Creative Commons License

Sunday, September 10, 2023

ENCRYPTION OF WHATSAPP MESSAGES (SPAIN AND ARTICLE 100 OF THE ELECTRONIC COMMUNICATIONS CODE)

 SPAIN

(E2EE, END TO END ENCRYPTION)

1. To what extent can encrypted CSA material be affected by a detection order? Are you in
favour of including some wording in the Regulation excluding the weakening of E2EE (see, for
example, recital 25 of Regulation (EU) 2021/1232)?

If a detection order is issued in connection with the use of encrypted CSA material, the encrypted
material may be significantly affected. First, in many cases, the ISP will be able to access encrypted data. This means that the provider may have the ability to decrypt the encrypted CSA material.


Secondly, the Law Enforcement Authority (LEA) could request access to the encrypted material
and, if the internet service provider refuses to provide it, the LEA could present a judicial order to
obtain access to the encrypted data. If the judicial order is issued, then the encrypted material could
be decrypted.


Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from
implementing end-to-end encryption.

 
This is highly controversial, proposing as a solution that encryption with automatic decryption be
carried out at some intermediate server of the communication. Obviously, this endpoint should be
informed to the user, being an automatic detection not accessible to the user, being an automatic
detection not accessible to any human operator.


There is no specific wording in Regulation (EU) 2021/1232 that explicitly refers to E2EE
weakening. However, recital 25 of Regulation (EU) 2021/1232 concerns the protection of personal
data through the adoption of appropriate technical and organisational measures, including
information security. Therefore, language excluding E2EE weakening could be discouraged to
ensure an adequate level of protection of other personal data, even to the detriment of early
detection of CSA. However, the exact level of E2EE weakening that would be excluded should be
determined by EU Member States according to their national regulations.


Law enforcement authorities must have the means to be able to continue to fulfil their legal
obligations now that many criminals have moved to the virtual world.

It is imperative that we have access to the data - for which they must be retained - and it is equally
imperative that we have the capacity to analyse them, no matter how large the volume.

It is our obligation, this is not an option: we must have the necessary technical, human, innovation
and training resources. And among those resources we need to, at least, maintain our current levels
of effectiveness against crime, as well as an advanced, flexible and balanced legal framework that
encourages innovation while fully respecting the citizens' rights and freedoms.


2. Are you in favour of exploring if voluntary detection should be continued? If so, would you
rather prolong the Temporary Regulation (EU) 2021/1232, or include its content in the CSA
proposal?


Yes, we are in favour of continuing voluntary screening by service providers. It is interesting to
extend the Temporary Regulation (EU) 2021/1232 to give companies and organisations more time
to adapt to the requirements of CFS detection. This would allow for a gradual transition and allow agencies to adapt to the new requirements without undue pressure.

 
Regarding this question, we support the Czech delegation's statement. The idea of developing this
new proposal is due to the weaknesses presented by the voluntary content of the temporary
regulation.

3. Are you in favour of including audio communications in the scope of the CSA proposal, or
would you rather exclude it as in Regulation (EU) 2021/1232?


We do agree on including audio communications in the scope of the CSA proposal. We believe that,
as proposed by the Hungarian Delegation, the Proposal should delete the concrete references to the
different kind of materials (images, texts, videos or audios) and be more general so the proposal
tackles any kind of CSA-related material online.


We would like to highlight that Article 3(1) of the 1989 UN Convention on the Rights of the Child
and Article 24(2) of the EU Charter of Fundamental Rights state that in all actions related to
children, whether undertaken by public authorities or private institutions, the best interests of the
child shall be a primary consideration. It is also noted that the definition of child pornography was
already outlined by the Council of Europe in 1989 as "any audio or visual material in which a child
is used in a sexual context" (Recommendation (91) 11). This debate is something that should have
been resolved, bearing in mind the latest technological developments.


4. With a view to detecting CSA, do you wish that detection be performed on interpersonal
communications and publicly accessible content, or be limited to publicly accessible content?


As it is done by major service providers in the US, automatic content detection in interpersonal
communications is the key. Automatic detection informed to the user in the terms of use of the
services, so as not to infringe the user's right to privacy.


It is recommended that detection is carried out both in interpersonal communications and in
publicly accessible content. This would help to ensure that any CSA-related content is identified
and appropriate assistance is provided to victims. We reiterate what was reported in Question 1.

https://s3.documentcloud.org/documents/23819681/law-enforcement-working-party-document-encryption.pdf

 


 

Article 100

Fundamental rights safeguards

1. National measures regarding end-users' access to, or use of, services and applications through electronic communications networks shall respect the Charter of Fundamental Rights of the European Union (hereinafter, the "Charter") and the general principles of Union law.

2. Any measure regarding end-users' access to, or use of, services and applications through electronic communications networks that is liable to limit the exercise of the rights and freedoms recognised by the Charter may be imposed only if it is provided for by law and respects those rights or freedoms, is proportionate, necessary, and genuinely meets general interest objectives recognised by Union law or the need to protect the rights and freedoms of others, in line with Article 52(1) of the Charter and with the general principles of Union law, which include the right to an effective remedy and to a fair trial. Accordingly, such measures may be adopted only with due respect for the principle of the presumption of innocence and the right to privacy. A prior, fair and impartial procedure shall be guaranteed, including the right of the persons concerned to be heard, subject to the need for appropriate conditions and procedural arrangements in duly substantiated cases of urgency, in accordance with the Charter.

https://eur-lex.europa.eu/legal-content/ES/TXT/?uri=celex%3A32018L1972

 

 

 
