EU approves emergency measures for children’s protection

Temporary emergency measures for children’s protection have just been adopted by the European Parliament.


Temporary emergency measures for children’s protection were adopted by the European Parliament on July 6th. This regulation will allow electronic communication service providers to scan private online messages containing any display of child sex abuse. The European Commission reported that almost 4 million visual media files containing child abuse were reported last year. There were also 1,500 reports of grooming of minors by sexual predators. Over the past 15 years, reports of this kind have increased by 15,000%.


This new regulation, which is intended to be executed using AI, has raised some questions regarding privacy. 


Electronic communication service providers are being given the green light to voluntarily scan private conversations and flag content which may contain any display of child sex abuse. This scanning procedure will detect content for flagging using AI, under human supervision. They will also be able to utilize anti-grooming technologies once consultations with data protection authorities are complete. These mechanisms have received some pushback due to privacy concerns. Last year, the EDPB published a non-binding opinion which questioned whether these measures would threaten the fundamental right to privacy. 


Critics argue that this law will not prevent child abuse but will rather make it more difficult to detect and potentially expose legitimate communication between adults. 


This controversial legislation, drafted in September 2020 at the peak of the global pandemic, which saw a spike in reports of minors being targeted by predators online, enables companies to voluntarily monitor material related to child sexual abuse. However, it does not require companies to take action. Still, several privacy concerns were raised regarding its implementation, particularly around exposing legitimate conversation between adults which may contain nude material, violating their privacy and potentially opening them up to some form of abuse. During the negotiations, changes were made to include the need to inform users of the possibility of scanning their communications, as well as dictating data retention periods and limitations on the execution of this technology. Despite this, the initiative was criticized, with critics citing that automated tools often flag non-relevant material in the majority of cases. Concerns were raised about the possible effect this may have on channels for confidential counseling. Ultimately, critics believe that this will not prevent child abuse, but will rather make it harder to discover, as it would encourage more hidden tactics.


This new EU law for children’s protection is a temporary solution for dealing with the ongoing problem of child sexual abuse. 


From the start of 2021, the definition of electronic communications has been changed under EU law to include messaging services. As a result, private messaging, which was previously regulated by the GDPR, is now regulated by the ePrivacy directive. Unlike the GDPR, the ePrivacy directive did not include measures to detect child sexual abuse. As a result, voluntary reporting by online providers fell dramatically with the aforementioned change. Negotiations have stalled for several years on revising the ePrivacy directive to include protection against child sexual abuse. This new EU law for children’s protection is but a temporary measure, intended to last until December 2025, or until the revised ePrivacy directive enters into force.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

ICO fines CRDNN Ltd

The ICO imposed the maximum fine of £500,000 on Scottish company CRDNN Ltd for automated nuisance calls.

The ICO has recently imposed the maximum fine of £500,000 on a Scottish company, CRDNN Ltd, for making nearly 200 million automated nuisance calls.

After receiving over 3000 complaints about CRDNN Ltd, formerly known as Contact Reach Digital Ltd, the ICO launched an investigation which resulted in a fine of £500,000 for unlawful marketing in the form of automated nuisance calls. Of those calls made, over 63.5 million connected. Some were even made to Network Rail’s Banavie Control Centre, clogging the line meant for drivers and pedestrians at unsupervised rail crossings, potentially putting lives at risk.

The investigation was launched after an ICO raid of the company’s headquarters in Clydebank, where computer equipment and documents were seized. The investigation revealed that over 1.6 million calls per day were being made between June 1st and October 1st of 2018. The calls were for the purpose of direct marketing and they were made from so-called ‘spoofed’ numbers. This means that people who received the calls could not identify who was making them, which is against Article 14 GDPR.

In a statement, the ICO’s head of investigations, Andy Curry, reveals that not only were these calls unsolicited, but consumers who attempted to opt out of those calls were simply bombarded with even more as a result. Mr Curry goes on to explain that CRDNN incurred the maximum fine due to the fact that the company’s directors “knowingly operated the business with complete disregard for the law” and did all in their power to avoid detection, even going as far as transferring the operation abroad, and attempting to liquidate.

The ICO has issued an enforcement notice to CRDNN Ltd, ordering them to comply with the Privacy and Electronic Communications Regulations within 35 days of their receipt of this notice. This enforcement notice, issued on February 26th 2020, states that CRDNN’s actions violated regulations 19 and 24 of PECR.

We recently reported on two fines issued by the Italian DPA (Garante) on TIM Spa and Eni Gas E Luce, for Euro 27.8 million and 11.5 million respectively. The ICO has now taken a stand against data mismanagement with this new fine. With officials cracking down on companies which mismanage their data, it is imperative that companies ensure that they are in line with the GDPR, PECR 2013, and the DPA 2018.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and UK Data Protection Act? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Gmail is not telecommunications, rules ECJ

To the relief of Europe’s tech community, the European Court of Justice rules that Gmail is not an electronic communications service and does not fall under the EU regulatory framework for telecommunications.

The European regulatory framework on electronic communications (or telecommunications) imposes a number of public law rights and obligations on the providers of services that consist ‘wholly or mainly’ in the conveyance of signals on electronic communications networks. According to German regulator BNetzA, whose decision was upheld by the Administrative Court in Cologne, Gmail satisfied this definition.

Whereas Google operates its own internet-connected network infrastructure in Germany, in particular several high-speed links between metropolitan areas, that was, according to the Administrative Court, not decisive: “The fact that the conveyance of signals occurs essentially over the open internet and thus that it is the internet access providers (‘IAPs’) which convey those signals and not Google itself does not preclude the classification of Gmail as a telecommunications service.” The signal conveyance service may be attributed to Google based on its ‘appropriation’ of “the signal conveyance service for its own purposes and, in particular, on the ground that it makes an essential contribution to the functioning of the telecommunications process with its electronic processing services.”

What does the ECJ say about Gmail?

According to the ECJ, however, Article 2(c) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), as amended by Directive 2009/140/EC, “must be interpreted as meaning that a web-based email service which does not itself provide internet access, such as the Gmail service provided by Google LLC, does not consist wholly or mainly in the conveyance of signals on electronic communications networks and therefore does not constitute an ‘electronic communications service’ within the meaning of that provision.”

According to the ECJ, the fact that Google “actively participates in the sending and receipt of messages, whether by assigning to the email addresses the IP addresses of the corresponding terminal devices or by splitting those messages into data packets and uploading them to, or receiving them from, the open internet for the purposes of transmitting them to their recipients,” does not appear to be sufficient to meet the ‘wholly or mainly’ criterion.

What is next for OTT communications?

Whereas the decision can be seen as a relief and is in line with the views of BEREC, the top body of European telecoms regulators, it is not future-proof. Notably, the new definition of ‘interpersonal communications services’ of the European Electronic Communications Code (EECC) can still be seen as a potential future game-changer, aiming for a so-called ‘level-playing field’ between traditional telecoms and OTTs. In addition, the Gmail decision needs to be read in conjunction with the recent Skype Out decision, whereby a software service allowing calls to traditional telephones is deemed an electronic communications service.

Are you worried about the impact the Gmail and Skype Out decisions might have on your OTT business? Aphaia provides regulatory policy advice to some of the world’s top OTT providers.

5G Privacy Risks addressed by the European Commission

The Commission Recommendation on Cybersecurity of 5G networks sets an action plan for the Member States. We explore the main sources of 5G privacy risks.

According to the Commission Recommendation on Cybersecurity of 5G networks, EU Member States should by 30th June 2019 carry out a risk assessment of 5G network infrastructure, including identifying the most sensitive elements where security breaches would have a significant negative impact. By the same date, Member States should also review the security requirements and the risk management methods applicable at national level, to take into account cybersecurity threats that may arise from (i) technical factors, such as the specific technical characteristics of 5G networks, and (ii) other factors such as the legal and policy framework to which suppliers of information and communications technologies equipment may be subject in third countries.

A toolbox will further be agreed at the EU level that will include a risk inventory and a set of possible mitigating measures (e.g. third-party certification for hardware, software or services, formal hardware and software tests or conformity checks, processes to ensure access controls exist and are enforced, identifying products, services or suppliers that are considered potentially not secure, etc.).

5G vs 4G privacy risks

Since we all already use 4G and 3G mobile networks, the key practical question is the comparison between 5G and 4G privacy risks. Are there fundamental differences? Whereas there might be few qualitative differences, one can think of the higher density of 5G cells, which enables more precise user location information, or the impact of potential network management decentralisation, e.g. in relation to locally available 5G services. Mobile location issues are addressed by the EU ePrivacy Directive, soon to become the ePrivacy Regulation.

According to Vesna Prodnik Pepevnik, CEO of Vafer and 5G mobile network expert, the main challenges will be linked to vertical applications, from autonomous vehicles and healthcare to energy and monitoring systems with various omnipresent sensors. “The more systems and therefore data are processed by 5G networks, the higher the risk.” In her view, the Commission’s 5G security proposals are currently vague, which might even prove to be an obstacle for certain 5G use cases and therefore the EU’s ambitions in relation to 5G.

It therefore remains to be seen to what extent the proposed measures, including the expected toolbox, will provide the necessary safeguards for the industry and trust for the end-users, which are both essential for 5G becoming a major driver for IoT applications.

Aphaia provides Data Protection Impact Assessment, including in relation to ePrivacy, and Telecommunications Policy and Regulation services.