Last updated: Wednesday, December 17th, 2025
1. Purpose and scope
CRC operates technologies that surface technical indicators (e.g., network metadata and filehash indicators) suggesting the distribution or solicitation of child sexual abuse material (CSAM) on certain publicly accessible networks. We curate and disclose these indicators only to competent lawenforcement and designated childprotection authorities to support investigations and the protection of children.
CRC does not determine guilt or make enforcement decisions; those decisions are made by competent authorities.
2. Categories of data
- Network metadata: IP addresses, ports, timestamps, protocol identifiers, swarm/room/channel identifiers, and similar technical information.
- Content indicators: cryptographic hashes of known illegal material or other noncontent signals provided by authorized partners.
- Derived analytics: risk/priority scores or flags derived from the above.
- Operational logs: access logs and audit trails for security and integrity.
(We do not read or store the content of private communications.)
3. Sources
Automated collection from publicly accessible peertopeer or chat environments and partner feeds; CRC’s own systems generate derived indicators.
4. Controller/processor roles
- Outside the EU/UK: CRC generally acts as a controller for the compilation, curation and disclosure of indicators to lawenforcement.
- EU/UK contexts: Roles may vary. Where CRC processes personal data under the control or on behalf of a competent authority, CRC will act as a processor for that authority. Where CRC processes on its own initiative, CRC is a controller and must meet EU/UK rules for criminaloffence data (see below).
5. Legal bases and specialcategory/criminaloffence data
- EU GDPR (Article 10): Personal data “relating to criminal convictions and offences” (including suspected offences) may be processed only under the control of an official authority or when authorized by Union or MemberState law with appropriate safeguards. CRC will only process EU offencerelated personal data where one of those routes applies (e.g., acting under the control of a competent authority, or under a specific MemberState legal authorization).
- UK GDPR & Data Protection Act 2018: CRC may process criminaloffence data where Article 6 is satisfied and a Schedule 1 condition applies—typically “preventing or detecting unlawful acts” (Para 10)—with an Appropriate Policy Document in place and a DPIA demonstrating necessity and proportionality.
CRC does not make decisions that produce legal or similarly significant effects about individuals solely by automated means. Scoring/flagging supports human decisionmaking by competent authorities.
6. Transparency and individual rights (indirect collection)
Where feasible, CRC provides the information required by Article 14 (EU/UK) to individuals whose data we process indirectly.
In some cases, we may delay or limit individual notice and/or restrict certain rights where giving notice would be likely to prejudice the prevention or detection of crime (e.g., under UK DPA 2018 Schedule 2 or equivalent statutory restrictions). We assess this case by case and record our reasons.
How to exercise rights: See Your EU/UK Privacy Rights. For LE Dataset enquiries, use [email protected].
7. Sharing and recipient
Disclosures are limited to competent lawenforcement and, where necessary, tightly bound service providers (processors) that host or secure our systems under our instructions. We do not share the LE Dataset with private parties for nonlawenforcement purposes.
8. International transfers
Where EU/UK personal data in the LE Dataset is accessed from or transferred to a third country, CRC applies recognized safeguards (e.g., SCCs/IDTA, and, if applicable, Data Privacy Framework certification for U.S. recipients) and technical measures (minimization, encryption, strict access controls).
When we transfer EU/UK personal data outside your region, we use recognized safeguards:
- Adequacy & Frameworks. We rely on adequacy decisions where available. For U.S. recipients that are certified.
- Standard Contractual Clauses / IDTA. For other transfers, we use the EU Standard Contractual Clauses (2021) and, for the UK, the International Data Transfer Agreement (IDTA) or UK Addendum, plus transfer impact assessments and technical measures.
Minimization & security. We minimize what we transfer, use encryption, restrict access, and keep detailed logs
9. Retention
Raw network telemetry, derived indicators, and audit logs are kept for at least 3 years.
10. Security
Access is restricted on a needtoknow basis with multifactor authentication; data are encrypted in transit and at rest; systems are segregated and monitored; disclosures are logged and auditable.
11. DPIA and governance
CRC completes Data Protection Impact Assessments for the LE Dataset and maintains an Appropriate Policy Document for UK processing. Summaries may be provided on request where doing so would not prejudice legitimate aims.
