Think again Signor Buttarelli and friends

Most people with an interest in the field will now know the Article 29 Working Party no longer exists. It has been replaced by the European Data Protection Supervisory Board (EDPB). The EDPB is an independent body made up of representatives of the national data protection authorities (DPAs) each of which, in turn, is an independent body (or should be) within its own jurisdiction.

The EDPB is meant to be a vehicle which facilitates co-operation and collaboration between DPAs with a view to promoting greater consistency between jurisdictions that are anyway supposed to be applying the same rules and regulations.  At the moment the Chair of the EDPB is Andrea Jellinek of the Austrian DPA.

The Board’s secretariat is provided by the European Data Protection Supervisor (EDPS)Signor Giovanni  Buttarelli. Buttarelli is also the Commission’s principal official with responsibility for ensuring, inter alia, EU institutions observe their own data privacy laws.  In addition he is the principal source of advice to  all EU institutions on privacy policy and can appear in the Court of Justice  of the European Union to provide expert advice on how to interpret the EU’s privacy laws.

He’s a big shot

You get the picture? If the world of privacy in the EU was a pyramid Buttarelli would be sitting on the pointiest part. A prince among princes, or perhaps the High Priest of a newly emerging priestly class would be a more apt metaphor.

But he is child-blind

Eleven days ago Buttarelli posted a blog. It addresses the draft ePrivacy Regulation that is currently chugging its way through EU institutions.  Buttarelli is clearly losing patience with the political shenanigans that he thinks are delaying and therefore jeopardising his carefully crafted text. I will return to that blog in a moment but first let me list a few words that do not appear in the blog at any point: child, children, youth and young.

Déjà vu all over again

The way the GDPR evolved and was passed into law very visibly demonstrated how little the privacy community understood or had troubled to engage with the position of children as internet users or data subjects. Yet for all the tears that were shed and ink that was spilt before and since the GDPR was adopted, for all the howls of protest, not least coming out of the UK where, via the Kidron Amendment, the GDPR was expressly adapted to make it more child-oriented, Signor Buttarelli remains distant. In his expansive blog he does not even trouble to refer to minors.

But  in his blog he did say this by way of a general comment

… is unfair and economically unsustainable to expect controllers providing electronic communications services to be subject to a patchwork of (nationally based) data rules….

Hear hear

Why does any of this matter to children?

One of the things the draft ePrivacy Regulation appears to do is make it unlawful for companies to use or continue using tools such as PhotoDNA to locate child sex abuse material. This is a necessary precursor to securing its deletion, reporting it to the police and thereby commencing a search for the victim depicted.

How do I know this? Because I asked a lawyer who was involved in the drafting. She acknowledged the draft did outlaw PhotoDNA and similar tools because she countered that it was open to any Member State to derogate from that part of the Regulation.

Derogation  inevitably leads to a

patchwork of nationally based data rules

Further comment is almost superfluous but, for the avoidance of doubt, if it is

unfair and economically unsustainable

for companies to be made the subject of a patchwork I can tell Signor Buttarelli in this case it is definitely not good for children either.

Last Friday’s meeting

I understand that at a key meeting last Friday Commission officials defended their draft arguing that Recital 26 met any concerns people might have about the use of PhotoDNA or similar tools.

First of all a Recital is not the law and secondly, see above.  This takes us into patchwork territory. Cui bono? Not children.

Seemingly Commission officials also referred to an EU Directive of 2011.  This is the Directive on  combating the sexual abuse  and sexual exploitation of children and child pornography (sic). That is a mystery. There is nothing anywhere in that Directive which addresses the deployment of tools such as PhotoDNA, certainly there is nothing which mandates or permits their use.

There is, however, Article, 25 (1) which obliges every Member State to establish mechanisms to facilitate the removal of “web pages”  (?) containing or disseminating child pornography (sic). 25 (1) permits no variation. No patchwork. This is the Article which is the legal basis for hotlines. Every EU Member State has at least one.

In his own words

Buttarelli’s blog opens with this passage

A swarm of misinformation and misunderstanding surrounds the case for revising our rules on the confidentiality of electronic communications, otherwise known as ePrivacy. 

The answer, therefore, is clear. Signor Buttarelli should write another blog explaining how nothing in his proposed ePrivacy Regulation will prevent businesses from deploying tools such as PhotoDNA, neither will it permit any patchwork of laws governing their use. In short he should explain how it will make things better for children or at least not make them any worse.