Notes from the IAPP Europe: Children's protection, simplification and GDPR developments

The EU saw several major digital policy developments, including advancements in protecting children online, EU legislative simplification, EDPB consistency tools, and more.

Contributors:
Laura Pliauškaitė
European Operations Coordinator
IAPP
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
In June, several significant developments took place in Europe's digital landscape. Earlier this week, the European Parliament and Council found common ground on the proposal to update the directive on combating the sexual abuse and sexual exploitation of children and child sexual abuse material.
With the increased presence of minors online and the rapid evolution of digital technologies, child sexual abuse offenses online have grown not only in number, but also in complexity. Hence, an update to these rules was needed to bring the protection of children in line with today's technological developments. Among other revisions, the co-legislators provisionally agreed to criminalize new offenses, such as accessing live streams of abuse and developing or distributing artificial intelligence that generates child sexual abuse material.
There has been another recent advancement in this area. The Digital Omnibus on AI, which is finishing its journey through the EU's legislative process, also addresses the issue of AI-generated child sexual abuse material. Among several changes, it adds to the EU AI Act a ban on "AI nudifier" systems that generate child sexual abuse material or non-consensual sexualized imagery. The file, approved by Parliament 16 June, is awaiting final adoption by the Council and publication in the Official Journal of the EU before it is integrated into the EU AI Act. The ban on nudifier AI will become applicable 2 Dec.
Protection of minors online is not a new topic, and advancements in this field do not seem to be slowing down. Starting with Australia in 2025, the global move to ban social media for kids is apparent despite ongoing discussion on whether this is the most effective solution. The U.K. has just joined the worldwide trend to restrict children's access to social media, as its government announced plans to introduce a ban for minors under 16.
The Special Panel on child safety online addressed social media's effect on minors during its third and final meeting 16 June. The panel began its activities in March and comprises experts in the field. Its discussions involved youth representatives and specialists from various fields, focusing not only on the risks but also the benefits of kids' online presence. On 13 July, the panel will present recommendations to European Commission President Ursula von der Leyen on how to further improve child safety online in Europe.
When it comes to the EU's simplification initiatives in the digital field, it is not only the Digital Omnibus on AI that is nearing its conclusion. On 9 June, EU co-legislators reached a provisional agreement on the Omnibus IV legislative package, which includes a proposal to amend the exemption for keeping a record of processing activities that currently applies to small and medium-sized enterprises.
The proposed amendment would extend this exemption to small mid-cap enterprises, a new category of companies introduced by another proposal in this legislative package. As Parliament and the Council agreed, these are enterprises with fewer than 1,000 employees, rather than the initial threshold of under 750 set by the European Commission.
Another change concerns the limitation to this exemption: the obligation to maintain records when processing activities are likely to result in a risk to the rights and freedoms of data subjects. The threshold is now amended to processing that is likely to result in a high risk.
There has been another EU General Data Protection Regulation-related development in June. Ireland's High Court concluded that Ireland's Data Protection Commission was right in finding TikTok's data transfers to China in violation of the GDPR's Chapter V on international transfers. The court implemented a fine of 530 million euros. However, its corrective measures, namely the suspension of TikTok's data transfers to China, were annulled.
The court explained that the DPC's reasoning on why TikTok's protective measures to prevent data reidentification were not adequate was insufficient and, therefore, sent the issue to be reconsidered by the DPC. It remains to be seen whether this will bring more clarity on what kind of protective measures could qualify as sufficient when transferring personal data to third countries.
In June, the European Data Protection Board issued two tools to improve consistency when it comes to the GDPR. One is a template that aims to facilitate data breach reporting and accelerate the DPC's case assessment process. The other tool is expected to improve consistency when it comes to GDPR enforcement across the EU. It is a form that "enables stakeholders to report alleged divergences between national positions, as well as between national positions and those of the EDPB."
As the month of June is coming to an end, the Cyprus Presidency of the Council of the European Union is also wrapping up. Before Cyprus passes the baton to Ireland 1 July, it is expected to formally adopt the Digital Omnibus on AI and try to reach a negotiating mandate on the other Digital Omnibus proposal.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.



