content, the DSA does not contain CSA-specific provisions. The DSA would create a framework at EU level for the notification of materials noticed by users to companies, with obligations for companies to respond to orders issued by public authorities in Member States, as well as additional due diligence requirements for very large platforms. For the very large platforms, a stronger role for the Commission in the enforcement process is also being considered during the ongoing inter-institutional negotiations at the time of writing.

·How the proposed legislation builds on and interacts with the DSA as proposed: the proposed legislation complements the DSA notably by specifying mandatory removal of CSAM when ordered and a comprehensive reporting obligation tailored to the specificities of CSA online, which often takes place hidden from public view and demands specific follow-up where identified. These specificities require a different approach from the horizontal one of the DSA. Finally, as the DSA aims to maintain some of the main principles of the eCommerce Directive, including the prohibition of general monitoring obligation and the unavailability of the liability exemption for hosting services if failing to act after obtaining actual knowledge or aware of the illegality of the content, the considerations above made for the eCommerce Directive also apply to the DSA.

The Victims’ Rights Directive

·What it does: the Victims’ Rights Directive establishes minimum standards on the rights of, support for and protection of victims of crime and ensures that they are recognised and treated with respect. They must also be granted access to justice.

·How CSA-related responsibilities are distributed between the EU and Member States:  as a horizontal instrument, the Victims’ Rights Directive, applicable to all victims of crime, does not contain CSA-specific provisions. The EU adopted specific rules for victims of child sexual abuse and sexual exploitation under the Child Sexual Abuse Directive (see below), to respond more directly to the specific needs of those victims.

·How the proposed legislation builds on and interacts with the Victims’ Rights Directive: whilst the proposed legislation focuses on strengthening the functioning of the internal market by setting common rules aimed at preventing and combating the misuse of online services for CSA-related purposes, it could also help support and facilitate the work of Member States on assistance to victims of CSA, notably through the creation of the EU Centre to prevent and counter CSA, which would facilitate research and the exchange of best practices among Member States. The proposed legislation does not create new obligations for Member States in this respect.

Sector-specific legislation

The Child Sexual Abuse Directive

·What it does: the Child Sexual Abuse (CSA) Directive’s main objective is to harmonise minimum criminal law rules at EU level concerning the definitions of child sexual abuse and exploitation offences and corresponding sanctions and to require the establishment of prevention measures in this area. It also requires Member States to ensure the provision of assistance and support to victims before, during and after the conclusion of criminal proceedings. In terms of websites disseminating CSAM, the Directive requires Member States to take necessary measures to ensure the prompt removal of webpages hosted in their territory and to endeavour to obtain the removal of such pages hosted outside their territory. It also enables Member States to take voluntary measures to block access to web pages containing or disseminating CSAM within their territory, while providing safeguards (restriction is limited to what is necessary and proportionate; users are informed of the reason for the restriction and of the possibility of judicial redress). The Child Sexual Abuse Directive does not establish a legal basis for any processing of personal data.

·How CSA-related responsibilities are distributed between EU and Member States: the Directive defines a minimum set of standards at EU level to define and sanction these crimes, prevent them and assist victims. Member States are required to comply with these minimum rules and may go beyond them if they consider it necessary. Similarly, the Directive defines the responsibilities of Member States but leaves to national authorities to comply with those responsibilities in the way that suits best the national specificities (e.g. on prevention programmes).

·How the proposed legislation builds on and interacts with the Child Sexual Abuse Directive: the former is intended to reinforce and complement the latter without creating unnecessary overlaps. Whereas the Directive focuses on defining the roles and responsibilities of Member States’ authorities in the fight against CSA using the tools of criminal law, the proposed legislation focuses, from an internal market angle, on defining the roles and responsibilities of private companies offering their services in the Single Market, notably concerning the detection, reporting and removal of CSA online. Nonetheless, the proposed legislation could help support and facilitate the efforts by Member States to meet the obligations defined in the CSA Directive relating to prevention and assistance to victims, notably through the creation of the EU Centre to prevent and combat CSA.

The proposed initiative cannot address remaining implementation issues with the Directive. A study has been launched to prepare the evaluation of the CSA Directive and at the moment there are ongoing infringement procedures against 21 Member States. The majority of the challenges Member States face in the implementation concern offline prevention measures (in particular prevention programmes for offenders and for people who fear that they might offend) and criminal law definitions. Exchanges between the Commission and Member States are ongoing to ensure that they swiftly address these remaining issues. The Commission has also organised dedicated expert workshops with Member States to facilitate the exchange of lessons learned and of best practices in national experiences in the implementation of the CSA Directive. That said, the present legislative initiative could indirectly have a positive effect on the implementation of the Directive, in particular through the EU Centre as an expert hub and facilitator of exchanges of knowledge and best practices.

The “Interim Regulation”

·What it does: voluntary detection of CSAM and grooming in certain online communication services like instant messenger and email has been made subject, as of 21 December 2020, to comply with the ePrivacy Directive’s rules on confidentiality of communications, due to changes in the definitions of the European Electronic Communications Code becoming effective and those services consequently fell under the ePrivacy Directive. To address this issue, the Commission proposed a temporary derogation from the application of certain rights and obligations under the ePrivacy Directive, for the sole purpose of detecting and reporting CSA and removing CSAM. The Interim Regulation 22 , which entered into force on 2 August 2021, enables those services to continue such practices on a voluntary basis, provided those practices are lawful and, in particular, meet a range of conditions. The Regulation ceases to apply three years after its entry into force. The Interim Regulation does not establish a legal basis for any processing of personal data.

·How CSA-related responsibilities are distributed between EU and Member States: the Commission is responsible for making a list of names and organisations acting in the public interest against CSA to which providers report CSA online, for requesting the European Data Protection Board (EDPB) to issue guidelines for the purpose of assisting the supervisory authorities in assessing whether processing falling within the scope of the Regulation complies with the GDPR, and for preparing a report on the implementation of the Regulation. Member States are notably responsible for enforcing the Regulation and for statistics related to the detection, reporting and follow up of the CSA reports.

·How the proposed legislation builds on and interacts with the Interim Regulation: the proposed legislation replaces the Interim Regulation, and uses it as a reference to present a long-term framework that maintains some of its elements and covers a wider range of services, including private communications.

The Europol Regulation and its proposed revision

·What it does: the Europol Regulation sets out the mandate of the European Union’s law enforcement agency, which is to support and strengthen action by competent authorities of the Member States and their mutual cooperation including in preventing and combating serious forms of crime, such as sexual abuse and sexual exploitation. Among other tasks, Europol’s current mandate allows the agency to collect, store, process, analyse and exchange information, including criminal intelligence; to notify the Member States of any information and connections between criminal offences concerning them and to coordinate, organise and implement investigative and operational actions to support and strengthen actions by the competent authorities of the Member States. The proposed revision of Europol’s mandate would notably allow it to receive data from private parties directly, subject to certain conditions.

·How CSA-related responsibilities are distributed between EU and Member States. Europol can support Member States' actions in preventing and combating CSA crimes. In particular, Europol receives reports from online service providers via the US National Centre for Missing and Exploited Children (NCMEC) for 19 Member States 23 , completes these reports with its own information (if any) and forwards them to the Member States’ authorities. 

·How the proposed legislation builds on and interacts with the Europol Regulation and its proposed revision. The proposed legislation creates an EU Centre to prevent and counter CSA, which will work closely with Europol. The Centre will receive the reports from online service providers, check that they are likely to be actionable, i.e. they are not manifestly unfounded and can thus in principle be acted upon, and forward them to Europol so that it can enrich the reports with additional criminal intelligence, as well as to national law enforcement agencies. This would ensure that Europol and national law enforcement resources are focused on key investigative tasks such as swiftly rescuing victims from ongoing abuse, rather than on e.g. filtering out the reports that are not relevant. The revised Europol mandate would complement the proposed legislation in particular on the ability for Europol to receive and process reports from the EU Centre originating from online service providers.

2.Coordination

The existing legal framework is complemented by practical efforts at EU level to step up the fight against CSA in all areas: investigations, prevention, and assistance to victims.

EU level cooperation in investigations

·What it does: Europol provides EU level coordination for investigation of cross-border cases. In addition, the EU policy cycle (EMPACT) 24  serves to coordinate the operational priorities of Member States’ law enforcement authorities in the area of combating CSA, to organise joint operations and strategic approaches to specific phenomena from a law enforcement perspective. Europol also helps coordinate investigations involving law enforcement agencies in third countries and in the Member States.

·How CSA-related responsibilities are distributed between EU and Member States: Europol supports operational action by law enforcement agencies in Member States at their request. Europol does not have executive powers (i.e. it is not a “European FBI”).

·How the proposed legislation builds on and interacts with existing EU level cooperation in investigations: the proposed legislation aims to support the existing cooperation in investigations by ensuring that the reports from online service providers that reach Europol and national law enforcement agencies are actionable and relevant. The EU Centre would not have any operational capability on investigations, but would support them indirectly by facilitating the process of detection, reporting and removal of CSA online by service providers.

EU level cooperation in prevention

·What it does: at the moment, EU level cooperation in prevention of CSA is fragmented and limited to ad hoc expert meetings organised by the Commission to support Member States in the implementation of the CSA Directive, initiatives on awareness raising under EMPACT and Europol. The 2020 CSA Strategy aimed to boost EU level efforts on prevention by making it one of its pillars. Specifically, the Strategy included the EU Centre to prevent and counter CSA, which will also carry out certain tasks relating to prevention. The Strategy also announced the launch of a prevention network of practitioners and researchers to support the EU Member States in putting in place usable, rigorously evaluated and effective prevention measures to decrease prevalence of child sexual abuse in the EU. The network will aim to give structure and regularity to exchanges of knowledge and best practices between Member States.

·How CSA-related responsibilities are distributed between EU and Member States. The CSA Directive requires Member States to implement provisions while leaving it to them to determine exactly what these measures or programmes are. The degree to which the requirements of the Directive are fulfilled vary among the Member States (see section 2.2.3.).

·How the proposed legislation builds on and interacts with existing EU level cooperation in prevention. The proposed legislation will establish the EU Centre, which will be the driving force of the work relating to preventing and combating CSA at EU level. Whilst the Centre would principally focus on its tasks set out in the envisaged legislation connected to the common rules for online service providers to combat CSA online, the Centre could also contribute to and facilitate Member States’ work relating to prevention, for instance through the involvement of multiple stakeholders and the sharing of best practices and lessons learned across Member States. The proposed legislation will not create new obligations for Member States on prevention.

EU level cooperation in assistance to victims

·What it does: EU level cooperation in assistance to victims takes place currently through the Victims’ Rights Platform 25 , which deals with horizontal issues relevant for victims’ rights. The platform brings together representatives of EU level networks, agencies, bodies and civil society organisations relevant for the implementation of the EU Strategy on victims’ rights.

·How CSA-related responsibilities are distributed between EU and Member States: the platform facilitates the implementation of the EU strategy on victims’ rights, which details key actions for the European Commission and for Member States. Also, the CSA Directive requires Member States to implement provisions related to assistance to victims, while leaving it to them to determine exactly what these measures are. The degree to which the requirements of the Directive are fulfilled varies among the Member States (see section 2.2.3.).

·How the proposed legislation builds on and interacts with existing EU level cooperation in assistance to victims: apart from its main tasks in the process of combating CSA online, the EU Centre could also facilitate and support Member States action in assistance to victims of CSA, specifically by serving as a hub of expertise to support evidence-based policy development, help develop research on assistance to victims, including victims’ needs and the effectiveness of short-term and long-term assistance programmes. The Centre will also support victims, at their request, in having their images and videos taken down by assisting them in exchanges with the relevant online service providers. The EU Centre could participate in the Victims’ Rights Platform to contribute to the discussion of horizontal issues concerning victims and to the implementation of the EU strategy on victims’ rights. The proposed legislation will not create new obligations for Member States on assistance to victims.

Multi-stakeholder cooperation at EU and global level

·What it does: at EU level, the Commission facilitates multi-stakeholder cooperation between service providers and national authorities in the fight against CSA online through the EU Internet Forum 26 , which brings together online service providers and ministers of interior of all Member States.

At global level, the Commission continues to contribute to increasing voluntary standards for the protection of children against sexual abuse by promoting multi-stakeholder cooperation, through the WeProtect Global Alliance to End Child Sexual Exploitation Online (WPGA) 27 .

·How CSA-related responsibilities are distributed between EU and Member States: at EU level, the Commission organises the EU Internet Forum, in which Member States participate at ministerial level (once a year), and at various levels in the technical discussions. Depending on the initiative, Member States and/or the Commission may be responsible for the execution.

At global level, the Commission participates in the policy board of the WPGA, as one of its founding members. Member States are WPGA members and notably participate in its biannual global summit (the next one will take place in Brussels in June 2022 and will be co-hosted by the Commission and the French Presidency of the Council of the EU).

·How the proposed legislation builds on and interacts with existing multi-stakeholder cooperation at EU and global level: the proposed legislation builds on the experience of the EU Internet Forum and the WPGA and aims to boost multi-stakeholder cooperation in the EU and globally in the fight against CSA, through the EU Centre. The Centre will be an independent facilitator that will bring together all the relevant actors in the EU and beyond in any aspect of the fight against CSA, including investigations, prevention and assistance to victims, to ultimately facilitate and support Member States’ action in those areas. The Centre will have a more operational focus than the EU Internet Forum and the WPGA, which are centred on policy and are not designed to play a role in facilitating day-to-day efforts on the ground.

3.Funding

·What it does: the 2020 strategy includes a commitment to continue providing funding for fighting child sexual abuse, e.g. to support the development of national capacities to keep up with technological developments. The Commission has organised regular calls for project proposals to fight the online and offline aspects of child sexual abuse, with a total value of 61 million euro in the last 10 years (funded under Horizon2020 and Internal Security Fund 28 ). Notable examples of EU-funded projects include:

oThe INHOPE network of hotlines, where users can report child sexual abuse materials they encounter online (formerly funded through the Connecting Europe Facility programme, and currently under the DIGITAL Europe programme). The content is analysed, and if assessed as illegal, hotlines notify the relevant online service providers requesting the swift removal of the content, and report the case to the relevant law enforcement agency for victim identification purposes. National hotlines are an important element of implementation of Article 25 of the CSA Directive, as a majority of Member States has chosen to implement most of this article through the hotlines. As of January 2022, the INHOPE network consists of 46 hotlines in 42 countries (including all Member States except Slovakia);

oThe International Child Sexual Exploitation (ICSE) database at Interpol, which is an important tool enabling law enforcement to identify victims globally. The database has helped identify 23,564 victims worldwide at the time of writing 29 .

The Commission has also financially supported the adoption of the Barnahus model of child-friendly, multidisciplinary protection of child victims during criminal proceedings, which includes limiting the number of interviews of child victims and conducting them by trained experts, as a standard in the EU.

·How CSA-related responsibilities are distributed between EU and Member States: the Commission manages the funding instruments mentioned above. That said, part of the Internal Security Fund is managed by Member States under the supervision of the Commission, and Member States also contribute own funding to the efforts, to a varying extent.

·How the proposed legislation builds on and interacts with existing funding mechanisms: the creation of the EU Centre requires dedicated EU funding, and no changes will be made to existing funding mechanisms. However, increased coordination and cooperation in prevention efforts facilitated by the EU Centre may also result in more targeted and higher-quality proposals during future funding rounds.

Relevant Sustainable Development Goals (SDGs)

The most relevant SDGs for this initiative are 5.2., eliminate all forms of violence against women and girls, and 16.2., end abuse, exploitation, trafficking and all forms of violence against children.

Other SDGs of particular relevance are those that address risk factors of CSA, such as SDG 1 on poverty (e.g. children forced by their parents to be sexually abused online), SDG 3 on health (e.g. given the short and long-term negative health consequences of CSA on children), SDG 4 on education (e.g. prevention campaigns to raise awareness of CSA online risks), and SDG 9 on industry, innovation and infrastructure (e.g. as the initiative aims to support service providers efforts to fight against CSA online, including through the EU Centre).

2.Problem definition

Table 1 shows the intervention logic (problem, drivers, objectives and options) that will be described and analysed in the impact assessment:

Table 1: problem, problem drivers, objectives and options (intervention logic)

2.1. What is the problem?

2.1.1. Definition and magnitude

The problem that this initiative tackles is that providers of certain online services offered in the EU face divergent rules at national level when it comes to their responsibility for preventing and combating child sexual abuse on their services. At the same time, the existing responses at national level to some child sexual abuse 30  crimes are proving insufficient. Challenges persist in detection, reporting and action by relevant service providers, as well as insufficient prevention, assistance to victims and cooperation. The divergence of national responses to the problem creates legal fragmentation which negatively affects the Internal Market. 

Prevalence

At least one in five children falls victim to sexual violence during childhood 31 . A global study of childhood experiences in 2021 found that than one in three respondents (34%) had been asked to do something sexually explicit online during their childhood, and more than half (54%) had experience a form of child sexual abuse online 32 . A recent survey in Spain concluded that two out five Spanish adults suffered sexual abuse when they were children 33 .

The majority of victims are girls, who are more than twice as likely to be abused than boys 34 .

Vulnerable children are more likely to fall victims of CSA online. In a recent survey about childhood experiences:

·59% of respondents who identified as transgender and non-binary experienced online sexual harm, compared to 47% of cisgender respondents;

·65% of respondents who identified as LGBQ+ experienced online sexual harm, compared to 46% non-LGBQ+ people;

·57% of disabled respondents experienced online sexual harm, compared to 48% of non-disabled respondents.

“Offline” and online CSA

The sexual abuse of children can take multiple forms, both offline (e.g. engaging in sexual activities with a child or exploiting a child for prostitution) and online (e.g. forcing a child to engage in sexual activities via live streaming, or viewing or distributing online child sexual abuse images and videos).

The offline and online aspects of the crimes have become increasingly intertwined, and most CSA cases today contain an online component 35 . For example, an offender may abuse a child offline, record the abuse, and share it online. Or the offender may establish a first contact with children online and then lure them to meet offline and sexually abuse them 36 . It is therefore not possible to separate categorically between online and offline.

That said, this initiative focuses on the online aspects of the crime with relation to detection, reporting and removal efforts, in particular by the providers of the services used. This is because the internet has become the main medium for sharing CSAM, as well as for contacting children with the aim of abusing them. The internet facilitates the creation of communities in which offenders share materials and experiences. The volume of CSAM shared online has grown exponentially in the last years, while sharing of such material offline, e.g. via mail services, remains at a very low level and was not signalled as a common issue encountered by law enforcement in CSA investigations during stakeholder consultations.

The Member States have sought to address this growing phenomenon through rules at the national level, reinforcing existing legislation or adopting new rules to improve the detection and follow-up on online child sexual abuse. This has inadvertently created a fragmentation of the internal market which negatively impacts the provision of certain online services, while at the same time failing to stem the proliferation of this particularly harmful content. Therefore, this initiative addresses the detection, reporting and removal in the online sphere, which enables and fuels offline and online abuse, as well as on prevention and assistance to victims, where the online and offline aspects are also closely related.

Interlinkages between detection, reporting and action, prevention, and assistance to victims

In addition to the online-offline interlinkages, all the different areas of the problem are also closely related: detection, reporting and action (i.e. follow up to the reports, including removal by service providers and action by law enforcement), prevention, and assistance to victims. In general, for public authorities to be able to act and assist the victim, the crime has to be detected and reported, which in turn may prevent future crimes from happening (e.g. if the offender is arrested and the victim is rescued). This also applies to detecting grooming and to stopping the circulation of CSAM (known and new), which are both criminal behaviours. In addition, the continued circulation of CSAM has a particularly harmful societal impact: the distribution of CSAM is a form of re-victimisation that occurs every time the images and videos are seen. The knowledge that the images and videos are being distributed is a continuous source of distress for victims. In addition, viewing of CSAM can lead to hands-on abuse as it supports potential offenders in normalising and rationalising their behaviour; recent surveys even indicate that this may often be the case 37 . When CSAM is detected by service providers and investigated by law enforcement, it frequently leads to stopping ongoing or future abuse of child victims by the offenders caught distributing CSAM and/or grooming the child (see box 1 below).

Box 1: importance of detection, reporting and action in prevention and assistance to victims

Detection, reporting and action

The proportion of cases where CSA is discovered in a timely manner and prevented or stopped is very limited. Oftentimes, children do not manage to seek help themselves, and those in their ‘circle of trust’ (i.e. family and other close contacts), in charge to provide protection and care, are often the abusers 41 . One in three victims will never tell anyone and at least four in five CSA cases are not reported to public authorities 42 . There are indications that the COVID-19 crisis has exacerbated the problem 43 , especially for children who live with their abusers 44 .

In this context, online service providers and in particular ‘online intermediaries’ 45 such as messaging services, online forums, and online platforms (such as video-sharing and media-sharing platforms, social networks, etc.) have acquired an important role.

First, online intermediaries are often the only ones to have any possibility to detect the ongoing abuse. Frequently, the abuse is only discovered thanks to the efforts of online service providers to detect CSAM on their services, and to protect children from being approached by predators online. The key role of these reports is evidenced by the fact that in some Member States, up to 80% of investigations are launched due to reports from service providers 46 . This is particularly the case in electronic (private individual or group) communications, which offenders frequently use to exchange CSAM and approach children, where the service provider is the only one that can detect the abuse. It is reflected in recent statistics showing that the vast majority of reports (more than 80% in 2020, up from 69% in 2019) originate in interpersonal communication services (e.g. messenger applications and email) 47 , and surveys. In a recent one, two-thirds of respondents who received sexually explicit material online as children from an adult they knew or someone they did not know, received it through a private messaging service (68%), most commonly on their own personal mobile device (62%) 48 .

Secondly, the internet has also given offenders a new way of approaching children. They contact children on social media, gaming platforms and chats and lure them into producing compromising images of themselves or into offline meetings. In addition, children are spending more time online than ever before 49 , increasing the risk of coming into contact with online predators 50 .

Third, offenders frequently record the sexual abuse for repeat viewing and sharing. Where CSAM is shared online, the harm is perpetuated. The exponential development of the digital world has facilitated the global sharing of materials and the creation of networks of offenders via online intermediaries. The images and videos of CSA continue to circulate long after the abuse itself, and survivors often find themselves powerless to ensure removal of online content depicting their abuse 51 . In some cases, offenders continue to traumatise victims long after the abuse has taken place by creating fake accounts with the actual names of the victims. These accounts typically do not contain illegal content but they attract offenders familiar with the CSAM depicting those victims, who discuss the past abuse and the current personal information of the victims (e.g. where they live, work or family situation) 52 .

It is estimated that, at any given moment, across the world there are more than 750 000 individuals online exchanging CSAM, streaming live abuse of children, extorting children to produce sexual material or grooming children for future sexual abuse 53 .

The problem and problem drivers considered in the impact assessment apply to the three main types of abuse: known CSAM, new CSAM and grooming, also referred to as a whole as CSA online.

Box 2: current system to detect and report CSA online in the EU

While still only very few companies engage in voluntary detection of child sexual abuse, the past few years have nonetheless seen a strong increase in reports of CSA online submitted by online service providers globally through NCMEC: from 1 million reports in 2010 to over 21 million in 2020. The number of reports concerning the EU (e.g. images exchanged in the EU, victims in the EU, etc.) has also dramatically increased: from 17 500 in 2010 to more than 1 million in 2020 59 . 

Figure 1: EU-related reports submitted by online service providers, 2010-2020

Box 3: new CSAM and self-generated content

The amount of grooming cases reported globally increased by 98% in 2020 compared to the previous year (37 872 in 2020 vs 19 147 in 2019), presumably due to the pandemic, when both children and offenders spent more time online and at home 64 .

The reports that service providers submitted in 2020 in relation to cases in the EU included 3.7 million images and videos of known CSAM, 528 000 images and videos of new CSAM, and more than 1 400 grooming cases 65 .

Reports indicate that some companies active and with servers in the EU have now become the largest hosts of CSAM globally (from hosting more than half of all CSAM detected in 2016 to 85% in 2020, with 77% in the Netherlands) 66 . 

Given the worsening situation, Member States have started to take action unilaterally, adopting sectoral rules to deal with the challenge, which are necessarily national in scope and risk further fragmenting the Internal Market (see problem driver section 2.2.2.).

Stakeholders’ views

EU citizens are concerned about these developments. 93% consider important the principle that children should be protected in the online environment, with 73% of respondents considering this principle very important for inclusion in a potential future list of EU digital principles 67 .

Prevention

Prevention is an essential component for tackling the problem at its roots.

There are two main types of prevention efforts:

1.Prevention efforts focused on children and their environment and on decreasing the likelihood that a child becomes a victim. Examples include awareness raising campaigns to help inform children, parents, carers and educators about risks and preventive mechanisms and procedures, as well as training, and efforts to detect and stop online grooming.

2.Prevention efforts focused on potential offenders and on decreasing the likelihood that a person offends 68 . Examples include prevention programmes for persons who fear that they might offend, and for persons who have already offended, to prevent recidivism 69 .

Setting out effective prevention programmes remains challenging. Resources are limited and lack coordination, and efforts, where present, are rarely evaluated to assess their effectiveness. (see section 2.2.3. on problem drivers).

Assistance to victims

Assistance to victims is essential to mitigate the harm and severe consequences for children’s physical and mental health caused by child sexual abuse (see section 2.1.3).

Victims require both immediate and long-term assistance, before, during and after criminal proceedings and taking into account the best interests of the child. This assistance must be specific, i.e. following an individual assessment of the special circumstances of each particular child victim, taking due account of the child’s views, needs and concerns 70 .

However, immediate and long-term assistance remains limited, not sufficiently coordinated between relevant actors within and between Member States and of unclear effectiveness (see section 2.2.3.). This leads to information gaps, hampers the sharing of best practices and lessons learnt and decreases the efficacy of efforts.

2.1.2. Why is it a problem?

The fact that some child sexual abuse crimes are not adequately addressed in the EU is a problem because it results in victims not being rescued and effectively assisted as soon as possible, children being less protected from crimes, and offenders enjoying impunity. It affects public security in the EU and infringes children’s fundamental rights under the Charter of Fundamental Rights of the EU (Charter) 71 , including the right to such protection and care as is necessary for their well-being, the right to human dignity and the right to privacy. The continued presence and dissemination of manifestly illegal images and videos online, and the very heterogeneous approach of service providers, affects private and public interests, hampering trust, innovation and growth in the single market for digital services, in particular due to the fragmentation created by divergent national approaches trying to address the problem of CSA online (see problem driver section 2.2.2.).

Additionally, CSA has societal and economic costs. In particular, it contributes to an increased risk of serious mental and physical health problems across the lifespan, and exerts a substantial economic burden on individuals, families, and societies. There are negative consequences at all stages:

·Before the crime is committed: in the absence of proper preventative interventions, individuals who could have been stopped from abusing children may become first-time offenders, offenders are more likely to re-offend, and children are more likely to become victims if they and their carers lack awareness of the threat when using online services.

·While the crime is being committed: the consequences of not detecting and addressing the crimes swiftly include prolonged suffering and harm for victims. In addition, it reinforces the perception of impunity, reducing deterrence and facilitating further offending.

·After the crime has been committed: the consequences of not acting effectively after the crime include the inability to provide proper immediate and long-term assistance to victims, with negative effects for victims and society as described above. In addition, it may not be possible to prosecute offenders, which reduces opportunities for rehabilitation before, during and after criminal proceedings to prevent reoffending.

2.1.3. Who is affected and how?

First, children in the EU and elsewhere, who may fall victim to sexual abuse and suffer its negative effects, both in the immediate and long-term 72 . Immediate effects include physical injuries and psychological consequences (e.g. shock, fear, anxiety, guilt, post-traumatic stress disorder, denial, withdrawal, isolation, and grief), sexual behaviour problems and over-sexualised behaviour, academic problems, substance abuse problems, increased likelihood of involvement in delinquency and crime, and increased likelihood of teen pregnancy 73 . Long-term effects include psychological and social adjustment problems that can carry over into adulthood and affect married life and parenthood. They include negative effects on sexual and overall physical health; mental health problems including depression, personality and psychotic disorders, post-traumatic stress disorder, self-mutilation, attempted or completed suicide; and relational and marital problems including fear of intimacy and spousal violence.

Secondly, online service providers. Member States’ efforts to tackle the challenge at national level create distortions in the single market for digital services (see problem driver section 2.2.2.), as providers have to comply with sector-specific rules under national laws at least in some of the jurisdictions where they are active, resulting in a more challenging business environment for companies, in particular for smaller companies that are already facing difficulties of competing with their largest counterparts.

Third, users of online services. The detection, reporting and removal of CSA online currently lacks clarity, legal certainty and transparency. As a consequence, the rights and interests of users can be negatively affected. This can occur, for instance, in relation to unjustified reporting or removals, which may affect not only the users initiating the communications in question but also those at the receiving end. The existing uncertainty may also have a ‘chilling effect’ on legitimate forms of communications or hamper the full participation of children in online services as their parents and carers become more and more aware of the risks but do not have access to transparent information about the levels of risk and about what measures services take to protect children.

Fourth, governments and public authorities. The competent public authorities (e.g. law enforcement or governments at national, regional and local levels) dedicate significant resources to act against CSA. In particular, they put in place prevention programmes and measures to assist victims, and conduct investigations after they become aware of possible CSA. Inefficiencies in the current system lead them to seek local solutions to incentivise and obtain more information from providers.

Finally, society in general, given that CSA has consequences not only for the victims, but also for society as a whole 74 . Social costs correspond to the non-monetary consequences of the criminal acts, and include diminished quality of life for society and increased feelings of insecurity among individuals. Economic costs include those of police and judicial services (e.g. criminal prosecution, correctional system), social services, victim support service and victim compensation programmes, education, health, and employment costs.

Box 4: estimated costs of child sexual abuse

2.2. What are the problem drivers?

2.2.1. Voluntary action by online service providers to detect online child sexual abuse has proven insufficient

Voluntary action varies significantly among companies

Online service providers are often the only entities capable of detecting that abuse involving their services is taking place. Because detection is voluntary, some online service providers take comprehensive action, others take some action, and there are providers that do not take any action against CSA at all. In addition, service providers often do not have access to reliable information on what content and behaviour is illegal in the EU to facilitate accurate detection, proactively and voluntarily, resulting in a risk of both over- and underreporting.

There are currently 1 630 companies registered to report to NCMEC, which is the main entity to receive reports of proactive searches that companies perform on their system, and the de facto global clearinghouse of reports of CSA online. This is a fraction of the online services used to commit these crimes. In 2020, of these 1 630 companies, one, Facebook, sent 95% of reports, 5 sent 99% of reports, and only 10% sent one report or more 79 . There is no evidence that 95% of all the current cases of CSA online (including sharing of known and new CSAM, and grooming) occur on the services of that single company. In fact, experts agree that comparable levels of abuse occur in similar services from other companies, and the difference in detection levels is rather due to the different intensity of detection efforts 80 . For example, some providers may make efforts to detect abuse only in certain services they provide, or may make efforts to detect only certain types of abuse. This would mean that there is a substantial amount of CSA online that remains undetected.

Figure 2: breakdown of reports submitted by online service providers globally in 2020 81  

In addition, a number of service providers take action against users for suspected sharing of CSAM, e.g. by banning user accounts, but do not report. For example, WhatsApp indicates that it bans around 300 000 accounts per month for this reason alone 82 . However, it has been reported that WhatsApp reports to NCMEC only about 10% of these cases, as the evidence recovered is circumstantial only and in line with US legislation is insufficient for a criminal investigation 83 . Where that is so, there is on the one hand a risk that users are banned on the basis of unclear and potentially insufficient evidence, while on the other hand actual abuse may not be reported and investigated. This can have a significant negative effect on the fundamental rights of users 84 , and on the affected children.

These different approaches and the related risks also create asymmetries in the single market for digital services, as they have prompted a number of Member States to adopt or consider national legislation to create a stronger and more effective approach (see problem driver section 2.2.2).

Voluntary action is susceptible to changes in companies’ policies.

Because detection is voluntary, companies may decide to change their policies at will. One example is Facebook’s decision to implement end-to-end encryption (E2EE) on its private messaging service by default.

Existing detection efforts risk being severely hampered by the introduction of encryption in online services, which in spite of its benefits for cybersecurity and the protection of users’ fundamental rights, such as freedom of expression, privacy, and data protection, also makes the detection of CSA online and the protection of fundamental rights of the victimised children more difficult 85 , when not impossible.

Box 5: end-to-end encryption, a policy change impacting child sexual abuse detection

In addition to affecting the detection of CSA online and the protection of fundamental rights of the victimised children, the use of E2EE without mitigating measures reduces the means to prevent and combat CSA overall by “turning-off the light” on a significant part of the problem, i.e. decreasing the evidence base, including data on the scale of detectable CSA online, which is essential to fight against overall CSA effectively through assistance to victims, investigations, and prevention. 97 In the absence of mitigating measures (e.g. tools that can detect CSA online in E2EE systems, see annex 9), currently the possible ways to detect CSA online in E2EE systems are:

1)user reports, i.e. either the child or the offender reports the abuse; and

2)metadata, i.e. the time of the online exchange, the user names, and data related to the online exchange other than its content. This also includes suspicious patterns of activity (e.g. if someone repeatedly sets up new profiles or messages a large number of people they do not know 98 ).

Relying on user reports implies that the responsibility of reporting will be borne solely by child victims of sexual abuse in grooming cases, who in many cases are shamed or threatened into silence (see section 2.1.1. on underreporting), as the offender will obviously not report the abuse. This is already evident from the low number of user reports today.

Service providers do not consider metadata as an effective tool in detecting CSAM 99 . In addition, the use of metadata is usually insufficient to initiate investigations 100 . Moreover, it is likely to generate a much lower number of reports than the detection of content, despite the level of abuse being the same (if not higher). As an example, consider WhatsApp (E2EE and therefore uses metadata as the basis of detection) and Facebook Messenger (not E2EE and therefore uses content as the basis of detection). Whereas WhatsApp has around 50% more users than Facebook Messenger (2 billion vs 1.3 billion 101 ), and therefore, presumably, higher level of abuse proportional to the number of users, there were around 35 times less reports from WhatsApp than from Facebook Messenger submitted to NCMEC in 2020 (400 000 vs 14 million) 102 .

Europol reports that the widespread use of encryption tools, including E2EE apps, has lowered the risk of detection for those who offend against children 103 . Offenders are well aware of the possibilities that E2EE present to hide their abuse. In an analysis of offender forums in the Darkweb, it was found that a majority of discussions focused on topics such as technical tools for direct messaging or how to securely acquire and store content 104 .

Voluntary action leaves decisions affecting fundamental rights to service providers and lacks harmonised safeguards

A voluntary system leaves private companies to make fundamental decisions with significant impact on users and their rights 105 . The challenges in this system are particularly evident when dealing with CSA, where there are fundamental rights and interests at stake on all sides – including the right to protection of their well-being and to privacy on the side of the child, the right to privacy and freedom of expression and information for all users. As a result, if the rights of the child are deemed important enough to justify interfering with the rights of all users and of service providers, then it may not be appropriate to leave the decision on whether and if so, how to do so to the service providers.

In addition, the current voluntary action by online service providers to detect CSA online lacks long-term perspective and harmonised safeguards applicable to all relevant service providers, including transparency. This is especially important as some of the voluntary measures that companies decide to take may interfere with users’ rights, including those to privacy and data protection. It is unclear which tools are in use and how they are used, or which procedures are in place to improve the tools and limit the number of false positives. While there is an obvious need not to warn off perpetrators or inadvertently provide guidance on how to avoid detection, there may be room for more information. As a result, users at present may have no effective redress in case of erroneous removals; the possibilities of scrutiny are limited; and there is no effective oversight by regulators. In addition, the existence and effectiveness of procedural safeguards differs widely across providers.

The Interim Regulation introduced a number of safeguards, such as annual transparency reports, consultation with data protection authorities on their processing to detect CSA online, and complaint mechanisms, so that content that has been removed erroneously can be reinstated (see section 1).

A number of important safeguards are contained in the DSA proposal, which lays down harmonized transparency requirements in case of content moderation based on providers own initiative 106 , as well as in relation to mechanisms for removal and related user complaints 107 .

Given the gravity of impact on both sides – for the child victims, materials depicting their abuse, and the risk of (further) abuse, and for the suspected user, an accusation of having circulated CSAM – the above safeguards form an important baseline but do not go far enough in the present context. In particular, the stakeholder consultations have shown the importance of a universal reporting obligation for CSA online for the providers, using dedicated secure and fast channels, as well as of additional requirements on the technologies employed for automatic detection to ensure that they are both effective in detecting abuse and also limit the number of false positives to the maximum extent technically possible.

Voluntary action has failed to remove victims’ images effectively

Victims are left on their own when images and videos of their abuse end up online. Under national criminal laws, hotlines in the EU are in principle not allowed to proactively search for images and videos of a given victim, on the victim’s behalf, to effect removal. For the same reason, victims themselves are also prohibited from searching for their own images and videos, as the possession of CSAM is illegal per se. Absent a requirement for relevant services providers to take proportionate measures to detect, report and remove specified content, an effective removal system has not developed 108 .

Box 6: Voluntary principles to counter online child sexual abuse

2.2.2. Inefficiencies in public-private cooperation between online service providers, civil society organisations and public authorities hamper an effective fight against CSA

This section describes the inefficiencies in public-private cooperation between the main actors in the fight against CSA, online and offline. In a majority of cases, the inefficiencies relate to regulatory issues.

Cooperation between public authorities and service providers

Cooperation between public authorities and service providers is of critical importance in the fight against CSA, particularly in relation to service providers’ efforts to detect and report CSA online and remove CSAM.

·Legal fragmentation affecting the Internal Market

Currently, although obligations under national law are increasingly introduced, companies offering online services in the EU still detect, report and remove CSA online from their services on a voluntary basis. There are at present no effective procedures under EU law for service providers to report to public authorities or to exchange information in a timely manner or swiftly react to requests and complaints. This hampers investigations and creates obstacles to addressing CSA and to protecting victims.

This has led to a number of Member States preparing and adopting individual legislative proposals at the national level to create stricter rules for providers who fail to cooperate with public authorities or do not put in sufficient efforts to detect and report CSAM. Some Member States adopted new legislation as recently as 2021 (e.g. Germany, 110 Austria) and others are currently preparing legislative proposals (e.g. Germany, France, the Netherlands) (see Annex 5). These efforts often involve establishing dedicated public authorities or designating existing authorities to enforce the new rules 111 , as well as strict time-limits for service providers to remove CSAM upon becoming aware, subject to fines if they fail to do so 112 . At the same time, the reach of these efforts varies and they are constrained by the national laws of the Member States. The scope of relevant national laws and their obligations differ in terms of the services covered. For instance, some focus on social networks in general 113 , others on hosting providers managing websites containing illegal content 114 and yet others on online platforms above a certain threshold (e.g. number of registered users and annual revenue) 115 . Approaches are by nature limited to national jurisdictions. Given the cross-border nature of the Internet, and by implication many service providers operating online as well as online CSA, such a fragmented approach hampers the proper functioning of the internal market. Moreover, such a fragmented approach cannot ensure the effective detection, reporting and removal of CSAM and the fight against grooming across the EU, beyond the borders of individual Member States having the above-mentioned national legislation in place. Compared to one horizontal framework established at EU level, such a Member State-based approach increases the costs of doing business in the EU as service providers have to adapt to various different sets of rules, which creates uncertainties and challenges in particular for smaller providers seeking to expand to new markets in the EU, and can stifle innovation and competition.

Box 7: the CSAM issue in the Netherlands

The national approaches create fragmentation on the Internal Market, hindering effective cooperation between public authorities and service providers in the fight against CSA. The continued presence and dissemination of CSAM, and the very heterogeneous approaches of service providers, affect both private and public interests, hampering trust, innovation and growth on the Internal Market (i.e. single market for digital services). Such fragmentation increases compliance and operational costs of the actions in the fight against CSA for stakeholders such as online service providers that operate in several Member States and may lead to legal uncertainty. Non-compliant service providers may move to and continue operating from Member States where national rules are less strict. Given the cross-border and international dimension of online service provision as well as child sexual abuse online, a patchwork of national measures does not effectively protect children, and creates distortions in the functioning of the single market for digital services. 

The proposed Digital Services Act will not be able to reduce this fragmentation to the extent necessary, given its horizontal nature and the specific challenges posed by CSA (see section 5.1.). For example, the DSA would not create removal obligations. Some Member States have already gone farther, like Germany, which for certain providers such as social networks has imposed removal obligations by law 116 , as well as reporting obligations in case of detection of CSAM, specifying the data to be reported to federal law enforcement, as well as an obligatory notification to the user and other aspects 117 .

·Varying quality of reports

While reports from service providers via NCMEC have led to many cases of children being rescued from ongoing abuse, and of offenders arrested, law enforcement authorities estimate that only around 75% of reports they receive from service providers are actionable 118 . The most common reason is that the report contains material that does not constitute child sexual abuse under the Member State’s law 119 . This is largely due to a simple fact: US-based service providers report to NCMEC material that may constitute CSA under US law 120 , which may include content that is not illegal in the EU and omit content that is illegal in the EU. For example, the CSA Directive leaves up to Member States to make illegal sexual abuse material involving individuals appearing to be a child but in fact older than 18, whereas US legislation requires that the material involve an “identifiable minor” to be illegal. On the other hand, the CSA Directive criminalizes grooming only when the child is below the age of sexual consent, whereas it is always illegal in the US for any person under 18 121 .

Further challenges arise as a result of a lack of unified reporting requirements which clearly set out the information to be included in reports. While US service providers are obliged to make reports to NCMEC, much of the information to be included in the report is left at the discretion of the provider 122 . The service that NCMEC provides for US-related reports (i.e. human review of the reports to ensure that they are actionable) is typically not available for EU-related reports, due to resource constraints. A lack of sufficient information is also one of the most common reasons cited by the law enforcement authorities of the Member States for a report not to be actionable 123 .

·Lack of resources in law enforcement agencies

Absent the support provided by NCMEC to US authorities, each national law enforcement authority is left to its own devices when analysing CSAM, despite the support provided by Europol to help coordinate cases. This requires a significant investment of resources and makes it very difficult to deal effectively with the large amount of reports these authorities receive, and prevents an effective public-private cooperation against CSA.

·Lack of feedback from public authorities to service providers.

Currently, there is no mechanism for systematic feedback from law enforcement to companies on their reports. Where providers report content that is not illegal under the law of the relevant Member State, the provider is not made aware of that fact. This increases the likelihood of the provider reporting the same or similar content again in the future.

·Challenges due to the international and cross-border nature of CSA

There are several international and cross-border aspects to the fight against CSA online. In many cases, these are inherent in the cross-border nature of the Internet. As a result, a single incident of online abuse may involve perpetrators and victims located in multiple jurisdictions. While certain minimum standards relating to CSA crimes have been widely adopted in criminal law in many countries, and within the EU the CSA Directive contains specific requirements providing for a degree of harmonisation, specific national definitions and offences differ from one country to another.

In addition, long-standing difficulties with regard to cross-border access to electronic evidence pose a particular problem for the investigation of CSA online. Law enforcement frequently needs additional information during investigations from service providers, which are often located in another Member State, or in a third country. Existing judicial cooperation is too slow and direct cooperation between service providers and public authorities is unreliable, inconsistent and lacks transparency and accountability. Several legislative proposals and other ongoing initiatives aim to address these issues (see box 2 in Annex 6).

Furthermore, due to the existing legal framework and the often important or even dominant market position of US service providers, Member States are heavily dependent in their fight against CSA on reports received from a third country, the US, through NCMEC.

Cooperation between civil society organisations and service providers

·Cooperation challenges in notice and action procedures.

When they receive a notice from civil society organisations requesting them to remove content, service providers in more than 25% of cases refuse to take action to remove the notified content or take a considerable time period to do so 124 . Whilst there can be justified reasons for not taking action or for some delays in individuals cases (for instance, because of uncertainty as to whether the notified content actually constitutes CSAM under the applicable laws), there is a particularly problematic group of providers known as ‘bulletproof hosting providers’, which refuse to assume any responsibility for content stored on their servers 125 . It should be recalled that, at present, EU law does not provide for an obligation for providers to report or act upon notified content, not even where it manifestly constitutes CSAM. Under the eCommerce Directive (Art. 14) and the proposed DSA (Art. 5, see section 5.1.), hosting service providers’ failure to act expeditiously to remove or disable access to illegal content (including CSAM) would lead to loss of the benefit of the liability exemption. In such cases, the service providers may – but not necessarily will – be liable under the applicable national laws of the Member States, depending on whether these national laws provide for liability for service providers. 

Cooperation between public authorities and civil society organisations

·Limited impact of hotlines’ action in the EU due to regulatory gaps.

Inability to search proactively. As noted, hotlines operating in Member States are under national criminal law in principle not allowed to search CSAM proactively. They therefore tend to rely exclusively on reports from the public, which are of limited number and fluctuating in quality. The number of user reports is significantly lower than those from proactive efforts, as the situations in which someone comes across CSAM unintentionally and reports it are limited 126 . Also, user reports are often inaccurate, in particular compared with reports from proactive searches 127 . For example, the only hotline that conducts proactive searches in Europe, IWF in the UK, reported that whereas about half of the reports it manages come from the public and half from proactive searches, only 10% of the total CSAM that it finds traces back to public reports vs 90% from proactive searches 128 .

·Inefficiencies in cooperation on assistance to victims.

For long-term assistance to victims, there is room for improvement in the cooperation between public authorities and NGOs to ensure that victims are aware of the resources available to them. In addition, currently there is no cooperation between public authorities and hotlines or other NGOs to support victims at their request in searching and taking down the material depicting them.

·Inefficiencies in cooperation on prevention.

Inefficiencies in cooperation exist notably on prevention programmes for offenders and for persons who fear that they might offend. In some Member States, NGOs carry out these programmes with limited support from public authorities 129 . In addition, the coordination between public authorities and NGOs on the programmes they respectively offer at different stages is also limited (e.g. between the programmes that public authorities offer in prisons and the reintegration programmes that NGOs offer after the offender leaves prison)  130 .

Cooperation between public authorities, service providers and civil society organisations

·Lack of legal certainty:

-For service providers. The Interim Regulation did not create an explicit legal basis for service providers to proactively detect CSA, and it only provided a temporary and strictly limited derogation from certain articles of the e-Privacy Directive to allow the continuation of the voluntary measures to detect CSA, provided that these are lawful. Whereas some service providers invoke legal bases provided for in the GDPR for the processing of personal data involved in them carrying out their voluntary actions to tackle CSA, others find the GDPR legal bases not explicit enough. The uncertainty thus deters some service providers from taking such voluntary action.

-For hotlines. The operation of hotlines is not explicitly provided for in EU law, and only five Member States explicitly regulate it 131 , with others relying on memorandums of understanding. This leads to the inability of hotlines to assess the content of reports from the public in some Member States, or to notify the service provider directly, leading to fragmentation and ineffectiveness across the EU 132 . 

·Lack of operational standards:

Law enforcement agencies, online service providers and civil society organisations have separate systems and standards used in the detection, reporting and removal of CSA online. They vary not only between the different types of stakeholders (e.g. between law enforcement and service providers) but also between the same type of stakeholder (e.g. between law enforcement agencies in different Member States). This includes the use of multiple, differing databases of hashes used in the detection of known CSAM. This hampers the collective ability to efficiently and effectively detect, report and remove CSAM, to identify and rescue victims, and to arrest offenders.

Stakeholders’ views

Public authorities 133  identified among the main challenges while investigating CSA cases: a) inefficiencies in public-private cooperation between service providers and public authorities, and b) inefficiencies/difficulties with access to evidence due to technical challenges. Over 80% referred to the increased volume of CSAM detected online in the last decade and further flagged that there are insufficient human and technical resources to deal with it. These same stakeholders state that a common baseline (also in terms of a common classification system and terminology) is required to support better law enforcement and judicial cooperation and information sharing consistent with the cross-border nature of offending in CSAM.

Civil society organisations stressed the need to improve cooperation between them and law enforcement authorities (74%) in the fight against CSA online (including by providing funding to enable cooperation, organizing joint trainings/meetings and ensuring better information sharing, as well as the need for legal recognition and a clear legal basis for the national hotlines). In addition, 73% of the respondents from civil society organisation pointed out that improved cooperation with service providers is needed.

Service providers highlighted the need for coordinated actions on a global level, and the importance of exchange of best practices.

2.2.3. Member States’ efforts to prevent child sexual abuse and to assist victims are limited, divergent and lack coordination and are of unclear effectiveness

Prevention efforts

·Limited. 

In relation to the two main types of prevention efforts described in section 2.1.:

oPrevention efforts to decrease the likelihood that a child becomes a victim. Awareness raising 134 and training is limited in availability, particularly to organisations and persons that come in regular and direct contact with children as part of their jobs or vocational activities, in addition to carers and parents. A vast majority of the abuse occurs in the circle of trust of the child. At the same time, those in regular and direct contact with children should have the knowledge and tools to ensure that children do not become victims, given their proximity to the child.

oPrevention efforts to decrease the likelihood that a person offends.

Research into what motivates individuals to become offenders is scarce and fragmented. This current lack of research makes it difficult to put in place effective programmes before a person offends for the first time, in the course of or after criminal proceedings, both inside and outside prison. As a result, there are currently very few programmes in place 135 .

·Uncoordinated. Multiple types of stakeholders need to take action to enact a preventive approach that delivers results. This includes public authorities, the research community, NGOs, and providers of online services used by children. The various types of practitioners in this field do not communicate sufficiently with each other and with researchers on the effectiveness of the programmes, lessons learned and best practices; language can be a further barrier. Expertise and resources to establish and implement such initiatives are not evenly distributed in the EU, and successful programmes are mostly local endeavours. There are overlapping efforts in some areas, e.g. Member States designing similar programmes and campaigns in parallel 136 , whereas other areas, such as reaching out to potential offenders, are not sufficiently addressed.

·Unclear effectiveness. The few programmes that exist are rarely evaluated to assess their effectiveness and usability 137 . A recent systematic review of the published empirical literature on child sexual abuse perpetration prevention interventions found only five published evaluation studies, and these were methodologically limited (e.g. four examined the same intervention only on adults in Germany, and the other one focused only on children aged 5 to 12) 138 .

Assistance to victims’ efforts

·Limited. Victims of CSA do not always receive the tailored and comprehensive assistance required 139 , such as support in trying to stop the sharing and distribution online of the images and videos depicting their abuse, which perpetuates the harm.

·Uncoordinated. Victims of CSA require comprehensive support that brings together all relevant sectors, including health, legal, child protection, education and employment. Such coordination between relevant actors within and between Member States is lacking. The existing initiatives do not systematically make use of existing best practices and lessons learned in other Member States or globally. This translates into information gaps on help resources, gaps in specialised support, and overall inefficiency of efforts.

·Unclear effectiveness. There is little data on whether survivors have access to appropriate support, and existing research suggests that the level of satisfaction with support received is low 140 .

Box 8: main sources of evidence on current efforts on prevention and assistance to victims

2.3. How likely is the problem to persist?

The problem of CSA is likely to continue worsening, driven by the issues identified in the problem drivers section.

Children will continue to spend more time online and thus be more exposed to predators operating online. Similarly, predators will most likely also be spending more time online than before, as teleworking arrangements expand and become part of the post-pandemic new normal, and in response to the increase in opportunities to encounter children online.

Relevant services will continue to be misused for the purpose of CSA, in particular those that do not adopt meaningful voluntary measures. It is unrealistic to expect that, in the absence of incentives or obligations, the relevant service providers would implement sufficient voluntary measures, given that many have failed to do so to date despite the evident proliferation of CSA online. Images and videos will continue to stay online. Smaller players in particular will continue to be dissuaded by the lack of legal certainty. The fragemented legal framework can also lead to high compliance and operational costs for all service providers offering their services in the EU, since their obligations might differ and be more burdensome in one Member State than in another.

In the absence of EU action, Member States will see a need to step up and fill the gap, as some have already done or are in the process of doing. The increasing legal fragmentation concerning obligations on service providers to detect and report CSA online (known and new material and grooming) and to remove that material, as well as the uneven application of voluntary measures, would continue, in particular after the Interim Regulation expires. There are already inefficiencies in public-private cooperation between online service providers and public authorities (such as law enforcement authorities) in exchanging information in a timely manner or swiftly reacting to requests and complaints. This hampers investigations and creates obstacles to addressing child sexual abuse online and to protecting victims. Such inefficiencies would continue and potentially escalate as the overall volume of illegal activity and content grows

The current technical solutions used to detect CSA online do not function in E2EE electronic communications. It is likely that more service providers would incorporate end-to-end encryption without effective measures to protect children. Encryption is an essential tool for ensuring cybersecurity and the protection of users’ fundamental rights such as freedom of expression, privacy and personal data, but at the same time makes the detection of CSA online (and therefore the protection of fundamental rights of the child) much more difficult, if not impossible. This could result in more online ‘safe havens’ where offenders can freely exchange CSAM without fear of discovery and reprisal, normalise these crimes, actively encourage others to abuse children to generate new material, and where children may be groomed and abused online.

It is unlikely that, across the board, companies will unilaterally divert investment into developing technical solutions that allow reliable detection of CSA in encrypted systems, as well as a high level of privacy and protection of other fundamental rights, security against unauthorised access and transparency (see Annex 9 for a possible set of assessment criteria for these technical solutions). Deployment of these technical solutions would require financial resources to develop the solution for feasible deployment at scale and align it with companies’ current infrastructures. Smaller companies with limited resources are especially likely to encounter more difficulties, since work in this area is relatively novel and technical tools although available, must be tailored to the specific service.

An example of the development of these tools is the announcement of new ‘Child Safety’ initiatives 143 by Apple. Apple is working towards deploying technical tools to detect known CSAM on users’ devices prior to encryption and storage in the cloud. The solution uses well-developed hashing technology to generate a hash of the image the user is uploading and match it against a database of hashes of verified CSAM (see Annex 8). This takes place on the user’s device prior to the image being encrypted, and does not interfere with the encryption safeguarding the transfer of data, preserving in this respect the privacy and security of data, and allowing detection of known CSAM.

However, a number of companies and privacy NGOs state that there is no possibility to deploy such tools to detect CSA in the context of encrypted electronic communications that would ensure protection of privacy and security of communications. While they do not interfere with the encryption as such, these tools are seen as violating the spirit of end-to-end encryption to the extent that it suggests a wholly private exchange where even illegal content is shielded, for the benefit of ensuring everyone’s privacy. It is therefore likely that spontaneous developments in encrypted communications that take into consideration children’s safety and privacy and all fundamental rights at stake will remain limited, given in particular the legal uncertainty and vocal opposition from some stakeholders.

As children will be increasingly exposed to predators online, prevention will play a particularly important role. Parents and children will need the knowledge and tools to protect themselves. Without a solid and structured approach to awareness raising and education to benefit children, parents and caregivers, children will continue to fall victim to sexual abuse in greater numbers. This concerns both online abuse, which may be followed by crimes committed offline, but it applies also to purely offline abuse. While awareness of the problem is currently on the rise in a number of Member States when it comes to abuse in organised sports or other activities targeting children, an effective and systematic prevention response is still lacking. Whether sexual abuse takes place offline or online, children will therefore often continue to lack information on where to seek help, and the adults around them will not be in a position to notice or remedy the problem.

On the opposite side of the problem, people who are attracted to children will continue using the online space to find victims. Those who may want to seek support to overcome this attraction will often not dare to come forward in fear of legal consequences and social stigma. Instead, they will likely continue to seek information online, and often become drawn in by other predators into committing crimes, rather than finding professional help. Therefore, initiatives addressing more apparent aspects of prevention, such as awareness raising initiatives, will not be enough to address the entire problem, and the CSA issue is likely to continue growing. While there are some initiatives that reach out to persons who fear they may offend, without EU-level support and coordination, they will likely continue to be limited, unevenly distributed and of varying effectiveness.

Increased online activity and consequent exposure of children to predators will unavoidably result in more victims. Victims will continue having difficulties to access long-term assistance. Without more developed support system in all EU Member States, the situation of victims will continue to vary. However, even in Member States with more advanced support systems, many victims will be left to face the psychological, physical and economic consequences of CSA without proper assistance, once the immediate proceedings around the crime are closed. In cases where the crime is never reported, victims and their families may not know where to seek help, or that they should be entitled to it.

Another problem that the victims will likely continue to face on their own are efforts to have their images and videos taken down swiftly and effectively. As this is rather a matter of practical action against illegal content rather than of harmonised criminal law, it could not adequately be addressed in a revision of the CSA Directive or the Victims’ Rights Directive 144 , and it is too specific of a problem to have been included in the DSA proposal. As long as there is no proactive search for these images and videos, they will often stay online.

3.Why should the EU act?

3.1. Legal basis

In accordance with settled case law by the Court of Justice of the EU, the legal basis of a legislative initiative has to be determined in light of the content and aim of the envisaged measures. Given that these measures are in part still under assessment, at this stage, no definitive conclusions can yet be drawn in this respect.

That said, given the problems that this impact assessment is addressing and the solutions proposed, Article 114 TFEU was identified as the most likely legal basis for an EU intervention. Article 114 TFEU is the basis for measures which have as their object the establishment and functioning of the internal market. In particular, Article 114 is the appropriate legal basis to address differences between provisions of Member States’ laws which are such as to obstruct the fundamental freedoms and thus have a direct effect on the functioning of the internal market, and to prevent the emergence of future obstacles to trade resulting from differences in the way national laws have developed 145 . 

This initiative aims to ensure the proper functioning of the internal market, including through the harmonisation of rules and obligations concerning certain online service providers in relation to providing services which are at high risk of being used for child sexual abuse and exploitation online. As highlighted above under Section 2.2.2, Member States have started taking action unilaterally, adopting or considering rules to deal with the challenge posed by child sexual abuse online, which are necessarily national in scope and risk fragmenting the Digital Single Market. This initiative aims to ensure common rules creating the best conditions for maintaining a safe online environment with responsible and accountable behaviour of service providers. At the same time, the intervention provides for the appropriate supervision of relevant service providers and cooperation between authorities at EU level, with the involvement and support of the EU Centre where appropriate. As such, the initiative should increase legal certainty, trust, innovation and growth in the single market for digital services.

Articles 82 and 83 TFEU, which constitute the legal basis for the CSA Directive, provide a basis for criminal law rules concerning, inter alia, the rights of victims of crime and the definition of criminal offences and sanctions in the areas of particularly serious crime with a cross-border dimension such as sexual exploitation of children. As the present initiative would not seek to harmonise criminal law, Articles 82 and 83 TFEU are not the appropriate legal basis.

3.2. Subsidiarity: necessity of EU action

A satisfactory improvement as regards the rules applicable to relevant online service providers active on the internal market aimed at stepping up the fight against CSA cannot be sufficiently achieved by Member States acting alone or in an uncoordinated way. In particular, a single Member State cannot effectively prevent or stop the circulation online of a CSA image or video, or the online grooming of a child, without the ability to cooperate and coordinate with the private entities who provide services in several (if not all) Member States. As presented above under Section 2.1., several Member States took, or in the process of taking, the initiative to adopt national laws in order to step up against the proliferation of CSA online. Although these approaches share the same objective, their way of achieving that objective is somewhat different, targeting for instance different types of services and introducing varying requirements and different enforcement measures.

In the absence of EU action, Member States would have to keep adopting individual national laws to respond to current and emerging challenges with the likely consequence of fragmentation and diverging laws likely to negatively affect the internal market, particularly with regard to online service providers active in more than one Member State (see problem driver section 2.2.2.). Individual action at Member State level would also fail to provide a unified system for cooperation in the fight against these crimes between public authorities and service providers, leaving them to deal with different legal systems and diverging rules instead of one harmonised approach.

This initiative would build on the DSA proposal, which creates a harmonised baseline for addressing all illegal content, to create a coherent system throughout the EU for the specific case of CSA content, which is characterised in particular by its non-public nature and the gravity of the crimes. Such a coherent system cannot be achieved at Member State level, as also set out in detail in the Impact Assessment accompanying the DSA proposal 146 . 

3.3. Subsidiarity: added value of EU action

Reduce fragmentation and compliance/operational costs, improving the functioning of the internal market

Legal fragmentation (divergence in national legislation to address these issues) increases compliance and operational costs of the actions in the fight against CSA for stakeholders such as online service providers that operate in several Member States and may lead to legal uncertainty in particular when the fragmentation also causes conflicts of laws. EU action would provide legal certainty and a coherent approach applicable to entities operating in several Member States, facilitating the scaling up and streamlining of their efforts in the fight against CSA and improving the functioning of the Digital Single Market.

Given the cross-border aspects of the problem, having regard to the inherent cross-border nature of the Internet and to the many services provided online, the number of policy areas concerned (single market for digital services policy, criminal law, economic issues, and fundamental rights including the rights of the child, freedom of expression, privacy and data protection), and the large range of stakeholders, the EU seems the most appropriate level to address the identified problems and limit legal fragmentation. As previously described, CSA, in particular in its online aspects, frequently involves situations where the victim, the abuser, and the online service provider are all under different national legal frameworks, within the EU and beyond. As a result, it can be very challenging for single countries to effectively define the role of and cooperation with online service providers without common rules and without fragmenting the Single Market (see problem driver section 2.2.2.).

Facilitate and support Member States’ action on prevention and assistance to victims to increase efficiency and effectiveness

While Member States are best placed to assess the gaps and needs, and implement action in their local context, they often lack information on what prevention and assistance to victims programmes are available, how effective they are, and how to approach their implementation in practice – who needs to be involved, what are the technical and legal pre-requisites and estimated costs. EU level action can provide a forum for exchange of necessary information and expertise to avoid duplication of efforts and blind spots. EU action can also help identify best practices and lessons learned at national level (from Member States or third countries) and incorporate them into EU-level initiatives, so that other Member States can benefit from them. This may also prevent a “whack-a-mole” effect in which a Member State successfully addresses a problem in its territory but the problem just moves to another Member State (e.g. hosting of CSAM online).

While some exchange in this area exists, the feedback from experts in the field indicates there is a need for a structured framework for such exchanges. EU level action promoting and disseminating research would help to enrich the evidence base in both areas and could possibly even link initiatives across Member States, boosting efforts. EU action could also include practical support to local interventions, e.g. translations of existing materials from another Member State, possibly leading to significant cost savings at national level.

The EU level action on prevention and assistance to victims at issue here would not impose any additional obligations beyond those included in the CSA Directive. Indeed, the main focus of the present initiative is on strengthening the functioning of the internal market by setting common rules aimed at combating the misuse of online services for CSA-related purposes. Nonetheless, the action could also contribute to facilitating and supporting Member States’ work to comply with the existing obligations, notably through the sharing of expertise and best practices benefitting from the central position it occupies in connection to its principal tasks regarding the detection and reporting of online CSA.

Reduce dependence on and facilitate cooperation with third countries

Currently, in practice, law enforcement authorities of the Member States depend almost entirely on NCMEC, a private organisation located in the US, as the main source of reports of CSA online. EU action could ensure, among others, that such dependence is reduced and that the detection, reporting and removal of CSA online is done through EU mechanisms that operate according to EU rules, including the necessary safeguards. In addition, EU mechanisms could be more closely linked to what is illegal in the EU and its Member States, rather than relying on definitions from third-country jurisdictions. This would enhance the precision of efforts, reduce the impact on third parties, and better target measures.

4.Objectives: What is to be achieved?

4.1. General objective

The general objective is to improve the functioning of the internal market by introducing clear, uniform and balanced EU rules to prevent and combat CSA, notably through imposing detection, reporting and removal obligations on certain online service providers.

4.2. Specific objectives

There are 3 specific objectives that address the problem drivers identified in section 2.2.: 

1.Ensure the effective detection, reporting and removal of online CSA where they are currently missing. This specific objective is of particular relevance to problem driver 1, as the current voluntary action by online service providers and under diverging national laws is insufficient to effectively detect, report and remove CSA online across the EU, i.e. by not detecting some crimes or by not being effective in dealing with those detected. It is also of relevance to problem driver 2, since part of the current inefficiencies in the detection, reporting and removal process are due to inefficiencies in public-private cooperation.

2.Improve legal certainty, transparency and accountability and ensure protection of fundamental rights. This specific objective is of particular relevance to problem driver 1, as the current voluntary action by online service providers and the action taken under diverging national laws is not sustained on a clear, uniform and balanced EU-level framework that provides long-term legal certainty, transparency and accountability and ensures protection of fundamental rights. This objective therefore reflects the need to create a clear framework, with the appropriate safeguards to ensure respect for children’s rights and all users’ rights, including the right to freedom of expression, right to private life and communications as well as data protection, and to provide regular information about its functioning, including e.g. transparency reports on technologies used for the identification of CSA content.

3.Reduce the proliferation and effects of CSA through harmonisation of rules and increased coordination of efforts. This specific objective is of particular relevance to problem drivers 2 and 3. Coordination issues are at the core of the inefficiencies in public-private cooperation in problem driver 2, and improved coordination could boost Member States’ efforts on prevention and assistance to victims.

Contribution to relevant SDGs

The three specific objectives directly contribute to achieving the most relevant SDGs for this initiative, 5.2., eliminate all forms of violence against women and girls, and 16.2., end abuse, exploitation, trafficking and all forms of violence against children.

Specific objectives 1 and 3 also directly contribute to achieving other SDGs of relevance, such as SDG 1 on poverty and SDG 3 on health, by reducing the proliferation and effects of CSA and ensure the detection, reporting and removal on CSA online where it is currently missing. Contributing to prevent and/or stop the abuse can reduce the negative consequences on health, including mental health, which may have a negative impact on the economic future of the child (e.g. through substance abuse or decreased productivity). Specific objective 3 helps achieve SDG 4 on education (e.g. through the awareness raising campaigns or the exchange of related best practices facilitated by the EU Centre). Finally, specific objective 2 helps achieve SDG 9 on industry, innovation and infrastructure (e.g. as the initiative aims to support service providers efforts to fight against CSA online, including through increasing legal certainty and the required safeguards that do not hamper innovation on the technologies to detect, report and remove CSA online).

5.What are the available policy options?

5.1. What is the baseline from which options are assessed?

In the baseline scenario no further EU policy action is taken. The following section assesses the most likely scenario in the absence of the initiative, i.e. how the existing and already planned policy instruments would address the problems and objectives for EU action identified:

1.Legislation

Existing and upcoming EU legislation is not likely to effectively address challenges in detection, reporting and removal of CSA online and prevention of CSA, and assistance to victims. The proliferation of CSA online would be expected to continue in line with current developments. Specifically, the added value (i.e. what it can achieve in preventing and combatting CSA) and the limitations of the existing and upcoming EU legal instruments are the following:

Horizontal instruments

The GDPR:

·What it can achieve in the fight against CSA: online service providers have relied on legal bases in the GDPR for the processing of personal data required in relation to their voluntary activities to combat CSA online, e.g. under e.g. legitimate interest (Art 6(1)(f)) or vital interest (Art. 6(1)(d)) considerations.

·Limitations: the GDPR as a horizontal instrument does not contain CSA-specific provisions, i.e. provisions that explicitly allow or mandate the processing of personal data for the purpose of combatting CSA online.

The ePrivacy Directive and its proposed revision

·What it can achieve in the fight against CSA: the ePrivacy Directive and its proposed revision allow restrictions of certain rights and obligations under their scope, inter alia to prevent or prosecute CSA. Such restrictions require a proportionate legislative measure, under national or EU law. With the entry into force of the Interim Regulation, subject to compliance with a set of conditions, certain rights and obligations are temporarily limited (Articles 5(1) and 6(1) of the ePrivacy Directive for certain providers of online communications services), for the sole purpose of detecting and reporting CSA online and removing CSAM.

·Limitations: As horizontal instruments, the ePrivacy Directive and its proposed revision do not contain CSA-specific provisions. Member States are notably responsible for enforcement through their competent national authorities (see also Interim Regulation below).

The eCommerce Directive

·What it can achieve in the fight against CSA: with regard to hosting services, the eCommerce Directive is notably the basis for the notice and action mechanism in which parties such as users or hotlines notify online service providers of the presence of CSAM available in their services, so that it can be removed.

·Limitations: the eCommerce Directive does not contain CSA-specific provisions, i.e. provisions that explicitly enable or oblige online service providers to detect, report or remove CSA online. Furthermore, as noted, while failure to act expeditiously can lead to the hosting service providers not being able to invoke the liability exemption (and could thus be held liable under national law), there is no legal obligation upon the service providers to act, even when notified of manifestly illegal CSA.

The Digital Services Act

·What it can achieve in the fight against CSA: the DSA proposal 147 , once adopted, will:

oprovide a horizontal standard of obligations for content moderation by providers of intermediary services; eliminate disincentives for these providers’ voluntary efforts to detect, identify and remove, or disable access to illegal content; and create obligations for them to provide information on their content moderation activities and on their users when requested by national authorities. These provisions are likely to encourage providers to implement voluntary measures and will also create more transparency and accountability for providers’ content moderation efforts in general;

ocreate due diligence obligations tailored to certain specific categories of providers (notice and action mechanism 148 , statement of reasons, internal complaint-handling system, reacting swiftly to notices issued by trusted flaggers, notification of suspicions of criminal offences etc.) and transparency reporting obligations. In particular, it will oblige very large platforms to assess risks and implement the necessary risk mitigation measures on their services. These measures will encourage users and trusted flaggers to report suspected illegal content and providers to follow-up on these reports more swiftly. The obligations on very large platforms are also likely to contribute to lessening the prevalence of illegal content online and users’ exposure to such content;

oestablish rules on its own implementation and enforcement, including as regards the cooperation of and coordination between the competent authorities. This can lead to faster and more efficient content moderation efforts across the EU, including with regard to CSAM.

·Limitations. Due to its general and horizontal nature and focus on public-facing content, the DSA only addresses the issue of CSA partially. Its approach is appropriate for the wide range of heterogeneous illegal content for which the DSA sets the overall baseline, but it does not fully address the particular issues concerning the detection, reporting and removal of CSA online. Specifically:

oVoluntary detection: the DSA does not specify the conditions for the processing of personal data for the purpose of voluntarily detecting CSA online;

oMandatory detection: the DSA does not include any obligation to detect CSA online. Obligations to carry out risk assessments and take effective risk mitigating measures, as applicable, apply only to the largest online platforms, consistent with their general nature;

oReporting: although it contains some provisions in this respect, the DSA does not provide for a comprehensive CSA reporting obligation, since it focuses on cases where an offence involving a threat to the life or safety of persons has taken place, is taking place or is likely to take place. Also, given the diverse nature of content that could be concerned, the DSA does not determine specific reporting requirements (i.e. what minimum information should the report contain) and does not provide for the involvement of a body like the EU Centre in the reporting process.

oRemoval: like the eCommerce Directive (see above), the DSA sets out liability exemptions that encourage removal, it but does not include any removal obligations 149 .

In particular, while the DSA, once adopted, should show significant impact especially when it comes to publicly accessible content, its effect is likely to be less pronounced on content exchanged secretly and in non-public channels (e.g. in interpersonal communications), as is typical for the majority of CSA online. Considering this and the above limitations, the DSA will not eliminate the risks of legal fragmentation introduced by the national initiatives on combatting CSA online. These are likely to provide a more specific and targeted approach than the DSA, and partially targeting different services, in order to ensure an effective and targeted response to CSA online.

The Victims’ Rights Directive

·What it can achieve in the fight against CSA: as a horizontal instrument, the Victims’ Rights Directive covers the assistance, support and protection to all victims of crime. The CSA Directive contains additional specific rules that respond more directly to the specific needs of CSA victims.

·Limitations: the Victims’ Rights Directive refers to the need to cooperate with other Member States to improve the access of victims to the rights set out in the Directive but it does not contain specific mechanisms to do so. And, as mentioned above, this Directive does not address only CSA victims, for which dedicated mechanisms to facilitate the exchange of best practices, which take into account their specific needs, may be required.

Sector-specific legislation

The Child Sexual Abuse Directive

·What it can achieve in the fight against CSA: the CSA Directive focuses on defining the role of Member States and their public authorities in preventing and combating these crimes, and to assist victims. Specifically, the Directive defines criminal behaviour online and offline, sets the minimum level of maximum sanctions, and requires Member States to ensure adequate assistance and support to victims, as well as to put in place prevention measures.

·Limitations: as a criminal law instrument, the CSA Directive does not aim to regulate online service providers and so it does not provide sufficient specification of the role of service providers and the procedures to apply. In addition, the scope of the actual obligation (as a criminal law instrument) has to be limited to the own territory, which makes it a less effective tool given the global nature of the Internet. 

The Interim Regulation 

·What it can achieve in the fight against CSA: it makes it possible for providers of number-independent interpersonal communications services to continue or resume their voluntary measures to detect and report CSA online and remove CSAM, provided they are lawful and, in particular, meet the conditions set.

·Limitations: as a temporary measure with the aim of bridging the period until long-term legislation (that is, the present initiative) is put in place, it applies only for three years (until 3 August 2024) and does not establish a legal basis for any processing of personal data. The service providers within the scope of the Interim Regulation would therefore not be able to continue their voluntary activities when the Regulation ceases to apply. In addition, the Interim Regulation is not suitable to offer a long-term solution, since it only addresses one specific part of the problem, for a limited subset of services (number independent interpersonal communication services), and relies fully on voluntary approaches.

The Europol Regulation and its proposed revision

·What it can achieve in the fight against CSA: the revised mandate of Europol should enable Europol, in cases where private parties hold information relevant for preventing and combatting crime, to directly receive, and in specific circumstances, exchange personal data with private parties. Europol would analyse this data to identify all Member States concerned and provide them with the information necessary to establish their jurisdiction. To this end, Europol should be able to receive personal data from private parties, inform such private parties of missing information, and ask Member States to request other private parties to share further additional information. These rules would also introduce the possibility for Europol to act as a technical channel for exchanges between Member States and private parties. Such a development would contribute to increasing the level of cooperation between the three aforementioned stakeholders, potentially improving the effectiveness of CSA investigations.

·Limitations: in and of itself, the revised mandate of Europol will not contribute to a comprehensive solution to address CSA online, which requires a multi-faceted approach. Enabling a more efficient exchange of personal data between Europol and private parties is a necessary but not a sufficient condition for achieving this objective.

2.Coordination

EU level cooperation in investigations

·What it can achieve in the fight against CSA: the existing EU level cooperation in investigations has produced significant successes in the fight against CSA 150 and will likely continue to do so.

·Limitations: the ability of Europol and law enforcement agencies in the EU to cooperate in investigations is limited by the resources that they can allocate to this crime area. For example, Europol has only been able to examine 20% of the 50 million unique CSAM images and videos in its database 151 . The EU Centre could play an important role in supporting Europol in these tasks.

EU level cooperation in prevention

·What it can achieve in the fight against CSA: the network of experts on prevention will continue developing and adding more members, both researchers and practitioners, mostly from the EU but also globally, so that it can ultimately support Member States in implementing the prevention articles of the CSA Directive.

·Limitations: currently, the Commission services themselves are supporting the work of the network by coordinating its work and providing a secretariat. However, there are limits to the level of support these services can provide to the network, in particular as the network expands. The activities of the network could therefore be constrained to a level that would not allow it to reach its full potential of support to Member States.

EU level cooperation in assistance to victims

·What it can achieve in the fight against CSA: the Victims’ Rights platform would faciliate the exchange of best practices mostly on horizontal issues related to victims’ rights, and mostly on policy-related issues,

·Limitations: the focus on horizontal issues could limit the effectiveness of the platform for CSA victims, given the specificities of these crimes and their short- and long-term effects on victims.

Multi-stakeholder cooperation at EU and global level

·What it can achieve in the fight against CSA: at EU level, the EU Internet Forum (EUIF) has faciliated discussion between public authorities and online service providers in the EU in the fight against CSA at all levels, from ministerial to technical (see annex 8 for an example of output of technical discussions under the EUIF). It is expected that similar discussions continue in the future.

At global level, the WPGA has advanced countries’ commitment towards a more coordinated response to the global fight against CSA, based on global threat assessments, and a model national response. These have helped to clarify the challenges and assist member countries in setting achievable practical goals, and it is expected that they will continue to do so in the future.

·Limitations: at EU level, the focus of the EUIF is to faciliate targeted exchanges between public authorities and online service providers. The forum is not designed for discussions with a wider variety of stakeholders, including practitioners. Moreover, participation is voluntary and there are no legally binding obligations.

At global level, the EU will continue supporting global efforts through the WPGA. In the absence of a single European information hub, exchanges of expertise and best practices with leading centres worldwide (e.g Australian Centre to Counter Child Exploitation, NCMEC, Canadian Centre for Child Protection) will be limited. This will in particular concern initiatives on prevention and assistance to victims, leaving EU Member States to their own devices.

3.Funding

·What it can achieve in the fight against CSA: action using EU funding is likely to continue in the current project-based form, both as calls for proposals as well as research projects. EU-funded projects will continue to facilitate development of e.g. relevant IT tools for law enforcement and interventions aimed at preventing CSA and helping victims.

·Limitations: the current project-based efforts would be extended from grant to grant without long-term sustainability. Such long-term perspective may be supported by individual Member States with a national focus, but a comprehensive EU-wide approach and reinforced framework will continue to be lacking. The risk of projects duplicating existing efforts, will still be high; moreover, the update of successful projects will likely remain limited to participating countries. 

***

In summary, the existence and magnitude of the problem suggests that the existing policy instruments in the fight against CSA (legislation, coordination and funding) are not sufficient to ensure an effective response:

·Legislation: the horizontal instruments (such as the eCommerce Directive, the ePrivacy Directive and its proposed revision or the DSA proposal) address some of the problems and challenges but, given the specific challenges of CSA, can only provide limited and partial solutions. The sectoral instruments (the CSA Directive, the Europol Regulation or the Interim Regulation) focus on particular aspects of the problem such as harmonisation of criminal laws or improving police investigations, which again by themselves are not able to provide a comprehensive EU-level solution. Also, none of these instruments define the role of service providers in combating child sexual abuse specifically enough to provide them with legal certainty and do not include effective obligations for the providers relevant to the fight against child sexual abuse.

·Coordination: inefficiencies persist despite the existing mechanisms, particularly in some areas of prevention and assistance to victims. The sharing of best practices and expertise between Member States is minimal and unsystematic. The current level of ambition and of collaboration between the various public and private stakeholders results in ad-hoc and temporary solutions and is rarely effective in addressing CSA. As a result, Member States have been facing difficulties in fulfilling some of their obligations under the CSA Directive, which ultimately means that prevention measures are not sufficient to protect children and stop offenders from committing crimes, and victims do not receive appropriate support.

·Funding: action using EU funding is mostly project-based, and the uptake of EU funding is not optimal. For example, some Member States do not always make use of the funds available to them to tackle CSA (e.g. through the Internal Security Fund national programmes), possibly due to lack of knowledge on what funding is available and where it could be applied. Projects that take place, either national or cross-border, run the risk of replicating what has already been done due to lack of coordination.

Considering the above, the most likely scenario in the absence of the initiative (long-term solution) would include the following:

·following the end of the period of application of the Interim Regulation (three years after its entry into force), and in the absence of other legislation of this kind at EU or Member State level, providers of number-independent interpersonal communications services would no longer be permitted to detect and report CSA, and would not be able to continue deploying their voluntary measures with the adequate safeguards protecting users’ fundamental rights, while the proliferation of CSA online would continue. As such service providers are currently the source of the majority of reports made by service providers 152 , the number of such reports (and therefore overall reports) could eventually decrease significantly;

·a similar drop in reports could be expected with the broader deployment of E2EE by default in these services;

·Member States’ law enforcement authorities would continue to receive the (fewer) reports through NCMEC, submitted by a small number of service providers and assessed in accordance with US law, which has different definitions of illegal content than EU law. The quality of the reports would remain at today’s levels;

·victims’ images and videos will continue to circulate online. Law enforcement authorities will be unaware of the undetected crimes and unable to identify and rescue victims and investigate and prosecute these cases;

·the full potential of the hotlines would remain underutilised as they would continue to lack a legal basis to search for CSAM proactively, despite the higher effectiveness compared to being totally dependent on users’ reports;

·without harmonised standards on the responsibilities and actions expected from service providers in the fight against CSA, their different approaches will fail to offer a reliable standard for the protection of users’ rights 153 ;

·the worsening situation would increase pressure on Member States to take action on a national level once the Interim Regulation expires to address the legal vacuum creating a risk of further fragmentation of the Single Market. A patchwork of national measures would not effectively protect children, given the cross-border and international dimension of the issues, and would create distortions in the functioning of the single market for digital services. While these will be partially addressed by the DSA, once adopted, a significant degree of fragmentation is expected to persist and possibly grow, given the manifestly illegal nature of CSAM and the specific channels for its dissemination and proliferation (see problem driver section 2.2.2.);

·without further EU facilitation of efforts, Member States’ action on prevention and assistance to CSA victims is not likely to significantly improve. The sharing of best practices between Member States will continue to be punctual and unstructured, an the current limitations in effectiveness of existing programmes are likely to persist, as well as the duplication of efforts.

Baseline costs

In the baseline scenario, no costs would be incurred by the creation and running of the Centre or any new organisation. However, the inefficiencies in the prevention, investigation and assistance to victims of child sexual abuse are expected to have a negative economic impact on society. A higher number of victims will experience a diminished quality of life, likely resulting also in productivity loss, and will require significant support, putting a strain on public services.

The economic impact on public authorities will depend upon the level of action taken by service providers, which will dictate the number of reports received by those authorities. The economic impact on service providers will depend on their level of engagement against these crimes. The existing legal fragmentation and legal uncertainty would remain and could act as a barrier to growth and innovation within the single market for digital services and hamper the fight against CSA. In the absence of a central hub fragmented efforts would continue, driving up the economic costs for individual entities.

As seen in box 4, the impact of CSA on its victims generates significant costs. Assuming similar costs and prevalence of CSA in the US as in the EU, adjusting for the larger population in the EU, the estimated annual CSA costs in the EU (and therefore the cost of no action) is EUR 13.8 billion 154 .

5.2. Description of the policy options

In the determination of available policy options, three main considerations played a decisive role.

First, there are important rights at stake: on the one side, the rights of the child to be protected and the interest in preventing the circulation of CSAM as illegal content violating the intimacy and right to privacy of the victim; on the other side, the rights of all users especially to freedom of expression, privacy of communications and data protection. Naturally, the rights and interests of the providers, such as freedom to conduct business, are to be taken into account as well.

Second, offenders have proven savvy at moving to services that are less effective in detecting CSA online. Consequently, the policy options need to ensure an even application of the rules, in order to avoid simply pushing the problem off from one platform and onto another.

Third, more effective measures may not amount to imposing a general obligation on providers of intermediary services to monitor the information which they transmit or store, nor actively to seek facts or circumstances indicating illegal activity. The Commission has recently confirmed its commitment to this principle, as reflected at present in Article 15(1) of the e-Commerce Directive 155 and in Article 7 of the DSA proposal.

Box 9: prohibition of general monitoring obligations

All policy options that can be considered therefore need to meet a number of specific requirements in order to limit any interference with fundamental rights to what is strictly necessary and to ensure proportionality and compliance with the prohibition of general monitoring obligation:

·Obligations have to be targeted to those services which are at risk of being used for sharing CSAM or for grooming children.

·They have to strike an appropriate balance between the interests and (fundamental) rights associated with ensuring an effective approach to combating CSA and protecting children and their rights, on the one hand, and on the other hand the interests and rights of all users, including freedom of expression, privacy of communications and data protection, as well as avoiding an excessive burden on the service provider.

·To ensure that balance, they have to contain appropriate conditions and safeguards to ensure proportionality, transparency and accountability. Given the significant impact on fundamental rights, the effectiveness of the measures and of these conditions and safeguards should be subject to dedicated monitoring and enforcement mechanisms.

In line with the above requirements, the policy options assessed take a graduated approach, addressing the problem drivers from different angles and in various degrees, with an increasing level of obligations and intrusiveness. This cumulative logic was chosen because the measures that form the options not only are not mutually exclusive, but are also complementary, presenting synergies that the combined options can benefit from.

As a result, in addition to the baseline, five options are retained for assessment, as first presented in the intervention logic in table 1. The building blocks of these options are the retained policy measures that resulted from scoping and analysing the full spectrum of possible EU intervention, from non-legislative action to legislative action.

Figure 3 below shows how the measures combine to form the retained policy options:

Figure 3: overview of policy options and corresponding measures 

The retained policy options were selected for their potential to contribute to creating a level playing field across the EU, lessening legal fragmentation, increasing efficiency in tackling the problem (e.g. by facilitating Member States action through sharing of expertise), and creating more balanced circumstances for all the affected providers, while also contributing to reducing their compliance and operational costs.

5.2.1. Option A: practical measures to enhance prevention, detection, reporting and removal, and assistance to victims, and establishing an EU Centre on prevention and assistance to victims

This option is non-legislative and includes practical measures to stimulate cross-sectorial cooperation among relevant stakeholders in prevention and assistance to victims, and enhance voluntary detection, reporting and removal of CSA online by relevant online service providers, within the boundaries of the existing legal framework (measure 1). This option also includes an EU Centre to support and facilitate information sharing on prevention and assistance to victims (measure 2).

1.Practical (i.e. non legislative) measures to enhance and support voluntary efforts of relevant information society service providers to detect, report and remove CSA online, and to enhance prevention and assistance to victims. Examples of practical measures to enhance detection, reporting and removal include developing codes of conduct and standardised reporting forms for service providers, improving feedback mechanisms and communication channels between public authorities and service providers, and facilitating the sharing of hashes and detection technologies between service providers. Examples of practical measures to enhance prevention and assistance to victims include facilitating research and the exchange of best practices, facilitating coordination, and serving as a hub of expertise to support evidence-based policy in prevention and assistance to victims.

2.EU Centre on prevention and assistance to victims.

This measure would create an EU-funded expertise hub, managed by the Commission with support from a contractor (similar to the Radicalisation Awareness Network, RAN 158 ). Among others, it would support Member States in implementing the relevant provisions of the CSA Directive (e.g. through expert workshops), and serve as a hub of expertise to support evidence-based policy and avoid duplication of efforts. It would also help develop and disseminate research and expertise, and facilitate dialogue among stakeholders. This would allow Member States to benefit from best practices and lessons learned in the EU and globally. Having both prevention and assistance to victims in the same hub would increase the possibilities for coherence and cross-fertilisation between both strands of work.

The purpose of prevention efforts led by the EU Centre would be to support Member States in putting in place tested and effective prevention measures that would decrease the prevalence of CSA in the EU and globally. The scope of these efforts would cover the two main types of prevention initiatives, i.e. 1) those that reduce the likelihood that a child becomes a victim (e.g. awareness raising and educational campaigns and materials for schools), and 2) those that reduce the likelihood that a person (re)offends. The Centre would facilitate Member States’ action on prevention by serving as a hub of expertise at the service of Member States, notably to help avoid duplication of efforts and to foster an evidence-based approach to prevention policies.

Under the lead of the EU Centre, a network of experts on prevention would facilitate the development of these efforts, the involvement of multiple stakeholders and the sharing of best practices and lessons learned across Member States. The network would enable a virtuous cycle of practice to research and research to practice, while enabling the cascading down of best practices and new developments from EU and global level to national and regional levels. The Centre would support the work of the network by e.g. hosting relevant repositories of best practices, providing statistics and other data relating to the prevalence of offending, offender profiles and pathways, and new crime trends particularly those relating to perpetrators’ use of technology to groom and abuse children.

The EU Centre will not have any power to impose any initiative on prevention to Member States, i.e. it will not coordinate in the sense of determining “which Member State is obliged to do what”. Its tasks in this respect will be ancillary to its principal tasks, which relate to the implementation of the detection and reporting processes.

With regard to assistance to victims, the Centre would play a similar role: facilitate the implementation of the practical measures on assistance to victims by serving as a hub of expertise to support the development of evidence-based policy and research on assistance to victims, including victims’ needs and the effectiveness of short and long-term assistance programmes. In addition, the Centre could provide resources to help victims find information on support that is available to them locally or online. The Centre would not provide assistance to victims directly when those services are already provided or would be best provided at national level, to avoid duplication of efforts. Also, the Centre would serve as a facilitator at the service of Member States, including by sharing best practices and existing initiatives across the Union. In that sense, it would facilitate the coordination of Member States’ efforts to increase effectiveness and efficiency. Similarly to prevention, the Centre will not have any power to impose any initiative on assistance to victims to Member States, including on issues concerning health, legal, child protection, education and employment.

The possibility to create an EU Centre on prevention and assistance to victims is further explored in Annex 10, as implementation choice A. As existing entities or networks cannot be expected to fulfil this role, a central entity is the most viable solution. The Centre could also help to improve the cooperation between service providers and civil society organisations focusing on prevention efforts.

5.2.2. Option B: option A + legislation 1) specifying the conditions for voluntary detection, 2) requiring mandatory reporting and removal of online child sexual abuse, and 3) expanding the EU Centre to also support detection, reporting and removal

This option combines the non-legislative option A with legislation to improve the detection, reporting and removal of CSA online, applicable to service providers offering their services in the EU. It would provide 1) a long-term regulatory framework for voluntary detection (measure 4); 2) put in place mandatory reporting in case CSA online is found (measure 5); and 3) set up an EU Centre to facilitate detection, reporting and removal of CSA online, as well as prevention and assistance to victims (measure 3).

1)Legal framework for voluntary detection of CSA online. This measure would build on and complement the DSA proposal, to address the specific challenges inherent in CSA that cannot be addressed with general systems building on notification by users and trusted flaggers as envisaged by the DSA, and provide a framework for relevant service providers to voluntarily detect CSA online, including known and new CSAM and grooming. It would replace the Interim Regulation, building on its safeguards in a more comprehensive framework, covering all relevant services, i.e. also those defined in the DSA and not only the electronic communications services within the scope of the Interim Regulation (i.e.. providers of instant messaging and email). The legal framework would provide increased legal certainty also when it comes to the basis and conditions for processing of personal data for the sole purpose of detection of CSA online.

Given in particular the impact on fundamental rights of users, such as personal data protection and confidentiality of communications, it would include a number of mandatory limits and safeguards for voluntary detection. These would notably include requiring service providers to use technologies and procedures that ensure accuracy, transparency and accountability, including supervision by designated national authorities. The legislation could set out the information rights of users and the mechanisms for complaints and legal redress.

Stakeholders’ views from the open public consultation on voluntary measures

The percentage of responses to the open public consultation from each of the main stakeholder groups that indicated that the upcoming legislation should include voluntary measures to detect, report and remove CSA online was the following: public authorities 25%, service providers 13%, NGOs 9%, and general public 10%. The support for voluntary measures was highest for known material and lowest for grooming (e.g. 11.3% for known material, 9.7% for new material and 6.5% for grooming in the NGO group).

2)Legal obligation to report CSA online. Relevant service providers would be required to report to the EU Centre any instance of suspected CSA that they become aware of, based on voluntary detection measures or other means, e.g. user reporting. This obligation would build on and complement the reporting obligation set out in Article 21 of the DSA proposal, covering the reporting of criminal offences beyond those involving a threat to the life or safety of persons (e.g. possession of CSAM). In order to enforce the reporting obligations, competent national authorities in the Member States would be designated. The legislation would also include a number of conditions (e.g. to ensure that the reports contain actionable information) and safeguards (e.g. to ensure transparency and protection of personal data, see section 5.2.3.).

Legal obligation to remove CSA online. As mentioned earlier, under the eCommerce Directive and the DSA proposal, hosting service providers are required to expeditiously remove (or disable access to) CSAM that they obtain actual knowledge or awareness of, or risk being held liable due to the resulting unavailability of the liability exemptions contained in those acts. Given that this system encourages but not legally ensures removal, it would be complemented by rules ensuring a removal obligation in cases of confirmed CSA online; where necessary, national authorities would be empowered to issue a removal order to the concerned providers requiring them to remove the specific CSAM on their services. The rules would be accompanied by the necessary conditions (e.g. to ensure that the removal does not interfere with ongoing investigations) and safeguards (e.g. to ensure transparency and protection of personal data and freedom of expression), including rules on redress. Member States’ national authorities would be competent for enforcement, relying where relevant also on the expertise of the Centre.

SMEs would also be required to report and remove in accordance with the above rules, benefiting however from additional support by the Commission and the Centre through:

·tools to facilitate the reporting and removal, made available by the EU Centre at no cost, for SMEs to use in their services if they wish, reducing their financial and operative burdens;

·guidance, to inform SMEs about the new legal framework and the obligations incumbent on them. This guidance could be disseminated with the help of industry associations; and

·specific training, delivered in collaboration with Europol and the national authorities.

3)EU Centre to prevent and counter CSA. The Centre would incorporate the supporting functions relating to prevention and assistance to victims of measure 2 and add the ability to support the detection, reporting and removal efforts, including by helping ensure transparency and accountability. Specifically, it would:

·facilitate detection by providing online services clear information on what is CSA in the EU through access to a database of CSA indicators (e.g. hashes, AI patterns/classifiers) to detect CSA in their services. The Centre would help create and maintain this database of indicators that would reliably enable the detection of what is defined as CSA according to EU rules (notably the CSA Directive), as determined by courts or other independent public authorities. The material would come from multiple sources including previous reports from service providers, concluded investigations by law enforcement, hotlines or direct reports from the public to the EU Centre (e.g. from survivors requesting the Centre for support to have materials depicting their abuse taken down). The Centre would also facilitate access (in particular to SMEs) to free-of-charge technology that meets the highest standards for the reliable, automatic detection of such content;

·facilitate reporting, by becoming the recipient of the reports of CSA concerning the EU that providers detect in their online services. The Centre would serve as an intermediary between service providers and other public authorities (notably law enforcement authorities), supporting the reporting process by 1) reviewing the reports to ensure that those other public authorities do not need to spend time filtering out reports that are not actionable and can make the most effective use of their resources; and 2) facilitating the communication between those other public authorities and service providers in case of requests for additional information from public authorities or requests for feedback from service providers (if needed);

·facilitate removal, by notifying in certain cases to the service providers materials considered to be known CSAM and requesting removal, as well as following up on these requests. This would entail supporting victims that request to have material that features them taken down; no such service exists to date. The Centre could also be given a mandate to conduct in certain cases searches of CSAM, using the databases of indicators 159 . The Centre could track whether the removal has taken place. Where removal is not effected in a timely manner, the Centre could refer to national authorities for action (e.g. issuing of removal orders).

Box 10: distribution of tasks between the EU Centre and Member States

Given the key functions above, the Centre would become a fundamental component of the legislation, as it would serve as a key safeguard, by acting both as the source of reliable information about what constitutes CSA online and as a control mechanism to help ensure the effective implementation of the legislation. The Centre would ensure transparency and accountability, by serving as a European hub for the detection, reporting and removal of CSA online. In receiving reports, the Centre would notably have visibility on the effectiveness of detection (including rates of false positives), reporting and removal measures, and on the spreading of CSAM and grooming across different platforms and jurisdictions.

Box 11: independence of the EU Centre

The Centre would also reduce the dependence on private organisations in third countries, such as NCMEC in the US, for the fight against CSA in the EU. The Centre would operate within the EU and under EU rules and would reduce the need for international transfers of personal data of EU residents to third countries, notably the US.

To be able to carry out its functions, specifically to support the process of detection, reporting and removal, the Centre would, in accordance with the EU’s personal data acquis, be provided with the appropriate legal basis to allow it to process personal data where needed. The Centre would be able to cooperate with service providers, law enforcement, EU institutions, but also with similar entities worldwide, such as NCMEC, given the global nature of CSA.

Discussion of the implementation choices for the Centre

This section summarises the process to determine the preferred implementation choice for the Centre, explained in detail in Annex 10.

The process had three stages: 1) mapping of possible implementation choices; 2) analysis of the choices and selection of the most promising ones for further analysis; 3) qualitative and quantitative analysis of the retained choices and determination of the preferred choice.

1) Mapping of possible implementation choices

Currently there is no entity in the EU or in Member States that could perform the intended functions for the Centre without significant legislative and operational changes, and therefore no obvious/immediate choice for the implementation of the Centre.

The process to determine the implementation choices started with a mapping of existing entities and their present functions and forms in order to identify possibilities to build on existing structures and make use of existing entities, or simple use them as possible references or benchmarks for setting up a new entity of the same type. For the mapping purposes, the examples were divided in two main types, depending on whether they required specific legislation to be set up:

1) entities that do not require specific legislation to be set up:

a)Centre embedded in a unit in the European Commission (DG HOME, e.g. Radicalisation and Awareness Network, RAN).

b)Entity similar to the EU centre of expertise for victims of terrorism.

2) entities that require specific legislation to be set up:

a)Centre fully embedded in an existing entity:

oEU body:

§Europol;

§Fundamental Rights Agency (FRA).

oOther:

§national entity (public or private such as an NGO);

§international entity (e.g. INHOPE network of hotlines).

b)Centre set up as a new entity:

oEU body:

§executive agency (e.g. European Research Executive Agency, REA, European Education and Culture Executive Agency (EACEA));

§decentralised agency (e.g. European Monitoring Centre for Drugs and Drug Addiction (EMCDDA), European Institute for Gender Equality (EIGE), European Union Intellectual Property Office (EUIPO)).

oOther:

§national entity:

·foundation set up under national law (e.g. Academy of European Law (ERA), set up under German law);

·Member State authority (e.g. new Dutch administrative authority to combat CSA and terrorist content online, under preparation).

§international entity:

·inter-governmental organisation (e.g. European Space Agency (ESA), European Organisation for the Safety of Air Navigation (EUROCONTROL));

·joint undertaking (public-private partnership, e.g. Innovative Medicines Initiative, Clean Sky Joint Undertaking);

·non-governmental organisation (e.g. CEN/CENELEC, EuroChild).

The mapping also included three relevant entities outside of the EU, which carry out similar functions to those intended for the EU centre, and which could provide useful references in some areas (e.g. costs, organisational issues, etc).

·US National Centre for Missing and Exploited Children (NCMEC);

·Canadian Centre for Child Protection (C3P); and

·Australian Centre to Counter Child Exploitation (ACCCE).

Finally, the mapping also included possible combinations of the above choices (i.e. functions distributed between several entities), in particular with Europol:

·Europol + a unit in the Commission;

·Europol + and NGO (e.g. a hotline);

·Europol + new national entity.

2) Analysis of the choices and selection of the most promising ones for further analysis

The analysis of the possible choices took into account the following criteria:

·Functions, i.e. the ability to effectively carry out the intended functions to contribute to achieving the specific objectives of the initiative. Specifically:

oFacilitate prevention efforts.

oFacilitate support to victims.

oFacilitate the detection, reporting and removal of CSA online, including by ensuring accountability and transparency.

·Forms, i.e. the form in which the Centre is set up, and the extent to which that form supports carrying out the intended functions. Specifically:

oLegal status: both the legal basis to set up the centre (if any) and the legislation to allow it to perform its functions (e.g. processing of personal data).

oFunding: the sources that would allow the centre to ensure long-term sustainability and independence of the centre, while avoiding conflict of interest.

oGovernance: it should ensure 1) proper oversight by the Commission, and other relevant EU institutions and Member States; 2) participation of relevant stakeholders from civil society organisations, industry, academia, other public bodies (in particular considering that the Centre would need to work very closely with Europol, the Fundamental Rights Agency, and national authorities); 3) ensuring independence and  neutrality of the centre from overriding private and political interests, to be able to maintain a fair and balanced view of all the rights at stake and to play its main role as facilitator.

Each of the possible implementation choices mapped earlier was analysed according to the above criteria. This detailed analysis led to discarding a number of possible choices, in particular having the Centre fully embedded in Europol, notably due to:

·Challenges to carry out certain tasks in connection to the assistance to victims and prevention, particularly by acting as a hub for information and expertise, some of which are significantly different from the core law enforcement mandate of Europol. Adding these tasks would require a revision of the mandate and significant capacity building efforts, with the risk that these tasks are eventually deprioritised compared to the core tasks of supporting investigations. While Europol has an explicit empowerment to set up centres under Art. 4 of the Europol Regulation, these centres are of a different nature and refer to internal departments focusing on implementing Europol’s existing mandate in relation to specific types of crime. This empowerment therefore cannot be used to expand Europol’s mandate to cover the new tasks.

·Constraints of being part of a larger entity. Being part of a larger entity could limit the ability of the centre to dispose of its own resources and dedicate them exclusively to the fight against CSA, as it could be constrained by other needs and priorities of the larger entity. It may also limit the visibility of the centre, as child sexual abuse is only one of the many types of crime Europol deals with. Moreover, embedding fully the Centre in Europol could create an imbalance and it would be difficult to justify that Europol expands its mandate to cover prevention and assistance to victims only in the area of child sexual abuse. This could lead to Europol gradually deviating from its core law-enforcement mandate and covering prevention and assistance to victims in multiple crime areas, becoming a “mega centre” of excessive complexity to be able to attend to the specificities of the different crime areas adequately.

·Difficulties to appear as an independent and neutral facilitator. The intended main role for the Centre is to serve as a facilitator to both service providers and law enforcement authorities of the process of detection, reporting and removal of CSA online. Europol’s core mandate, however, is to support law enforcement. This may prevent Europol from appearing to all parties involved as an independent and neutral facilitator in the entire detection, reporting and removal process. Furthermore, service providers expressed during the consultations legal concerns about working too closely with law enforcement on the detection obligations, in particular if they are required to use the database of CSA indicators made available by the Centre for these detection obligations. There is a risk that that content data of CSA online (i.e. images, videos and text) could not be used for prosecution in the US. This is due to the US legal framework (US Constitution) preventing from using content data detected by companies acting as “agents of the state” as it could be the case if the companies were mandated to detect content data using a database of indicators (e.g. hashes/AI classifiers) provided by law enforcement rather than by a non-law enforcement entity.

Another choice that was discarded following analysis was setting up the Centre as a private law body under the national law of the Member State hosting it. The main reason is that the Centre would not be able to carry out effectively the function of supporting the detection, reporting and removal of CSA online. These tasks imply implementing EU law, which in principle only Member States or the Commission can do.

The detailed analysis of all the possible implementation choices resulted in three “legislative” choices (i.e. that require legislation to set up the Centre) retained for the final assessment 160 :

1.Creating a self-standing, independent EU body (i.e. a dedicated decentralised agency) with all the intended centre functions: to support detection, reporting and removal of CSA online, and facilitate Member States’ efforts on prevention and assistance to victims.

2.Tasking Europol with supporting detection, reporting and removal of CSA online and creating an independent private-law entity (or tasking an existing one) for prevention and assistance to victims.

3.Tasking the Fundamental Rights Agency (FRA) with all functions.

3) Qualitative and quantitative analysis of the retained choices and determination of the preferred choice.

Qualitative analysis

1.Centre as a self-standing EU body (decentralised EU agency):

Arguments in favour:

·Independence, which would allow it to help ensure transparency and accountability of companies’ efforts to detect CSA online and serve as a major safeguard and a fundamental pillar of the long-term legislation. Independence is essential to the centre’s key function as facilitator and intermediary between private companies and public authorities. The legislation setting it up could be designed in a way that 1) guarantees the sustainability of the Centre through stable EU funding; 2) the governance is such that it ensures appropriate oversight by the Commission, and includes the participation of Member States and relevant stakeholders.

·Ability to dispose of its own resources, fully dedicated to the fight against CSA. Staff dedicated solely to the mandate of the Centre, rather than having to meet other objectives as part of a larger entity. Possibility to receive secured funding from the EU budget. Political accountability for its financial management would be ensured through the annual discharge procedure and other rules ordinarily applicable to decentralised agencies.

·Greater visibility of EU efforts in the fight against CSA, which would help facilitate the cooperation between the EU and stakeholders globally.

·Possibility to carry out all relevant functions in the same place (contribute to the detection of CSA online, support and assist victims and facilitate prevention) and liaise with all relevant stakeholder groups, which creates higher EU added value and a more effective and holistic response against CSA.

Arguments against:

·Annual costs would likely be slightly higher than in the other choices. These annual costs are indicative and could be higher or lower depending on the precise set-up and number of staff needed (see cost summary table in the quantitative assessment section below). The budget to cover this funding would need to be found within the scope of 2021-2027 Multiannual Financial Framework, from the Internal Security Fund budget.

·It will require significantly more time and effort to set up (including the decision on the seat of the agency) and get it fully operational as we cannot build on existing institutional legal frameworks (although these could serve as a reference) and would have to create a new mandate, and find, hire and train a number of dedicated non-law enforcement experts, including for management and control functions. The need for increased supervision would entail an increased workload at DG HOME and additional staff could be needed.

·The cooperation with Europol and national law enforcement would have to be created anew.

2.Part of the Centre within Europol and part as an independent entity:

Arguments in favour:

·The annual costs will most likely be lower than creating a new body as the Centre would benefit from economies of scale with Europol, (e.g. building, infrastructure, governance, management and control system), although building and governance costs could be offset by those of the new entity (see cost summary table below). 

·The part of the Centre as part of Europol could directly benefit from its expertise and established mechanisms (including concerning personal data protection) to deal with the reports from service providers.

Arguments against:

·The ability of the Centre to serve as a major player and safeguard in the detection and reporting process, a key feature of the long-term legislation, would appear limited as it would not be independent from law enforcement.

·In the case of false positives, companies would be reporting innocent persons to law enforcement directly.

·The ability of the Centre to dispose of its own resources and dedicate them to the fight against CSA may be limited by other needs and priorities of Europol in other crime areas. This could also jeopardize its ability to deliver on these additional and visible tasks.

·Europol would be dedicating a substantial amount of resources to tasks such as manually reviewing the reports from companies to filter false positives, determining the jurisdiction best placed to act, etc. That may not be the best use of law enforcement’s resources, which could be otherwise dedicated to conduct investigations leading to the rescue of victims and the arrest of offenders, given the limited availability of law enforcement officers.

·Less visibility of EU efforts in the fight against CSA, as these would be split between two entities, and Europol’s area of focus is vast, which could limit its ability to facilitate the cooperation between the EU and stakeholders globally.

3.Tasking the Fundamental Rights Agency (FRA) with all functions:

 Arguments in favour:

·Annual costs would most likely be slightly lower than creating a new body, as the centre could benefit from economies of scale with FRA (e.g. governance, management and control system). The initial costs would also be slightly lower than creating a new body or in the Europol+ option, thanks to the possibility to leverage the existing building and infrastructure (see cost summary table below).

·The focus of FRA on fundamental rights could reinforce the perception of independence, which is key to help ensure transparency and accountability of companies’ efforts to detect CSA online and of the outcome of the follow up of the reports by law enforcement. This would also allow FRA to serve as a major safeguard of the detection process.

·In the case of false positives, companies would not be reporting innocent persons to law enforcement directly.

·Possibility to carry out all relevant functions in the same place (contribute to the detection of CSA online, support victims and facilitate prevention) and liaise with all relevant stakeholder groups.

Arguments against:

·The ability of the Centre to dispose of its own resources and dedicate them to the fight against CSA may be limited by other needs and priorities of FRA. This could jeopardize its ability to deliver on these additional and visible tasks.

·Although it would be possible to build on the existing institutional framework to some extent, repurposing it may still entail significant effort to accommodate these new tasks in a long-existing and established entity.

·The setup of FRA and its governance structure are specific to its current mandate. Significant changes to that mandate and the governance structure would be required in order to integrate the EU Centre into FRA. Given past difficulties in revising the mandate of FRA, there would also be significant additional risks in reopening the relevant regulation.

·The cooperation with Europol and national law enforcement would have to be created anew.

·The annual and initial costs may be lower than creating a new body but they will still be substantial, e.g. to find, hire and train a number of dedicated non-law enforcement experts, and to carry out the centre functions (including manually reviewing the reports from companies to filter false positives, determining the jurisdiction best placed to act, and supporting Member States on prevention and assistance to victims). 

·There would be a significant imbalance in FRA’s mandate: as it would double in size, half of it would be dedicated to CSA and the other half to its current tasks.

Quantitative analysis

Costs.

The following table summarises the estimated costs for the three retained implementation choices of the EU Centre 161 :

Table 2: summary of estimated costs for the implementation options of the EU centre

As a reference, existing agencies of comparable size have the following actual annual costs:

As indicated above, 28 posts corresponding to the prevention and assistance to victims functions in all options could be non-EU staff and be covered by a call for proposals/grant. In particular, in the case of option 2, Europol + separate entity, the possibility to cover these posts through a call for proposals/grant would not remove the need for a separate entity, as the envisaged prevention and assistance functions are currently not carried out by any organisation. Even if an existing entity applied for the potential call for proposals/grant, it would need to expand to accommodate the 28 posts, with the estimated infrastructure costs of e.g. rental of buildings, IT systems and audits, and the operational expenditure costs of e.g. support to expert networks, translation and interpretation, dissemination of knowledge and communication (see Annex 10, section 4.2.). Furthermore, a single separate entity should deal with both the prevention and assistance to victims functions to ensure organisational efficiency, given the strong interlinkages between both functions.

Annex 4 includes additional information on the points considered in the above estimates.

Benefits.

The main quantitative benefits derive from savings as a result of reduction of CSA associated costs, i.e. savings relating to offenders (e.g. criminal proceedings), savings relating to victims (e.g. short and long-term assistance), and savings relating to society at large (e.g. productivity losses).

It is assumed that the implementation choice that is the most effective in fulfilling the functions of the Centre would also be the one helping achieve that highest reduction of CSA and therefore the one with the highest benefits. Annex 4 contains estimates of these benefits, to be taken into account for the sole purpose of comparing the options. As it is expected that a dedicated EU agency would be the most effective in fulfilling the Centre functions, it would also be the one generating the highest benefits.

Preferred option

The analytical assessment and comparison process above indicates that the preferred implementation option for the Centre would be a dedicated EU decentralised agency 163 . This is the option that would best contribute to achieve the specific objectives of the initiative, while respecting subsidiarity and proportionality and protecting fundamental rights. It will be possible to provide the EU agency with the necessary legal framework to carry out its functions, in particular those in relation to facilitating the detection, reporting and removal of CSA online.

The a dedicated and decentralised EU agency, in accordance with the common approach agreed by the European Commission, the European Parliament and the Council of the EU in 2012 164 . As an EU agency, it would be financially independent and be funded by the EU, which would further support the Centre’s independence.

In addition to the periodic reporting to the Commission and to the public described above, the Commission and Member States would further supervise the Centre and its activities, in accordance with the general rules applicable to decentralised EU agencies 165 . These rules include in particular a governance structure that supports both the independence of the agency and the participation of relevant stakeholders, notably through a management board with representatives of all Member States and the Commission, an executive board, and an executive director appointed following an open and transparent selection procedure.

In terms of organisation, the Centre would work closely with the European Police Agency (Europol), the EU Agency for Fundamental Rights (FRA) (e.g. in contributing to transparency and accountability as well as to assessments of the fundamental rights impact of new measures), national law enforcement and other relevant authorities, as well as the national hotlines. This setup would ensure that existing resources can be relied upon to the maximum extent possible while preserving the independence that is fundamental to the role of the Centre.

Box 12: relations between the Centre as a new EU agency and Europol

Box 13: European Parliament views on the EU Centre

Stakeholders’ views on the EU Centre to prevent and counter CSA

All the main stakeholder groups that responded to the open public consultation supported the creation of an EU Centre that would provide additional support at EU level in the fight against CSA online and offline, to maximize the efficient use of resources and avoid duplication of efforts. The support was highest among academia and research institutions (100% of responses), as well as public authorities and NGOs (85% of responses). 40% of the responses from service providers, business associations and the general public expressed explicit support.

More than half of the responses (51% of all responses to the consultation) indicated that the Centre could support Member States in putting in place usable, rigorously evaluated and effective multi-disciplinary prevention measures to decrease the prevalence of child sexual abuse in the EU. It could also support victims in ensuring removal of child sexual abuse material online depicting them. The Centre could serve as a hub for connecting, developing and disseminating research and expertise, as well as facilitating the communication and exchange of best practices between practitioners and researchers.

Public authorities pointed out that the Centre could maintain a single EU database of hashes of known CSAM in order to facilitate its detection in companies’ systems (76% of responses from this group). The Centre could also support taking down CSAM identified through hotlines (62% of responses from this group).

Service providers indicated in the targeted consultations that they would prefer to report to an EU Centre rather than to law enforcement directly, as they currently do in the US with NCMEC.

Stakeholders' views on new CSA legislation from the open public consultation

Respondents from public authorities (62% of the total responses from this group), companies (56%), business associations (60%) and civil society organisations (74%), supported new legislation to ensure legal certainty for those involved in the fight against CSA. In particular, the legislation should notably:

·provide the right incentives for the detection of CSAM;

·provide a clear legal basis for the processing of personal data to detect, report and remove CSA online;

·clarify and resolve conflicts and fragmentation in existing, pending and proposed legislation across Member States as well as at EU level; and

·be future-proof (i.e. that it remains effective despite future technological developments) 

5.2.3. Option C: option B + mandatory detection of known CSAM

This option builds on option B and imposes on relevant providers an obligation to perform a risk assessment on whether their services are likely to be used for the sharing of known CSAM and propose mitigating measures to reduce that risk. Where the risk assessment (after proposing the mitigating measures) reveals a level of risk that is not minor, national competent authorities would issue orders to detect material that has previously been reliably confirmed by courts or other independent public authorities as constituting CSAM. These orders would be limited in time and would apply regardless of the technology used in the online exchanges, including whether the service is encrypted, to ensure that the legislation is technology neutral. The obligation to detect would be limited to relevant service providers in this context, i.e. those identified as the main vectors for sharing and exchange of known CSAM. Only a subgroup of the providers required to submit a risk assessment would receive a detection order, based on the outcome of the risk assessment taking into account the proposed mitigating measures. The legislation would list possible risk factors that the providers should take into account when conducting the risk assessment. In addition, the Commission could issue guidelines to support the risk assessment process, after having conducted the necessary public consultations.

Known CSAM is the most common type of CSA online currently detected (in 2020 service providers reported seven times more known images and videos than new ones, and 2600 times more known images and videos than grooming cases, see section 2.1.1.). The detection of new CSAM and grooming would remain voluntary, whereas reporting and removal (upon the reception of a removal order) would be mandatory for all types of CSA online, as described in option B. In order to ensure its effectiveness, effective and proportionate sanctions would be instituted for providers who fail to comply with the obligation. These sanctions would be imposed by Member States’ competent national authorities. More specifically, the process would look as follows:

Mandatory risk assessment

Relevant service providers would be required to assess the risk that their services are misused to distribute known CSAM. The risk factors to consider could include, depending on the service concerned:

·the business model of the service provider,

·its corresponding user base, including whether the service is available directly to end users (as opposed to, e.g., providing services to businesses),

·the verification of user identity in the registration process,

·the possibility to share images and videos with other users, e.g. by message or through sharing of a link to resources hosted on the service provided,

·in services offering a chat/messaging functionality, the possibility to create closed groups, which can be joined upon invitation from a member only,

·the way in which the services are designed and operated,

·the ways in which the services are actually used, and any corresponding impact on the risk of distribution of known CSAM,

·previous detection of CSAM on the service or on a similar service with a comparable risk profile.

As part of the risk assessment, the service provider could request support from the Centre and/or competent national authorities in performing detection tests on representative anonymised samples, in order to establish the presence or not of known CSAM.

Providers would then be required to report to the competent national authority on the risk assessment and on any mitigating measures that they plan to adopt or have already adopted. The competent national authority would review the risk assessment and determine whether the assessment has been properly conducted and whether the mitigation measures proposed by the service provider are sufficient. If needed, the competent national authority could request the service provider to resubmit the risk assessment or additional information pertaining to it.

Detection order

On the basis of this risk assessment and the criteria laid down in the initiative, the competent national authority would decide whether a detection order for known CSAM should be issued to each specific service provider, by a court or an independent administrative authority (which could be the national authority if it meets the independence criteria). A service provider falls under the jurisdiction of the Member State in which it has its main establishment or in which – if it has no main establishment in the EU – it has designated a legal representative, building on the approach already adopted in the Terrorist Content Online Regulation 168 and proposed in the DSA. Competent national authorities would cooperate in a network to ensure harmonised application of the rules, building where possible on the structures to be put into place for the DSA. The detection order would be limited in time and renewable based on an updated risk assessment, and would be accompanied by specific supervisory powers for the authorities, including on the detection technology deployed, and by measures to ensure transparency. Suitable redress for affected service providers would be provided for.

Support by the EU Centre

The EU Centre would support service providers in three ways:

1)By providing practical or technical information to service providers that could help them giving effect to their legal obligations and contributing to the preparation of guidance and best practices documents where needed;

2)By making available to service providers a database of indicators of known material (e.g. hashes and URLs 169 ) that providers would be required to use to facilitate accurate detection of known CSAM. The indicators would correspond to material confirmed as illegal in the EU, as set out above.

In addition, the Centre would also facilitate access for service providers to free-of-charge detection tools. These tools would be automated and have a high accuracy rate, and have proven reliable for over a decade (see box 14 below and annex 8, section 1) 170 . Providers would not be mandated to use the tools provided by the Centre, as long as their tools meet the requirements (safeguards) specified in the legislation (see below). Responsibility for the use of these tools and any resulting decisions by the service providers would remain with the service provider themselves.

3)By reviewing the reports submitted by service providers to ensure accurate reporting to law enforcement, and providing support, including through feedback on accuracy, to further improve accuracy levels, to prevent imposing excessive obligations on the providers and in particular to avoid imposing the obligation to carry out an independent assessment of the illegality of the content detected. 

The support of the Centre would be particularly useful to SMEs, which would also be subject to the above requirements and could thus also receive a detection order from national authorities. The Centre and the Commission could provide additional support to SMEs in the form of guidance, to inform SMEs about the new legal framework and the obligations incumbent on them. This guidance could be disseminated with the help of industry associations. It may also be possible to provide specific training, in collaboration with Europol and the national authorities.

Box 14: hashing and URL detection tools

Stakeholders’ views from the open public consultation on mandatory detection

Public authorities that responded to the consultation were in favour (81% of respondents) of mandatory detection, including in encrypted systems.

Some companies (31%) and business associations (40%) supported that such obligation shall not apply regardless of whether these services use encryption. Business associations also stressed the role of encryption in ensuring the online safety and confidentiality of communications of marginalised groups and groups at risk, and that encryption should not be weakened.

Children’s rights NGOs were in favour of mandatory detection also in encrypted systems, while pointing out that it should be in line with applicable privacy and other laws.

Privacy rights NGOs stressed the need of preserving strong encryption, and opposed all solutions identified to detect CSA in encrypted systems.

Individuals stressed that service providers should not be obliged to detect CSA online in encrypted services.

Conditions and safeguards

The obligation to detect known CSAM would apply regardless of the technology deployed in the online exchanges. As described in the problem definition (section 2.2.1.), some technologies used in online exchanges require adaptation of existing detection technology to detect CSA online: for example, while the principal methodology of comparing hashes would remain unchanged, the point in time at which identification is performed would need to be adjusted in end-to-end encrypted communications, to take place outside the communication itself. In addition, a number of companies have developed tools that seek to identify CSA online using metadata. While these tools are not yet comparable to content-based analysis tools 180 in terms of accuracy, child protection and accountability, they could possibly develop to an equivalent standard in the future. Also, some providers have already deployed tools that perform content-based detection in the context of end-to-end encrypted communications, demonstrating the swift development of technologies in this area.

The legislative proposal should remain technology-neutral also when it comes to possible solutions to the challenge of preventing and detecting online child sexual abuse. Under this option, the obligation to detect known CSAM would therefore be an obligation of results, meaning that detection has to be of sufficient overall effectiveness regardless of the technology deployed. For example, in a test sample where a specified percentage of material constitutes known CSAM, the detection tool should correctly identify a comparable amount of CSAM, in line with the state of the art in detection technology when it comes to accuracy. This is to be demonstrated by the service providers. The legislation would set out conditions for the technologies deployed and corresponding supervision powers for national authorities, without however specifying the technologies that must be put in place to enable detection, to ensure that the legislation remains proportionate, technology neutral and future proof. Service providers would be free to implement the technical solutions that are most compatible with their services and infrastructures, provided they meet the standards (see below for details on standards).

The obligation to detect regardless of the technology used in the online exchanges is necessary to ensure not only that the services that, following the risk assessment, should be detecting known CSAM, can do so in practice, but also to prevent creating a negative incentive to put in place certain technologies solely to avoid the detection obligations. It would therefore ensure that the legislation achieves its general objective of improving detection, reporting and removal of CSA online.

The obligation to detect regardless of the technology used in the online exchanges, together with all the required safeguards (see below), is also necessary to help ensure a fair balance of the affected fundamental rights 181 .

Box 15: Detection of CSA online in end-to-end encrypted communications

While companies would be free to decide which technology to deploy, the competent national authority will be empowered and required to supervise. If needed, it could make use of the technical expertise of the EU Centre and/or independent experts to determine relevant technical or operational issues that may arise as part of the authority’s assessment whether the technology that a given service provider intends to use meets the requirements of the legislation. In particular, the competent national authorities would take into account the availability of the technologies in their decision to impose a detection order, ensuring the effective application of the obligation to detect. In the cases in which the technology to detect CSA online was not yet available to be deployed at scale, the legislation could foresee for the competent authorities the possibility to consider this circumstance when deciding the start date of application of the detection order on a case by case basis. The EU Centre and the Commission could facilitate the exchange of best practices and cooperation among providers in the deployment efforts of new technologies.

The legislation would specify the necessary safeguards to ensure proportionality and a fair balance between all the affected fundamental rights. In particular, as service providers put in place technical solutions that allow the detection of CSA online regardless of the technology used in the online exchanges, there is a need to regulate the deployment of these solutions, rather than leaving to the service providers the decision on what safeguards to put in place.

Service providers have strong incentives already to ensure that all tools they deploy are reliable and as accurate as possible, to limit false positives. In addition, safeguards are of particular importance to ensure the fair balance of fundamental rights in the context of interpersonal communications, where the level of interference with the relevant fundamental rights, such as those to privacy and personal data protection, is higher compared to e.g. public websites.

The legislation would set out three types of safeguards, on 1) what standards the technologies used must meet, 2) safeguards on how the technologies are deployed, and 3) EU Centre-related safeguards. They would, as far as possible, build on the detailed safeguards of the Interim Regulation, to ensure coherence and minimise disruption. These safeguards could include or be based on:

1) Standards the technologies must meet:

·be in accordance with the state of the art in the industry;

·be sufficiently reliable in that they limit to the maximum extent possible the rate of errors regarding the detection of CSA, subject to independent expert certification;

·be the least privacy-intrusive, including with regard to the principles of data protection by design and by default laid down in the GDPR;

·not be able to deduce the substance of the content of the communications but solely be able to detect patterns which point to possible CSA (i.e. only determine whether the content matches known CSAM, without assessing or extracting anything else);

·make use of the indicators provided by the EU Centre to detect known CSAM (see below on EU Centre-related safeguards);

2) How the technologies are deployed, i.e. when deploying these technologies the providers should:

·conduct a prior data protection impact assessment and a prior consultation procedure as referred to in the GDPR, to be repeated when the technologies are significantly modified;

·establish internal procedures to prevent abuse of, unauthorised access to, and unauthorised transfers of, personal and other data;

·ensure human oversight, where necessary. While the tools for detection of known CSAM are accurate to such a high degree that human review of each and every hit is not required, the oversight should encompass spot checks and tests to ensure the continued reliability and verify consistent accuracy rates;

·establish appropriate redress mechanisms to ensure that users can lodge complaints with them within a reasonable timeframe for the purpose of presenting their views;

·inform users in a clear, prominent and comprehensible way:

oof the fact that the service providers use technologies to detect known CSAM and how they use those technologies;

owhich consequences such use may have for the users and avenues for redress related thereto;

·retain the content data and related traffic data processed for the purpose of detecting known CSAM and its subsequent actions (reporting, removal and possible other consequences, redress, responding to competent law enforcement or judicial authorities’ requests) no longer than strictly necessary for those purposes, and no longer than the maximum period defined in the legislation;

·give competent authorities access to data, solely for supervisory purposes; and

·publish transparency reports on how the technologies used have been deployed, including operational indicators such as error rates (see section 9 on monitoring and evaluation).

3) EU Centre-related safeguards. The Centre would be a fundamental component of the legislation and will serve as a key safeguard by:

·making available to service providers the indicators that they should use to detect known CSAM according to EU rules (notably the CSA Directive), as determined by courts and other independent public authorities (see description of EU Centre under option B);

·reviewing the reports submitted by the companies and contributing to ensure that the error rate stays at a minimum in particular by making sure that possible reports submitted by mistake by service providers (i.e. do not contain CSA online) are not forwarded to law enforcement, and providing feedback to service providers on accuracy and potential false positives to enable continuous improvement;

·facilitating access to free-of-charge technology that meets the highest standards for the reliable, automated detection of CSA online;

·publishing annual transparency reports which could include the number and content of reports received, the outcome of the reports (i.e. whether law enforcement took action and if so, what was the outcome), and lists of service providers subject to detection orders, removal orders and sanctions (see section 9).

Given the key role of the Centre, the legislation should also include a set of safeguards to ensure its proper functioning. These could include:

·carrying out an independent and periodic expert auditing of the databases of indicators and its management thereof;

·carrying out independent expert verification or certification of tools to detect, report and remove CSA online that the Centre would make available to service providers;

·creating clear and specific legal bases for the processing of personal data, including sensitive personal data, necessary for the performance of the Centre’s functions, with the appropriate limitations and safeguards;

In addition, as a decentralised EU agency, the Centre would be subject to all corresponding transparency and accountability obligations that generally apply to such agencies, including supervision by the EU institutions.

Stakeholders’ views on safeguards from the open public consultation

Public authorities indicated that it is critical to implement robust technical and procedural safeguards in order to ensure transparency and accountability as regards the actions of service providers.

NGOs pointed out that the new legislation should provide legal certainty for all stakeholders (e.g. service providers, law enforcement and child protection organisations) involved in the fight against CSA online and improve transparency and accountability. Almost 75% of views from NGOs underlined that transparency reports should be obligatory and standardized in order to provide uniform quantitative and qualitative information to improve the understanding of the effectiveness of the technologies used as well as about the scale of CSA online. Legislation could foster the development of an EU-wide classifications of CSAM.

Business associations highlighted that it is critical to publish aggregated statistics on the number and types of reports of CSA online received in order to ensure transparency and accountability regarding actions of service providers (40% of their replies). Moreover, some respondents (including companies and business associations) reflected that fully harmonised definitions (beyond the minimum harmonisation provided by the CSA directive) would help reduce EU fragmentation.

Academic and research institutions also stated that transparency reports should be obligatory, and evaluated by an independent entity (75% of their replies). All of them stated that these reports need to be standardized in order to provide uniform quantitative and qualitative information to improve the understanding of the effectiveness of the technologies used as well as the scale of child sexual abuse online.

5.2.4. Option D: option C + mandatory detection of new CSAM

This option is the same as option C but adding mandatory detection of material that has not been previously verified as CSAM (i.e. ‘new’, as opposed to ‘known’, CSAM). As described in section 2.1.1., the detection of new content (i.e. not previously identified as CSAM) often reveals ongoing or recent abuse and therefore implies a heightened need to act as soon as possible to rescue the victim.

As in option C, to ensure that the legislation is technology neutral, the obligation would apply regardless of the technology used in the online exchanges.

The detection of grooming would remain voluntary, whereas reporting and removal of confirmed CSA would be mandatory for all types of CSA online, as described in option B.

Mandatory risk assessment

Expanding the risk assessment outlined in Option C, service providers of relevant services, notably providers of interpersonal communication and hosting services, would be required to also assess the risk that their services are misused to distribute new CSAM. As there is no difference between “known” and “new” CSAM beyond its having been seen and confirmed by an authority, the distribution vectors are typically identical. Hence, risks and experiences relating to the detection of known CSAM could be taken into account in this regard. However, the risk factors would also take into account the specificities of new CSAM, and in particular the risk that the service is used to distribute self-generated material (see box 3 in the problem definition, section 2.1.1.). For interpersonal communications services, the risk assessment should also include an analysis of objective factors that may point to a heightened likelihood of sharing of CSAM, which could possibly include group size, gender distribution, frequency of exchange and frequency and volume of images and videos shared. In addition, the risk assesment could be based, e.g., on spot checks, particularly in the absence of previous experience on the same or comparable services.

The service providers would be required to report to the competent national authority on the risk assessment, including the mitigating measures that they plan to adopt or have already adopted, and the same considerations as in option C would apply.

Detection order

Similarly to option C, on the basis of this risk assessment, the competent national authority would decide whether a detection order for new CSAM should be issued to a service provider, for one or more relevant services it provides. The order should be limited to the strictly necessary; where possible and technically feasible, particularly for interpersonal communications services based e.g. on the objective factors identified in the risk assessment, it should be limited to relevant parts of a given service. The detection order would be limited in time and renewable based on an updated risk assessment. Suitable redress for affected service providers would be provided for.

Support by the EU Centre

The EU Centre would support service providers in three ways:

1)By making available to providers the database of indicators of new material (e.g. AI classifiers) that providers would be required to use to detect new CSAM, while ensuring a technology neutral approach. The indicators would be based on material determined by courts or other independent public authorities as illegal under EU law.

2)By making available to providers, free-of-charge, technologies to facilitate detection. Providers would not be mandated to use the technologies provided by the Centre and would be able to use other tools, as long as they meet the standards and provide for the safeguards specified in the legislation (see below).

3)By reviewing the reports submitted by service providers to ensure accurate reporting to law enforcement, and providing support, including through feedback on accuracy, to prevent imposing excessive obligations on the providers and in particular to avoid imposing the obligation to carry out an in-depth assessment of the illegality of the content detected, which can be relevant in particular in borderline cases.  If possible CSAM is detected by the EU Centre, it will be added to the database of indicators of known CSAM only after public authorities have confirmed the illegality of the content. It could then also be used to improve the database of new CSAM indicators.

The support of the Centre would be particularly useful to SMEs, which would also be subject to the above requirements and could thus also receive a detection order from national authorities. the Centre and the Commission would provide additional support to SMEs in the form of guidance, to inform SMEs about the new legal framework and the obligations incumbent on them. This guidance could be disseminated with the help of industry associations. It may also be possible to provide specific training, in collaboration with Europol and the national authorities.

Box 16: technology to detect new CSAM

Conditions and safeguards

As in option C, the obligation to detect new CSAM would apply regardless of the technology deployed in the online exchanges, and as an obligation of results, to ensure that the legislation remains technology neutral and as future proof as possible.

Also, as in option C, the competent national authorities, on the basis of the risk assessment conducted by the service provider (including mitigating measures adopted), and, if needed, in consultation with the EU Centre and its technical experts on the technologies deployed, would determine whether a detection order should be issued to a given service provider. They would remain competent to verify the compliance with conditions and safeguards and to supervise the tools deployed, in cooperation with data protection authorities and the EU Centre’s technical experts, where appropriate.

The legislation would specify the necessary safeguards to ensure a fair balance between all the affected fundamental rights. The safeguards could include all those described in option C extended to new CSAM, on 1) the technologies used, 2) how they are deployed, and 3) EU Centre-related safeguards. Given the high but comparatively lesser accuracy rates that detection tools for new content can have, the tools should be deployed in such a manner as to limit the number of false positives to the extent possible. The final determination of whether an image or video constitutes CSAM has to be made by a court or independent national authority. In addition, the material used to prepare and improve the indicators (AI classifiers) made available by the EU Centre could be subject to periodic expert auditing to ensure the quality of the data used to train algorithms.

5.2.5. Option E: option D + mandatory detection of grooming

This option includes the policy measures of option D and adds mandatory detection of grooming for certain providers of interpersonal communications services as the key vectors for online grooming. It would therefore comprise the mandatory detection of the three main forms of CSA online: known and new CSAM and ‘grooming’ (solicitation of children), limited to the service providers relevant for each of the types of content, which are different for grooming: while CSAM can be shared in various ways, such as by message, sharing links to image hosts or other means, grooming requires a direct communication channel between the offender and the child. Whereas known and new CSAM depict crime scenes of abuses already committed, grooming can indicate abuse that is ongoing and/or about to happen and which therefore could be prevented or stopped, protecting the child from harm.

As in options C and D, to ensure that the legislation is technology neutral, the obligation would apply regardless of the technology used in the online exchanges. Reporting and removal (upon the reception of a removal order) would be mandatory for all types of CSA online, as described in option B.

The services in scope in options C, D and E could be:

·for the risk assessment, reporting and removal obligations: relevant providers that provide or facilitate access to services enabling the dissemination of CSAM and grooming;

·for the obligations to detect known and new CSAM: a more narrow category of relevant service providers, in particular providers of hosting and interpersonal communication services;

·for the obligation to detect grooming: interpersonal communications services.

Mandatory risk assessment

Expanding the risk assessment outlined in options C and D, relevant service providers would be required to also assess the risk that their services are misused for grooming. Subject to further assessment, the risk factors to consider specific to grooming could include:

·the user base, including whether the service is available directly to end users (as opposed to, e.g., providing services to businesses),

·the verification of user identity in the registration process,

·whether the services are likely to be accessed by children or otherwise where children make up a significant proportion of a service’s user base;

·the existence of functionalities of the service enabling adults to search for other users of the service (including children), e.g. if the profiles are searchable by default to all users;

·the existence of functionalities of the service enabling adults to contact other users (including children), in particular via private communications, e.g. if private messaging is enabled by default to all users and if private messaging is an integral part of the service;

·whether the services enable sharing images and videos via private communications for all users;

·whether robust age verification measures are in place (in particular to prevent adults from pretending to be children);

·whether the service offers grooming reporting tools that are effective, easily accessible and age appropriate;

·past experience with grooming on the same or a comparable service.

The service providers would then be required to report to the competent national authority the risk assessment, including any mitigating measures that they plan to adopt or have already adopted.

Detection order

Similarly to options C and D, on the basis of this risk assessment, the competent national authority would decide whether a detection order for grooming should be issued to a service provider, for one or more of its services. Where it is possible based on the risk assessment and technically feasible to limit the detection to a part of the service, the order should be limited to what is strictly necessary: for example, to perform detection only in one-on-one exchanges as opposed to groups. This detection order would also be limited in time and renewable based on an updated risk assessment. Suitable redress for affected service providers would be provided for.

Support by the EU Centre

The EU Centre would support service providers in three ways:

1)By making available to providers the database of indicators of grooming (e.g. AI classifiers) that providers would be required to use to detect grooming, while ensuring a technology neutral approach. The indicators would be based on grooming cases determined by courts or other independent public authorities.

2)By making available to providers, free-of-charge, technologies to facilitate detection. Providers would not be mandated to use the technologies provided by the Centre and would be able to use other tools, as long as they meet the requirements and provide for the safeguards specified in the legislation (see below).

3)By reviewing the reports submitted by service providers to ensure accurate reporting to law enforcement, and providing support, including through feedback on accuracy, to prevent imposing excessive obligations on the providers and in particular to avoid imposing the obligation to carry out an independent assessment of the illegality of the content detected. If possible grooming is detected by the EU Centre, it could be used to improve the database of grooming indicators, after public authorities have confirmed the illegality of the content.

The above three-way support of the Centre would be particularly useful to SMEs, which would also be subject to the above requirements and could thus also receive a detection order from national authorities. The Centre and the Commission would provide additional support to SMEs in the form of guidance, to inform SMEs about the new legal framework and the obligations incumbent on them. This guidance could be disseminated with the help of industry associations. It may also be possible to provide specific training, in collaboration with Europol and the national authorities.

Box 17: technology to detect grooming

Conditions and safeguards

As in options C and D, the obligation to detect grooming would apply regardless of the technology deployed in the online exchanges, and as an obligation of results, to ensure that the legislation remains technology neutral and as future proof as possible.

As in options C and D, the competent national authorities would be given the necessary competences for effective oversight to determine whether conditions and safeguards are respected, also in terms of the deployment of technologies.

The legislation would specify the necessary safeguards to ensure proportionality and a fair balance between all the affected fundamental rights. The safeguards could include all those described in option C extended to grooming, on 1) the technologies used, 2) how they are deployed, and 3) EU Centre-related safeguards. In addition,

·the material used to prepare and improve the grooming indicators (AI classifiers) made available by the EU Centre could be subject to periodic expert auditing to ensure the quality of the data used to train algorithms;

·the service provider could be obliged to report back to the competent data protection authority on the measures taken to comply with any written advice issued by the competent supervisory authority for technologies to detect grooming, following and in addition to the prior data protection impact assessment and consultation;

·the technologies used to detect grooming should be limited to the use of relevant key indicators and objectively identified risk factors such as one-on-one conversations (as grooming very rarely takes place in a group setting), age difference and the likely involvement of a child in the scanned communication.

Stakeholders’ views on mandatory detection from the open public consultation

Public authorities indicated that mandatory detection of known (71% of responses) and new CSAM (57%), and grooming (48%) should be covered by the possible legislation.

Child rights NGOs were in favour of mandatory detection and removal of known (78% of responses) and new CSAM (61%), and grooming (51%).

Privacy rights organisations opposed any mandatory detection measures and stressed the need to respect the requirements of necessity and proportionality to ensure the respect of fundamental rights of users, also with regard to privacy and confidentiality.

Service providers expressed little support for imposing legal obligations to detect known CSAM (12.5% of responses), new CSAM (6%) and grooming (6%). They flagged that, if there are any obligations, they should be formulated in terms of best reasonable efforts at the current state of technology, be in line with other EU legislation (e.g. e-commerce directive and DSA), and should not impose an excessive burden on SMEs. They raised questions of conflict of laws between the US and the EU emerging from detection and reporting obligations.

Individuals that responded to the open public consultation also expressed little support for imposing legal obligations for service providers to detect known CSAM (20% of responses), new CSAM (14%) and grooming (13%). At the same time, there was general support for a possible role of EU Centre managing a single EU database of known CSAM to facilitate detection.

Box 18: YouGov survey on citizens’ views on online child protection and privacy

5.3. Measures discarded at an early stage

The process of building the retained options started with scoping the widest spectrum of measures and discarding a number of them along the way, which included notably:

·Indefinite continuation of the Interim Regulation, i.e. extending indefinitely the current period of application of three years. This measure was discarded because it would not address in a satisfactory way the problem drivers, in particular problem driver 1, concerning the insufficient voluntary action by online service providers, and 2 on the lack of legal certainty (the Interim Regulation does not establish a legal basis for any processing of personal data). Also, the Interim Regulation only covers a subset of service providers whose services affected by CSA online. The possible combination of this measure with other options (including the practical measures in option A) would not be able to address these fundamental shortcomings.

·Obligations to detect CSA online (known and/or new CSAM, and/or grooming) limited to technologies that currently make possible such detection (e.g. unencrypted services). These measures were discarded because the legislation would not be effective in achieving the general objective of improving the functioning of the internal market by introducing harmonised EU rules for improving identification, protection and support for victims of CSA. Moreover, rather than improving the fight against CSA online, these measures could worsen it, by unintentionally creating an incentive for certain providers to use technologies in their services to avoid the new legal obligations, without taking effective measures to protect children on their services and to stem the dissemination of CSAM.

Annex 10 contains a further analysis of discarded options for the Centre.

6.What are the impacts of the policy options?

6.1. Qualitative assessment

The qualitative assessment of the policy measures (which form the policy options), is available in annex 4, section 1. This section focuses on the qualitative assessment of the policy options retained for analysis. It analyses the most relevant impacts, i.e. social, economic and fundamental rights, in addition to those related to the UN SDGs. The consistency of the options with climate law, the ‘do no significant harm’ principle and the ‘digital-by-default’ principle was taken into account throughout the assessment where relevant.

6.1.1. Social impact

All proposed measures except the baseline scenario would improve, to differing degrees, the protection of online users, particularly the young and vulnerable, and enhance the ability of authorities to prevent and respond to cases of online CSA.

6.1.1.1. Option A: practical measures to enhance prevention, detection, reporting and removal, and assistance to victims, and establishing an EU Centre on prevention and assistance to victims

The practical measures to enhance voluntary detection, removal and reporting of online CSA would improve the prevalence and effectiveness of voluntary measures to some extent, and would increase the number of related reports and investigations. The measures would also likely improve the efficiency and quality of reporting from service providers to law enforcement authorities, and allow more efficient use of resources by both. Uncertainty as to the legal basis for the necessary processing of personal data would remain, leading to fragmented efforts.

Establishing an EU Centre that could perform certain tasks relating to prevention and assistance to victims would help facilitate coordination and the implementation of practical measures in these areas. While these measures would to some extent improve efficiency in public-private cooperation, a number of difficulties would remain, in particular regarding a reliable source of hashes, a single European reporting point, accountability and transparency regarding providers’ efforts, and the need for clear and comprehensive information on the prevalence of CSA online.

Finally, this option would likely not be sufficient in providing effective assistance to victims of CSA, or to prevent CSA. While the practical measures included here may facilitate dialogue and exchange of information, they would not be sufficient to support the implementation of a holistic, evidence-based approach. The Centre’s impact would be limited, as it would be supported by minimal resources and the support it could offer would be restricted. In particular in view of the significant impact of providers’ efforts on the wellbeing of children and the rights of all users, the resulting continuation of a patchwork approach would fall short of the objectives.

Therefore, this option would not fully address the problem drivers.

6.1.1.2. Option B: option A + legislation 1) specifying the conditions for voluntary detection, 2) requiring mandatory reporting and removal of online child sexual abuse, and 3) expanding the EU Centre to also support detection, reporting and removal

This option would specify the conditions for service providers’ voluntary detection, reporting and removal of online CSA, eliminating key obstacles to voluntary efforts by providing legal certainty. This would allow services within the scope of the ePrivacy Directive (and its proposed revision) to adopt or continue voluntary efforts, following the lapsing of the Interim Regulation in 2024, as well as other relevant services. The reporting obligation would ensure both swift investigations to identify offenders and, where possible, identify and rescue victims, as well as independent verification of the illegality of the content.

The removal obligation would help ensure that service providers that have become aware of the existence of CSAM in their services take it down swiftly. This would limit revictimisation and would contribute to prevention efforts, given the effect that viewing CSAM has on increasing the probability of future offending (see box 1).

These obligations would also help create a level playing field for relevant providers active in the EU, as they would all need to comply with one framework for the detection, reporting and removal obligations.

The creation of EU-level databases of indicators of CSA online would facilitate service providers' determination of what constitutes CSA online under EU law. By maintaining a single, reliable database in the EU of indicators to facilitate detection of CSA online in companies’ systems, the Centre would lead to significant improvements in the relevance of reports received by EU law enforcement authorities, reducing the number of reports of materials that do not constitute CSA online under the laws of the relevant Member State, and further eliminating erroneous removals. An increase in the volume of reports can be expected with the introduction of mandatory reporting and the creation of an EU database. Importantly, the database and the support provided by the EU Centre can be expected to contribute to an improved quality of reports. This in turn can be expected to result in greater numbers of victims rescued and of perpetrators identified, prosecuted and convicted. The consequential deterrence effects can support the prevention of future offending. The Centre would also act as a central point for reporting in the EU, supporting both service providers and hotlines, reducing the reliance on reports from third country organisations, and improving the ability of relevant authorities to respond to cases of online CSA also in particular across jurisdictions.

In addition, the Centre could facilitate, directly and in cooperation with hotlines, the removal of CSAM relating to a victim, at the request of a victim, by conducting searches and by notifying providers of content requesting it to be removed. In addition, the creation of a dedicated EU Centre would send an important message about the dedication of the EU as a whole to combating child sexual abuse more effectively and to ensuring that rules apply online as they do offline. It would place the EU at one level with those leading the fight against child sexual abuse worldwide, and would reduce dependence on third-country entities, both for operational reports and for strategic and horizontal information about threats and trends, areas where the EU and its Member States to date have very limited visibility. The social impact of the creation of an EU Centre to prevent and counter child sexual abuse is described further in annex 10, sections 4-6.

However, there are also some drawbacks to this option from the perspective of social impacts. As described in Section 2, experience has shown that service providers’ voluntary action by itself has been insufficient. Only 12% of service providers responding to the open public consultation on the DSA reported that they used automated systems to detect illegal content they host 194 . This is reflected in the annual reports provided by NCMEC, which show that only a small percentage of providers registered to make reports to NCMEC have done so, that many of those who do make reports make very few of them, and that tools for the detection of CSA online are not widely used. Therefore, beyond ensuring that voluntary measures in interpersonal communications services can continue after the Interim Regulation expires, clarifications on the legal basis is unlikely to cause a significant increase in the use of voluntary measures.

Therefore, while option B would have a greater impact than option A through greater support for detection, reporting and removal efforts, it still would not fully address the problem drivers.

6.1.1.3. Option C: option B + mandatory detection of known CSAM

This option differs from Option B in two important aspects when it comes to its social impact. First, because it would introduce an obligation to detect known CSAM, and secondly because it would do so regardless of which technology is in use in the online exchanges.

The additional benefits of this option compared to Option B would be to ensure that the detection of known CSAM would no longer be dependent only on the voluntary action of providers. Detection would be focused on specific items of CSAM, which have earlier in an independent, reliable, specific and objective manner been found to be illegal. The detection would also be case-specific and limited in time, whilst assistance, safeguards and independent oversight would be provided for. Together with the aim of tackling particularly serious crimes, this all contributes to the conclusion that the obligation is in line with the prohibition on imposing general monitoring obligations. This option would also ensure that detection of known CSAM is performed regardless of the technology used. This would create a level playing field for relevant service providers, counteracting fragmentation and hence would have a positive effect on the realisation of the Single Market, building on the baseline harmonisation that the DSA is expected to provide.

In terms of the protection of children against the circulation of materials depicting their abuse, the obligation to detect is expected to have a positive impact. Over time, the overall number of images and videos depicting CSA available on services within scope should be reduced significantly, and, with it, the instances of secondary victimisation inherent in the continued viewing of the abuse. At the same time, it should entail a significant increase in the number of relevant service providers participating, in the volume of detection and reporting, and hence in the proportion of overall cases investigated and number of children identified and removed from abusive situations.

This would also have a positive impact on the overall confidence of users in services, as their exposure to CSAM would also be reduced. This positive impact would extend also to society’s expectation that services do not facilitate the sharing of CSAM. While the targeting of specific services would possibly somewhat reduce the overall effectiveness of the obligation which could be greater if more services were included in scope, this can be justified in light of the greater impact that such detection might have.

For the detection of known content, the availability of reliable indicators of what constitutes CSAM under EU law and of free-of-charge technologies facilitating automatic detection would support service providers in their identification of relevant content and help ensure proportionality of requirements. Known CSAM is the most common type of child sexual abuse online. The tools to detect it (see annex 8, section 1) have a high accuracy rate and have been reliably used for over a decade. The obligation to detect known material would level the playing field and ensure the detection of that content where is currently missing, with all the necessary safeguards. The EU Centre would make available the database of indicators of known material (e.g. hashes, URLs) that providers should use. The detection obligation might also encompass materials that victims have referred for detection and removal, or materials from concluded law enforcement investigations and that have been verified as CSAM by public authorities.

As a downside, such an obligation could result in occasional false positives, that is, in images and videos erroneously identified as CSAM. Given the gravity of an allegation of being involved in CSA, reporting could have a negative impact in the case of false positives and needs to be accompanied by safeguards ensuring that false positives are prevented as much as possible and that, where they occur, all data generated in relation to the false positives are erased, other than what is required for the improvement of automatic detection tools. Therefore, the Centre could provide an independent verification of the illegality of the content, eliminating manifestly unfounded reports, before forwarding reports that are not manifestly unfounded to Europol and national law enforcement authorities for action. Those authorities would, in addition, naturally still carry out their own assessments to determine whether further actions is necessary and appropriate in each individual case.

Given the impact on fundamental rights of all users, additional strict safeguards would apply, building on and going beyond those set out above for voluntary detection and for the reliability of the database of indicators. These could include independent expert auditing of the database of indicators and regular supervision and verification of the procedures of the Centre (with the involvement of data protection authorities as needed), independent expert certification of tools for automated detection to ensure accuracy, as well as additional transparency and accountability measures such as regular reporting. The legislation could also set out information rights of users and mechanisms for complaints and legal redress (see section 5.2.3.).

The application of an obligation regardless of the technology used in the online exchanges (including encryption) would ensure a level playing field regardless of service providers’ choice of technology and would likely significantly increase the effectiveness of the obligation. On the other hand, it could potentially limit the effective exercise of users’ right to privacy when it comes to the content of their communication and increases the burden on service providers as detection currently remains more challenging in E2EE communications. It is therefore only in light of the particularly egregious nature of CSA that such an obligation can be considered. This option would need to take into account the requirement of ensuring that the benefits of encryption for the privacy of all users are not compromised in the process of protecting children and identifying offenders. Technical solutions would therefore need to be carefully considered and tailored to balance these objectives. The obligation to detect would apply following a decision by the competent national authorities on a case by case basis, following the analysis of a risk assessment submitted by the service provider and taking into account technical feasibility.

The uniform application by all relevant online service providers to detect, report and remove known CSAM, regardless of the technology used in the online exchanges, would, over time, significantly affect the availability of CSAM on services falling within the scope of the initiative. It would decrease the blind spot caused by perpetrators’ use of certain technologies to share CSAM and abuse and exploit child victims. This would make private communications safer for children and help ensure that evidence of CSA can be found, leading to the identification of child victims.

6.1.1.4. Option D: option C + mandatory detection of new CSAM

The impacts of this option would be the same as option C, plus those of establishing a legal obligation for mandatory detection of new CSAM regardless of the technology used in the online exchanges.

The basic rationale for treating previously identified (i.e. known) and new CSAM the same is that both concern the same types of content, the difference between that the former has been independently confirmed as constituting illegal material under EU law whereas for the latter that has not (yet) occurred.

The additional challenge lies in the fact that detection of new CSAM relies on a different technology, which does not use hashes or URLs for individual images and videos but rather relies on pattern recognition, as set out in annex 8, section 2. The reliability and efficacy of such technologies is quite advanced, ensuring error rates in the low percentages, yet the burden on relevant service providers in ensuring the accuracy of efforts is significantly higher and would require an additional degree of human oversight and human confirmation of suspected CSAM.

Whereas the proportion of materials currently flagged as suspected new CSAM is significantly lower than that of known CSAM, new CSAM requires systematic human verification. The additional burden would need to be proportionate and compatible with the prohibition of general monitoring and active fact-finding as well as the need to strike a fair balance between the relevant fundamental rights at stake.

Such a balance may be supported by important objectives with respect to the interest of the child that would not otherwise be accomplished. Whereas the detection of known material reduces the re-victimisation of the child depicted in those images and videos and, at times, the investigation initiated with such a report may lead to uncovering ongoing abuses, this material depicts past abuse, which in some cases may be years old. By its nature, previously undetected CSAM usually depicts more recent and at times still ongoing abuse, provides particularly valuable leads, and is therefore treated as highest priority by law enforcement. The added value of detecting new CSAM in terms of the ability to identify and rescue children is significant. The positive social impact on children’s welfare consequently is significantly higher than in the case of detection of known content alone.

The prompt detection of new material also allows for prevention of its distribution, and the possibility of it ‘going viral’ in circles of abusers, by adding it to the databases of known material that feed the automated detection tools. The subsequent detection based on the comparison with these databases can also provide important information about the way in which CSAM is disseminated online and the circles of abusers, facilitating detection and effective action against such groups, which would have a significantly positive social impact of tackling the problem closer to its roots.

The application of an obligation to detect new CSAM regardless of the technology used in the online exchanges carries similar considerations as those laid out under Option C. It would ensure that obligations are applicable to all service providers regardless of choice of technology, which is likely to produce better effectiveness of the obligation to detect new CSAM. In particular, any solution used in this context would have to ensure both the benefits that encryption provides for privacy of all users and the protection of the fundamental rights of children. Solutions would need to be carefully considered and tailored to balance these objectives. This obligation is likely to increase the burden on service providers to deploy technical solutions that detect new CSAM in E2EE communications, including similar type of administrative burdens as to detection on new CSAM in un-encrypted communications to ensure accuracy, and mitigate error rates, including through human review.

Similarly to Option C, uniform application by all relevant online service providers to detect, report and remove new CSAM, regardless of the technology used in the online exchanges, would, over time, significantly affect availability of CSAM on services falling within the scope of the initiative.

6.1.1.5. Option E: option D + mandatory detection of grooming

The social impacts of this option would be the same as option D, plus those of establishing a legal obligation on relevant service providers for mandatory detection of grooming regardless of the technology used in the online exchanges.

Whereas the current number of reports of suspected grooming is significantly lower than that of CSAM, in particular known CSAM, grooming requires systematic human verification. The additional burden would need to be proportionate and compatible with the prohibition of general monitoring and active fact-finding as well as the need to strike a fair balance between the relevant fundamental rights at stake.

Such a balance may be supported by important objectives with respect to the interest of the child that would not otherwise be accomplished. Whereas the detection of known material reduces the re-victimisation of the child depicted in those images and videos and, at times, the investigation initiated with such a report may lead to uncovering ongoing abuses, this material depicts past abuse, which in some cases may be years old. In contrast, the identification and stopping of grooming is a measure that can serve to protect children from falling victim to imminent abuse, or to stop ongoing abuse. This is of particular relevance in the current situation in the pandemic, where children have been exposed to a significantly higher degree of unwanted approaches online including grooming. The positive social impact on children’s welfare consequently is significantly higher than in the case of detection of CSAM alone.

The detection of grooming typically relies on tools for automatic text analysis, which are trained on verified grooming conversations and assess a given exchange according to risk factors identified on the basis of the verified grooming cases. Such tools are at the moment slightly lower in accuracy than tools for the automatic detection of known or new CSAM (see box 16 in section 5.2.4.) and would therefore require additional conditions and safeguards to avoid reports of false positives. The comparably higher invasiveness of text analysis tools and lower accuracy rate therefore has to be weighed against the interest in more effective protection of the child, particularly in calibrating the tool to avoid false positives at the expense of increasing the number of false negatives. In addition, where detection can be limited to parts of a service, determined on the basis of objective factors, this further contributes to ensuring the appropriate balance.

6.1.2. Economic impact

The assessment of the economic impact of the different options focuses on the impact on service providers and public authorities concerned by the measures.

The quantitative assessment is included in section 6.2. For a detailed assessment of the economic impact of establishing the Centre see annex 10.

6.1.2.1. Option A: practical measures to enhance prevention, detection, reporting and removal, and assistance to victims, and establishing an EU Centre on prevention and assistance to victims

Compared to the baseline scenario, the practical measures to enhance the voluntary detection, removal and reporting of CSAM would to some extent improve the quality of procedures and the cooperation between the private and public sector. In particular, the training of EU practitioners and the sharing of guidelines and best practices should have a positive impact and generate efficiency savings both for providers and for public authorities.

The practical measures to enhance actions on prevention and assistance to victims, including establishing an EU Centre as a hub without legal personality, would generate limited costs to the EU budget. They would have a potential to limit expenses on the side of the Member States, which could make use of existing research and expertise. The Centre’s activities in the areas of prevention could lead to a reduction in relevant offences, while its victim support role could contribute to the recovery of victims, reducing the long-term impact of these crimes on victims and society. In all areas, the Centre’s work could reduce duplication of efforts. However, this positive impact would be limited and would depend on the willingness of actors to cooperate.

The practical measures addressed to authorities to improve cooperation with service providers (training, standardised forms, online portal) would generate some moderate costs for them, but also improve the quality of reports and should therefore lead to a net reduction of costs for both service providers and public authorities. Likewise, the set-up of a feedback mechanism and communication channel would cause some moderate integration and maintenance costs but the benefits of such mechanism are expected to outweigh the expenses.

The practical measures addressed to service providers (streamlining of policies) would similarly generate moderate costs for them, in particular if changes to procedures have to be implemented, but public authorities would have a clear point of entry, reducing transaction costs, and would not have to adapt to a variety of individual service providers' policies, leading to cost reductions for public authorities. The Application Programming Interfaces (APIs) that public authorities could make available to allow service providers to remotely check hashed images and videos from their service against databases of hashes would generate moderate integration and maintenance costs for relevant public entities. However, as mentioned above, using common APIs would reduce transaction costs and overall costs in the long-run.

Supporting measures, technology and expertise sharing across platforms could limit potential economic burdens on relevant online service providers. Similar to service providers, the public sector would also benefit from interoperable tools and increased cooperation. There will also be a positive economic impact on expenses related to victim support.

6.1.2.2. Option B: option A + legislation 1) specifying the conditions for voluntary detection, 2) requiring mandatory reporting and removal of online child sexual abuse, and 3) expanding the EU Centre to also support detection, reporting and removal

The economic impacts of this option are the same as in option A, plus those of clarifying the legal basis for the voluntary detection of CSA by relevant online service providers, a reporting and removal obligation, and the cost of establishing and maintaining an EU Centre.

Reporting obligations under this option could lead to:

·additional costs to law enforcement authorities, to adequately respond to the likely increase in reports from service providers. Furthermore, if law enforcement receives more reports where action is required due to more extensive and reliable datasets provided by the Centre, additional costs could be expected concerning identification of victims and offenders, investigations, criminal proceedings and support to victims and their families;

·additional costs to service providers, e.g. in technological developments and/or acquisition and maintenance, infrastructure expenditure and expert staff recruitment and training, in particular with regard to SMEs.

For both the public and the private sector, administrative and compliance costs could arise from implementing new legislation. On the other hand, the economic impact of (voluntary) earlier detection of CSA would be expected to be significantly positive with regard to the quality of life of survivors, their productivity, and reduced costs of lifelong victim support. In addition, a positive effect on the Single Market could result from additional legal clarity and certainty, thus limiting compliance costs.

Establishing an EU Centre would incur significant cost to the EU budget. However, the Centre would also contribute to limiting expenses for other stakeholders, including public authorities and service providers, by streamlining activities in an economic manner. The Centre’s activities would support both law enforcement authorities and online service providers in the detection and reporting of CSA online, leading to greater efficiencies. It would facilitate compliance and reduce the costs of complaints and associated judicial proceedings by making available reliable information on content that is illegal in the EU. The Centre would also help streamline and facilitate hotlines’ efforts, including with regard to proactive searches. In addition, more extensive and reliable datasets of e.g. hashes would help law enforcement prioritise their actions, reducing the time spent filtering out non-actionable reports. The Centre’s activities in the area of prevention could lead to a reduction in relevant offences, while its victim support role could contribute to the recovery of victims, reducing the long-term impact of these crimes on victims and society. In all areas, the Centre’s work could reduce duplication of efforts. In the long run, the Centre’s activities would therefore lead to a decrease in the economic costs of CSA.

6.1.2.3. Option C: option B + mandatory detection of known CSAM

The impacts of this option are those outlined for option B plus those derived from the obligation to detect known material. For both the public and the private sector, administrative and compliance costs would arise from implementing new legislation.

For service providers, the introduction and maintenance of systems for the detection, where applicable, and the new or increased generation of reports would result in costs, also in relation to follow-up requests for further relevant data from public authorities, and for handling complaints and requests for review by affected users. However, they would benefit from the fact that this option would limit further fragmentation of the Internal Market with regard to administrative procedures and obligations required from hosting service providers. A number of service providers could build on systems they already have in place. In addition, the Centre would provide important support in making available technologies that can then be adapted to the needs of the providers. Technologies for the detection of known CSAM have been available free of charge for years and have proven their reliability.

SMEs offering hosting services are particularly vulnerable to exploitation through illegal activities, including CSA, not least since they tend to have limited capacity to deploy state-of-the-art technological solutions to detect CSAM or specialised staff. Therefore, while they should not be exempted from any rules and obligations, it is of particular importance to ensure that measures are proportionate and do not place an undue burden on them. The free availability of reliable databases of known CSAM indicators as well as detection tools (made available by the Centre) are important in this regard. Even though companies may have unequal resources to integrate technologies for the detection of CSAM into their products, this negative effect is outweighed by the fact that excluding them from this obligation would create a safe space for child sexual abuse and therefore defeat the purpose of the proposal. To further mitigate the economic impact on smaller companies, the verification of the illegality of the reported material could be left to the expertise of the EU Centre, in cooperation with the national authorities and the network of hotlines where needed and appropriate, which would inform the provider whether the material did in fact constitute CSAM. Therefore, these service providers would not be forced to invest in additional human resources for confirmation of suspected CSAM.

The expected increase in reports from service providers would result in significant additional costs to public authorities, in particular law enforcement and judicial authorities, arising from the corresponding increase in investigations and prosecutions. However, this financial impact is expected to be outweighed by the positive economic impact on victim support measures and survivor quality of life and productivity.

A positive effect on the Single Market could result from additional legal clarity and certainty, thus limiting compliance costs. Furthermore, both the public and the private sector would benefit from a common framework creating more legal certainty and mutual trust between the public and the private sector.

6.1.2.4. Option D: option C + mandatory detection of new CSAM

The impacts of this option are those outlined for option C plus those derived from the obligation to also detect new material. For both the public and the private sector, administrative and compliance costs would arise from implementing new legislation. However, all of the legislative options could reduce the fragmentation of the Internal Market and reduce compliance costs on the long term.

The expansion to new material could further increase the workload of law enforcement, compared to the previous option. While the overall number of new materials detected is expected to be lower than that of known CSAM, it will likely still be significant, considering that the cases require urgent and detailed attention, given the greater likelihood of ongoing abuse and the need for victim identification. Therefore, this increase in the workload will be accompanied by additional costs to respond to reports, costs related to starting investigations as well as the criminal justice process.

As in option C, service providers could encounter additional costs related to the integration and maintenance of detection technology and follow-up requests from public authorities, among others. Expanding the safety policy to new CSAM might require service providers to invest in adapting the available technologies to their individual products and possibly in recruiting trained staff to verify new material before reporting it. This could affect smaller providers in particular. To mitigate this effect, technologies would be made available free of charge. In addition, in the case of SMEs the human review and verification would be left to the expertise of the EU Centre which, in cooperation with national authorities and the network of hotlines where needed and appropriate, would inform the provider whether the material constituted CSAM.

6.1.2.5. Option E: option D + mandatory detection of grooming   

The impacts of this option are those outlined for option D plus those derived from the obligation to also detect grooming. 

Expanding the obligation to detection of grooming would require relevant service providers to invest in integrating additional tools to detect this type of abuse. These costs could be mitigated by making available technologies free of charge via the EU Centre, limiting service providers’ expenses to the integration of such tools into their services, and by relying on the EU Centre for the confirmation of cases identified as suspected grooming. By contrast, staffing costs for the Centre would increase as such cases require immediate reaction in order to ensure the protection of victims. Where the relevant service providers choose to rely on the Centre for verification before taking action, swift turnaround would have to be ensured in order to inform the provider about the need to intervene in an interaction and to protect a child.

Law enforcement would incur higher costs related to processing reports, compared to option D. The number of additional reports is expected to be lower compared to known CSAM, but as for new CSAM, swift action is required to protect the victim. The same considerations on administrative costs for the implementation of legislation as set out above apply. The positive economic impact when it comes to victim support and quality of life would increase, as the number of children that do not fall victim to hands-on child sexual abuse because of the timely detection of grooming would increase. This could potentially reduce the impact on victim support systems, compared to the previous options, as well as having a decisive impact on the quality of life and future productivity of the children.

Stakeholders’ views on economic impacts

Service providers and business associations expressed in the open public consultation and the inception impact assessment their concerns regarding the economic impact for SMEs of possible legal obligations and that a ‘one-size-fits-all’ solution should be avoided. They also pointed out that the costs of deploying and maintaining technical solutions should not be underestimated.

Hotlines and public authorities indicated in the open public consultation and in the targeted consultations that increased reporting could result in increased costs for investigating, prosecuting, and managing offenders, and in assistance and support to victims.

6.1.3. Fundamental rights impact

According to Article 52(1) of the Charter of Fundamental Rights, any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

The objective pursued by the envisaged proposal, i.e. preventing and combating CSA, which is a particularly serious crime 195 , constitutes an objective of general interest within the meaning of Article 52(1) of the Charter 196 . In addition, the proposal seeks to protect the rights of others, namely of children. It concerns in particular their fundamental rights to human dignity and to the integrity of the person, the prohibition of inhuman or degrading treatment, as well as the rights of the child 197 . It takes into account the fact that in all actions relating to children, whether taken by public authorities or private institutions, the child's best interests must be a primary consideration. Furthermore, the types of CSA at issue here – notably, the exchange of photos or videos depicting the abuse – can also affect the children’s rights to respect for private and family life and to protection of personal data 198 . In connection to combating criminal offences against minors the European Court of Justice has noted that at least some of the fundamental rights mentioned can give rise to positive obligations of the relevant public authorities, requiring them to adopt legal measures to protect the rights in question 199 .

At the same time, the envisaged measures affect, in the first place, the exercise of the fundamental rights of the users of the services at issue. Those rights include, in particular, the fundamental rights to respect for privacy (including confidentiality of communications, as part of the broader right to respect for private and family life), to protection of personal data and to freedom of expression and information 200 . Whilst of great importance, none of these rights is absolute and they must be considered in relation to their function in society 201 . As indicated above Article 52(1) of the Charter allows limitations to be placed on the exercise of those rights, subject to the conditions set out in that provision.

More specifically, the measures aim to achieve the aforementioned objective by regulating both ‘public-facing’ and ‘private’ services, including interpersonal communication services, which results in varying levels of intrusiveness regarding the fundamental rights of users. In the case of content that is accessible to the public, whilst there is an intrusion, the impact especially on the right to privacy is generally smaller given the role of these services as ‘virtual public spaces’ for expression and economic transactions. The impact on the right to privacy in relation to private communications will generally be greater. Such impact, where necessary to achieve the aforementioned objective, must be necessary and proportionate and be moderated by appropriate safeguards. The safeguards have to be differentiated and balanced in order to adapt inter alia to the varying level of intrusiveness depending on the nature of the communications services at issue.

Furthermore, the potential or actual removal of users’ content, in particular erroneous removal (on the mistaken assumption that it concerns CSAM), can potentially have a significant impact on users’ fundamental rights, especially to freedom of expression and information where content is removed erroneously. Such impact can depend inter alia on the service provider’s position in the Internet ‘stack’. Services lower in the Internet stack include those providing cloud infrastructure, web hosting, or content distribution network services. At the same time, content involving CSA that is left unremoved can have a significant negative impact on the aforementioned fundamental rights of the children, perpetuating harm for children and for society at large. Other factors to be taken into account in this regard include the nature of the user content in question (text, photos, videos), the accuracy of the technology concerned, as well as the ‘absolute’ nature of the prohibition to exchange CSAM (which is in principle not subject to any exceptions and is not context-sensitive).

In addition, the freedom to conduct a business of the providers covered by the proposal comes into play as well 202 . Broadly speaking, this fundamental right precludes economic operators from being made subject to excessive burdens. It includes the freedom to choose with whom to do business and the freedom of contract. However, this right is not absolute either; it allows for a broad range of interventions that may limit the exercise of economic activities in the public interest 203 .

The need to strike a fair balance between all of the fundamental rights at issue played an important role in the consideration of the various options. The initiative may not affect the essence of, or affect in an unjustified and disproportionate manner, the abovementioned fundamental rights. The options were pre-selected accordingly, and the main differences between the options relate to the extent of their effectiveness in safeguarding and balancing the various fundamental rights, considering their various degrees of interference, and the ability of the options to offer a more adequate response in light of both the current and the evolving risks emerging in a highly dynamic digital environment.

6.1.3.1. Option A: practical measures to enhance prevention, detection, reporting and removal, and assistance to victims, and establishing an EU Centre on prevention and assistance to victims

Compared to the baseline scenario, a limited positive impact on fundamental rights may be expected with respect to better coordination of efforts on prevention and assistance to victims of child sexual abuse with the support and facilitation of a newly established EU Centre, and on enhancing the voluntary detection, removal and reporting of child sexual abuse online.

A very limited impact on fundamental rights may be expected with respect to the cooperation between private and public authorities. Practical measures would ensure confidentiality of data sets, which may have a positive effect on the protection of privacy and personal data compared to the baseline scenario.

This option would furthermore increase transparency and accountability and would contribute to ensuring sound administration. There would be no change with regard to legal clarity and only a moderate impact on individuals' fundamental rights. This option would maintain the current framework of voluntary measures to address CSA and of cooperation with service providers. The rights and obligations of service providers would not be substantially affected.

6.1.3.2. Option B: option A + legislation 1) specifying the conditions for voluntary detection, 2) requiring mandatory reporting and removal of online child sexual abuse, and 3) expanding the EU Centre to also support detection, reporting and removal.

Measures need to be effective, necessary and proportionate to tackle the crimes at issue and to protect the fundamental rights of children, including to give effect to the State’s obligation to provide for the protection of children’s rights and well-being, as a vulnerable group requiring particular care, and the effective application of its laws. In line with what was said above, these rights and interests need to be balanced against the following rights in particular:

Users’ rights: when data is processed for the purposes of detection, this affects users’ rights to freedom of expression and information, to the protection of personal data, and, where applicable depending on the type of service, to the confidentiality of their communications. While the rights to freedom of expression and information do not extend to protecting illegal activities aimed at the destruction of any of the basic fundamental rights and freedoms, the detection would also need to check legal materials and exchanges for the presence of CSAM. As a result, a strong justification and strong safeguards would be needed to ensure an appropriate balance of the different fundamental rights. The justification consists essentially in the particularly serious crimes that the envisaged measures aim to prevent and combat and the protection of children that it aims to ensure. As described in section 5.2.3., the safeguards could include requiring service providers to use technologies and procedures that ensure accuracy, transparency and accountability, including supervision by designated authorities. In addition, the database of child sexual abuse indicators provided by the EU Centre would ensure a reliable basis for determining which content is illegal. The transparency and accountability that the Centre helps ensure could also help ensure that there are no erroneous takedowns or abuse of the search tools to detect legitimate content (including misuse of the tools for purposes other than the fight against child sexual abuse).

For interpersonal communications services, the users’ fundamental right to privacy of communications are also concerned in particular. Therefore, supplementary safeguards would be required, including targeting the voluntary detection of new material and grooming to services where children may be at high risk, and providing clear information to users, as well as possible information once suspected abuse has been detected, including possibilities for redress. An additional safeguard lies in the anonymised processing by technologies 204 , which ensures that the impact on the fundamental rights of users whose communications are processed would remain within reasonable limits and do not go beyond what is necessary, since no personal data deriving from their communications would be reviewed unless there is a justified suspicion of child sexual abuse (these technologies simply detect content like a virus scanner or spam filter, taking no records and not ‘understanding’ the substance of the communication, e.g. they answer the question ‘does this image contain CSA patterns?’ rather than ‘what is this image about?’).

Service providers’ rights: This option would have no impact on the rights of service providers who choose to take no action to proactively detect child sexual abuse involving their services. On the other hand, service providers who choose to do so would be subject to new requirements that have not applied previously, in addition to those arising from the DSA proposal, such as requirements on the reliability and accuracy of technologies and on reporting and removal. Such requirements however are important safeguards for the fundamental rights of users.

Regardless of whether service providers decide to take voluntary action to detect CSA, they would be subject to reporting and removal obligations in case they become aware of the existence of CSA online in their services. These obligations impact service providers’ rights but are necessary to safeguard the fundamental rights of victims.

As an additional important safeguard, the EU Centre would help improve transparency and accountability. The obligation to report would ensure that all instances of reported child sexual abuse online are independently verified, that action is taken to identify and rescue children, and that offenders are investigated. In addition, its existence would facilitate reporting to a Centre in the EU, thus limiting international transfers of personal data of EU citizens. By facilitating Member States’ action on prevention and supporting victims in removing CSAM, the Centre would have a significant positive impact on the fundamental rights of victims and children who may become victims. The Centre itself would also be subject to safeguards as described in section 5.2.3. to ensure that it carries out its responsibilities fully and in a transparent way.

On the whole, provided appropriate limits and safeguards are ensured, this option would thus fairly balance the various rights at stake.

6.1.3.3. Option C: option B + mandatory detection of known CSAM

The rights to be balanced are the same as in the previous option; the difference lies in the greater impact on rights resulting from a) the mandatory nature of the detection of known CSAM and b) its application potentially regardless of the technology used in the online exchanges.

This option, because of the expanded and more effective action against CSAM, would have a significantly positive impact on fundamental rights of victims whose images are circulating on the Internet, in particular on their right to the respect for private life, and to the rights as children.

At the same time, the mandatory nature of the detection has a notable impact on providers’ freedom to conduct their business. This can only be justified in view of the fundamental importance of tackling the particularly serious crimes at issue and more effective protection of children. Especially in the context of interpersonal communications, providers are the only ones that have visibility on the abuse taking place. Given that up to 80% of investigations in some Member States are possible only because of reports from providers, such a measure is objectively necessary 205 . In addition, providers would have access to free and verified detection tools. The obligation to detect known CSAM would level the playing field and ensure the detection thereof where it is currently missing, with all the necessary safeguards. It would be targeted, risk-based, limited in time and would not impose an undue burden on providers.

In addition, users’ rights (in particular freedom of expression, privacy and data protection) are concerned to a greater extent than under the previous option. The availability of reliable and verified tools could ensure that the impact on their rights does not go beyond what is strictly necessary, by limiting the interference and reducing the risk of false positives and the possibility of misuse. In particular, there would be no human interaction with interpersonal communications of users beyond the communications that have been automatically identified as containing CSAM.

On the whole, provided appropriate limits and safeguards are ensured, this option would thus fairly balance the various rights at stake.

Box 19: risk of misuse of tools to detect CSA online for other purposes

6.1.3.4. Option D: option C + mandatory detection of new CSAM

The rights to be balanced are the same as in the previous option; the difference lies in the greater impact on rights resulting from the mandatory detection of new CSAM.

This option would represent a higher impact on providers’ freedom to conduct a business and more interference into users’ right to privacy, personal data protection and freedom of expression. However, there is corresponding increase in the types of CSA that are tackled and, thus, to the achievement of the objective of combatting the particularly serious crimes at issue and protecting children. Moreover, stricter safeguards, remedies and transparency and accountability measures would be provided for to safeguard users’ rights.

Given the similar nature of the materials to be detected and the reliance on verified indicators to be provided by the EU Centre, the detection of new material would in principle have a comparable level of intrusiveness as the detection of known CSAM. However, given that accuracy levels of current tools, while still being well above 90%, are lower than for the detection of known CSAM, human confirmation is essential. This would add to the service providers’ burdens and increase intrusiveness, but is deemed necessary to avoid errors and the negative consequences that such errors might have, including for users’ rights. The need to rely on human confirmation could decrease as the technology develops, partly as a consequence of the obligations to detect new CSAM in this option. In addition, strict requirements and safeguards would apply, including on the reliability of indicators and independent supervision, and reliable detection tools made available free of charge.

Similarly to Option C, the identification of the specific providers in scope would be done through detection orders issued by Member States’ national authorities. This ensures a case-by-case, risk-based and time-limited approach, thus contributing to the proportionality of the approach. For the detection of new CSAM a specific, higher threshold would apply (as compared to detection orders for known CSAM), i.e. only services at a high and objective risk of being misused for the exchange and dissemination of new CSAM would be subject to a detection obligation.

In light of the new nature of most previously undetected CSAM, this option would have a positive impact on victims of ongoing abuse and would significantly enhance the possibility of safeguarding victims from additional abuse. In addition, the early detection and confirmation of new CSAM and the swift addition thereof to the database of known CSAM can help limit the spreading of CSAM across service providers.

Overall, the measures in this option would therefore fairly balance the affected fundamental rights while having a significantly greater positive effect on the rights of victims.

6.1.3.5. Option E: option D + mandatory detection of grooming 

The impacts of this option are the same as in Option D, with the important difference of the additional impact caused by requiring service providers to also detect grooming. The introduction of this obligation would have a higher impact on fundamental rights, which would be balanced by stricter personal data protection and privacy safeguards while providing redress, accountability and transparency.

Detecting grooming would have a positive impact on the fundamental rights of potential victims by contributing to the prevention of abuse. At the same time, the detection process would be the most intrusive one for users (compared to the detection of known and new CSAM) since it would involve searching text, including in interpersonal communications, as the most important vector for grooming. On the one hand, such searches have to be considered as necessary to combat grooming since the service provider is the only entity able to detect it. Automatic detection tools have acquired a high degree of accuracy 206 , and indicators are becoming more reliable with time as the algorithms learn, following human review. On the other hand, the detection of patterns in text-based communications may be more invasive into users’ rights than the analysis of an image or a video to detect CSAM, given the difference in the types of communications at issue and the mandatory human review of the online exchanges flagged as possible grooming by the tool.

This obligation would be restricted to only certain specific service providers (identified, on a case-by-case basis, through the detection orders of Member States’ national authorities), which are at high risk of being misused for grooming, which would further reduce the fundamental rights impact only to the users of those services and the providers concerned. This approach would contribute to ensure the required level of proportionality.

In this option, detection obligations would apply to the three main types of CSA online (known CSAM, new CSAM and grooming). Compared to voluntary detection, which leaves to private parties the decision of whether to detect, under this option the legislator is the one taking the decision on whether to detect all three types, given the particularly serious objective of public interest at stake, setting out the conditions and safeguards under which that detection should take place.

Overall, provided appropriate limits and safeguards are ensured, the measures in this option would therefore fairly balance the affected fundamental rights while having a significantly greater positive effect on the rights of victims.

6.1.4. UN SDGs impact

6.1.4.1. Option A: practical measures to enhance prevention, detection, reporting and removal, and assistance to victims, and establishing an EU Centre on prevention and assistance to victims

Enhancing voluntary detection, removal and reporting of online CSA and the creation of the EU Centre on prevention and assistance would to some extent contribute to relevant SDGs. Notably, limiting the likelihood of girls and children in general falling victims to CSA would positively impact SDG 5.2 (eliminate all forms of violence against women girls, as a majority of CSA victims are girls) and SDG 16.2 (end abuse, exploitation, trafficking and all forms of violence against children). This option would also help to minimise the short and long-term negative health consequences of CSA and support mental health for victims and offenders or people who fear that they might offend (SGD 3: health and well-being), and address SDG 4 (education) e.g. through prevention campaigns to raise awareness of CSA online risks. This option would also affect, to a lesser extent, SDG 1 on poverty (e.g. by supporting research on long-term economic effect of CSA).

However, the overall impact of this option would be limited, as the actions would remain fragmented, and the overall reduction of the circulating CSAM would be limited.

6.1.4.2. Option B: option A + legislation 1) specifying the conditions for voluntary detection, 2) requiring mandatory reporting and removal of online child sexual abuse, and 3) expanding the EU Centre to also support detection, reporting and removal

This option would clarify the legal basis for service providers’ voluntary detection of CSA online, which, along with the expansion of the EU Centre to a broader facilitator role covering also detection, reporting and removal of CSA online, would contribute to a reduction of the prevalence of CSA and consequently a reduction of victimisation of girls (SDG 5.2), and the sexual exploitation of children in general (SDG 16.2).

This option would also address to some extent SDG 3 on health and well-being, and SDG 4 on education, similarly to option A. It would also contribute to SDG 9 (industry, innovation and infrastructure), supporting service provider’s efforts to develop technology to fight CSA online.

6.1.4.3. Option C: option B + mandatory detection of known CSAM

This option would have a positive impact on the same SDGs as option B, but stronger. The obligation to detect is expected to significantly reduce the number of CSAM available online, which would lead to a more positive impact on all SGDs described in option B, in particular SDG 5.2, and SDG 16.2.

6.1.4.4. Option D: option C + mandatory detection of new CSAM

The impacts of this option would be the same as option C, plus those of establishing a legal obligation for mandatory detection of new CSAM. The obligation to detect new CSAM would further reduce the number of CSAM available, positively impacting all SGDs described in option B.

6.1.4.5. Option E: option D + mandatory detection of grooming

The impacts of this option would be the same as option D, plus those of establishing a legal obligation for mandatory detection of grooming. The obligation to detect grooming, with its positive effects on preventing imminent crimes (and stopping ongoing ones) could lower the prevalence of CSA, positively impacting all SGDs described in option B.

6.2. Quantitative assessment

The quantification of the costs and benefits of the policy measures/policy options is limited by the lack of data, in particular on the level of abuse on services which do not currently make significant numbers of reports, as it is unclear whether this indicates a lower level of abuse on those services, or less effective efforts to detect and report such abuse. This requires the use of a number of assumptions, described in detail along with the rest of the methodology used, in annex 4, sections 3-4. Given these limitations, the estimates in this section provide an idea of the order of magnitude of costs and benefits and therefore should not be taken as exact forecasts.

6.2.1. Costs

All the policy options under consideration would result in costs for public authorities, service providers, and the Centre. Each policy option includes measures relating to prevention, assistance to victims, and detection, reporting and removal of online child sexual abuse.    

In the area of prevention, costs would be incurred by the Commission as a result of the practical measures in Option A, under which the Commission would have responsibility for managing the Centre as a knowledge hub without legal personality. Under all other options, costs related to prevention measures would be borne by the Centre itself.

Costs in the area of assistance to victims would similarly by borne by either the Commission or the Centre, depending on the option chosen. In addition, measures to improve prevention and assistance to victims would likely give rise to costs for Member States.

Measures relating to the detection, reporting and removal of online CSA would entail administrative costs for service providers and public authorities under all options. These relate to the expense for service providers to implement measures to detect, report and remove online CSA, whether on a voluntary or mandatory basis, as well as the cost to both service providers and public authorities of processing each report. Under Options B to E, the Centre would also incur costs relating to the handling of reports, as well as costs for the creation and maintenance of an EU database of indicators of online child sexual abuse.

The cost model built to estimate the above costs first determined the composition of an average report today, based on the total amount of known and new CSAM files and grooming reports made in 2020. Then it estimated the cost of this average report, based on the estimated time that service providers and public authorities require for processing and following up on it (including investigations). It also estimated the number of reports in the coming years under the baseline scenario under voluntary detection, assuming that the number of reports would continue to grow in line with trends over recent years. It also assumed that the level of abuse detected and reported by Facebook, which is the top provider of reports to NCMEC, is indicative of the level of abuse that could potentially be detected and reported by other providers under mandatory detection. Finally, the model estimated the costs of each policy measure by estimating how the policy measure would change the composition of the average report and/or the number of reports compared to the baseline.

The estimated costs of each measure and option are presented in table 3 and table 4, below.

Table 3: cost estimates for the retained policy measures (EUR millions)