The European Commission has again been called on to more fully disclose its dealings with private technology companies and other stakeholders, in relation to a controversial piece of technology policy that could see a law force the scanning of private messages of European Union citizens in a bid to identify child sexual abuse material (CSAM).
The issue is notable as concerns have been raised about lobbying from the tech industry influencing the Commission’s drafting of the controversial CSAM scanning proposal. Some of the withheld information relates to correspondence between the EU and private companies that could be potential suppliers of CSAM scanning technology — meaning they stand to benefit commercially from any EU-wide law mandating message scanning.
The preliminary finding of maladministration by EU Ombudsman Emily O’Reilly was concluded on Friday and was made public in Website yesterday. In January, the Ombudsman reached a similar conclusion — calling on the Commission to respond to her concerns. Its latest findings affect the EU executive’s responses and call on the Commission to respond to its recommendations with a “detailed opinion” by July 26 — so the saga is far from over.
Draft legislation on CSAM scanning, meanwhile, remains on the table with EU co-legislators — despite a warning from the Council’s legal service that the proposed approach is illegal. The European Data Protection Supervisor and civil society groups have also warned that the proposal represents a turning point for democratic rights in the EU. While, in October, lawmakers in the European Parliament who are also opposed to the Commission’s direction of travel proposed an essentially revised plan that aims to set limits on the scope of scanning. However, the ball is in the Council’s court, as member state governments have yet to reach their own negotiating position on the file.
Despite growing alarm and opposition in some EU institutions, the Commission continued to stand behind the controversial CSAM detection mandates — ignoring warnings from critics that the law could force platforms to deploy client-side scanning , with dire implications for European web users’ privacy and security.
The continued lack of transparency over the EU executive’s decision-making process when it drafted the controversial legislation hardly helps — fueling concerns that some vested commercial interests may have played a role in shaping the original proposal.
Since December, the EU Ombudsman has been looking into a complaint from a journalist seeking access to documents about the CSAM regulation and the EU’s “relevant decision-making process”.
After examining the information withheld by the Commission, along with its defense of non-disclosure, the Ombudsman remains largely unimpressed with the level of transparency on display.
The Commission released some data after the journalist’s request for public access, but withheld 28 documents in their entirety and, in the case of another five, partially redacted the information — citing a range of exceptions to the refusal to disclose, including the public interest in public security. the need to protect personal data; the need to protect commercial interests; the need to protect legal advice; and the need to protect its decision-making.
According to information released by the Ombudsman, five of the documents linked to the complaint relate to “exchanges with lobbyists from the technology industry”. It did not list which companies corresponded with the Commission, but US-based Thorn, a maker of artificial intelligence-based child safety technology, was linked to lobbying on the dossier in an investigative report by BalkanInsights last September.
Other documents in the package that were either withheld or redacted by the Commission include drafts of its impact assessment when preparing the legislation. and comments from his legal department.
When it comes to information about EU correspondence with tech companies, the ombudsman questions many of the Commission’s justifications for withholding the data — noting, for example, in the case of one of these documents that while the EU’s decision to delete details about information exchanged between law enforcement and certain unnamed companies may be warranted for public safety reasons. There is no clear reason to hide the names of the companies themselves.
“It is not readily clear how disclosing the names of the companies involved could potentially undermine public safety if the information exchanged between the companies and law enforcement authorities is redacted,” the ombudsman wrote.
In another instance, the Ombudsman questions the Commission’s apparently selective releases of information about data from representatives of the technology industry, writing that: “From the very broad reasons for non-disclosure provided by the Commission in its confirmation decision, it is not clear why it considered the withheld “preliminaries” to be more sensitive than those he had decided to disclose to the complainant.”
The Ombudsman’s conclusion on this point of the inquiry reiterates his previous finding of maladministration at the Commission for refusing to provide “broad public access” to the 33 documents. In her recommendation, O’Reilly also writes: “The European Commission should review its position on the access request with a view to providing significantly increased access, taking into account the views of the Ombudsman who share this recommendation.”
He contacted the Commission about the Ombudsman’s latest findings on the complaint, but had not responded at press time.