The European Commission has been asked again to provide greater disclosure of its dealings with private technology companies and other stakeholders over a controversial piece of technology policy that could lead to a law requiring the scanning of EU citizens’ private messages to detect sexual material Child Abuse (CSAM).
The issue is significant as concerns have been raised that tech industry lobbying could influence the Commission’s draft of the controversial CSAM scanning proposal. Some of the withheld information relates to correspondence between the EU and private companies that could be potential suppliers of CSAM scanning technology – meaning they could benefit economically from an EU-wide law requiring message scanning.
EU Ombudsman Emily O’Reilly’s preliminary finding of maladministration was made on Friday and published on her website yesterday. Back in January, the Ombudsman came to a similar conclusion and called on the Commission to respond to his concerns. The latest findings take into account the EU executive’s responses and call on the Commission to respond to its recommendations with a “detailed opinion” by July 26 – so the saga is not over yet.
Meanwhile, the draft law on CSAM scanning remains on the table with EU lawmakers – despite a warning from the Council’s legal service that the proposed approach is unlawful. The European Data Protection Supervisor and civil society groups have also warned that the proposal represents a watershed moment for democratic rights in the EU. While back in October, MEPs in the European Parliament, who are also against the Commission’s approach, proposed a fundamentally revised draft aimed at limiting the scope of the scan. However, the ball is in the Council’s court as member state governments have not yet agreed on their own negotiating position on the dossier.
Despite growing concerns and opposition from a number of EU institutions, the Commission continues to stand behind the controversial CSAM detection orders. The law ignores critics’ warnings and could force platforms to use client-side scanning, which would have devastating consequences for European web users’ privacy and security.
A continued lack of transparency around the EU executive’s decision-making process in drafting the controversial law is hardly helping – fueling concerns that certain vested commercial interests may have played a role in shaping the original proposal.
Since December, the EU Ombudsman has been investigating a complaint from a journalist who requested access to documents related to the CSAM regulation and the EU’s “related decision-making process”.
Having examined the information withheld by the Commission and its justification for non-disclosure, the Ombudsman remains largely unimpressed by the level of transparency shown.
Following the journalist’s request for public access, the commission released some data, but withheld 28 documents entirely and partially redacted the information on another five – citing a number of exceptions to the refusal to disclose, including the public interest in public safety ; the need to protect personal data; the need to protect commercial interests; the need to protect legal advice; and the need to protect its decision-making.
According to the Ombudsman, five of the documents linked to the complaint are “exchanges with technology industry stakeholders.” It does not list which companies corresponded with the commission, but US-based Thorn, a maker of AI-based child safety technology, was linked to lobbying on the issue in a BalkanInsights investigative report last September.
Other documents in the package that the Commission has either withheld or redacted include drafts of its legislative impact assessment; and comments from his legal service.
When it comes to information relating to the EU’s correspondence with technology companies, the Ombudsman questions many of the Commission’s justifications for withholding the data, noting, for example, in the case of one of these documents, that the EU’s decision to redact details Although not valid, the exchange of information between law enforcement and a number of unnamed companies may be justified on public safety grounds. There is no clear reason to withhold the names of the companies themselves.
“It is not immediately clear how disclosing the names of the affected companies could potentially jeopardize public safety by redacting the information exchanged between the companies and law enforcement,” the ombudsman wrote.
In another case, the Ombudsman appears to criticize the Commission’s selective disclosure of information based on contributions from representatives of the technology industry, writing: “For the very general reasons for non-disclosure given by the Commission in its confirmatory decision, it is not clear why.” it took into account what was withheld “preliminary options” to be more sensitive than those she intended to disclose to the complainant.”
The Ombudsman’s conclusion at this point in the inquiry reiterates his earlier finding of maladministration by the Commission for refusing to grant “wide public access” to the 33 documents. In her recommendation, O’Reilly also writes: “The European Commission should reconsider its position on the access request in order to significantly improve access, taking into account the Ombudsman’s considerations set out in this recommendation.”
The Commission was contacted regarding the Ombudsman’s latest findings on the complaint but had not responded at the time of going to press.