assess those requests and only transmit personal data to the EU Centre where strictly necessary and proportionate to the required purpose. Article 10(6) on Europol’s role in informing users following implementation of a detection order 134. The EDPB and EDPS welcome the requirement, as laid down in Article 10(6) of the Proposal, for providers to inform users whose personal data may be concerned by the execution of a detection order. This information is to be provided to users only after obtaining confirmation from Europol or the national law enforcement authority of a Member State that received the report pusuant to Article 48 of the Proposal that providing information to users would not interfere with activities for the prevention, detection, investigation and prosecution of child sexual abuse offences. 135. There is a lack of specificity, however, regarding the practical implementation of this provision. Where reports are forwarded to both Europol and a Member State law enforcement authority, the Proposal does not stipulate whether confirmation is required from one or both recipients, nor are the procedures/modalities for obtaining this confirmation spelled out in the Proposal (e.g. whether confirmations are to be channelled through the EU Centre). Taking into account the high volume of CSAM that Europol and national law enforcement authorities could be required to process, and the lack of a precise time limit for providing confirmation (‘without undue delay’), the EDPB and EDPS recommend clarifying the applicable procedures in order to ensure the realisation of this safeguard in practice. Furthermore, the obligation to inform users should also include information regarding the recipients of the personal data concerned. On data collection and transparency reporting (Article 83) 136. Article 83(3) of the Proposal provides for the EU Centre to collect data and generate statistics relating to a number of its tasks under the proposed Regulation. For monitoring purposes, the EDPB and EDPS recommend adding to this list statistics on the number of reports forwarded to Europol in accordance with Article 48, as well as the number of access requests received by Europol under Article 46(4) and 46(5), including the number of those requests granted and refused by the EU Centre.
5. CONCLUSION 137. While the EDPB and EDPS welcome the Commission’s efforts to ensure effective action against child sexual abuse online, they consider that the Proposal raises serious data protection and privacy concerns. Therefore, the EDPB and EDPS would invite the co-legislators to amend the proposed Regulation, in particular to ensure that the envisaged detection obligations meet the applicable necessity and proportionality standards and do not result in the weakening or degrading of encryption on a general level. The EDPB and EDPS remain available to offer their support during the legislative process, should their input be deemed necessary to address the concerns highlighted in the present joint opinion.
For the European Data Protection Supervisor
For the European Data Protection Board
The European Data Protection Supervisor
The Chair
(Wojciech Wiewiorowski)
(Andrea Jelinek)
Adopted
36