15 Amendments of Johan NISSINEN related to 2022/0155(COD)
Amendment 308 #
Proposal for a regulation
Recital 5
Recital 5
(5) In order to achieve the objectives of this Regulation, it should cover providers of services that have the potential to be misused for the purpose of online child sexual abuse. As they are increasingly misused for that purpose, those services should include publicly available interpersonal communications services, such as messaging services and web-based e-mail services, in so far as those service as publicly available. As services which enable direct interpersonal and interactive exchange of information merely as a minor ancillary feature that is intrinsically linked to another service, such as chat and similar functions as part of gaming, image-sharing and video-hosting are equally at risk of misuse, they should also be covered by this Regulation. Online search engines and other artificial intelligence services should also be covered. However, given the inherent differences between the various relevant information society services covered by this Regulation and the related varying risks that those services are misused for the purpose of online child sexual abuse and varying ability of the providers concerned to prevent and combat such abuse, the obligations imposed on the providers of those services should be differentiated in an appropriate mannerand targeted manner. Considering the fundamental importance of the right to respect for private life and the right to protection of personal data, as guaranteed by the Charter of Fundamental Rights, nothing in this regulation should be interpreted as prohibiting or compromising the integrity and confidentiality of end-to-end encrypted content and communications.
Amendment 333 #
Proposal for a regulation
Recital 16
Recital 16
(16) In order to prevent and combat online child sexual abuse effectively, providers of hosting services and providers of publicly available interpersonal communications services should take effective and reasonable measures to mitigate the risk of their services being misused for such abuse, as identified through the risk assessment. Providers subject to an obligation to adopt mitigation measures pursuant to Regulation (EU) …/… [on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC] may consider to which extent mitigation measures2022/2065 may consider to which extent mitigation measures adopted to comply with that obligation. Mitigation measures necessary for the fulfilment of the obligations in this regulation may include the design of online interfaces or parts thereof with the highest level of privacy, safety and security for children by default, the adoapted to comply with that obligation, which may includeation of standards for protection of children, participation in codes of conduct for protecting children, targeted measures to protect the rights of the child, including age verification and-appropriate parental control tools, may also. Enabling flagging and/or notifying mechanisms and self-reporting functionalities, where possible with the use of AI, shall serve to address the risk identified in the specific risk assessment pursuant to this Regulation, and to which extent further targeted mitigation measures may be required to comply with this Regulation.
Amendment 353 #
Proposal for a regulation
Recital 20
Recital 20
(20) With a view to ensuring effective prevention and fight against online child sexual abuse, when mitigating measures are deemed insufficientthe provider refuses to cooperate by putting in place the mitigating measures aimed to limit the risk of misuse of a certain service for the purpose of online child sexual abuse, the Coordinating Authorities designated by Member States under this Regulation should be empowered to request, as a measure of last resort, the issuance of detection orders. In order to avoid any undue interference with fundamental rights and to ensure proportionality, that power should be subject to a carefully balanced set of limits and safeguards. For instance, considering that child sexual abuse material tends to be disseminated through hosting services and publicly available interpersonal communications services, and that solicitation of children mostly takes place in publicly available interpersonal communications services, it should only be possible to address detection orders to providers of such services. Such detection orders shall be issued with regards to the technical capacity of the provider, and shall in no way be intrepreted as prohibiting, or compromising the integrity and confidentiality of, end-to-end encrypted content and communications.
Amendment 373 #
Proposal for a regulation
Recital 23
Recital 23
(23) In addition, to avoid undue interference with fundamental rights and ensure proportionality, when it is established that those requirements have been met and a detection order is to be issued, it should still be ensured that the detection order is targeted and specifiedjustified, proportionate and related only to an identifiable part of the specific service, user or group of users, as well as targeted and limited in time so as to ensure that any such negative consequences for affected parties do not go beyond what is strictly necessary to effectively address the significant risk identified. This should concern, in particular, a limitation to an identifiable part or component of the service where possible without prejudice to the effectiveness of the measure, such as specific types of channels of a publicly available interpersonal communications service, or to specific users or specific groups of users, to the extent that they can be taken in isolation for the purpose of detection, as well as the specification of the safeguards additional to the ones already expressly specified in this Regulation, such as independent auditing, the provision of additional information or access to data, or reinforced human oversight and review, and the further limitation of the duration of application of the detection order that the Coordinating Authority deems necessary. To avoid unreasonable or disproportionate outcomes, such requirements should be set after an objective and diligent assessment conducted on a case-by-case basis.
Amendment 383 #
Proposal for a regulation
Recital 26
Recital 26
(26) The measures taken by providers of hosting services and providers of publicly available interpersonal communications services to execute detection orders addressed to them should remain strictly limited to what is specified in this Regulation and in the detection orders issued in accordance with this Regulation. In order to ensure the effectiveness of those measures, allow for tailored solutions, remain technologically neutral, and avoid circumvention of the detection obligations, those measures should be taken regardless of the technologies used by the providers concerned in connection to the provision of their services. Therefore, this Regulation leaves to the provider concerned the choice of the technologies to be operated to comply effectively with detection orders and should not be understood as incentivising or disincentivising the use of any given technology, provided that the technologies and accompanying measures meet the requirements of this Regulation. That includes the use ofIn accordance with Article 6a, nothing in this regulation shall be interpreted as prohibiting, or compromising the integrity and confidentiality of, end-to-end encryptied con technology, which is an important tool to guarantee the security and confidentiality of the communications of users, including those of childrennt or communications through client-side scanning with side- channel leaks or other measures by which the provider of a hosting service or a provider of interpersonal communication services provides third party actors with access to the end-to-end encrypted content and communications. When executing the detection order, providers should take all available safeguard measures to ensure that the technologies employed by them cannot be used by them or their employees for purposes other than compliance with this Regulation, nor by third parties, and thus to avoid undermining the security and confidentiality of the communications of users.
Amendment 389 #
Proposal for a regulation
Recital 26 a (new)
Recital 26 a (new)
(26a) End-to-end encryption is an essential tool to guarantee the security, privacy and confidentiality of the communications between users, including those of children. Any weakening of the end-to-end encryption's effect could potentially be abused by malicious third parties. Nothing in this Regulation should therefore be interpreted as prohibiting or compromising the integrity and confidentiality of end-to-end encrypted content and communications. As compromising the integrity of end-to-end encrypted content and communications shall be understood the processing of any data, that would compromise or put at risk the integrity and confidentiality of the aforementioned end-to-end encrypted content. Nothing in this regulation shall thus be interpreted as justifying client-side scanning with side-channel leaks or other measures by which the provider of a hosting service or a provider of interpersonal communication services provide third party actors access to the end-to-end encrypted content and communications.
Amendment 651 #
Proposal for a regulation
Article 3 – paragraph 2 – point b – indent 4 a (new)
Article 3 – paragraph 2 – point b – indent 4 a (new)
- functionalities enabling age- appropriate parental controls, including with the use of AI;
Amendment 653 #
Proposal for a regulation
Article 3 – paragraph 2 – point b – indent 4 b (new)
Article 3 – paragraph 2 – point b – indent 4 b (new)
- functionalities enabling self- reporting, including with the use of AI;
Amendment 695 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
2a. The provider, where applicable, shall assess, in a separate section of its risk assessment, the voluntary use of specific technologies for the processing of personal and other data to the extent strictly necessary to detect, to report and to remove online child sexual abuse material from its services. Such voluntary use of specific technologies shall under no circumstances undermine the integrity and confidentiality of end-to-end encrypted content and communcations.
Amendment 862 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
Article 6 – paragraph 1 – point b
(b) take reasonable measures to prevent child users from accessing the software applications in relation to which they have identified a significant risk of use of the service concerned for the purpose of the solicitation of children; or where:
Amendment 864 #
Proposal for a regulation
Article 6 – paragraph 1 – point b – point i (new)
Article 6 – paragraph 1 – point b – point i (new)
i) the developer of the software application has decided and informed the software application store that its terms and conditions of use do not permit child users,
Amendment 865 #
Proposal for a regulation
Article 6 – paragraph 1 – point b – point ii (new)
Article 6 – paragraph 1 – point b – point ii (new)
ii) the software application has an appropriate age rating model in place, or
Amendment 866 #
Proposal for a regulation
Article 6 – paragraph 1 – point b – point iii (new)
Article 6 – paragraph 1 – point b – point iii (new)
iii) the developer of the software application has requested the software application store not to allow child users to download its software applications.
Amendment 875 #
Proposal for a regulation
Article 6 a (new)
Article 6 a (new)
Article6a End-to-end encrypted services Nothing in this Regulation shall be interpreted as prohibiting or compromising the integrity and confidentiality of end-to-end encrypted content and communications. As compromising the integrity of end-to-end encrypted content and communcations shall be understood the processing of any data that would compromise or put at risk the integrity and confidentiality of the content and communications in the end- to-end encryption. Nothing in this regulation shall thus be interpreted as justifying client-side scanning with side- channel leaks or other measures by which the provider of a hosting service or a provider of interpersonal communications services provides third party actors access to the end-to-end encrypted content.
Amendment 1017 #
Proposal for a regulation
Article 7 – paragraph 8 – subparagraph 1
Article 7 – paragraph 8 – subparagraph 1
The Coordinating Authority of establishment when requesting the issuance of detection orders, and the competent judicial or independent administrative authority when issuing the detection order, shall, in accordance with Article 8 of Regulation (EU) 2022/2065, target and specify it in such a manner that the negative consequences referred to in paragraph 4, first subparagraph, point (b),2 remain limited to what is strictly necessary, justifiable and proportionate to effectively address the significant risk referred to in point (a) thereof, and limit the detection order to an identifiable part or component of a service, such as a specific channel of communication or a specific group of users identified with particularity for which the significant risk has been identified. In accordance with Article 6a, no such detection order shall be interpreted as prohibiting, or compromising the integrity and confidentiality of, end-to-end encrypted content and communications.