This week, European Justice and Home Affairs Council ministers met to discuss the legislative proposal targeting online child sexual abuse material. The commission proposed a regulation in May 2022 to prevent and combat child sexual abuse, under which a new EU center would be set up to support authorities acting on reports of CSAM and grooming, and to collect and share expertise and best practices in prevention and victim support. The law would make it mandatory for internet companies to alert authorities about online child sexual abuse on their platforms.

The proposal epitomizes the long-held debate over balancing fundamental rights — including the right to privacy — with ensuring law enforcement agencies can meet obligations in an ever-evolving and sophisticated threat landscape. It led to intense exchanges last summer between stakeholders, including the European Data Protection Supervisor, European Data Protection Board and European Commissioner for Home Affairs Ylva Johansson.

The clock is ticking on the proposal. The current voluntary detection scheme applicable to online service providers expires in August 2024. Failing to approve the legislation by then would create a legal loophole that could only increase the scope of an issue at an already dramatic scale.

During the ministers' meeting, Johansson explained 10-20% of children experience some level of sexual violence online.

"Eighty percent of police investigations in Europe start with a report from internet companies. Detection is really important. Without these reports, police will be blind," she said.

It is estimated that more than 5 million videos, grooming attempts and pictures were sent in the EU last year alone.

Despite these striking statistics and advanced negotiations, member states still appeared divided on the approach to take. Some, like Bulgaria and Ireland, called for the council to be ambitious while recognizing the vital need to agree on the proposal before the end of this legislative term. Others like Cyprus, Denmark and Finland support the Spanish presidency's proposed compromise, some under the condition the regulation will include a robust review clause. Johansson is set to appear before the Committee on Civil Liberties, Justice and Home Affairs next week to discuss the proposal.

Elsewhere:

• On 10 July, the EU adopted its adequacy decision for the EU-U.S. Data Privacy Framework, setting the clock for a three-month transitional period that ended 10 Oct. During that period, Privacy Shield participants could convert to the Data Privacy Framework by updating their privacy policy to reflect compliance and transfer under the EU adequacy decision. This week, the official DPF website showed 2,506 active organizations listed as leveraging the EU-U.S. DPF.
• The agenda for the U.K. AI Safety Summit is now online. Since announcing the event, the U.K. government has been somewhat at pains to explain its ambitions for what was seen as yet another artificial intelligence summit. In Brussels earlier this month, the U.K. prime minister's representative for the Summit Matt Clifford explained its objective is to increase shared global knowledge about risks and extreme harm caused by the (mis)use of frontier AI.
  "The Summit is not a policy summit and not a governance summit," Clifford said.
  What type of harm does the U.K. have in mind? The nasty stuff — AI that makes it easier to create bioweapons, offensive cyber weapons, national security adjacent risks (e.g. in the chemical space), and risk of loss of control.