Legal provisions of COM(2022)209 - Rules to prevent and combat child sexual abuse - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2022)209 - Rules to prevent and combat child sexual abuse. |
---|---|
document | COM(2022)209 |
date | May 11, 2022 |
CHAPTER I
GENERAL PROVISIONS
Contents
- Article 1 - Subject matter and scope
- Article 2 - Definitions
- Article 3 - Risk assessment
- Article 4 - Risk mitigation
- Article 5 - Risk reporting
- Article 6 - Obligations for software application stores
- Article 7 - Issuance of detection orders
- Article 8 - Additional rules regarding detection orders
- Article 9 - Redress, information, reporting and modification of detection orders
- Article 10 - Technologies and safeguards
- Article 11 - Guidelines regarding detection obligations
- Article 12 - Reporting obligations
- Article 13 - Specific requirements for reporting
- Section - 4
- Article 14 - Removal orders
- Article 15 - Redress and provision of information
- Section - 5
- Article 16 - Blocking orders
- Article 17 - Additional rules regarding blocking orders
- Article 18 - Redress, information and reporting of blocking orders
- Article 19 - Liability of providers
- Article 20 - Victims’ right to information
- Article 21 - Victims’ right of assistance and support for removal
- Article 22 - Preservation of information
- Article 23 - Points of contact
- Article 24 - Legal representative
- Article 25 - Coordinating Authorities for child sexual abuse issues and other competent authorities
- Article 26 - Requirements for Coordinating Authorities
- Article 27 - Investigatory powers
- Article 28 - Enforcement powers
- Article 29 - Additional enforcement powers
- Article 30 - Common provisions on investigatory and enforcement powers
- Article 31 - Searches to verify compliance
- Article 32 - Notification of known child sexual abuse material
- Article 33 - Jurisdiction
- Article 34 - Right of users of the service to lodge a complaint
- Article 36 - Identification and submission of online child sexual abuse
- Article 37 - Cross-border cooperation among Coordinating Authorities
- Article 38 - Joint investigations
- Article 39 - General cooperation and information-sharing system
- Article 40 - Establishment and scope of action of the EU Centre
- Article 41 - Legal status
- Article 42 - Seat
- Article 43 - Tasks of the EU Centre
- Article 44 - Databases of indicators
- Article 45 - Database of reports
- Article 46 - Access, accuracy and security
- Article 47 - Delegated acts relating to the databases
- Article 48 - Reporting
- Article 49 - Searches and notification
- Article 50 - Technologies, information and expertise
- Article 51 - Processing activities and data protection
- Article 52 - Contact officers
- Article 53 - Cooperation with Europol
- Article 54 - Cooperation with partner organisations
- Subsection 1 - Single Programming Document
- Subsection 2 - Presentation, implementation and control of the budget
Article 1 - Subject matter and scope
It establishes, in particular:
(a)obligations on providers of relevant information society services to minimise the risk that their services are misused for online child sexual abuse;
(b)obligations on providers of hosting services and providers of interpersonal communication services to detect and report online child sexual abuse;
(c)obligations on providers of hosting services to remove or disable access to child sexual abuse material on their services;
(d)obligations on providers of internet access services to disable access to child sexual abuse material;
(e)rules on the implementation and enforcement of this Regulation, including as regards the designation and functioning of the competent authorities of the Member States, the EU Centre on Child Sexual Abuse established in Article 40 (‘EU Centre’) and cooperation and transparency.
2. This Regulation shall apply to providers of relevant information society services offering such services in the Union, irrespective of their place of main establishment.
3. This Regulation shall not affect the rules laid down by the following legal acts:
(a)Directive 2011/93/EU on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA;
(b)Directive 2000/31/EC and Regulation (EU) …/… [on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC];
(c)Directive 2010/13/EU;
(d)Regulation (EU) 2016/679, Directive 2016/680, Regulation (EU) 2018/1725, and, subject to paragraph 4 of this Article, Directive 2002/58/EC.
4. This Regulation limits the exercise of the rights and obligations provided for in 5(1) and (3) and Article 6(1) of Directive 2002/58/EC insofar as necessary for the execution of the detection orders issued in accordance with Section 2 of Chapter 1 of this Regulation.
Article 2 - Definitions
(a)‘hosting service’ means an information society service as defined in Article 2, point (f), third indent, of Regulation (EU) …/… [on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC];
(b)‘interpersonal communications service’ means a publicly available service as defined in Article 2, point 5, of Directive (EU) 2018/1972, including services which enable direct interpersonal and interactive exchange of information merely as a minor ancillary feature that is intrinsically linked to another service;
(c)‘software application’ means a digital product or service as defined in Article 2, point 13, of Regulation (EU) …/… [on contestable and fair markets in the digital sector (Digital Markets Act)];
(d)‘software application store’ means a service as defined in Article 2, point 12, of Regulation (EU) …/… [on contestable and fair markets in the digital sector (Digital Markets Act)];
(e)‘internet access service’ means a service as defined in Article 2(2), point 2, of Regulation (EU) 2015/2120 of the European Parliament and of the Council 49 ;
(f)‘relevant information society services’ means all of the following services:
(i) a hosting service;
(ii) an interpersonal communications service;
(iii) a software applications store;
(iv) an internet access service.
(g)‘to offer services in the Union’ means to offer services in the Union as defined in Article 2, point (d), of Regulation (EU) …/… [on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC];
(h)‘user’ means any natural or legal person who uses a relevant information society service;
(i)‘child’ means any natural person below the age of 18 years;
(j)‘child user’ means a natural person who uses a relevant information society service and who is a natural person below the age of 17 years;
(k)‘micro, small or medium-sized enterprise’ means an enterprise as defined in Commission Recommendation 2003/361 concerning the definition of micro, small and medium-sized enterprises 50 ;
(l)‘child sexual abuse material’ means material constituting child pornography or pornographic performance as defined in Article 2, points (c) and (e), respectively, of Directive 2011/93/EU;
(m)‘known child sexual abuse material’ means potential child sexual abuse material detected using the indicators contained in the database of indicators referred to in Article 44(1), point (a);
(n)‘new child sexual abuse material’ means potential child sexual abuse material detected using the indicators contained in the database of indicators referred to in Article 44(1), point (b);
(o)‘solicitation of children’ means the solicitation of children for sexual purposes as referred to in Article 6 of Directive 2011/93/EU;
(p)‘online child sexual abuse’ means the online dissemination of child sexual abuse material and the solicitation of children;
(q)‘child sexual abuse offences’ means offences as defined in Articles 3 to 7 of Directive 2011/93/EU;
(r)‘recommender system’ means the system as defined in Article 2, point (o), of Regulation (EU) …/… [on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC];
(s)‘content data’ means data as defined in Article 2, point 10, of Regulation (EU) … [on European Production and Preservation Orders for electronic evidence in criminal matters (…/… e-evidence Regulation)];
(t)‘content moderation’ means the activities as defined in Article 2, point (p), of Regulation (EU) …/… [on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC];
(u)‘Coordinating Authority of establishment’ means the Coordinating Authority for child sexual abuse issues designated in accordance with Article 25 by the Member State where the provider of information society services has its main establishment or, where applicable, where its legal representative resides or is established;
(v)‘terms and conditions’ means terms and conditions as defined in Article 2, point (q), of Regulation (EU) …/… [on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC];
(w)‘main establishment’ means the head office or registered office of the provider of relevant information society services within which the principal financial functions and operational control are exercised.
CHAPTER II
OBLIGATIONS OF PROVIDERS OF RELEVANT INFORMATION SOCIETY SERVICES TO PREVENT AND COMBAT ONLINE CHILD SEXUAL ABUSE
Section 1Risk assessment and mitigation obligations
Article 3 - Risk assessment
2. When carrying out a risk assessment, the provider shall take into account, in particular:
(a)any previously identified instances of use of its services for the purpose of online child sexual abuse;
(b)the existence and implementation by the provider of a policy and the availability of functionalities to address the risk referred to in paragraph 1, including through the following:
–prohibitions and restrictions laid down in the terms and conditions;
–measures taken to enforce such prohibitions and restrictions;
–functionalities enabling age verification;
–functionalities enabling users to flag online child sexual abuse to the provider through tools that are easily accessible and age-appropriate;
(c)the manner in which users use the service and the impact thereof on that risk;
(d)the manner in which the provider designed and operates the service, including the business model, governance and relevant systems and processes, and the impact thereof on that risk;
(e)with respect to the risk of solicitation of children:
(i) the extent to which the service is used or is likely to be used by children;
(ii) where the service is used by children, the different age groups of the child users and the risk of solicitation of children in relation to those age groups;
(iii) the availability of functionalities creating or reinforcing the risk of solicitation of children, including the following functionalities:
–enabling users to search for other users and, in particular, for adult users to search for child users;
–enabling users to establish contact with other users directly, in particular through private communications;
–enabling users to share images or videos with other users, in particular through private communications.
3. The provider may request the EU Centre to perform an analysis of representative, anonymized data samples to identify potential online child sexual abuse, to support the risk assessment.
The costs incurred by the EU Centre for the performance of such an analysis shall be borne by the requesting provider. However, the EU Centre shall bear those costs where the provider is a micro, small or medium-sized enterprise, provided the request is reasonably necessary to support the risk assessment.
The Commission shall be empowered to adopt delegated acts in accordance with Article 86 in order to supplement this Regulation with the necessary detailed rules on the determination and charging of those costs and the application of the exemption for micro, small and medium-sized enterprises.
4. The provider shall carry out the first risk assessment by [Date of application of this Regulation + 3 months] or, where the provider did not offer the service in the Union by [Date of application of this Regulation], by three months from the date at which the provider started offering the service in the Union.
Subsequently, the provider shall update the risk assessment where necessary and at least once every three years from the date at which it last carried out or updated the risk assessment. However:
(a)for a service which is subject to a detection order issued in accordance with Article 7, the provider shall update the risk assessment at the latest two months before the expiry of the period of application of the detection order;
(b)the Coordinating Authority of establishment may require the provider to update the risk assessment at a reasonable earlier date than the date referred to in the second subparagraph, where there is evidence indicating a possible substantial change in the risk that the service is used for the purpose of online child sexual abuse.
5. The risk assessment shall include an assessment of any potential remaining risk that, after taking the mitigation measures pursuant to Article 4, the service is used for the purpose of online child sexual abuse.
6. The Commission, in cooperation with Coordinating Authorities and the EU Centre and after having conducted a public consultation, may issue guidelines on the application of paragraphs 1 to 5, having due regard in particular to relevant technological developments and to the manners in which the services covered by those provisions are offered and used.
Article 4 - Risk mitigation
(a)adapting, through appropriate technical and operational measures and staffing, the provider’s content moderation or recommender systems, its decision-making processes, the operation or functionalities of the service, or the content or enforcement of its terms and conditions;
(b)reinforcing the provider’s internal processes or the internal supervision of the functioning of the service;
(c)initiating or adjusting cooperation, in accordance with competition law, with other providers of hosting services or providers of interpersonal communication services, public authorities, civil society organisations or, where applicable, entities awarded the status of trusted flaggers in accordance with Article 19 of Regulation (EU) …/… [on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC] .
2. The mitigation measures shall be:
(a)effective in mitigating the identified risk;
(b)targeted and proportionate in relation to that risk, taking into account, in particular, the seriousness of the risk as well as the provider’s financial and technological capabilities and the number of users;
(c)applied in a diligent and non-discriminatory manner, having due regard, in all circumstances, to the potential consequences of the mitigation measures for the exercise of fundamental rights of all parties affected;
(d)introduced, reviewed, discontinued or expanded, as appropriate, each time the risk assessment is conducted or updated pursuant to Article 3(4), within three months from the date referred to therein.
3. Providers of interpersonal communications services that have identified, pursuant to the risk assessment conducted or updated in accordance with Article 3, a risk of use of their services for the purpose of the solicitation of children, shall take the necessary age verification and age assessment measures to reliably identify child users on their services, enabling them to take the mitigation measures.
4. Providers of hosting services and providers of interpersonal communications services shall clearly describe in their terms and conditions the mitigation measures that they have taken. That description shall not include information that may reduce the effectiveness of the mitigation measures.
5. The Commission, in cooperation with Coordinating Authorities and the EU Centre and after having conducted a public consultation, may issue guidelines on the application of paragraphs 1, 2, 3 and 4, having due regard in particular to relevant technological developments and in the manners in which the services covered by those provisions are offered and used.
Article 5 - Risk reporting
(a)the process and the results of the risk assessment conducted or updated pursuant to Article 3, including the assessment of any potential remaining risk referred to in Article 3(5);
(b)any mitigation measures taken pursuant to Article 4.
2. Within three months after receiving the report, the Coordinating Authority of establishment shall assess it and determine, on that basis and taking into account any other relevant information available to it, whether the risk assessment has been carried out or updated and the mitigation measures have been taken in accordance with the requirements of Articles 3 and 4.
3. Where necessary for that assessment, that Coordinating Authority may require further information from the provider, within a reasonable time period set by that Coordinating Authority. That time period shall not be longer than two weeks.
The time period referred to in the first subparagraph shall be suspended until that additional information is provided.
4. Without prejudice to Articles 7 and 27 to 29, where the requirements of Articles 3 and 4 have not been met, that Coordinating Authority shall require the provider to re-conduct or update the risk assessment or to introduce, review, discontinue or expand, as applicable, the mitigation measures, within a reasonable time period set by that Coordinating Authority. That time period shall not be longer than one month.
5. Providers shall, when transmitting the report to the Coordinating Authority of establishment in accordance with paragraph 1, transmit the report also to the EU Centre.
6. Providers shall, upon request, transmit the report to the providers of software application stores, insofar as necessary for the assessment referred to in Article 6(2). Where necessary, they may remove confidential information from the reports.
Article 6 - Obligations for software application stores
(a)make reasonable efforts to assess, where possible together with the providers of software applications, whether each service offered through the software applications that they intermediate presents a risk of being used for the purpose of the solicitation of children;
(b)take reasonable measures to prevent child users from accessing the software applications in relation to which they have identified a significant risk of use of the service concerned for the purpose of the solicitation of children;
(c)take the necessary age verification and age assessment measures to reliably identify child users on their services, enabling them to take the measures referred to in point (b).
2. In assessing the risk referred to in paragraph 1, the provider shall take into account all the available information, including the results of the risk assessment conducted or updated pursuant to Article 3.
3. Providers of software application stores shall make publicly available information describing the process and criteria used to assess the risk and describing the measures referred to in paragraph 1. That description shall not include information that may reduce the effectiveness of the assessment of those measures.
4. The Commission, in cooperation with Coordinating Authorities and the EU Centre and after having conducted a public consultation, may issue guidelines on the application of paragraphs 1, 2 and 3, having due regard in particular to relevant technological developments and to the manners in which the services covered by those provisions are offered and used.
Section 2Detection obligations
Article 7 - Issuance of detection orders
2. The Coordinating Authority of establishment shall, before requesting the issuance of a detection order, carry out the investigations and assessments necessary to determine whether the conditions of paragraph 4 have been met.
To that end, it may, where appropriate, require the provider to submit the necessary information, additional to the report and the further information referred to in Article 5(1) and (3), respectively, within a reasonable time period set by that Coordinating Authority, or request the EU Centre, another public authority or relevant experts or entities to provide the necessary additional information.
3. Where the Coordinating Authority of establishment takes the preliminary view that the conditions of paragraph 4 have been met, it shall:
(a)establish a draft request for the issuance of a detection order, specifying the main elements of the content of the detection order it intends to request and the reasons for requesting it;
(b)submit the draft request to the provider and the EU Centre;
(c)afford the provider an opportunity to comment on the draft request, within a reasonable time period set by that Coordinating Authority;
(d)invite the EU Centre to provide its opinion on the draft request, within a time period of four weeks from the date of receiving the draft request.
Where, having regard to the comments of the provider and the opinion of the EU Centre, that Coordinating Authority continues to be of the view that the conditions of paragraph 4 have met, it shall re-submit the draft request, adjusted where appropriate, to the provider. In that case, the provider shall do all of the following, within a reasonable time period set by that Coordinating Authority:
(a)draft an implementation plan setting out the measures it envisages taking to execute the intended detection order, including detailed information regarding the envisaged technologies and safeguards;
(b)where the draft implementation plan concerns an intended detection order concerning the solicitation of children other than the renewal of a previously issued detection order without any substantive changes, conduct a data protection impact assessment and a prior consultation procedure as referred to in Articles 35 and 36 of Regulation (EU) 2016/679, respectively, in relation to the measures set out in the implementation plan;
(c)where point (b) applies, or where the conditions of Articles 35 and 36 of Regulation (EU) 2016/679 are met, adjust the draft implementation plan, where necessary in view of the outcome of the data protection impact assessment and in order to take into account the opinion of the data protection authority provided in response to the prior consultation;
(d)submit to that Coordinating Authority the implementation plan, where applicable attaching the opinion of the competent data protection authority and specifying how the implementation plan has been adjusted in view of the outcome of the data protection impact assessment and of that opinion.
Where, having regard to the implementation plan of the provider and the opinion of the data protection authority, that Coordinating Authority continues to be of the view that the conditions of paragraph 4 have met, it shall submit the request for the issuance of the detection, adjusted where appropriate, to the competent judicial authority or independent administrative authority. It shall attach the implementation plan of the provider and the opinions of the EU Centre and the data protection authority to that request.
4. The Coordinating Authority of establishment shall request the issuance of the detection order, and the competent judicial authority or independent administrative authority shall issue the detection order where it considers that the following conditions are met:
(a)there is evidence of a significant risk of the service being used for the purpose of online child sexual abuse, within the meaning of paragraphs 5, 6 and 7, as applicable;
(b)the reasons for issuing the detection order outweigh negative consequences for the rights and legitimate interests of all parties affected, having regard in particular to the need to ensure a fair balance between the fundamental rights of those parties.
When assessing whether the conditions of the first subparagraph have been met, account shall be taken of all relevant facts and circumstances of the case at hand, in particular:
(a)the risk assessment conducted or updated and any mitigation measures taken by the provider pursuant to Articles 3 and 4, including any mitigation measures introduced, reviewed, discontinued or expanded pursuant to Article 5(4) where applicable;
(b)any additional information obtained pursuant to paragraph 2 or any other relevant information available to it, in particular regarding the use, design and operation of the service, regarding the provider’s financial and technological capabilities and size and regarding the potential consequences of the measures to be taken to execute the detection order for all other parties affected;
(c)the views and the implementation plan of the provider submitted in accordance with paragraph 3;
(d)the opinions of the EU Centre and of the data protection authority submitted in accordance with paragraph 3.
As regards the second subparagraph, point (d), where that Coordinating Authority substantially deviates from the opinion of the EU Centre, it shall inform the EU Centre and the Commission thereof, specifying the points at which it deviated and the main reasons for the deviation.
5. As regards detection orders concerning the dissemination of known child sexual abuse material, the significant risk referred to in paragraph 4, first subparagraph, point (a), shall be deemed to exist where the following conditions are met:
(a)it is likely, despite any mitigation measures that the provider may have taken or will take, that the service is used, to an appreciable extent for the dissemination of known child sexual abuse material;
(b)there is evidence of the service, or of a comparable service if the service has not yet been offered in the Union at the date of the request for the issuance of the detection order, having been used in the past 12 months and to an appreciable extent for the dissemination of known child sexual abuse material.
6. As regards detection orders concerning the dissemination of new child sexual abuse material, the significant risk referred to in paragraph 4, first subparagraph, point (a), shall be deemed to exist where the following conditions are met:
(a)it is likely that, despite any mitigation measures that the provider may have taken or will take, the service is used, to an appreciable extent, for the dissemination of new child sexual abuse material;
(b)there is evidence of the service, or of a comparable service if the service has not yet been offered in the Union at the date of the request for the issuance of the detection order, having been used in the past 12 months and to an appreciable extent, for the dissemination of new child sexual abuse material;
(c)for services other than those enabling the live transmission of pornographic performances as defined in Article 2, point (e), of Directive 2011/93/EU:
(1) a detection order concerning the dissemination of known child sexual abuse material has been issued in respect of the service;
(2) the provider submitted a significant number of reports concerning known child sexual abuse material, detected through the measures taken to execute the detection order referred to in point (1), pursuant to Article 12.
7. As regards detection orders concerning the solicitation of children, the significant risk referred to in paragraph 4, first subparagraph, point (a), shall be deemed to exist where the following conditions are met:
(a)the provider qualifies as a provider of interpersonal communication services;
(b)it is likely that, despite any mitigation measures that the provider may have taken or will take, the service is used, to an appreciable extent, for the solicitation of children;
(c)there is evidence of the service, or of a comparable service if the service has not yet been offered in the Union at the date of the request for the issuance of the detection order, having been used in the past 12 months and to an appreciable extent, for the solicitation of children.
The detection orders concerning the solicitation of children shall apply only to interpersonal communications where one of the users is a child user.
8. The Coordinating Authority of establishment when requesting the issuance of detection orders, and the competent judicial or independent administrative authority when issuing the detection order, shall target and specify it in such a manner that the negative consequences referred to in paragraph 4, first subparagraph, point (b), remain limited to what is strictly necessary to effectively address the significant risk referred to in point (a) thereof.
To that aim, they shall take into account all relevant parameters, including the availability of sufficiently reliable detection technologies in that they limit to the maximum extent possible the rate of errors regarding the detection and their suitability and effectiveness for achieving the objectives of this Regulation, as well as the impact of the measures on the rights of the users affected, and require the taking of the least intrusive measures, in accordance with Article 10, from among several equally effective measures.
In particular, they shall ensure that:
(a)where that risk is limited to an identifiable part or component of a service, the required measures are only applied in respect of that part or component;
(b)where necessary, in particular to limit such negative consequences, effective and proportionate safeguards additional to those listed in Article 10(4), (5) and (6) are provided for;
(c)subject to paragraph 9, the period of application remains limited to what is strictly necessary.
9. The competent judicial authority or independent administrative authority shall specify in the detection order the period during which it applies, indicating the start date and the end date.
The start date shall be set taking into account the time reasonably required for the provider to take the necessary measures to prepare the execution of the detection order. It shall not be earlier than three months from the date at which the provider received the detection order and not be later than 12 months from that date.
The period of application of detection orders concerning the dissemination of known or new child sexual abuse material shall not exceed 24 months and that of detection orders concerning the solicitation of children shall not exceed 12 months.
Article 8 - Additional rules regarding detection orders
(a)information regarding the measures to be taken to execute the detection order, including the indicators to be used and the safeguards to be provided for, including the reporting requirements set pursuant to Article 9(3) and, where applicable, any additional safeguards as referred to in Article 7(8);
(b)identification details of the competent judicial authority or the independent administrative authority issuing the detection order and authentication of the detection order by that judicial or independent administrative authority;
(c)the name of the provider and, where applicable, its legal representative;
(d)the specific service in respect of which the detection order is issued and, where applicable, the part or component of the service affected as referred to in Article 7(8);
(e)whether the detection order issued concerns the dissemination of known or new child sexual abuse material or the solicitation of children;
(f)the start date and the end date of the detection order;
(g)a sufficiently detailed statement of reasons explaining why the detection order is issued;
(h)a reference to this Regulation as the legal basis for the detection order;
(i)the date, time stamp and electronic signature of the judicial or independent administrative authority issuing the detection order;
(j)easily understandable information about the redress available to the addressee of the detection order, including information about redress to a court and about the time periods applicable to such redress.
2. The competent judicial authority or independent administrative authority issuing the detection order shall address it to the main establishment of the provider or, where applicable, to its legal representative designated in accordance with Article 24.
The detection order shall be transmitted to the provider’s point of contact referred to in Article 23(1), to the Coordinating Authority of establishment and to the EU Centre, through the system established in accordance with Article 39(2).
The detection order shall be drafted in the language declared by the provider pursuant to Article 23(3).
3. If the provider cannot execute the detection order because it contains manifest errors or does not contain sufficient information for its execution, the provider shall, without undue delay, request the necessary clarification to the Coordinating Authority of establishment, using the template set out in Annex II.
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 in order to amend Annexes I and II where necessary to improve the templates in view of relevant technological developments or practical experiences gained.
Article 9 - Redress, information, reporting and modification of detection orders
2. When the detection order becomes final, the competent judicial authority or independent administrative authority that issued the detection order shall, without undue delay, transmit a copy thereof to the Coordinating Authority of establishment. The Coordinating Authority of establishment shall then, without undue delay, transmit a copy thereof to all other Coordinating Authorities through the system established in accordance with Article 39(2).
For the purpose of the first subparagraph, a detection order shall become final upon the expiry of the time period for appeal where no appeal has been lodged in accordance with national law or upon confirmation of the detection order following an appeal.
3. Where the period of application of the detection order exceeds 12 months, or six months in the case of a detection order concerning the solicitation of children, the Coordinating Authority of establishment shall require the provider to report to it on the execution of the detection order at least once, halfway through the period of application.
Those reports shall include a detailed description of the measures taken to execute the detection order, including the safeguards provided, and information on the functioning in practice of those measures, in particular on their effectiveness in detecting the dissemination of known or new child sexual abuse material or the solicitation of children, as applicable, and on the consequences of those measures for the rights and legitimate interests of all parties affected.
4. In respect of the detection orders that the competent judicial authority or independent administrative authority issued at its request, the Coordinating Authority of establishment shall, where necessary and in any event following reception of the reports referred to in paragraph 3, assess whether any substantial changes to the grounds for issuing the detection orders occurred and, in particular, whether the conditions of Article 7(4) continue to be met. In that regard, it shall take account of additional mitigation measures that the provider may take to address the significant risk identified at the time of the issuance of the detection order.
That Coordinating Authority shall request to the competent judicial authority or independent administrative authority that issued the detection order the modification or revocation of such order, where necessary in the light of the outcome of that assessment. The provisions of this Section shall apply to such requests, mutatis mutandis.
Article 10 - Technologies and safeguards
2. The provider shall be entitled to acquire, install and operate, free of charge, technologies made available by the EU Centre in accordance with Article 50(1), for the sole purpose of executing the detection order. The provider shall not be required to use any specific technology, including those made available by the EU Centre, as long as the requirements set out in this Article are met. The use of the technologies made available by the EU Centre shall not affect the responsibility of the provider to comply with those requirements and for any decisions it may take in connection to or as a result of the use of the technologies.
3. The technologies shall be:
(a)effective in detecting the dissemination of known or new child sexual abuse material or the solicitation of children, as applicable;
(b)not be able to extract any other information from the relevant communications than the information strictly necessary to detect, using the indicators referred to in paragraph 1, patterns pointing to the dissemination of known or new child sexual abuse material or the solicitation of children, as applicable;
(c)in accordance with the state of the art in the industry and the least intrusive in terms of the impact on the users’ rights to private and family life, including the confidentiality of communication, and to protection of personal data;
(d)sufficiently reliable, in that they limit to the maximum extent possible the rate of errors regarding the detection.
4. The provider shall:
(a)take all the necessary measures to ensure that the technologies and indicators, as well as the processing of personal data and other data in connection thereto, are used for the sole purpose of detecting the dissemination of known or new child sexual abuse material or the solicitation of children, as applicable, insofar as strictly necessary to execute the detection orders addressed to them;
(b)establish effective internal procedures to prevent and, where necessary, detect and remedy any misuse of the technologies, indicators and personal data and other data referred to in point (a), including unauthorized access to, and unauthorised transfers of, such personal data and other data;
(c)ensure regular human oversight as necessary to ensure that the technologies operate in a sufficiently reliable manner and, where necessary, in particular when potential errors and potential solicitation of children are detected, human intervention;
(d)establish and operate an accessible, age-appropriate and user-friendly mechanism that allows users to submit to it, within a reasonable timeframe, complaints about alleged infringements of its obligations under this Section, as well as any decisions that the provider may have taken in relation to the use of the technologies, including the removal or disabling of access to material provided by users, blocking the users’ accounts or suspending or terminating the provision of the service to the users, and process such complaints in an objective, effective and timely manner;
(e)inform the Coordinating Authority, at the latest one month before the start date specified in the detection order, on the implementation of the envisaged measures set out in the implementation plan referred to in Article 7(3);
(f)regularly review the functioning of the measures referred to in points (a), (b), (c) and (d) of this paragraph and adjust them where necessary to ensure that the requirements set out therein are met, as well as document the review process and the outcomes thereof and include that information in the report referred to in Article 9(3).
5. The provider shall inform users in a clear, prominent and comprehensible way of the following:
(a)the fact that it operates technologies to detect online child sexual abuse to execute the detection order, the ways in which it operates those technologies and the impact on the confidentiality of users’ communications;
(b)the fact that it is required to report potential online child sexual abuse to the EU Centre in accordance with Article 12;
(c)the users’ right of judicial redress referred to in Article 9(1) and their rights to submit complaints to the provider through the mechanism referred to in paragraph 4, point (d) and to the Coordinating Authority in accordance with Article 34.
The provider shall not provide information to users that may reduce the effectiveness of the measures to execute the detection order.
6. Where a provider detects potential online child sexual abuse through the measures taken to execute the detection order, it shall inform the users concerned without undue delay, after Europol or the national law enforcement authority of a Member State that received the report pursuant to Article 48 has confirmed that the information to the users would not interfere with activities for the prevention, detection, investigation and prosecution of child sexual abuse offences.
Article 11 - Guidelines regarding detection obligations
Section 3
Reporting obligations
Article 12 - Reporting obligations
2. Where the provider submits a report pursuant to paragraph 1, it shall inform the user concerned, providing information on the main content of the report, on the manner in which the provider has become aware of the potential child sexual abuse concerned, on the follow-up given to the report insofar as such information is available to the provider and on the user’s possibilities of redress, including on the right to submit complaints to the Coordinating Authority in accordance with Article 34.
The provider shall inform the user concerned without undue delay, either after having received a communication from the EU Centre indicating that it considers the report to be manifestly unfounded as referred to in Article 48(2), or after the expiry of a time period of three months from the date of the report without having received a communication from the EU Centre indicating that the information is not to be provided as referred to in Article 48(6), point (a), whichever occurs first.
Where within the three months’ time period referred to in the second subparagraph the provider receives such a communication from the EU Centre indicating that the information is not to be provided, it shall inform the user concerned, without undue delay, after the expiry of the time period set out in that communication.
3. The provider shall establish and operate an accessible, age-appropriate and user-friendly mechanism that allows users to flag to the provider potential online child sexual abuse on the service.
Article 13 - Specific requirements for reporting
(a)identification details of the provider and, where applicable, its legal representative;
(b)the date, time stamp and electronic signature of the provider;
(c)all content data, including images, videos and text;
(d)all available data other than content data related to the potential online child sexual abuse;
(e)whether the potential online child sexual abuse concerns the dissemination of known or new child sexual abuse material or the solicitation of children;
(f)information concerning the geographic location related to the potential online child sexual abuse, such as the Internet Protocol address;
(g)information concerning the identity of any user involved in the potential online child sexual abuse;
(h)whether the provider has also reported, or will also report, the potential online child sexual abuse to a public authority or other entity competent to receive such reports of a third country and if so, which authority or entity;
(i)where the potential online child sexual abuse concerns the dissemination of known or new child sexual abuse material, whether the provider has removed or disabled access to the material;
(j)whether the provider considers that the report requires urgent action;
(k)a reference to this Regulation as the legal basis for reporting.
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 in order to amend Annex III to improve the template where necessary in view of relevant technological developments or practical experiences gained.
Section - 4
Removal obligations
Article 14 - Removal orders
2. The provider shall execute the removal order as soon as possible and in any event within 24 hours of receipt thereof.
3. The competent judicial authority or the independent administrative authority shall issue a removal order using the template set out in Annex IV. Removal orders shall include:
(a)identification details of the judicial or independent administrative authority issuing the removal order and authentication of the removal order by that authority;
(b)the name of the provider and, where applicable, of its legal representative;
(c)the specific service for which the removal order is issued;
(d)a sufficiently detailed statement of reasons explaining why the removal order is issued and in particular why the material constitutes child sexual abuse material;
(e)an exact uniform resource locator and, where necessary, additional information for the identification of the child sexual abuse material;
(f)where applicable, the information about non-disclosure during a specified time period, in accordance with Article 15(4), point (c);
(g)a reference to this Regulation as the legal basis for the removal order;
(h)the date, time stamp and electronic signature of the judicial or independent administrative authority issuing the removal order;
(i)easily understandable information about the redress available to the addressee of the removal order, including information about redress to a court and about the time periods applicable to such redress.
4. The judicial authority or the independent administrative issuing the removal order shall address it to the main establishment of the provider or, where applicable, to its legal representative designated in accordance with Article 24.
It shall transmit the removal order to the point of contact referred to in Article 23(1) by electronic means capable of producing a written record under conditions that allow to establish the authentication of the sender, including the accuracy of the date and the time of sending and receipt of the order, to the Coordinating Authority of establishment and to the EU Centre, through the system established in accordance with Article 39(2).
It shall draft the removal order in the language declared by the provider pursuant to Article 23(3).
5. If the provider cannot execute the removal order on grounds of force majeure or de facto impossibility not attributable to it, including for objectively justifiable technical or operational reasons, it shall, without undue delay, inform the Coordinating Authority of establishment of those grounds, using the template set out in Annex V.
The time period set out in paragraph 1 shall start to run as soon as the reasons referred to in the first subparagraph have ceased to exist.
6. If the provider cannot execute the removal order because it contains manifest errors or does not contain sufficient information for its execution, it shall, without undue delay, request the necessary clarification to the Coordinating Authority of establishment, using the template set out in Annex V.
The time period set out in paragraph 1 shall start to run as soon as the provider has received the necessary clarification.
7. The provider shall, without undue delay and using the template set out in Annex VI, inform the Coordinating Authority of establishment and the EU Centre, of the measures taken to execute the removal order, indicating, in particular, whether the provider removed the child sexual abuse material or disabled access thereto in all Member States and the date and time thereof.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 in order to amend Annexes IV, V and VI where necessary to improve the templates in view of relevant technological developments or practical experiences gained.
Article 15 - Redress and provision of information
2. When the removal order becomes final, the competent judicial authority or independent administrative authority that issued the removal order shall, without undue delay, transmit a copy thereof to the Coordinating Authority of establishment. The Coordinating Authority of establishment shall then, without undue delay, transmit a copy thereof to all other Coordinating Authorities through the system established in accordance with Article 39(2).
For the purpose of the first subparagraph, a removal order shall become final upon the expiry of the time period for appeal where no appeal has been lodged in accordance with national law or upon confirmation of the removal order following an appeal.
3. Where a provider removes or disables access to child sexual abuse material pursuant to a removal order issued in accordance with Article 14, it shall without undue delay, inform the user who provided the material of the following:
(a)the fact that it removed the material or disabled access thereto;
(b)the reasons for the removal or disabling, providing a copy of the removal order upon the user’s request;
(c)the users’ rights of judicial redress referred to in paragraph 1 and to submit complaints to the Coordinating Authority in accordance with Article 34.
4. The Coordinating Authority of establishment may request, when requesting the judicial authority or independent administrative authority issuing the removal order, and after having consulted with relevant public authorities, that the provider is not to disclose any information regarding the removal of or disabling of access to the child sexual abuse material, where and to the extent necessary to avoid interfering with activities for the prevention, detection, investigation and prosecution of child sexual abuse offences.
In such a case:
(a)the judicial authority or independent administrative authority issuing the removal order shall set the time period not longer than necessary and not exceeding six weeks, during which the provider is not to disclose such information;
(b)the obligations set out in paragraph 3 shall not apply during that time period;
(c)that judicial authority or independent administrative authority shall inform the provider of its decision, specifying the applicable time period.
That judicial authority or independent administrative authority may decide to extend the time period referred to in the second subparagraph, point (a), by a further time period of maximum six weeks, where and to the extent the non-disclosure continues to be necessary. In that case, that judicial authority or independent administrative authority shall inform the provider of its decision, specifying the applicable time period. Article 14(3) shall apply to that decision.
Section - 5
Blocking obligations
Article 16 - Blocking orders
2. The Coordinating Authority of establishment shall, before requesting the issuance of a blocking order, carry out all investigations and assessments necessary to determine whether the conditions of paragraph 4 have been met.
To that end, it shall, where appropriate:
(a)verify that, in respect of all or a representative sample of the uniform resource locators on the list referred to in paragraph 1, the conditions of Article 36(1), point (b), are met, including by carrying out checks to verify in cooperation with the EU Centre that the list is complete, accurate and up-to-date;
(b)require the provider to submit, within a reasonable time period set by that Coordinating Authority, the necessary information, in particular regarding the accessing or attempting to access by users of the child sexual abuse material indicated by the uniform resource locators, regarding the provider’s policy to address the risk of dissemination of the child sexual abuse material and regarding the provider’s financial and technological capabilities and size;
(c)request the EU Centre to provide the necessary information, in particular explanations and assurances regarding the accuracy of the uniform resource locators in indicating child sexual abuse material, regarding the quantity and nature of that material and regarding the verifications by the EU Centre and the audits referred to in Article 36(2) and Article 46(7), respectively;
(d)request any other relevant public authority or relevant experts or entities to provide the necessary information.
3. The Coordinating Authority of establishment shall, before requesting the issuance of the blocking order, inform the provider of its intention to request the issuance of the blocking order, specifying the main elements of the content of the intended blocking order and the reasons to request the blocking order. It shall afford the provider an opportunity to comment on that information, within a reasonable time period set by that Coordinating Authority.
4. The Coordinating Authority of establishment shall request the issuance of the blocking order, and the competent judicial authority or independent authority shall issue the blocking order, where it considers that the following conditions are met:
(a)there is evidence of the service having been used during the past 12 months, to an appreciable extent, for accessing or attempting to access the child sexual abuse material indicated by the uniform resource locators;
(b)the blocking order is necessary to prevent the dissemination of the child sexual abuse material to users in the Union, having regard in particular to the quantity and nature of that material, the need to protect the rights of the victims and the existence and implementation by the provider of a policy to address the risk of such dissemination;
(c)the uniform resource locators indicate, in a sufficiently reliable manner, child sexual abuse material;
(d)the reasons for issuing the blocking order outweigh negative consequences for the rights and legitimate interests of all parties affected, having regard in particular to the need to ensure a fair balance between the fundamental rights of those parties, including the exercise of the users’ freedom of expression and information and the provider’s freedom to conduct a business.
When assessing whether the conditions of the first subparagraph have been met, account shall be taken of all relevant facts and circumstances of the case at hand, including any information obtained pursuant to paragraph 2 and the views of the provider submitted in accordance with paragraph 3.
5. The Coordinating Authority of establishment when requesting the issuance of blocking orders, and the competent judicial or independent administrative authority when issuing the blocking order, shall:
(a)specify effective and proportionate limits and safeguards necessary to ensure that any negative consequences referred to in paragraph 4, point (d), remain limited to what is strictly necessary;
(b)subject to paragraph 6, ensure that the period of application remains limited to what is strictly necessary.
6. The Coordinating Authority shall specify in the blocking order the period during which it applies, indicating the start date and the end date.
The period of application of blocking orders shall not exceed five years.
7. In respect of the blocking orders that the competent judicial authority or independent administrative authority issued at its request, the Coordinating Authority shall, where necessary and at least once every year, assess whether any substantial changes to the grounds for issuing the blocking orders occurred and, in particular, whether the conditions of paragraph 4 continue to be met.
That Coordinating Authority shall request to the competent judicial authority or independent administrative authority that issued the blocking order the modification or revocation of such order, where necessary in the light of the outcome of that assessment or to take account of justified requests or the reports referred to in Article 18(5) and (6), respectively. The provisions of this Section shall apply to such requests, mutatis mutandis.
Article 17 - Additional rules regarding blocking orders
(a)the reference to the list of uniform resource locators, provided by the EU Centre, and the safeguards to be provided for, including the limits and safeguards specified pursuant to Article 16(5) and, where applicable, the reporting requirements set pursuant to Article 18(6);
(b)identification details of the competent judicial authority or the independent administrative authority issuing the blocking order and authentication of the blocking order by that authority;
(c)the name of the provider and, where applicable, its legal representative;
(d)the specific service in respect of which the detection order is issued;
(e)the start date and the end date of the blocking order;
(f)a sufficiently detailed statement of reasons explaining why the blocking order is issued;
(g)a reference to this Regulation as the legal basis for the blocking order;
(h)the date, time stamp and electronic signature of the judicial authority or the independent administrative authority issuing the blocking order;
(i)easily understandable information about the redress available to the addressee of the blocking order, including information about redress to a court and about the time periods applicable to such redress.
2. The competent judicial authority or independent administrative authority issuing the blocking order shall address it to the main establishment of the provider or, where applicable, to its legal representative designated in accordance with Article 24.
3. The blocking order shall be transmitted to the provider’s point of contact referred to in Article 23(1), to the Coordinating Authority of establishment and to the EU Centre, through the system established in accordance with Article 39(2).
4. The blocking order shall be drafted in the language declared by the provider pursuant to Article 23(3).
5. If the provider cannot execute the blocking order because it contains manifest errors or does not contain sufficient information for its execution, the provider shall, without undue delay, request the necessary clarification to the Coordinating Authority of establishment, using the template set out in Annex VIII.
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 in order to amend Annexes VII and VIII where necessary to improve the templates in view of relevant technological developments or practical experiences gained.
Article 18 - Redress, information and reporting of blocking orders
2. When the blocking order becomes final, the competent judicial authority or independent administrative authority that issued the blocking order shall, without undue delay, transmit a copy thereof to the Coordinating Authority of establishment. The Coordinating Authority of establishment shall then, without undue delay, transmit a copy thereof to all other Coordinating Authorities through the system established in accordance with Article 39(2).
For the purpose of the first subparagraph, a blocking order shall become final upon the expiry of the time period for appeal where no appeal has been lodged in accordance with national law or upon confirmation of the removal order following an appeal.
3. The provider shall establish and operate an accessible, age-appropriate and user-friendly mechanism that allows users to submit to it, within a reasonable timeframe, complaints about alleged infringements of its obligations under this Section. It shall process such complaints in an objective, effective and timely manner.
4. Where a provider prevents users from accessing the uniform resource locators pursuant to a blocking order issued in accordance with Article 17, it shall take reasonable measures to inform the users of the following:
(a)the fact that it does so pursuant to a blocking order;
(b)the reasons for doing so, providing, upon request, a copy of the blocking order;
(c)the users’ right of judicial redress referred to in paragraph 1, their rights to submit complaints to the provider through the mechanism referred to in paragraph 3 and to the Coordinating Authority in accordance with Article 34, as well as their right to submit the requests referred to in paragraph 5.
5. The provider and the users referred to in paragraph 1 shall be entitled to request the Coordinating Authority that requested the issuance of the blocking order to assess whether users are wrongly prevented from accessing a specific item of material indicated by uniform resource locators pursuant to the blocking order. The provider shall also be entitled to request modification or revocation of the blocking order, where it considers it necessary due to substantial changes to the grounds for issuing the blocking orders that occurred after the issuance thereof, in particular substantial changes preventing the provider from taking the required reasonable measures to execute the blocking order,
The Coordinating Authority shall, without undue delay, diligently assess such requests and inform the provider or the user submitting the request of the outcome thereof. Where it considers the request to be justified, it shall request modification or revocation of the blocking order in accordance with Article 16(7) and inform the EU Centre.
6. Where the period of application of the blocking order exceeds 24 months, the Coordinating Authority of establishment shall require the provider to report to it on the measures taken to execute the blocking order, including the safeguards provided for, at least once, halfway through the period of application.
Section 6
Additional provisions
Article 19 - Liability of providers
Article 20 - Victims’ right to information
That Coordinating Authority shall transmit the request to the EU Centre through the system established in accordance with Article 39(2) and shall communicate the results received from the EU Centre to the person making the request.
2. The request referred to in paragraph 1 shall indicate:
(a)the relevant item or items of known child sexual abuse material;
(b)where applicable, the individual or entity that is to receive the information on behalf of the person making the request;
(c)sufficient elements to demonstrate the identity of the person making the request.
3. The information referred to in paragraph 1 shall include:
(a)the identification of the provider that submitted the report;
(b)the date of the report;
(c)whether the EU Centre forwarded the report in accordance with Article 48(3) and, if so, to which authorities;
(d)whether the provider reported having removed or disabled access to the material, in accordance with Article 13(1), point (i).
Article 21 - Victims’ right of assistance and support for removal
2. Persons residing in the Union shall have the right to receive, upon their request, from the Coordinating Authority designated by the Member State where the person resides, support from the EU Centre when they seek to have a provider of hosting services remove or disable access to one or more specific items of known child sexual abuse material depicting them. Persons with disabilities shall have the right to ask and receive any information relating to such support in a manner accessible to them.
That Coordinating Authority shall transmit the request to the EU Centre through the system established in accordance with Article 39(2) and shall communicate the results received from the EU Centre to the person making the request.
3. The requests referred to in paragraphs 1 and 2 shall indicate the relevant item or items of child sexual abuse material.
4. The EU Centre’s support referred to in paragraph 2 shall include, as applicable:
(a)support in connection to requesting the provider’s assistance referred to in paragraph 1;
(b)verifying whether the provider removed or disabled access to that item or those items, including by conducting the searches referred to in Article 49(1);
(c)notifying the item or items of known child sexual abuse material depicting the person to the provider and requesting removal or disabling of access, in accordance with Article 49(2);
(d)where necessary, informing the Coordinating Authority of establishment of the presence of that item or those items on the service, with a view to the issuance of a removal order pursuant to Article 14.
Article 22 - Preservation of information
(a)executing a detection order issued pursuant to Article 7, or a removal order issued pursuant to Article 14;
(b)reporting potential online child sexual abuse to the EU Centre pursuant to Article 12;
(c)blocking the account of, or suspending or terminating the provision of the service to, the user concerned;
(d)handling users’ complaints to the provider or to the Coordinating Authority, or the exercise of users’ right to administrative or judicial redress, in respect of alleged infringements of this Regulation;
(e)responding to requests issued by competent law enforcement authorities and judicial authorities in accordance with the applicable law, with a view to providing them with the necessary information for the prevention, detection, investigation or prosecution of child sexual abuse offences, insofar as the content data and other data relate to a report that the provider has submitted to the EU Centre pursuant to Article 12.
As regards the first subparagraph, point (a), the provider may also preserve the information for the purpose of improving the effectiveness and accuracy of the technologies to detect online child sexual abuse for the execution of a detection order issued to it in accordance with Article 7. However, it shall not store any personal data for that purpose.
2. Providers shall preserve the information referred to in paragraph 1 for no longer than necessary for the applicable purpose and, in any event, no longer than 12 months from the date of the reporting or of the removal or disabling of access, whichever occurs first.
They shall, upon request from the competent national authority or court, preserve the information for a further specified period, set by that authority or court where and to the extent necessary for ongoing administrative or judicial redress proceedings, as referred to in paragraph 1, point (d).
Providers shall ensure that the information referred to in paragraph 1 is preserved in a secure manner and that the preservation is subject to appropriate technical and organisational safeguards. Those safeguards shall ensure, in particular, that the information can be accessed and processed only for the purpose for which it is preserved, that a high level of security is achieved and that the information is deleted upon the expiry of the applicable time periods for preservation. Providers shall regularly review those safeguards and adjust them where necessary.
Article 23 - Points of contact
2. The providers shall communicate to the EU Centre and make public the information necessary to easily identify and communicate with their single points of contact, including their names, addresses, the electronic mail addresses and telephone numbers.
3. The providers shall specify in the information referred to in paragraph 2 the official language or languages of the Union, which can be used to communicate with their points of contact.
The specified languages shall include at least one of the official languages of the Member State in which the provider has its main establishment or, where applicable, where its legal representative resides or is established.
Article 24 - Legal representative
2. The legal representative shall reside or be established in one of the Member States where the provider offers its services.
3. The provider shall mandate its legal representatives to be addressed in addition to or instead of the provider by the Coordinating Authorities, other competent authorities of the Member States and the Commission on all issues necessary for the receipt of, compliance with and enforcement of decisions issued in relation to this Regulation, including detection orders, removal orders and blocking orders.
4. The provider shall provide its legal representative with the necessary powers and resources to cooperate with the Coordinating Authorities, other competent authorities of the Member States and the Commission and comply with the decisions referred to in paragraph 3.
5. The designated legal representative may be held liable for non-compliance with obligations of the provider under this Regulation, without prejudice to the liability and legal actions that could be initiated against the provider.
6. The provider shall notify the name, address, the electronic mail address and telephone number of its legal representative designated pursuant to paragraph 1 to the Coordinating Authority in the Member State where that legal representative resides or is established, and to the EU Centre. They shall ensure that that information is up to date and publicly available.
7. The designation of a legal representative within the Union pursuant to paragraph 1 shall not amount to an establishment in the Union.
CHAPTER III
SUPERVISION, ENFORCEMENT AND COOPERATION
Section 1Coordinating Authorities for child sexual abuse issues
Article 25 - Coordinating Authorities for child sexual abuse issues and other competent authorities
2. Member States shall, by the date referred to in paragraph 1, designate one of the competent authorities as their Coordinating Authority for child sexual abuse issues (‘Coordinating Authority’).
The Coordinating Authority shall be responsible for all matters related to application and enforcement of this Regulation in the Member State concerned, unless that Member State has assigned certain specific tasks or sectors to other competent authorities.
The Coordinating Authority shall in any event be responsible for ensuring coordination at national level in respect of those matters and for contributing to the effective, efficient and consistent application and enforcement of this Regulation throughout the Union.
3. Where a Member State designates more than one competent authority in addition to the Coordinating Authority, it shall ensure that the respective tasks of those authorities and of the Coordinating Authority are clearly defined and that they cooperate closely and effectively when performing their tasks. The Member State concerned shall communicate the name of the other competent authorities as well as their respective tasks to the EU Centre and the Commission.
4. Within one week after the designation of the Coordinating Authorities and any other competent authorities pursuant to paragraph 1, Member States shall make publicly available, and communicate to the Commission and the EU Centre, the name of their Coordinating Authority. They shall keep that information updated.
5. Each Member State shall ensure that a contact point is designated or established within the Coordinating Authority’s office to handle requests for clarification, feedback and other communications in relation to all matters related to the application and enforcement of this Regulation in that Member State. Member States shall make the information on the contact point publicly available and communicate it to the EU Centre. They shall keep that information updated.
6. Within two weeks after the designation of the Coordinating Authorities pursuant to paragraph 2, the EU Centre shall set up an online register listing the Coordinating Authorities and their contact points. The EU Centre shall regularly publish any modification thereto.
7. Coordinating Authorities may, where necessary for the performance of their tasks under this Regulation, request the assistance of the EU Centre in carrying out those tasks, in particular by requesting the EU Centre to:
(a)provide certain information or technical expertise on matters covered by this Regulation;
(b)assist in assessing, in accordance with Article 5(2), the risk assessment conducted or updated or the mitigation measures taken by a provider of hosting or interpersonal communication services under the jurisdiction of the Member State that designated the requesting Coordinating Authority;
(c)verify the possible need to request competent national authorities to issue a detection order, a removal order or a blocking order in respect of a service under the jurisdiction of the Member State that designated that Coordinating Authority;
(d)verify the effectiveness of a detection order or a removal order issued upon the request of the requesting Coordinating Authority.
8. The EU Centre shall provide such assistance free of charge and in accordance with its tasks and obligations under this Regulation and insofar as its resources and priorities allow.
9. The requirements applicable to Coordinating Authorities set out in Articles 26, 27, 28, 29 and 30 shall also apply to any other competent authorities that the Member States designate pursuant to paragraph 1.
Article 26 - Requirements for Coordinating Authorities
2. When carrying out their tasks and exercising their powers in accordance with this Regulation, the Coordinating Authorities shall act with complete independence. To that aim, Member States shall ensure, in particular, that they:
(a)are legally and functionally independent from any other public authority;
(b)have a status enabling them to act objectively and impartially when carrying out their tasks under this Regulation;
(c)are free from any external influence, whether direct or indirect;
(d)neither seek nor take instructions from any other public authority or any private party;
(e)are not charged with tasks relating to the prevention or combating of child sexual abuse, other than their tasks under this Regulation.
3. Paragraph 2 shall not prevent supervision of the Coordinating Authorities in accordance with national constitutional law, to the extent that such supervision does not affect their independence as required under this Regulation.
4. The Coordinating Authorities shall ensure that relevant members of staff have the required qualifications, experience and technical skills to perform their duties.
5. The management and other staff of the Coordinating Authorities shall, in accordance with Union or national law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks. Member States shall ensure that the management and other staff are subject to rules guaranteeing that they can carry out their tasks in an objective, impartial and independent manner, in particular as regards their appointment, dismissal, remuneration and career prospects.
Section 2Powers of Coordinating Authorities
Article 27 - Investigatory powers
(a)the power to require those providers, as well as any other persons acting for purposes related to their trade, business, craft or profession that may reasonably be aware of information relating to a suspected infringement of this Regulation, to provide such information within a reasonable time period;
(b)the power to carry out on-site inspections of any premises that those providers or the other persons referred to in point (a) use for purposes related to their trade, business, craft or profession, or to request other public authorities to do so, in order to examine, seize, take or obtain copies of information relating to a suspected infringement of this Regulation in any form, irrespective of the storage medium;
(c)the power to ask any member of staff or representative of those providers or the other persons referred to in point (a) to give explanations in respect of any information relating to a suspected infringement of this Regulation and to record the answers;
(d)the power to request information, including to assess whether the measures taken to execute a detection order, removal order or blocking order comply with the requirements of this Regulation.
2. Member States may grant additional investigative powers to the Coordinating Authorities.
Article 28 - Enforcement powers
(a)the power to accept the commitments offered by those providers in relation to their compliance with this Regulation and to make those commitments binding;
(b)the power to order the cessation of infringements of this Regulation and, where appropriate, to impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end;
(c)the power to impose fines, or request a judicial authority in their Member State to do so, in accordance with Article 35 for infringements of this Regulation, including non-compliance with any of the orders issued pursuant to Article 27 and to point (b) of this paragraph;
(d)the power to impose a periodic penalty payment in accordance with Article 35 to ensure that an infringement of this Regulation is terminated in compliance with an order issued pursuant to point (b) of this paragraph or for failure to comply with any of the orders issued pursuant to Article 27 and to point (b) of this paragraph;
(e)the power to adopt interim measures to avoid the risk of serious harm.
2. Member States may grant additional enforcement powers to the Coordinating Authorities.
3. As regards paragraph 1, points (c) and (d), Coordinating Authorities shall have the enforcement powers set out in those points also in respect of the other persons referred to in Article 27, for failure to comply with any of the orders issued to them pursuant to that Article.
4. They shall only exercise those enforcement powers after having provided those other persons in good time with all relevant information relating to such orders, including the applicable time period, the fines or periodic payments that may be imposed for failure to comply and redress possibilities.
Article 29 - Additional enforcement powers
(a)all other powers pursuant to Articles 27 and 28 to bring about the cessation of an infringement of this Regulation have been exhausted;
(b)the infringement persists;
(c)the infringement causes serious harm which cannot be avoided through the exercise of other powers available under Union or national law.
2. Coordinating Authorities shall have the additional enforcement powers to take the following measures:
(a)require the management body of the providers to examine the situation within a reasonable time period and to:
(i)adopt and submit an action plan setting out the necessary measures to terminate the infringement;
(ii)ensure that the provider takes those measures;
(iii)report on the measures taken;
(b)request the competent judicial authority or independent administrative authority of the Member State that designated the Coordinating Authority to order the temporary restriction of access of users of the service concerned by the infringement or, only where that is not technically feasible, to the online interface of the provider on which the infringement takes place, where the Coordinating Authority considers that:
(i)the provider has not sufficiently complied with the requirements of point (a);
(ii)the infringement persists and causes serious harm;
(iii)the infringement results in the regular and structural facilitation of child sexual abuse offences.
3. The Coordinating Authority shall, prior to submitting the request referred to in paragraph 2, point (b), invite interested parties to submit written observations on its intention to submit that request within a reasonable time period set by that Coordinating Authority. That time period shall not be less than two weeks.
The invitation to submit written observations shall:
(a)describe the measures that it intends to request;
(b)identify the intended addressee or addressees thereof.
The provider, the intended addressee or addressees and any other third party demonstrating a legitimate interest shall be entitled to participate in the proceedings regarding the request.
4. Any measure ordered upon the request referred to in paragraph 2, point (b), shall be proportionate to the nature, gravity, recurrence and duration of the infringement, without unduly restricting access to lawful information by users of the service concerned.
The temporary restriction shall apply for a period of four weeks, subject to the possibility for the competent judicial authority, in its order, to allow the Coordinating Authority to extend that period for further periods of the same lengths, subject to a maximum number of extensions set by that judicial authority.
The Coordinating Authority shall only extend the period where it considers, having regard to the rights and legitimate interests of all parties affected by the restriction and all relevant facts and circumstances, including any information that the provider, the addressee or addressees and any other third party that demonstrated a legitimate interest may provide to it, that both of the following conditions have been met:
(a)the provider has failed to take the necessary measures to terminate the infringement;
(b)the temporary restriction does not unduly restrict access to lawful information by users of the service, having regard to the number of users affected and whether any adequate and readily accessible alternatives exist.
Where the Coordinating Authority considers that those two conditions have been met but it cannot further extend the period pursuant to the second subparagraph, it shall submit a new request to the competent judicial authority, as referred to in paragraph 2, point (b).
Article 30 - Common provisions on investigatory and enforcement powers
2. Member States shall ensure that any exercise of the investigatory and enforcement powers referred to in Articles 27, 28 and 29 is subject to adequate safeguards laid down in the applicable national law to respect the fundamental rights of all parties affected. In particular, those measures shall only be taken in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and of access to the file, and subject to the right to an effective judicial remedy of all parties affected.
Article 31 - Searches to verify compliance
Article 32 - Notification of known child sexual abuse material
The request shall clearly set out the identification details of the Coordinating Authority making the request and information on its contact point referred to in Article 25(5), the necessary information for the identification of the item or items of known child sexual abuse material concerned, as well as the reasons for the request. The request shall also clearly state that it is for the provider’s voluntary consideration.
Section 3
Other provisions on enforcement
Article 33 - Jurisdiction
2. A provider of relevant information society services which does not have an establishment in the Union shall be deemed to be under the jurisdiction of the Member State where its legal representative resides or is established.
Where a provider failed to appoint a legal representative in accordance with Article 24, all Member States shall have jurisdiction. Where a Member State decides to exercise jurisdiction under this subparagraph, it shall inform all other Member States and ensure that the principle of ne bis in idem is respected.
Article 34 - Right of users of the service to lodge a complaint
2. Coordinating Authorities shall provide child-friendly mechanisms to submit a complaint under this Article and adopt a child-sensitive approach when handling complaints submitted by children, taking due account of the child's age, maturity, views, needs and concerns.
3. The Coordinating Authority receiving the complaint shall assess the complaint and, where appropriate, transmit it to the Coordinating Authority of establishment.
Where the complaint falls under the responsibility of another competent authority of the Member State that designated the Coordinating Authority receiving the complaint, that Coordinating Authority shall transmit it to that other competent authority.
Article 35
Penalties
1. Member States shall lay down the rules on penalties applicable to infringements of the obligations pursuant to Chapters II and V of this Regulation by providers of relevant information society services under their jurisdiction and shall take all the necessary measures to ensure that they are implemented.
The penalties shall be effective, proportionate and dissuasive. Member States shall, by [Date of application of this Regulation], notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendments affecting them.
2. Member States shall ensure that the maximum amount of penalties imposed for an infringement of this Regulation shall not exceed 6 % of the annual income or global turnover of the preceding business year of the provider.
3. Penalties for the supply of incorrect, incomplete or misleading information, failure to reply or rectify incorrect, incomplete or misleading information or to submit to an on-site inspection shall not exceed 1% of the annual income or global turnover of the preceding business year of the provider or the other person referred to in Article 27.
4. Member States shall ensure that the maximum amount of a periodic penalty payment shall not exceed 5 % of the average daily global turnover of the provider or the other person referred to in Article 27 in the preceding financial year per day, calculated from the date specified in the decision concerned.
5. Member States shall ensure that, when deciding whether to impose a penalty and when determining the type and level of penalty, account is taken of all relevant circumstances, including:
(a)the nature, gravity and duration of the infringement;
(b)whether the infringement was intentional or negligent;
(c)any previous infringements by the provider or the other person;
(d)the financial strength of the provider or the other person;
(e)the level of cooperation of the provider or the other person;
(f)the nature and size of the provider or the other person, in particular whether it is a micro, small or medium-sized enterprise;
(g)the degree of fault of the provider or other person, taking into account the technical and organisational measures taken by it to comply with this Regulation.
Section 4
Cooperation
Article 36 - Identification and submission of online child sexual abuse
(a)specific items of material and transcripts of conversations that Coordinating Authorities or that the competent judicial authorities or other independent administrative authorities of a Member State have identified, after a diligent assessment, as constituting child sexual abuse material or the solicitation of children, as applicable, for the EU Centre to generate indicators in accordance with Article 44(3);
(b)exact uniform resource locators indicating specific items of material that Coordinating Authorities or that competent judicial authorities or other independent administrative authorities of a Member State have identified, after a diligent assessment, as constituting child sexual abuse material, hosted by providers of hosting services not offering services in the Union, that cannot be removed due to those providers’ refusal to remove or disable access thereto and to the lack of cooperation by the competent authorities of the third country having jurisdiction, for the EU Centre to compile the list of uniform resource locators in accordance with Article 44(3).
Member States shall take the necessary measures to ensure that the Coordinating Authorities that they designated receive, without undue delay, the material identified as child sexual abuse material, the transcripts of conversations identified as the solicitation of children, and the uniform resource locators, identified by a competent judicial authority or other independent administrative authority than the Coordinating Authority, for submission to the EU Centre in accordance with the first subparagraph.
2. Upon the request of the EU Centre where necessary to ensure that the data contained in the databases referred to in Article 44(1) are complete, accurate and up-to-date, Coordinating Authorities shall verify or provide clarifications or additional information as to whether the conditions of paragraph 1, points (a) and (b) have been and, where relevant, continue to be met, in respect of a given submission to the EU Centre in accordance with that paragraph.
3. Member States shall ensure that, where their law enforcement authorities receive a report of the dissemination of new child sexual abuse material or of the solicitation of children forwarded to them by the EU Centre in accordance with Article 48(3), a diligent assessment is conducted in accordance with paragraph 1 and, if the material or conversation is identified as constituting child sexual abuse material or as the solicitation of children, the Coordinating Authority submits the material to the EU Centre, in accordance with that paragraph, within one month from the date of reception of the report or, where the assessment is particularly complex, two months from that date.
4. They shall also ensure that, where the diligent assessment indicates that the material does not constitute child sexual abuse material or the solicitation of children, the Coordinating Authority is informed of that outcome and subsequently informs the EU Centre thereof, within the time periods specified in the first subparagraph.
Article 37 - Cross-border cooperation among Coordinating Authorities
Where the Commission has reasons to suspect that a provider of relevant information society services infringed this Regulation in a manner involving at least three Member States, it may recommend that the Coordinating Authority of establishment assess the matter and take the necessary investigatory and enforcement measures to ensure compliance with this Regulation.
2. The request or recommendation referred to in paragraph 1 shall at least indicate:
(a)the point of contact of the provider as set out in Article 23;
(b)a description of the relevant facts, the provisions of this Regulation concerned and the reasons why the Coordinating Authority that sent the request, or the Commission suspects, that the provider infringed this Regulation;
(c)any other information that the Coordinating Authority that sent the request, or the Commission, considers relevant, including, where appropriate, information gathered on its own initiative and suggestions for specific investigatory or enforcement measures to be taken.
3. The Coordinating Authority of establishment shall assess the suspected infringement, taking into utmost account the request or recommendation referred to in paragraph 1.
Where it considers that it has insufficient information to asses the suspected infringement or to act upon the request or recommendation and has reasons to consider that the Coordinating Authority that sent the request, or the Commission, could provide additional information, it may request such information. The time period laid down in paragraph 4 shall be suspended until that additional information is provided.
4. The Coordinating Authority of establishment shall, without undue delay and in any event not later than two months following receipt of the request or recommendation referred to in paragraph 1, communicate to the Coordinating Authority that sent the request, or the Commission, the outcome of its assessment of the suspected infringement, or that of any other competent authority pursuant to national law where relevant, and, where applicable, an explanation of the investigatory or enforcement measures taken or envisaged in relation thereto to ensure compliance with this Regulation.
Article 38 - Joint investigations
Such joint investigations are without prejudice to the tasks and powers of the participating Coordinating Authorities and the requirements applicable to the performance of those tasks and exercise of those powers provided for in this Regulation.
2. The participating Coordinating Authorities shall make the results of the joint investigations available to other Coordinating Authorities, the Commission and the EU Centre, through the system established in accordance with Article 39(2), for the fulfilment of their respective tasks under this Regulation.
Article 39 - General cooperation and information-sharing system
2. The EU Centre shall establish and maintain one or more reliable and secure information sharing systems supporting communications between Coordinating Authorities, the Commission, the EU Centre, other relevant Union agencies and providers of relevant information society services.
3. The Coordinating Authorities, the Commission, the EU Centre, other relevant Union agencies and providers of relevant information society services shall use the information-sharing systems referred to in paragraph 2 for all relevant communications pursuant to this Regulation.
4. The Commission shall adopt implementing acts laying down the practical and operational arrangements for the functioning of the information-sharing systems referred to in paragraph 2 and their interoperability with other relevant systems. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 87.
CHAPTER IV
EU CENTRE TO PREVENT AND COMBAT CHILD SEXUAL ABUSE
Section 1
Principles
Article 40 - Establishment and scope of action of the EU Centre
2. The EU Centre shall contribute to the achievement of the objective of this Regulation by supporting and facilitating the implementation of its provisions concerning the detection, reporting, removal or disabling of access to, and blocking of online child sexual abuse and gather and share information and expertise and facilitate cooperation between relevant public and private parties in connection to the prevention and combating of child sexual abuse, in particular online.
Article 41 - Legal status
2. In each of the Member States the EU Centre shall enjoy the most extensive legal capacity accorded to legal persons under their laws. It may, in particular, acquire and dispose of movable and immovable property and be party to legal proceedings.
3. The EU Centre shall be represented by its Executive Director.
Article 42 - Seat
Section 2
Tasks
Article 43 - Tasks of the EU Centre
(1) facilitate the risk assessment process referred to in Section 1 of Chapter II, by:
(a)supporting the Commission in the preparation of the guidelines referred to in Article 3(8), Article 4(5), Article 6(4) and Article 11, including by collecting and providing relevant information, expertise and best practices, taking into account advice from the Technology Committee referred to in Article 66;
(b)upon request from a provider of relevant information services, providing an analysis of anonymised data samples for the purpose referred to in Article 3(3);
(2) facilitate the detection process referred to in Section 2 of Chapter II, by:
(a)providing the opinions on intended detection orders referred to in Article 7(3), first subparagraph, point (d);
(b)maintaining and operating the databases of indicators referred to in Article 44;
(c)giving providers of hosting services and providers of interpersonal communications services that received a detection order access to the relevant databases of indicators in accordance with Article 46;
(d)making technologies available to providers for the execution of detection orders issued to them, in accordance with Article 50(1);
(3) facilitate the reporting process referred to in Section 3 of Chapter II, by:
(a)maintaining and operating the database of reports referred to in Article 45;
(b)assessing, processing and, where necessary, forwarding the reports and providing feedback thereon in accordance with Article 48;
(4) facilitate the removal process referred to in Section 4 of Chapter II and the other processes referred to in Section 5 and 6 of that Chapter, by:
(a)receiving the removal orders transmitted to it pursuant to Article 14(4) in order to fulfil the verification function referred to in Article 49(1);
(b)cooperating with and responding to requests of Coordinating Authorities in connection to intended blocking orders as referred to in Article 16(2);
(c)receiving and processing the blocking orders transmitted to it pursuant to Article 17(3);
(d)providing information and support to victims in accordance with Articles 20 and 21;
(e)maintaining up-to-date records of contact points and legal representatives of providers of relevant information society services as provided in accordance with Article 23(2) and Article 24(6);
(5) support the Coordinating Authorities and the Commission in the performance of their tasks under this Regulation and facilitate cooperation, coordination and communication in connection to matters covered by this Regulation, by:
(a)creating and maintaining an online register listing the Coordinating Authorities and their contact points referred to in Article 25(6);
(b)providing assistance to the Coordinating Authorities as provided for in Article 25(7);
(c)assisting the Commission, upon its request, in connection to its tasks under the cooperation mechanism referred to in Article 37;
(d)creating, maintaining and operating the information-sharing system referred to in Article 39;
(e)assisting the Commission in the preparation of the delegated and implementing acts and the guidelines that the Commission adopts under this Regulation;
(f)providing information to Coordinating Authorities, upon their request or on its own initiative, relevant for the performance of their tasks under this Regulation, including by informing the Coordinating Authority of establishment of potential infringements identified in the performance of the EU Centre’s other tasks;
(6) facilitate the generation and sharing of knowledge with other Union institutions, bodies, offices and agencies, Coordinating Authorities or other relevant authorities of the Member States to contribute to the achievement of the objective of this Regulation, by:
(a)collecting, recording, analysing and providing information, providing analysis based on anonymised and non-personal data gathering, and providing expertise on matters regarding the prevention and combating of online child sexual abuse, in accordance with Article 51;
(b)supporting the development and dissemination of research and expertise on those matters and on assistance to victims, including by serving as a hub of expertise to support evidence-based policy;
(c)drawing up the annual reports referred to in Article 84.
Article 44 - Databases of indicators
(a)indicators to detect the dissemination of child sexual abuse material previously detected and identified as constituting child sexual abuse material in accordance with Article 36(1);
(b)indicators to detect the dissemination of child sexual abuse material not previously detected and identified as constituting child sexual abuse material in accordance with Article 36(1);
(c)indicators to detect the solicitation of children.
2. The databases of indicators shall solely contain:
(a)relevant indicators, consisting of digital identifiers to be used to detect the dissemination of known or new child sexual abuse material or the solicitation of children, as applicable, on hosting services and interpersonal communications services, generated by the EU Centre in accordance with paragraph 3;
(b)as regards paragraph 1, point (a), the relevant indicators shall include a list of uniform resource locators compiled by the EU Centre in accordance with paragraph 3;
(c)the necessary additional information to facilitate the use of the indicators in accordance with this Regulation, including identifiers allowing for a distinction between images, videos and, where relevant, other types of material for the detection of the dissemination of known and new child sexual abuse material and language identifiers for the detection of solicitation of children.
3. The EU Centre shall generate the indicators referred to in paragraph 2, point (a), solely on the basis of the child sexual abuse material and the solicitation of children identified as such by the Coordinating Authorities or the courts or other independent authorities of the Member States, submitted to it by the Coordinating Authorities pursuant to Article 36(1), point (a).
The EU Centre shall compile the list of uniform resource locators referred to in paragraph 2, point (b), solely on the basis of the uniform resource locators submitted to it pursuant to Article 36(1), point (b).
4. The EU Centre shall keep records of the submissions and of the process applied to generate the indicators and compile the list referred to in the first and second subparagraphs. It shall keep those records for as long as the indicators, including the uniform resource locators, to which they correspond are contained in the databases of indicators referred to in paragraph 1.
Article 45 - Database of reports
2. The database of reports shall contain the following information:
(a)the report;
(b)where the EU Centre considered the report manifestly unfounded, the reasons and the date and time of informing the provider in accordance with Article 48(2);
(c)where the EU Centre forwarded the report in accordance with Article 48(3), the date and time of such forwarding and the name of the competent law enforcement authority or authorities to which it forwarded the report or, where applicable, information on the reasons for forwarding the report solely to Europol for further analysis;
(d)where applicable, information on the requests for and provision of additional information referred to in Article 48(5);
(e)where available, information indicating that the provider that submitted a report concerning the dissemination of known or new child sexual abuse material removed or disabled access to the material;
(f)where applicable, information on the EU Centre’s request to the Coordinating Authority of establishment to issue a removal order pursuant to Article 14 in relation to the item or items of child sexual abuse material to which the report relates;
(g)relevant indicators and ancillary tags associated with the reported potential child sexual abuse material.
Article 46 - Access, accuracy and security
2. The EU Centre shall give providers of hosting services, providers of interpersonal communications services and providers of internet access services access to the databases of indicators referred to in Article 44, where and to the extent necessary for them to execute the detection or blocking orders that they received in accordance with Articles 7 or 16. It shall take measures to ensure that such access remains limited to what is strictly necessary for the period of application of the detection or blocking orders concerned and that such access does not in any way endanger the proper operation of those databases and the accuracy and security of the data contained therein.
3. The EU Centre shall give Coordinating Authorities access to the databases of indicators referred to in Article 44 where and to the extent necessary for the performance of their tasks under this Regulation.
4. The EU Centre shall give Europol and the competent law enforcement authorities of the Member States access to the databases of indicators referred to in Article 44 where and to the extent necessary for the performance of their tasks of investigating suspected child sexual abuse offences.
5. The EU Centre shall give Europol access to the databases of reports referred to in Article 45, where and to the extent necessary for the performance of its tasks of assisting investigations of suspected child sexual abuse offences
6. The EU Centre shall provide the access referred to in paragraphs 2, 3, 4 and 5 only upon the reception of a request, specifying the purpose of the request, the modalities of the requested access, and the degree of access needed to achieve that purpose. The requests for the access referred to in paragraph 2 shall also include a reference to the detection order or the blocking order, as applicable.
The EU Centre shall diligently assess those requests and only grant access where it considers that the requested access is necessary for and proportionate to the specified purpose.
7. The EU Centre shall regularly verify that the data contained in the databases referred to in Articles 44 and 45 is, in all respects, complete, accurate and up-to-date and continues to be necessary for the purposes of reporting, detection and blocking in accordance with this Regulation, as well as facilitating and monitoring of accurate detection technologies and processes. In particular, as regards the uniform resource locators contained in the database referred to Article 44(1), point (a), the EU Centre shall, where necessary in cooperation with the Coordination Authorities, regularly verify that the conditions of Article 36(1), point (b), continue to be met. Those verifications shall include audits, where appropriate. Where necessary in view of those verifications, it shall immediately complement, adjust or delete the data.
8. The EU Centre shall ensure that the data contained in the databases referred to in Articles 44 and 45 is stored in a secure manner and that the storage is subject to appropriate technical and organisational safeguards. Those safeguards shall ensure, in particular, that the data can be accessed and processed only by duly authorised persons for the purpose for which the person is authorised and that a high level of security is achieved. The EU Centre shall regularly review those safeguards and adjust them where necessary.
Article 47 - Delegated acts relating to the databases
(a)the types, precise content, set-up and operation of the databases of indicators referred to in Article 44(1), including the indicators and the necessary additional information to be contained therein referred to in Article 44(2);
(b)the processing of the submissions by Coordinating Authorities, the generation of the indicators, the compilation of the list of uniform resource locators and the record-keeping, referred to in Article 44(3);
(c)the precise content, set-up and operation of the database of reports referred to in Article 45(1);
(d)access to the databases referred to in Articles 44 and 45, including the modalities of the access referred to in Article 46(1) to (5), the content, processing and assessment of the requests referred to in Article 46(6), procedural matters related to such requests and the necessary measures referred to in Article 46(6);
(e)the regular verifications and audits to ensure that the data contained in those databases is complete, accurate and up-to-date referred to in Article 46(7) and the security of the storage of the data, including the technical and organisational safeguards and regular review referred to in Article 46(8).
Article 48 - Reporting
2. Where the EU Centre considers that the report is manifestly unfounded, it shall inform the provider that submitted the report, specifying the reasons why it considers the report to be unfounded.
3. Where the EU Centre considers that a report is not manifestly unfounded, it shall forward the report, together with any additional relevant information available to it, to Europol and to the competent law enforcement authority or authorities of the Member State likely to have jurisdiction to investigate or prosecute the potential child sexual abuse to which the report relates.
Where that competent law enforcement authority or those competent law enforcement authorities cannot be determined with sufficient certainty, the EU Centre shall forward the report, together with any additional relevant information available to it, to Europol, for further analysis and subsequent referral by Europol to the competent law enforcement authority or authorities.
4. Where a provider that submitted the report has indicated that the report requires urgent action, the EU Centre shall assess and process that report as a matter of priority and, where it forwards the report in accordance with paragraph 3 and it considers that the report requires urgent action, shall ensure that the forwarded report is marked as such.
5. Where the report does not contain all the information required in Article 13, the EU Centre may request the provider that submitted the report to provide the missing information.
6. Where so requested by a competent law enforcement authority of a Member State in order to avoid interfering with activities for the prevention, detection, investigation and prosecution of child sexual abuse offences, the EU Centre shall:
(a)communicate to the provider that submitted the report that it is not to inform the user concerned, specifying the time period during which the provider is not to do so;
(b)where the provider that submitted the report is a provider of hosting services and the report concerns the potential dissemination of child sexual abuse material, communicate to the provider that it is not to remove or disable access to the material, specifying the time period during which the provider is not to do so.
7. The time periods referred to in the first subparagraph, points (a) and (b), shall be those specified in the competent law enforcement authority’s request to the EU Centre, provided that they remain limited to what is necessary to avoid interference with the relevant activities and does not exceed 18 months.
8. The EU Centre shall verify whether a provider of hosting services that submitted a report concerning the potential dissemination of child sexual abuse material removed or disabled access to the material, insofar as the material is publicly accessible. Where it considers that the provider did not remove or disable access to the material expeditiously, the EU Centre shall inform the Coordinating Authority of establishment thereof.
Article 49 - Searches and notification
(a)where so requested to support a victim by verifying whether the provider of hosting services removed or disabled access to one or more specific items of known child sexual abuse material depicting the victim, in accordance with Article 21(4), point (c);
(b)where so requested to assist a Coordinating Authority by verifying the possible need for the issuance of a detection order or a removal order in respect of a specific service or the effectiveness of a detection order or a removal order that the Coordinating Authority issued, in accordance with Article 25(7), points (c) and (d), respectively.
2. The EU Centre shall have the power to notify, after having conducted the searches referred to in paragraph 1, providers of hosting services of the presence of one or more specific items of known child sexual abuse material on their services and request them to remove or disable access to that item or those items, for the providers’ voluntary consideration.
The request shall clearly set out the identification details of the EU Centre and a contact point, the necessary information for the identification of the item or items, as well as the reasons for the request. The request shall also clearly state that it is for the provider’s voluntary consideration.
3. Where so requested by a competent law enforcement authority of a Member State in order to avoid interfering with activities for the prevention, detection, investigation and prosecution of child sexual abuse offences, the EU Centre shall not submit a notice, for as long as necessary to avoid such interference but no longer than 18 months.
Article 50 - Technologies, information and expertise
To that aim, the EU Centre shall compile lists of such technologies, having regard to the requirements of this Regulation and in particular those of Article 10(2).
Before including specific technologies on those lists, the EU Centre shall request the opinion of its Technology Committee and of the European Data Protection Board. The Technology Committee and the European Data Protection Board shall deliver their respective opinions within eight weeks. That period may be extended by a further six weeks where necessary, taking into account the complexity of the subject matter. The Technology Committee and the European Data Protection Board shall inform the EU Centre of any such extension within one month of receipt of the request for consultation, together with the reasons for the delay.
2. The EU Centre shall collect, record, analyse and make available relevant, objective, reliable and comparable information on matters related to the prevention and combating of child sexual abuse, in particular:
(a)information obtained in the performance of its tasks under this Regulation concerning detection, reporting, removal or disabling of access to, and blocking of online child sexual abuse;
(b)information resulting from the research, surveys and studies referred to in paragraph 3;
(c)information resulting from research or other activities conducted by Member States’ authorities, other Union institutions, bodies, offices and agencies, the competent authorities of third countries, international organisations, research centres and civil society organisations.
3. Where necessary for the performance of its tasks under this Regulation, the EU Centre shall carry out, participate in or encourage research, surveys and studies, either on its own initiative or, where appropriate and compatible with its priorities and its annual work programme, at the request of the European Parliament, the Council or the Commission.
4. The EU Centre shall provide the information referred to in paragraph 2 and the information resulting from the research, surveys and studies referred to in paragraph 3, including its analysis thereof, and its opinions on matters related to the prevention and combating of online child sexual abuse to other Union institutions, bodies, offices and agencies, Coordinating Authorities, other competent authorities and other public authorities of the Member States, either on its own initiative or at request of the relevant authority. Where appropriate, the EU Centre shall make such information publicly available.
5. The EU Centre shall develop a communication strategy and promote dialogue with civil society organisations and providers of hosting or interpersonal communication services to raise public awareness of online child sexual abuse and measures to prevent and combat such abuse.
Section 3
Processing of information
Article 51 - Processing activities and data protection
2. The EU Centre shall process personal data as strictly necessary for the purposes of:
(a)providing the opinions on intended detection orders referred to in Article 7(3);
(b)cooperating with and responding to requests of Coordinating Authorities in connection to intended blocking orders as referred to in Article 16(2);
(c)receiving and processing blocking orders transmitted to it pursuant to Article 17(3);
(d)cooperating with Coordinating Authorities in accordance with Articles 20 and 21 on tasks related to victims’ rights to information and assistance;
(e)maintaining up-to-date records of contact points and legal representatives of providers of relevant information society services as provided in accordance with Article 23(2) and Article 24(6);
(f)creating and maintaining an online register listing the Coordinating Authorities and their contact points referred to in Article 25(6);
(g)providing assistance to Coordinating Authorities in accordance with Article 25(7);
(h)assisting the Commission, upon its request, in connection to its tasks under the cooperation mechanism referred to in Article 37;
(i)create, maintain and operate the databases of indicators referred to in Article 44;
(j)create, maintain and operate the database of reports referred to in Article 45;
(k)providing and monitoring access to the databases of indicators and of reports in accordance with Article 46;
(l)performing data quality control measures in accordance with Article 46(7);
(m)assessing and processing reports of potential online child sexual abuse in accordance with Article 48;
(n)cooperating with Europol and partner organisations in accordance with Articles 53 and 54, including on tasks related to the identification of victims;
(o)generating statistics in accordance with Article 83.
3. The EU Centre shall store the personal data referred to in paragraph 2 only where and for as long as strictly necessary for the applicable purposes listed in paragraph 2.
4. It shall ensure that the personal data is stored in a secure manner and that the storage is subject to appropriate technical and organisational safeguards. Those safeguards shall ensure, in particular, that the personal data can be accessed and processed only for the purpose for which it is stored, that a high level of security is achieved and that the personal data is deleted when no longer strictly necessary for the applicable purposes. It shall regularly review those safeguards and adjust them where necessary.
Section 4
Cooperation
Article 52 - Contact officers
2. Contact officers shall assist in the exchange of information between the EU Centre and the Coordinating Authorities that designated them. Where the EU Centre receives reports submitted in accordance with Article 12 concerning the potential dissemination of new child sexual abuse material or the potential solicitation of children, the contact officers designated by the competent Member State shall facilitate the process to determine the illegality of the material or conversation, in accordance with Article 36(1).
3. The Management Board shall determine the rights and obligations of contact officers in relation to the EU Centre. Contact officers shall enjoy the privileges and immunities necessary for the performance of their tasks.
4. Where contact officers are seconded to the EU Centre, the EU Centre shall cover the costs of providing them with the necessary premises within the building and adequate support for contact officers to perform their duties. All other costs that arise in connection with the designation of contact officers and the performance of their tasks shall be borne by the Coordinating Authority that designated them.
Article 53 - Cooperation with Europol
2. Europol and the EU Centre shall provide each other with the fullest possible access to relevant information and information systems, where necessary for the performance of their respective tasks and in accordance with the acts of Union law regulating such access.
Without prejudice to the responsibilities of the Executive Director, the EU Centre shall maximise efficiency by sharing administrative functions with Europol, including functions relating to personnel management, information technology (IT) and budget implementation.
3. The terms of cooperation and working arrangements shall be laid down in a memorandum of understanding.
Article 54 - Cooperation with partner organisations
2. The EU Centre may conclude memoranda of understanding with organisations referred to in paragraph 1, laying down the terms of cooperation.
Section 5
Organisation
Article 55
Administrative and management structure
The administrative and management structure of the EU Centre shall comprise:
(a)a Management Board, which shall exercise the functions set out in Article 57;
(b)an Executive Board which shall perform the tasks set out in Article 62;
(c)an Executive Director of the EU Centre, who shall exercise the responsibilities set out in Article 64;
(d)a Technology Committee as an advisory group, which shall exercise the tasks set out in Article 66.
Part 1: Management Board
Article 56
Composition of the Management Board
1. The Management Board shall be composed of one representative from each Member State and two representatives of the Commission, all as members with voting rights.
2. The Management Board shall also include one independent expert observer designated by the European Parliament, without the right to vote.
Europol may designate a representative to attend the meetings of the Management Board as an observer on matters involving Europol, at the request of the Chairperson of the Management Board.
3. Each member of the Management Board shall have an alternate. The alternate shall represent the member in his/her absence.
4. Members of the Management Board and their alternates shall be appointed in the light of their knowledge in the field of combating child sexual abuse, taking into account relevant managerial, administrative and budgetary skills. Member States shall appoint a representative of their Coordinating Authority, within four months of [date of entry into force of this Regulation]. All parties represented in the Management Board shall make efforts to limit turnover of their representatives, in order to ensure continuity of its work. All parties shall aim to achieve a balanced representation between men and women on the Management Board.
5. The term of office for members and their alternates shall be four years. That term may be renewed.
Article 57
Functions of the Management Board
1. The Management Board shall:
(a)give the general orientations for the EU Centre's activities;
(b)contribute to facilitate the effective cooperation with and between the Coordinating Authorities;
(c)adopt rules for the prevention and management of conflicts of interest in respect of its members, as well as for the members of the Technological Committee and of any other advisory group it may establish and publish annually on its website the declaration of interests of the members of the Management Board;
(d)adopt the assessment of performance of the Executive Board referred to in Article 61(2);
(e)adopt and make public its Rules of Procedure;
(f)appoint the members of the Technology Committee, and of any other advisory group it may establish;
(g)adopt the opinions on intended detection orders referred to in Article 7(4), on the basis of a draft opinion provided by the Executive Director;
(h)adopt and regularly update the communication and dissemination plans referred to in Article 77(3) based on an analysis of needs.
Article 58
Chairperson of the Management Board
1. The Management Board shall elect a Chairperson and a Deputy Chairperson from among its members. The Chairperson and the Deputy Chairperson shall be elected by a majority of two thirds of the members of the Management Board.
The Deputy Chairperson shall automatically replace the Chairperson if he/she is prevented from attending to his/her duties.
2. The term of office of the Chairperson and the deputy Chairperson shall be four years. Their term of office may be renewed once. If, however, their membership of the Management Board ends at any time during their term of office, their term of office shall automatically expire on that date.
Article 59
Meetings of the Management Board
1. The Chairperson shall convene the meetings of the Management Board.
2. The Executive Director shall take part in the deliberations, without the right to vote.
3. The Management Board shall hold at least two ordinary meetings a year. In addition, it shall meet on the initiative of its Chairperson, at the request of the Commission, or at the request of at least one-third of its members.
4. The Management Board may invite any person whose opinion may be of interest to attend its meetings as an observer.
5. The members of the Management Board and their alternates may, subject to its rules of procedure, be assisted at the meetings by advisers or experts.
6. The EU Centre shall provide the secretariat for the Management Board.
Article 60
Voting rules of the Management Board
1. Unless provided otherwise in this Regulation, the Management Board shall take decisions by absolute majority of its members.
2. Each member shall have one vote. In the absence of a member, his/her alternate shall be entitled to exercise his/her right to vote.
3. The Executive Director shall not take part in the voting.
4. The Management Board's rules of procedure shall establish more detailed voting arrangements, in particular the circumstances in which a member may act on behalf of another member.
Part 2: Executive Board
Article 61 - Composition and appointment of the Executive Board
1. The Executive Board shall be composed of the Chairperson and the Deputy Chairperson of the Management Board, two other members appointed by the Management Board from among its members with the right to vote and two representatives of the Commission to the Management Board. The Chairperson of the Management Board shall also be the Chairperson of the Executive Board.The Executive Director shall participate in meetings of the Executive Board without the right to vote.
2. The term of office of members of the Executive Board shall be four years. In the course of the 12 months preceding the end of the four-year term of office of the Chairperson and five members of the Executive Board, the Management Board or a smaller committee selected among Management Board members including a Commission representative shall carry out an assessment of performance of the Executive Board. The assessment shall take into account an evaluation of the Executive Board members’ performance and the EU Centre’s future tasks and challenges. Based on the assessment, the Management Board may extend their term of office once.
Article 62
Tasks of the Executive Board
1. The Executive Board shall be responsible for the overall planning and the execution of the tasks conferred on the EU Centre pursuant to Article 43. The Executive Board shall adopt all the decisions of the EU Centre with the exception of the decisions that shall be taken by the Management Board in accordance with Article 57.
2. In addition, the Executive Board shall have the following tasks:
(a)adopt, by 30 November of each year, on the basis of a proposal by the Executive Director, the draft Single Programming Document, and shall transmit it for information to the European Parliament, the Council and the Commission by 31 January the following year, as well as any other updated version of the document;
(b)adopt the draft annual budget of the EU Centre and exercise other functions in respect of the EU Centre’s budget;
(c)assess and adopt a consolidated annual activity report on the EU Centre's activities, including an overview of the fulfilment of its tasks and send it, by 1 July each year, to the European Parliament, the Council, the Commission and the Court of Auditors and make the consolidated annual activity report public;
(d)adopt an anti-fraud strategy, proportionate to fraud risks taking into account the costs and benefits of the measures to be implemented, an efficiency gains and synergies strategy, a strategy for cooperation with third countries and/or international organisations, and a strategy for the organisational management and internal control systems
(e)adopt rules for the prevention and management of conflicts of interest in respect of its members;
(f)adopt its rules of procedure;
(g)exercise, with respect to the staff of the EU Centre, the powers conferred by the Staff Regulations on the Appointing Authority and by the Conditions of Employment of Other Servants on the EU Centre Empowered to Conclude a Contract of Employment 51 ("the appointing authority powers");
(h)adopt appropriate implementing rules for giving effect to the Staff Regulations and the Conditions of Employment of Other Servants in accordance with Article 110(2) of the Staff Regulations;
(i)appoint the Executive Director and remove him/her from office, in accordance with Article 65;
(j)appoint an Accounting Officer, who may be the Commission's Accounting Officer, subject to the Staff Regulations and the Conditions of Employment of other servants, who shall be totally independent in the performance of his/her duties;
(k)ensure adequate follow-up to findings and recommendations stemming from the internal or external audit reports and evaluations, as well as from investigations of the European Anti-Fraud Office (OLAF);
(l)adopt the financial rules applicable to the EU Centre;
(m)take all decisions on the establishment of the EU Centre's internal structures and, where necessary, their modification.
(n)appoint a Data Protection Officer;
(o)adopt internal guidelines further specifying the procedures for the processing of information in accordance with Article 51, after consulting the European Data Protection Supervisor;
(p)authorise the conclusion of memoranda of understanding referred to in Article 53(3) and Article 54(2).
3. With respect to the powers mentioned in paragraph 2 point (g) and (h), the Executive Board shall adopt, in accordance with Article 110(2) of the Staff Regulations, a decision based on Article 2(1) of the Staff Regulations and Article 6 of the Conditions of Employment, delegating relevant appointing authority powers to the Executive Director. The Executive Director shall be authorised to sub-delegate those powers.
4. In exceptional circumstances, the Executive Board may by way of a decision temporarily suspend the delegation of the appointing authority powers to the Executive Director and any sub-delegation by the latter and exercise them itself or delegate them to one of its members or to a staff member other than the Executive Director.
5. Where necessary because of urgency, the Executive Board may take certain provisional decisions on behalf of the Management Board, in particular on administrative management matters, including the suspension of the delegation of the appointing authority powers and budgetary matters.
Article 63
Voting rules of the Executive Board
1. The Executive Board shall take decisions by simple majority of its members. Each member of the Executive Board shall have one vote. The Chairperson shall have a casting vote in case of a tie.
2. The representatives of the Commission shall have a right to vote whenever matters pertaining to Article 62(2), points (a) to (l) and (p) are discussed and decided upon. For the purposes of taking the decisions referred to in Article 62(2), points (f) and (g), the representatives of the Commission shall have one vote each. The decisions referred to in Article 62(2), points (b) to (e), (h) to (l) and (p), may only be taken if the representatives of the Commission casts a positive vote. For the purposes of taking the decisions referred to in Article 62(2), point (a), the consent of the representatives of the Commission shall only be required on the elements of the decision not related to the annual and multi-annual working programme of the EU Centre.
The Executive Board's rules of procedure shall establish more detailed voting arrangements, in particular the circumstances in which a member may act on behalf of another member.
Part 3: Executive Director
Article 64 - Responsibilities of the Executive Director
1. The Executive Director shall manage the EU Centre. The Executive Director shall be accountable to the Management Board.2. The Executive Director shall report to the European Parliament on the performance of his/her duties when invited to do so. The Council may invite the Executive Director to report on the performance of his/her duties.
3. The Executive Director shall be the legal representative of the EU Centre.
4. The Executive Director shall be responsible for the implementation of the tasks assigned to the EU Centre by this Regulation. In particular, the Executive Director shall be responsible for:
(a)the day-to-day administration of the EU Centre;
(b)preparing decisions to be adopted by the Management Board;
(c)implementing decisions adopted by the Management Board;
(d)preparing the Single Programming Document and submitting it to the Executive Board after consulting the Commission;
(e)implementing the Single Programming Document and reporting to the Executive Board on its implementation;
(f)preparing the Consolidated Annual Activity Report (CAAR) on the EU Centre’s activities and presenting it to the Executive Board for assessment and adoption;
(g)preparing an action plan following-up conclusions of internal or external audit reports and evaluations, as well as investigations by the European Anti-Fraud Office (OLAF) and by the European Public Prosecutor’s Office (EPPO) and reporting on progress twice a year to the Commission and regularly to the Management Board and the Executive Board;
(h)protecting the financial interests of the Union by applying preventive measures against fraud, corruption and any other illegal activities, without prejudicing the investigative competence of OLAF and EPPO by effective checks and, if irregularities are detected, by recovering amounts wrongly paid and, where appropriate, by imposing effective, proportionate and dissuasive administrative, including financial penalties;
(i)preparing an anti-fraud strategy, an efficiency gains and synergies strategy, a strategy for cooperation with third countries and/or international organisations and a strategy for the organisational management and internal control systems for the EU Centre and presenting them to the Executive Board for approval;
(j)preparing draft financial rules applicable to the EU Centre;
(k)preparing the EU Centre’s draft statement of estimates of revenue and expenditure and implementing its budget;
(l)preparing and implementing an IT security strategy, ensuring appropriate risk management for all IT infrastructure, systems and services, which are developed or procured by the EU Centre as well as sufficient IT security funding.
(m)implementing the annual work programme of the EU Centre under the control of the Executive Board;
(n)drawing up a draft statement of estimates of the EU Centre’s revenue and expenditure as part of the EU Centre’s Single Programming Document and implementing the budget of the EU Centre pursuant to Article 67;
(o)preparing a draft report describing all activities of the EU Centre with a section on financial and administrative matters;
(p)fostering recruitment of appropriately skilled and experienced EU Centre staff, while ensuring gender balance.
5. Where exceptional circumstances so require, the Executive Director may decide to locate one or more staff in another Member State for the purpose of carrying out the EU Centre’s tasks in an a more efficient, effective and coherent manner. Before deciding to establish a local office, the Executive Director shall obtain the prior consent of the Commission, the Management Board and the Member State concerned. The decision shall be based on an appropriate cost-benefit analysis that demonstrates in particular the added value of such decision and specify the scope of the activities to be carried out at the local office in a manner that avoids unnecessary costs and duplication of administrative functions of the EU Centre. A headquarters agreement with the Member State(s) concerned may be concluded.
Article 65 - Executive Director
1. The Executive Director shall be engaged as a temporary agent of the EU Centre under Article 2(a) of the Conditions of Employment of Other Servants.2. The Executive Director shall be appointed by the Executive Board, from a list of candidates proposed by the Commission, following an open and transparent selection procedure.
3. For the purpose of concluding the contract with the Executive Director, the EU Centre shall be represented by the Chairperson of the Executive Board.
4. The term of office of the Executive Director shall be five years. Six months before the end of the Executive Director’s term of office, the Commission shall complete an assessment that takes into account an evaluation of the Executive Director's performance and the EU Centre's future tasks and challenges.
5. The Executive Board, acting on a proposal from the Commission that takes into account the assessment referred to in paragraph 3, may extend the term of office of the Executive Director once, for no more than five years.
6. An Executive Director whose term of office has been extended may not participate in another selection procedure for the same post at the end of the overall period.
7. The Executive Director may be dismissed only upon a decision of the Executive Board acting on a proposal from the Commission.
8. The Executive Board shall take decisions on appointment, extension of the term of office or dismissal of the Executive Director by a majority of two-thirds of its members with voting rights.
Subsection 5: Technology Committee
Article 66 - Establishment and tasks of the Technology Committee
1. The Technology Committee shall consist of technical experts appointed by the Management Board in view of their excellence and their independence, following the publication of a call for expressions of interest in the Official Journal of the European Union.2. Procedures concerning the appointment of the members of the Technology Committee and its operation shall be specified in the rules of procedure of the Management Board and shall be made public.
3. The members of the Committee shall be independent and shall act in the public interest. The list of members of the Committee shall be made public and shall be updated by the EU Centre on its website.
4. When a member no longer meets the criteria of independence, he or she shall inform the Management Board. Alternatively, the Management Board may declare, on a proposal of at least one third of its members or of the Commission, a lack of independence and revoke the person concerned. The Management Board shall appoint a new member for the remaining term of office in accordance with the procedure for ordinary members.
5. The mandates of members of the Technology Committee shall be four years. Those mandates shall be renewable once.
6. The Technology Committee shall
(a)contribute to the EU Centre’s opinions referred to in Article 7(3), first subparagraph, point (d);
(b)contribute to the EU Centre’s assistance to the Coordinating Authorities, the Management Board, the Executive Board and the Executive Director, in respect of matters related to the use of technology;
(c)provide internally, upon request, expertise on matters related to the use of technology for the purposes of prevention and detection of child sexual abuse online.
Section 6
Establishment and Structure of the Budget
Subsection 1 - Single Programming Document
Article 67
Budget establishment and implementation
1. Each year the Executive Director shall draw up a draft statement of estimates of the EU Centre’s revenue and expenditure for the following financial year, including an establishment plan, and shall send it to the Executive Board.
2. The Executive Board shall, on the basis of the draft statement of estimates, adopt a provisional draft estimate of the EU Centre’s revenue and expenditure for the following financial year and shall send it to the Commission by 31 January each year.
3. The Executive Board shall send the final draft estimate of the EU Centre’s revenue and expenditure, which shall include a draft establishment plan, to the European Parliament, the Council and the Commission by 31 March each year.
4. The Commission shall send the statement of estimates to the European Parliament and the Council, together with the draft general budget of the Union.
5. On the basis of the statement of estimates, the Commission shall enter in the draft general budget of the Union the estimates that it considers necessary for the establishment plan and the amount of the contribution to be charged to the general budget, which it shall place before the European Parliament and the Council in accordance with Articles 313 and 314 of the Treaty on the Functioning of the European Union.
6. The European Parliament and the Council shall authorise the appropriations for the contribution from the Union to the EU Centre.
7. The European Parliament and the Council shall adopt the EU Centre’s establishment plan.
8. The EU Centre’s budget shall be adopted by the Executive Board. It shall become final following the final adoption of the general budget of the Union. Where necessary, it shall be adjusted accordingly.
9. The Executive Director shall implement the EU Centre’s budget.
10. Each year the Executive Director shall send to the European Parliament and the Council all information relevant to the findings of any evaluation procedures.
Article 68
Financial rules
The financial rules applicable to the EU Centre shall be adopted by the Executive Board after consultation with the Commission. They shall not depart from Delegated Regulation (EU) 2019/715 52 unless such a departure is specifically required for the operation of the EU Centre and the Commission has given its prior consent.
1.
Subsection 2 - Presentation, implementation and control of the budget
Article 69
Budget
1. Estimates of all revenue and expenditure for the EU Centre shall be prepared each financial year, which shall correspond to the calendar year, and shall be shown in the EU Centre’s budget, which shall be balanced in terms of revenue and of expenditure.
2. Without prejudice to other resources, the EU Centre’s revenue shall comprise a contribution from the Union entered in the general budget of the Union.
3. The EU Centre may benefit from Union funding in the form of delegation agreements or ad hoc grants in accordance with its financial rules referred to in Article 68 and with the provisions of the relevant instruments supporting the policies of the Union.
4. The EU Centre’s expenditure shall include staff remuneration, administrative and infrastructure expenses, and operating costs.
5. Budgetary commitments for actions relating to large-scale projects extending over more than one financial year may be broken down into several annual instalments.
Article 70 - Presentation of accounts and discharge
1. The EU Centre’s accounting officer shall send the provisional accounts for the financial year (year N) to the Commission's accounting officer and to the Court of Auditors by 1 March of the following financial year (year N + 1).2. The EU Centre shall send a report on the budgetary and financial management for year N to the European Parliament, the Council and the Court of Auditors by 31 March of year N + 1.
3. The Commission's accounting officer shall send the EU Centre’s provisional accounts for year N, consolidated with the Commission's accounts, to the Court of Auditors by 31 March of year N + 1.
4. The Management Board shall deliver an opinion on the EU Centre’s final accounts for year N.
5. The EU Centre’s accounting officer shall, by 1 July of year N + 1, send the final accounts for year N to the European Parliament, the Council, the Commission, the Court of Auditors and national parliaments, together with the Management Board's opinion.
6. The final accounts for year N shall be published in the Official Journal of the European Union by 15 November of year N + 1.
7. The Executive Director shall send to the Court of Auditors, by 30 September of year N + 1, a reply to the observations made in its annual report. He or she shall also send the reply to the Management Board.
8. The Executive Director shall submit to the European Parliament, at the latter's request, any information required for the smooth application of the discharge procedure for year N.
9. On a recommendation from the Council acting by a qualified majority, the European Parliament shall, before 15 May of year N + 2, grant a discharge to the Executive Director in respect of the implementation of the budget for year N.
Section 7
Staff
Article 71 - General provisions
1. The Staff Regulations and the Conditions of Employment of Other Servants and the rules adopted by agreement between the institutions of the Union for giving effect thereto shall apply to the EU Centre for all matters not covered by this Regulation.2. The Executive Board, in agreement with the Commission, shall adopt the necessary implementing measures, in accordance with the arrangements provided for in Article 110 of the Staff Regulations.
3. The EU Centre staff, in particular those working in areas related to detection, reporting and removal of online child sexual abuse, shall have access to appropriate counselling and support services.
Article 72 - Seconded national experts and other staff
1. The EU Centre may make use of seconded national experts or other staff not employed by it.2. The Executive Board shall adopt rules related to staff from Member States, including the contact officers referred to in Article 52, to be seconded to the EU Centre and update them as necessary. Those rules shall include, in particular, the financial arrangements related to those secondments, including insurance and training. Those rules shall take into account the fact that the staff is seconded and to be deployed as staff of the EU Centre. They shall include provisions on the conditions of deployment. Where relevant, the Executive Board shall aim to ensure consistency with the rules applicable to reimbursement of the mission expenses of the statutory staff.
Article 73 - Privileges and immunities
Protocol No 7 on the Privileges and Immunities of the European Union annexed to the Treaty on the Functioning of the European Union shall apply to the EU Centre and its staff.Privileges and immunities of contact officers and members of their families shall be subject to an agreement between the Member State where the seat of the EU Centre is located and the other Member States. That agreement shall provide for such privileges and immunities as are necessary for the proper performance of the tasks of contact officers.
Article 74 - Obligation of professional secrecy
1. Members of the Management Board and the Executive Board, and all members of the staff of the EU Centre, including officials seconded by Member States on a temporary basis, and all other persons carrying out tasks for the EU Centre on a contractual basis, shall be subject to the requirements of professional secrecy pursuant to Article 339 of the Treaty on the Functioning of the European Union even after their duties have ceased.2. The Executive Board shall ensure that individuals who provide any service, directly or indirectly, permanently or occasionally, relating to the tasks of the EU Centre, including officials and other persons authorised by the Executive Board or appointed by the coordinating authorities for that purpose, are subject to requirements of professional secrecy equivalent to those in paragraph 1.
3. The EU Centre shall establish practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2.
4. The EU Centre shall apply Commission Decision (EU, Euratom) 2015/444 53 .
Article 75 - Security rules on the protection of classified and sensitive non-classified information
1. The EU Centre shall adopt its own security rules equivalent to the Commission’s security rules for protecting European Union Classified Information (EUCI) and sensitive non-classified information, as set out in Commission Decisions (EU, Euratom) 2015/443 54 and (EU, Euratom) 2015/444. The security rules of the EU Centre shall cover, inter alia, provisions for the exchange, processing and storage of such information. The Executive Board shall adopt the EU Centre’s security rules following approval by the Commission.2. Any administrative arrangement on the exchange of classified information with the relevant authorities of a third country or, in the absence of such arrangement, any exceptional ad-hoc release of EUCI to those authorities, shall be subject to the Commission’s prior approval.
Section 8
General provisions
Article 76 - Language arrangements
The provisions laid down in Regulation No 1 55 shall apply to the EU Centre. The translation services required for the functioning of the EU Centre shall be provided by the Translation Centre for the bodies of the European Union.Article 77 - Transparency and communication
1. Regulation (EC) No 1049/2001 56 shall apply to documents held by the EU Centre. The Management Board shall, within six months of the date of its first meeting, adopt the detailed rules for applying that Regulation.2. The processing of personal data by the EU Centre shall be subject to Regulation (EU) 2018/1725. The Management Board shall, within six months of the date of its first meeting, establish measures for the application of that Regulation by the EU Centre, including those concerning the appointment of a Data Protection Officer of the EU Centre. Those measures shall be established after consultation of the European Data Protection Supervisor.
3. The EU Centre may engage in communication activities on its own initiative within its field of competence. Communication activities shall be carried out in accordance with relevant communication and dissemination plans adopted by the Management Board.
Article 78 - Anti-fraud measures
1. In order to combat fraud, corruption and other unlawful activities, Regulation (EU, Euratom) No 883/2013 57 shall apply.2. The EU Centre shall accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament, the Council of the European Union and the Commission of the European Communities concerning internal investigations by OLAF within six months from [date of start of operations as set out in Article 82] and shall adopt the appropriate provisions applicable to its staff using the template set out in the Annex to that Agreement.
3. The European Court of Auditors shall have the power of audit, on the basis of documents and on the spot, over all grant beneficiaries, contractors and subcontractors who have received Union funds from the EU Centre.
4. OLAF may carry out investigations, including on-the-spot checks and inspections with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant or a contract funded by the EU Centre, in accordance with the provisions and procedures laid down in Regulation (EU, Euratom) No 883/2013 and Council Regulation (Euratom, EC) No 2185/96 58 .
5. Without prejudice to paragraphs 1, 2, 3, and 4, cooperation agreements with third countries and international organisations, contracts, grant agreements and grant decisions of the EU Centre shall contain provisions expressly empowering the European Court of Auditors and OLAF to conduct such audits and investigations, in accordance with their respective competences.
Article 79 - Liability
1. The EU Centre's contractual liability shall be governed by the law applicable to the contract in question.2. The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by the EU Centre.
3. In the case of non-contractual liability, the EU Centre shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by its departments or by its staff in the performance of their duties.
4. The Court of Justice of the European Union shall have jurisdiction in disputes over compensation for damages referred to in paragraph 3.
5. The personal liability of its staff towards the Centre shall be governed by the provisions laid down in the Staff Regulations or Conditions of Employment applicable to them.
Article 80 - Administrative inquiries
The activities of the EU Centre shall be subject to the inquiries of the European Ombudsman in accordance with Article 228 of the Treaty on the Functioning of the European Union.Article 81 - Headquarters Agreement and operating conditions
1. The necessary arrangements concerning the accommodation to be provided for the EU Centre in the Member State where the seat of the EU Centre is located and the facilities to be made available by that Member State, together with the specific rules applicable in that Member State to the Executive Director, members of the Executive Board, EU Centre staff and members of their families shall be laid down in a Headquarters Agreement between the EU Centre and the Member State where the seat of the EU Centre is located, concluded after obtaining the approval of the Executive Board and no later than [2 years after the entry into force of this Regulation].2. The Member State where the seat of the EU Centre is located shall provide the best possible conditions to ensure the smooth and efficient functioning of the EU Centre, including multilingual, European-oriented schooling and appropriate transport connections.
Article 82 - Start of the EU Centre's activities
1. The Commission shall be responsible for the establishment and initial operation of the EU Centre until the Executive Director has taken up his or her duties following his or her appointment by the Executive Board in accordance with Article 65(2). For that purpose:(a)the Commission may designate a Commission official to act as interim Executive Director and exercise the duties assigned to the Executive Director;
(b)by derogation from Article 62(2)(g) and until the adoption of a decision as referred to in Article 62(4), the interim Executive Director shall exercise the appointing authority power;
(c)the Commission may offer assistance to the EU Centre, in particular by seconding Commission officials to carry out the activities of the EU Centre under the responsibility of the interim Executive Director or the Executive Director;
(d)the interim Executive Director may authorise all payments covered by appropriations entered in the EU Centre's budget after approval by the Executive Board and may conclude contracts, including staff contracts, following the adoption of the EU Centre's establishment plan.
CHAPTER V
DATA COLLECTION AND TRANSPARENCY REPORTING
Article 83 - Data collection
1. Providers of hosting services, providers of interpersonal communications services and providers of internet access services shall collect data on the following topics and make that information available to the EU Centre upon request:(a)where the provider has been subject to a detection order issued in accordance with Article 7:
–the measures taken to comply with the order, including the technologies used for that purpose and the safeguards provided;
–the error rates of the technologies deployed to detect online child sexual abuse and measures taken to prevent or remedy any errors;
–in relation to complaints and cases submitted by users in connection to the measures taken to comply with the order, the number of complaints submitted directly to the provider, the number of cases brought before a judicial authority, the basis for those complaints and cases, the decisions taken in respect of those complaints and in those cases, the average time needed for taking those decisions and the number of instances where those decisions were subsequently reversed;
(b)the number of removal orders issued to the provider in accordance with Article 14 and the average time needed for removing or disabling access to the item or items of child sexual abuse material in question;
(c)the total number of items of child sexual abuse material that the provider removed or to which it disabled access, broken down by whether the items were removed or access thereto was disabled pursuant to a removal order or to a notice submitted by a Competent Authority, the EU Centre or a third party or at the provider’s own initiative;
(d)the number of blocking orders issued to the provider in accordance with Article 16;
(e)the number of instances in which the provider invoked Article 8(3), Article 14(5) or (6) or Article 17(5), together with the grounds therefor;
2. The Coordinating Authorities shall collect data on the following topics and make that information available to the EU Centre upon request:
(a)the follow-up given to reports of potential online child sexual abuse that the EU Centre forwarded in accordance with Article 48(3), specifying for each report:
–whether the report led to the launch of a criminal investigation, contributed to an ongoing investigation, led to taking any other action or led to no action;
–where the report led to the launch of a criminal investigation or contributed to an ongoing investigation, the state of play or outcome of the investigation, including whether the case was closed at pre-trial stage, whether the case led to the imposition of penalties, whether victims were identified and rescued and if so their numbers differentiating by gender and age, and whether any suspects were arrested and any perpetrators were convicted and if so their numbers;
–where the report led to any other action, the type of action, the state of play or outcome of that action and the reasons for taking it;
–where no action was taken, the reasons for not taking any action;
(b)the most important and recurrent risks of online child sexual abuse, as reported by providers of hosting services and providers of interpersonal communications services in accordance with Article 3 or identified through other information available to the Coordinating Authority;
(c)a list of the providers of hosting services and providers of interpersonal communications services to which the Coordinating Authority addressed a detection order in accordance with Article 7;
(d)the number of detection orders issued in accordance with Article 7, broken down by provider and by type of online child sexual abuse, and the number of instances in which the provider invoked Article 8(3);
(e)a list of providers of hosting services to which the Coordinating Authority issued a removal order in accordance with Article 14;
(f)the number of removal orders issued in accordance with Article 14, broken down by provider, the time needed to remove or disable access to the item or items of child sexual abuse material concerned, and the number of instances in which the provider invoked Article 14(5) and (6);
(g)the number of blocking orders issued in accordance with Article 16, broken down by provider, and the number of instances in which the provider invoked Article 17(5);
(h)a list of relevant information society services to which the Coordinating Authority addressed a decision taken pursuant to Articles 27, 28 or 29, the type of decision taken, and the reasons for taking it;
(i)the instances in which the opinion of the EU Centre pursuant to Article 7(4)(d) substantially deviated from the opinion of the Coordinating Authority, specifying the points at which it deviated and the main reasons for the deviation.
3. The EU Centre shall collect data and generate statistics on the detection, reporting, removal of or disabling of access to online child sexual abuse under this Regulation. The data shall be in particular on the following topics:
(a)the number of indicators in the databases of indicators referred to in Article 44 and the development of that number as compared to previous years;
(b)the number of submissions of child sexual abuse material and solicitation of children referred to in Article 36(1), broken down by Member State that designated the submitting Coordinating Authorities, and, in the case of child sexual abuse material, the number of indicators generated on the basis thereof and the number of uniform resource locators included in the list of uniform resource locators in accordance with Article 44(3);
(c)the total number of reports submitted to the EU Centre in accordance with Article 12, broken down by provider of hosting services and provider of interpersonal communications services that submitted the report and by Member State the competent authority of which the EU Centre forwarded the reports to in accordance with Article 48(3);
(d)the online child sexual abuse to which the reports relate, including the number of items of potential known and new child sexual abuse material and instances of potential solicitation of children, the Member State the competent authority of which the EU Centre forwarded the reports to in accordance with Article 48(3), and type of relevant information society service that the reporting provider offers;
(e)the number of reports that the EU Centre considered manifestly unfounded, as referred to in Article 48(2);
(f)the number of reports relating to potential new child sexual abuse material and solicitation of children that were assessed as not constituting child sexual abuse material of which the EU Centre was informed pursuant to Article 36(3), broken down by Member State;
(g)the results of the searches in accordance with Article 49(1), including the number of images, videos and URLs by Member State where the material is hosted;
(h)where the same item of potential child sexual abuse material was reported more than once to the EU Centre in accordance with Article 12 or detected more than once through the searches in accordance with Article 49(1), the number of times that that item was reported or detected in that manner.
(i)the number of notices and number of providers of hosting services notified by the EU Centre pursuant to Article 49(2);
(j)number of victims of online child sexual abuse assisted by the EU Centre pursuant to Article 21(2), and the number of these victims that requested to receive such assistance in a manner accessible to them due to disabilities.
4. The providers of hosting services, providers of interpersonal communications services and providers of internet access services, the Coordinating Authorities and the EU Centre shall ensure that the data referred to in paragraphs 1, 2 and 3, respectively, is stored no longer than is necessary for the transparency reporting referred to in Article 84. The data stored shall not contain any personal data.
5. They shall ensure that the data is stored in a secure manner and that the storage is subject to appropriate technical and organisational safeguards. Those safeguards shall ensure, in particular, that the data can be accessed and processed only for the purpose for which it is stored, that a high level of security is achieved and that the information is deleted when no longer necessary for that purpose. They shall regularly review those safeguards and adjust them where necessary.
Article 84 - Transparency reporting
1. Each provider of relevant information society services shall draw up an annual report on its activities under this Regulation. That report shall compile the information referred to in Article 83(1). The providers shall, by 31 January of every year subsequent to the year to which the report relates, make the report available to the public and communicate it to the Coordinating Authority of establishment, the Commission and the EU Centre.2. Each Coordinating Authority shall draw up an annual report on its activities under this Regulation. That report shall compile the information referred to in Article 83(2). It shall, by 31 March of every year subsequent to the year to which the report relates, make the report available to the public and communicate it to the Commission and the EU Centre.
3. Where a Member State has designated several competent authorities pursuant to Article 25, it shall ensure that the Coordinating Authority draws up a single report covering the activities of all competent authorities under this Regulation and that the Coordinating Authority receives all relevant information and support needed to that effect from the other competent authorities concerned.
4. The EU Centre, working in close cooperation with the Coordinating Authorities, shall draw up an annual report on its activities under this Regulation. That report shall also compile and analyse the information contained in the reports referred to in paragraphs 2 and 3. The EU Centre shall, by 30 June of every year subsequent to the year to which the report relates, make the report available to the public and communicate it to the Commission.
5. The annual transparency reports referred to in paragraphs 1, 2 and 3 shall not include any information that may prejudice ongoing activities for the assistance to victims or the prevention, detection, investigation or prosecution of child sexual abuse offences. They shall also not contain any personal data.
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 in order to supplement this Regulation with the necessary templates and detailed rules concerning the form, precise content and other details of the reports and the reporting process pursuant to paragraphs 1, 2 and 3.
CHAPTER VI
FINAL PROVISIONS
Article 85 - Evaluation
1. By [five years after the entry into force of this Regulation], and every five years thereafter, the Commission shall evaluate this Regulation and submit a report on its application to the European Parliament and the Council.2. By [five years after the entry into force of this Regulation], and every five years thereafter, the Commission shall ensure that an evaluation in accordance with Commission guidelines of the EU Centre’s performance in relation to its objectives, mandate, tasks and governance and location is carried out. The evaluation shall, in particular, address the possible need to modify the tasks of the EU Centre, and the financial implications of any such modification.
3. On the occasion of every second evaluation referred to in paragraph 2, the results achieved by the EU Centre shall be assessed, having regard to its objectives and tasks, including an assessment of whether the continuation of the EU Centre is still justified with regard to those objectives and tasks.
4. The Commission shall report to the European Parliament and the Council the findings of the evaluation referred to in paragraph 3. The findings of the evaluation shall be made public.
5. For the purpose of carrying out the evaluations referred to in paragraphs 1, 2 and 3, the Coordinating Authorities and Member States and the EU Centre shall provide information to the Commission at its request.
6. In carrying out the evaluations referred to in paragraphs 1, 2 and 3, the Commission shall take into account the relevant evidence at its disposal.
7. Where appropriate, the reports referred to in paragraphs 1 and 4 shall be accompanied by legislative proposals.
Article 86 - Exercise of the delegation
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.2. The power to adopt delegated acts referred to in Articles 3, 8, 13, 14, 17, 47 and 84 shall be conferred on the Commission for an indeterminate period of time from [date of adoption of the Regulation].
3. The delegation of power referred to in Articles 3, 8, 13, 14, 17, 47 and 84 may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day after the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
6. A delegated act adopted pursuant to Articles 3, 8, 13, 14, 17, 47 and 84 shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.
Article 87 - Committee procedure
1. For the purposes of the adoption of the implementing acts referred to in Article 39(4), the Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.2. Where reference is made to this paragraph, Article 4 of Regulation (EU) No 182/2011 shall apply.
Article 88 - Repeal
Regulation (EU) 2021/1232 is repealed from [date of application of this Regulation].Article 89 - Entry into force and application
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.It shall apply from 6 months after its entry into force.
This Regulation shall be binding in its entirety and directly applicable in all Member States.