Why EU CSAM scanning talks face new transparency pressure

The EU ombudsman has again questioned how much the European Commission has withheld about its work on a CSAM-scanning proposal. The dispute centers on documents tied to private technology companies, legal advice, impact assessment drafts and the decision-making process behind a law that remains under negotiation.

WTF Index TERMINATOR
◄ Terminator 3 Idiocracy 0 ►

A proposed mandate to scan private messages raises clear surveillance and control concerns, though the story focuses mainly on transparency rather than new AI capability.

Why EU CSAM scanning talks face new transparency pressure

The European Commission is facing renewed pressure to open up its files on a disputed CSAM-scanning proposal that could require scanning European Union citizens’ private messages to detect child sexual abuse material.

The latest scrutiny comes from the EU’s ombudsman, Emily O’Reilly, who has again found preliminary maladministration in the Commission’s handling of an access-to-documents request. The issue is not only whether the policy is controversial, but whether the public has been given enough information about how it was shaped.

What the Ombudsman Is Challenging

The preliminary finding was reached on Friday and made public on the ombudsman’s website yesterday. It follows a similar conclusion back in January, when the ombudsman invited the Commission to respond to concerns about its handling of the request.

The complaint has been under review since December. It was brought by a journalist seeking access to documents related to the CSAM regulation and the EU’s “associated decision-making process”.

The Commission released some information after the public access request. But it withheld 28 documents entirely and partially redacted five more.

The reasons given for keeping information back covered several exemptions, including:

  • public interest as regards public security;
  • the need to protect personal data;
  • the need to protect commercial interests;
  • the need to protect legal advice;
  • the need to protect its decision-making.

After reviewing what was withheld and the Commission’s defence for non-disclosure, the ombudsman remained unconvinced that the level of transparency was sufficient.

Why Tech Industry Contacts Matter

A central concern is the Commission’s correspondence with private technology companies and other stakeholders. Some of the withheld information relates to exchanges with companies that could be potential suppliers of CSAM-scanning technology.

That matters because those companies could gain commercially from any pan-EU law that mandates message scanning. The source article notes that concerns have been raised about tech industry lobbying influencing the Commission’s drafting of the proposal.

According to information released by the ombudsman, five documents linked to the complaint concern “exchanges with interest representatives from the technology industry”. The companies involved were not listed in that information.

The source also notes that U.S.-based Thorn, a maker of AI-based child safety tech, was linked to lobbying on the file in an investigative report by BalkanInsights last September.

The ombudsman questioned several Commission arguments for withholding information about contacts with tech companies. In one case, the Commission redacted details of information exchanged between law enforcement and unnamed companies. The ombudsman accepted that redacting the substance of those exchanges may be justified on public security grounds, but questioned why the company names also had to be withheld.

“It is not readily clear how disclosure of the names of the companies concerned could possibly undermine public security, if the information exchanged between the companies and law enforcement has been redacted,” wrote the ombudsman.

The Wider Policy Fight

The CSAM-scanning legislation remains on the table with EU co-legislators. That is happening despite serious warnings and opposition across parts of the EU system.

The Council’s own legal service has warned that the proposed approach is unlawful. The European Data Protection Supervisor and civil society groups have also warned that the proposal represents a tipping point for democratic rights in the EU.

In October, lawmakers in the European Parliament who oppose the Commission’s direction proposed a substantially revised draft. Their version aimed to limit the scope of scanning.

But the next major step is still with the Council. Member States’ governments have yet to settle on their own negotiating position for the file.

The Commission, meanwhile, has continued to stand behind the controversial CSAM detection orders. Critics warn that the law could force platforms to deploy client-side scanning, with serious implications for European web users’ privacy and security.

What Documents Are Still in Dispute

The withheld or redacted bundle is not limited to industry correspondence. It also includes drafts of the Commission’s impact assessment prepared while the legislation was being developed, along with comments from its legal service.

The ombudsman also challenged the Commission over what appeared to be selective disclosure of input from technology industry representatives. In one instance, the ombudsman said it was unclear why some “preliminary options” were treated as more sensitive than others that had already been disclosed to the complainant.

“From the very general reasons for non-disclosure the Commission provided in its confirmatory decision, it is not clear why it considered the withheld ‘preliminary options’ to be more sensitive than those that it had decided to disclose to the complainant.”

That point goes to the heart of the transparency dispute. The question is not simply whether the Commission can protect some sensitive material. It is whether it has explained, document by document and category by category, why public access should be limited for a policy with major implications for private communications.

What Happens Next

The ombudsman’s current conclusion repeats the earlier finding of maladministration over the Commission’s refusal to give “wide public access” to the 33 documents.

O’Reilly recommended that the Commission revisit its position on the access request. In her recommendation, she wrote: “The European Commission shou ld re-consider its position on the access request with a view to providing significantly increased access, taking into account the Ombudsman’s considerations shared in this recommendation.”

The Commission has been invited to respond with a “detailed opinion” by July 26. That means the transparency dispute is still open, even as the underlying CSAM-scanning proposal continues through the EU legislative process.

The Commission was contacted about the ombudsman’s latest findings on the complaint, but at press time it had not provided a response.