Το αρχικό κείμενο στα Ελληνικά εδώ.
To:
Minister of Justice and Public Order, Mr. Marios Hartsiotis
Deputy Minister of Research, Innovation and Digital Policy, Mr. Nikodimos Damianou
Commissioner for Personal Data Protection, Ms. Maria Manoli Christofidou
Commissioner for the Regulation of Electronic Communications and Postal Services, Mr. Giorgos Michaelides
Commissioner for the Protection of the Rights of the Child, Ms. Elena Perikleous
Members of the European Parliament of the Republic of Cyprus
Cc:
Permanent Representation of the Republic of Cyprus to the European Union
European Data Protection Board
and the wider Cypriot and European public
Summary
With this letter, we set out our position on Cypriot Government stance regarding the Proposed “Regulation laying down rules to prevent and combat child sexual abuse (COM(2022) 209 final, 11/05/2022)” and its current trajectory in the Council of the European Union.
Below we summarise our key requests. The full and documented analysis, together with specific recommendations to the competent authorities, follows in the main body of the letter.
We call on the Republic of Cyprus to:
- Withdraw its support for the CSAR / “ChatControl” proposal in its current form, which remains legally and technically problematic.
- State explicitly that it will not support any mechanism that weakens end-to-end encryption (such as client-side scanning or backdoors).
- Launch immediately a public, open consultation with the participation of experts, institutions, and civil society before forming a final position.
The recent amendments to the proposal (2024–2025) do not remedy the fundamental legal and technical issues. Generalised or compelled scanning of private communications remains disproportionate and incompatible with fundamental rights, as explicitly stated by the European Data Protection Board and the European Data Protection Supervisor (EDPB/EDPS, Joint Opinion 04/2022). The genuine protection of children requires strengthening prevention, early intervention, education, victim support, and international cooperation, not mass-surveillance technologies.
1. Towards mature decisions for the effective protection of children
The undersigned organisations, researchers, and citizens of Cyprus wish to contribute constructively to the public debate on the proposed “Regulation laying down rules to prevent and combat child sexual abuse (COM(2022) 209 final, 11/05/2022”, known as the Child Sexual Abuse Regulation (CSAR) or “ChatControl”.
Protecting children is a top priority for any democratic society. To be effective, however, policy must be evidence-based, proportionate, and democratically legitimate, and must not put the fundamental rights of all citizens at risk. As noted in the chapter “Privacy and protection – two sides of the same coin” in the Council of Europe’s Digital Citizenship Education Handbook: “Privacy, data protection and security are intricately linked to rights, freedom and responsibility, and should be introduced to children from their very first steps on the internet”. Genuine child protection requires education, understanding, the strengthening of existing structures, and responsible public policy, not technological measures of mass surveillance that erode rights and public trust.
2. Risks of a rushed and technically incomplete decision
Since 2022, the CSAR proposal has undergone a number of changes, yet the fundamental concerns raised by experts and data-protection authorities remain unresolved. As more than 780 experts explain, including Professor Ilias Athanasopoulos in the Security Research area of the Department of Computer Science at the University of Cyprus, the current form of CSAR is immature and technically incomplete, failing to account for real technical impacts and the issues of governance and democratic accountability it entails. The proposal would oblige online service providers to read and filter users’ private messages, photos, and videos at scale, even in apps using end-to-end encryption. This approach, known as client-side scanning, has been described by many experts and institutions as technically and legally problematic (Scientists’ Open Letter on Client-Side Scanning, 8 October 2025). Client-side scanning mechanisms cannot be implemented without undermining encryption, while provisions on transparency, independent oversight, and judicial review remain inadequate.
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), in their Joint Opinion 04/2022, explicitly state that generalised, indiscriminate scanning of communications “cannot be considered proportionate” and constitutes a form of mass surveillance. Several Member States, such as Germany, Austria, and the Netherlands, have already indicated that they will not approve the proposal in its present form, citing constitutional concerns and the protection of fundamental rights.
Moreover, a body of studies shows that imposing technological surveillance mechanisms without fully understanding their social and technical consequences leads to institutional instability, legal gaps, and a loss of public trust (for example Abelson et al. 2015; Veen and Boeke 2020; Bieber et al. 2019; Khoury and Hallé 2022). Historically, mass surveillance of telecommunications, under the pretext of enhancing security, has proven counterproductive. Rather than strengthening citizens’ trust in authorities, it undermines the democratic legitimacy of institutions, breeds suspicion, and intensifies mistrust towards power centers that adopt such practices. The 2013 revelations by Edward Snowden about NSA mass surveillance, as well as subsequent investigations and disclosures such as done by WikiLeaks, clearly demonstrated that such policies do not meaningfully enhance security. On the contrary, they threaten fundamental democratic principles and the right to privacy. The Republic of Cyprus, and by extension the European Union, should not adopt practices that violate the confidentiality of citizens’ communications, reminiscent of surveillance mechanisms of authoritarian regimes in the past. Instead, they must consistently protect the rights, freedoms, and trust that underpin a democratic society.
3. Cyprus’s position and the importance of proper process
The proposal is currently under consideration in the Council of the European Union, where each Member State, including Cyprus, forms its own position. For a concise analysis of the proposal’s progress and the disagreements that have arisen at European level, see European Digital Rights (EDRi, 2025), “Chat Control: What is actually going on?”
In contrast to countries such as Germany, Austria, and the Netherlands, which have highlighted the proposal’s technical and institutional shortcomings and are conducting systematic public consultations, Cyprus appears to be proceeding without adequate public dialogue. The problem is not the lack of capacity to develop an evidence-based position, but the disconnect between policymakers and the community of experts (engineers, lawyers, researchers and others) and organisations that can contribute scientifically. This reflects a democratic communication gap and a lack of a healthy public sphere around digital policy in Cyprus.
Although public statements, such as that of the Deputy Minister of Research, Innovation and Digital Policy (Damianou, 2025), underline the importance of protecting minors online, it does not appear that Cyprus’s position on the CSAR proposal has been formed through consultation or an evidence-based analysis of its consequences. The absence of transparent debate makes it imperative for the Government to take a clear stance grounded in scientific and institutional evidence. An exception was the briefing session organised by the Cyprus Free/Libre Open Source Software (ELLAK) community (Briefing Session on ChatControl (CSAR) – 11 September 2025), which examined technical and legal arguments in favor of a more balanced approach, and formed the basis for this Open Letter.
The undersigned are at your disposal for any clarification, to provide additional material, and to put you in direct contact with leading Cypriot and international experts in the field.
4. A constructive call for dialogue and a responsible stance
In a spirit of cooperation and respect for institutions, we call for a transparent, and substantive dialogue on the CSAR proposal. We believe that Cyprus should not, at this stage, support the proposal in the Council of the European Union, as such a stance would be premature and would not reflect the level of knowledge and reflection of Cypriot scientists and researchers in the field of technology policy.
The most responsible stance, an indication of political maturity and respect for democratic process, is to refrain from a positive vote until it is ensured that Cyprus’s position has been formed through meaningful consultation with its scientific and technological bodies, as well as with independent rights-protection institutions.
We call on the Government of Cyprus to:
- Recognise the deficit of public dialogue and the importance of linking policy with scientific knowledge before forming a position.
- Acknowledge the serious consequences and potential risks to telecommunications security from the practices included in the proposed CSAR, which amount to a blatant violation of the privacy of electronic communications.
- Reaffirm that the protection of children cannot be achieved at the expense of the fundamental rights of all, including children themselves.
- Leverage the expertise of the Commissioner for Personal Data Protection and independent experts.
- Rely on the EDPB/EDPS Joint Opinion (04/2022) and on independent scientific evidence to form a position aligned with European principles of data protection and democratic accountability.
- Invite the newly appointed Commissioner for the Protection of the Rights of the Child to participate actively in the public debate, guided by the best interests of the child and compatibility with fundamental rights.
- State explicitly that undermining the security of electronic communications (via backdoors or equivalent techniques) is inconsistent with democratic principles and will not be supported.
Specific recommendations to the competent authorities
The discussion on the CSAR proposal requires clear public positions and coordinated action. We therefore ask that:
The Ministry of Justice and Public Order publishes Cyprus’s position in the Council negotiations and that it ensures that any future stance is based on consultation with scientific and technical bodies.
The Deputy Ministry of Research, Innovation and Digital Policy organises an open public consultation with the participation of experts, academia, technology professionals, and citizens.
The Commissioner for Personal Data Protection publicly confirms and explains the EDPB/EDPS (04/2022) position in the Cypriot context, providing documented guidance to the competent ministries and MPs.
The Commissioner for the Protection of the Rights of the Child participates actively in the public debate, highlighting that protecting children from sexual abuse requires strengthening and rationalising existing preventive, educational, and social mechanisms rather than hastily adopting technological solutions that have not been fully assessed for their social, technological, institutional, and ethical implications. We look forward to a public statement in favor of prioritising prevention, early intervention, education, psychosocial support, and effective reporting mechanisms before any technical measure that could weaken encryption, privacy, and the security of communications.
Regarding the upcoming Cypriot Presidency of the Council of the EU
Given the role Cyprus will assume in shaping the European agenda, we consider it crucial to commit that the CSAR proposal will not be brought back to the negotiating table during the Cypriot Presidency unless and until its compatibility with fundamental rights and communications security is ensured.
Cyprus’s Presidency should serve as a forum for responsible dialogue, enhanced transparency, and strengthened European cooperation for the protection of children and democracy, not a vehicle for imposing technical solutions that jeopardise public trust.
We emphasise the importance of the active participation of the technical community, researchers, and universities in the public debate. Cooperation among government, science, and civil society is a necessary condition for shaping policy that serves the public interest and the values of a democratic Europe.
Signatures
This letter remains open for co-signing.
Chrystalleni Loizidou, Regional Representative, Next Generation Internet Zero, Brno University of Technology
Marios Isaakidis, 101.CY, Cyprus University of Technology
Grigoris Andreou, greg.cy
Kyriakos Prokopi, Researcher and Cybersecurity Consultant, Roswell
Nils Grotnes, Senior System Adminstrator
Bethune, Jörn
Marios Vasileiou, CTO
Panis Pieri, Ιδρυτής του Panis.News
Μάριος Κωνσταντινίδης
Costas Costa, Cyprus University of Technology
Ζωή Χριστοφή
Demetris Tziambazis
Θεόδοτος Ανδρέου, digital rights activist, system administrator, EL/LAK Cyprus
Shukhrat Khannanov
Thomas witt
Christina Zavou
Αλέξης Χατζηβασιλείου
Stelios Michaelides
Andrew Petro
Γιώργος Ανδρέου
Galina Kovalchuk
Nikolas Pafitis
Marios Zantis
Aigul Abunagimova
Νόνη Νικολάου
Bastonopoulou Anna
Σωφρόνης Ξενοφώντος
– Last updated 17/10/2025 17:30
Contact for additional signatures and information:
https://ellak.org.cy & https://matrix.to/#/#ellakcy:matrix.org
References
Bastian, P. (1996). Constitutional considerations of the escrowed encryption standard. Communication Law and Policy, 1(1), 43–63. https://doi.org/10.1080/10811689609368596
CSA Scientist Open Letter on Client-Side Scanning. (2025, September 9). Retrieved from https://csa-scientist-open-letter.org/Sep2025 (PDF) csa-scientist-open-letter.org
CSAR / Chat Control FAQ – Client-side Scanning. (n.d.). Retrieved from https://csa-scientist-open-letter.org/FAQ (PDF) csa-scientist-open-letter.org
Damianou, N. [@NicDamianou]. (2025, October 4). Today at the @CypForum 2025, I joined a fireside discussion with @flavioarzarello @Meta, on the future of #digital policy, #AI and the role of #technology in democratic societies… [Post]. X (formerly Twitter). https://x.com/NicDamianou/status/1973700761113493546
EDPB & EDPS. (2022, July). Joint Opinion 04/2022 on the proposal for a Regulation on preventing and combating child sexual abuse (CSAM). Retrieved from https://www.edpb.europa.eu/system/files/2022-07/edpb_edps_jointopinion_202204_csam_en_0.pdf
EDRi. (2025, September). Chat Control: What is actually going on? Retrieved from https://edri.org/our-work/chat-control-what-is-actually-going-on/
European Commission. (2022, May 11). Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse (COM(2022) 209 final). Brussels. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022PC0209
European Commission / European Parliament (2022). Briefing: CSA Regulation / Chat Control. Retrieved from https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/738224/EPRS_BRI%282022%29738224_EN.pdf
European Parliamentary Research Service, & Negreiro, M. (2024). Briefing: EU Legislation in Progress—Combating child sexual abuse online. https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/738224/EPRS_BRI%282022%29738224_EN.pdf
Examining data privacy through the lens of government regulations. (2023, June). In Advances in Information Security, Privacy, and Ethics (pp. 80–94). https://doi.org/10.4018/978-1-6684-9018-1.ch003
Hewitt, C. (2019, July). Secure (against cyberattackers) backdoors for universal intelligent systems. SSRN. https://doi.org/10.2139/ssrn.3425957
Khoury, R., & Hallé, S. (2022, December). Are backdoor mandates ethical? — A position paper. IEEE Technology and Society Magazine, 41, 63–70. https://doi.org/10.1109/MTS.2022.3217699
Ludvigsen, K. R., Nagaraja, S., & Daly, A. (2022). YASM (Yet Another Surveillance Mechanism). arXiv. https://doi.org/10.48550/arXiv.2205.14601
Malviya, V., & Aslekar, A. (2022, January). Cyber laws and modern surveillance: Public protection or privacy violation. Nucleation and Atmospheric Aerosols. https://doi.org/10.1063/5.0110609
Sales, M. J. (2023, March). Cyber security, artificial intelligence, data protection & big data and security. Open Science Framework (OSF). https://doi.org/10.31219/osf.io/s9qkg
Comments are closed