The Commission has proposed an extension to temporary rules allowing tech companies to voluntarily scan their services for traces of child sexual abuse material (CSAM) for a period of two additional years – running to April 2028.
The temporary derogation to the EU’s ePrivacy Directive, which currently lets platforms scan for CSAM if they choose, is set to expire in April 2026 – with no prospect of a permanent legal framework for scanning being agreed before then. Hence the need for the Commission to propose an extension so that companies don’t lose an important tool to tackle CSAM in the meanwhile.
A planned permanent CSAM regulation, which was proposed back in 2022, has faced difficult negotiations in the Parliament and, especially, Council – which only finally agreed its mandate in November.
The proposed law has faced strong pushback from privacy experts and others, concerned it could lead to indiscriminate scanning of Europeans’ communications. Opponents attack the law as an attempt at “chat control” – and the strength of the opposition finally led to capitals opting to remove provisions on mandatory scanning orders from their version of the draft text.
MEPs, meanwhile, settled their own position on the file around two years ago – so, after the Council deal, trilogue talks between the EU institutions were able to start in early December. But with the temporary CSAM scanning rules expiring in April, it’s seen as essentially impossible for the permanent law to be agreed and come into force that soon.
During the first trilogue on the CSAM scanning law, Home Affairs Commissioner Magnus Brunner told the two institutions that he would propose an extension to the temporary rules.
Parliament and Council now have limited time to negotiate this so it can be applicable before April and avoid a legal gap.
(nl)