**Legal Landscape for AI-Assisted Child-Safety Triage Systems (Sweden/EU, 2026)**

Pedalgo operates exclusively as a **triage/prioritization tool**. All outputs are risk signals for trained human reviewers. No automated enforcement, blocking, or public attribution occurs. Lawful escalation follows NCMEC CyberTipline, Swedish Police (via Polisen or Barnombudsmannen channels), IWF, or DSA trusted flagger routes only.

### GDPR
- **Children’s data (Art. 8)**: Processing of data relating to minors requires heightened transparency and, where consent is the basis, verifiable parental consent mechanisms. Legitimate-interest assessments must explicitly weigh the child’s best interests.
- **Article 22 (automated decision-making)**: Profiling that produces legal or similarly significant effects is prohibited without explicit consent or a Member-State derogation. Triage scores must therefore remain advisory; final decisions rest with human reviewers.
- **Data Protection Impact Assessment (DPIA)**: Mandatory under Art. 35 for large-scale processing of special-category or children’s data and for systematic monitoring. A DPIA must cover model logic, data flows, retention, and residual risks to children.
- **Data minimisation & storage limitation**: Raw platform data must be deleted or irreversibly anonymised once the triage window closes unless a specific report is escalated.

### Digital Services Act (DSA)
- **Trusted flagger status** (Art. 22): Accredited organisations receive priority processing. An AI triage system may generate internal priority flags but cannot itself act as a trusted flagger; human-reviewed reports are submitted through accredited channels.
- **Risk assessment & mitigation** (Art. 34–35): Very large online platforms (VLOPs) must assess systemic risks to minors. Documented use of audited triage models can form part of mitigation evidence.
- **No general monitoring obligation**: the DSA preserves the rule that providers cannot be required to monitor content generally, but voluntary, proportionate detection measures are permitted when paired with human oversight and transparency reporting.

### ePrivacy Directive & Derogations
- The 2022–2024 derogation allowing voluntary CSAM detection expired. Any continued processing of electronic communications content for detection purposes now requires either user consent or a new targeted legal basis. Metadata-only analysis (e.g., behavioural signals) faces fewer restrictions but still triggers GDPR.

### EU AI Act (applicable 2026)
- Systems that detect, prioritise or triage potential child sexual exploitation material are classified as **high-risk** (Annex III, category “law enforcement / child protection”).
- Requirements include:
  - Risk-management system
  - Technical documentation & model cards
  - Human oversight measures
  - Accuracy, robustness and cybersecurity obligations
  - Logging of all automated outputs for post-deployment monitoring
- Transparency obligations apply when users interact with the system indirectly (e.g., platform safety features).

### CSA Regulation (status 2026)
- The 2022 proposal remains under trilogue negotiation. No EU-wide mandatory detection obligation is in force. Voluntary detection continues under the conditions set by GDPR, DSA and the AI Act. Any future mandatory regime would likely require prior DPIA, independent audit, and judicial safeguards.

### Recommendations for Responsible Operators

A compliant operator must maintain:

- **DPIA** approved by the competent supervisory authority (Integritetsskyddsmyndigheten in Sweden) before deployment.
- **Human-in-the-loop protocol**: Every high-risk score reviewed by at least one trained moderator before escalation.
- **Audit logs**: Immutable records of model version, input features (without raw content where possible), score, reviewer decision, and escalation path. Retention aligned with GDPR.
- **Model cards & performance documentation**: Public or regulator-accessible description of training data provenance, performance metrics on synthetic and reviewer-confirmed datasets, known limitations, and bias testing (universal base rate applied).
- **Whistleblowing & redress channels**: Clear internal and external routes for reviewers or data subjects.
- **Lawful escalation mapping**: Documented procedures for NCMEC, Swedish authorities, IWF and DSA trusted flaggers.
- **Regular independent audit**: At minimum annually, covering both technical performance and procedural compliance.
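As an added example (not Pedalgo's own code), one way to implement the audit-log and human-in-the-loop items above: a hash-chained, append-only record carrying the listed fields, where an escalation path can only be written together with a named reviewer's decision and input features are stored only as a digest. Field names, the decision vocabulary and the sample inputs are assumptions.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first record in the chain

@dataclass
class AuditRecord:
    model_version: str
    feature_digest: str                      # SHA-256 of the feature vector, never the raw content
    score: float
    reviewer_id: Optional[str] = None        # None until a trained moderator has reviewed
    reviewer_decision: Optional[str] = None  # assumed vocabulary: "escalate" / "dismiss"
    escalation_path: Optional[str] = None    # e.g. "NCMEC", "Polisen", "IWF", "DSA trusted flagger"
    prev_hash: str = GENESIS
    record_hash: str = ""

def digest_features(features: dict) -> str:
    """Hash the canonicalised input features so the log stores no raw platform data."""
    canonical = json.dumps(features, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

class AuditLog:
    def __init__(self) -> None:
        self.records: list[AuditRecord] = []

    @staticmethod
    def _hash(rec: AuditRecord) -> str:
        body = asdict(rec)
        body.pop("record_hash")  # hash covers every other field, prev_hash included
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, rec: AuditRecord) -> AuditRecord:
        # Human-in-the-loop gate: an escalation path is only recorded after a named reviewer
        # decided to escalate; a model score alone never produces an escalation record.
        if rec.escalation_path and not (rec.reviewer_id and rec.reviewer_decision == "escalate"):
            raise ValueError("escalation recorded without a reviewer decision")
        rec.prev_hash = self.records[-1].record_hash if self.records else GENESIS
        rec.record_hash = self._hash(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """Re-derive every hash; an edited or reordered record breaks the chain
        (truncating the tail is only caught if the head hash is anchored externally)."""
        prev = GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or self._hash(rec) != rec.record_hash:
                return False
            prev = rec.record_hash
        return True
```

Anchoring the latest `record_hash` outside the writable store (for example in the transparency report or a write-once medium) is what makes the chain tamper-evident against deletion, not just edits.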

### Safe Harbours & Reporting Obligations
- **DSA Art. 22 & 34** provide a degree of protection for good-faith, proportionate voluntary measures when accompanied by transparency reports and human oversight.
- **GDPR Art. 6(1)(f)** legitimate-interest pathway remains viable for narrowly tailored triage provided the balancing test and DPIA are documented.
- No general immunity exists for over-blocking or erroneous flagging; operators remain liable under national tort and data-protection rules.

All synthetic test data and illustrative figures used in development or documentation must be clearly labelled “SYNTHETIC — FOR ILLUSTRATION ONLY — NOT REAL CASES”.
