EU’s temporary CSAM detection exemption expired April 3, 2026, leaving tech giants like Google and Meta without legal basis to scan private messages for child abuse material, prompting fears of reduced reporting and heightened risks for victims.
Legal Framework for CSAM Detection Expires
The European Union’s temporary exemption from the ePrivacy Directive, which allowed messaging platforms to scan private communications for child sexual abuse material (CSAM), ended on April 3, 2026, without renewal. This legal provision, a modification of the ePrivacy Directive, had enabled companies such as Google, Meta, Snap, and Microsoft to detect CSAM, grooming, and sextortion through automated systems. The exemption was initially extended in 2024 for an additional 15 months, to August 2027, amid ongoing discussions for a permanent legislative framework. However, the European Parliament ultimately declined to prolong the exemption beyond April 2026, citing concerns over proportionality, end-to-end encryption, and the risks of indiscriminate scanning.
Legal Uncertainty for Tech Companies
The Digital Services Act (DSA), enacted in 2022, mandates the removal of illegal content but does not authorize automated scanning for CSAM. The DSA establishes a tiered regulatory approach: basic obligations for all services, enhanced duties for online platforms, and the most stringent requirements for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) with over 45 million monthly active users in the EU. While the DSA requires platforms to address illegal content, it does not provide a legal basis for automated CSAM detection, leaving companies in regulatory uncertainty as the exemption lapsed.
Impact on Child Safety
The expiration of the exemption has prompted major tech companies to reassess their CSAM detection strategies. Although Google, Meta, Snap, and Microsoft have stated they will continue voluntary scanning for CSAM, they now operate without a clear legal basis, exposing them to potential regulatory scrutiny. Under the ePrivacy Directive, any scanning of private messages without user consent could constitute a breach of data protection laws, potentially leading to fines or enforcement actions. The absence of a legal exemption means companies must navigate a complex landscape of compliance and risk management.
Decline in CSAM Reporting
The impact on child safety is already evident. During the 2021 legal gap, CSAM reports to organizations like the National Center for Missing and Exploited Children (NCMEC) dropped by 5.8%, and the NCMEC reported a 21.3 million surge in 2025, with 90% of reports coming from non-U.S. countries. Advocates warn that the current lapse could lead to a similar decline in reports, as platforms may reduce or halt scanning efforts. The lack of a legal framework also complicates cross-border cooperation, as law enforcement agencies struggle to track abusers who exploit jurisdictional gaps. Without automated detection, identifying victims and holding perpetrators accountable becomes significantly more difficult.
EU Parliament’s Rejection
The European Parliament’s rejection of extending the exemption reflects deepening tensions between privacy rights and child safety. Despite initial support for a limited extension to August 2027, MEPs ultimately voted against it, citing concerns over proportionality, end-to-end encryption, and the risks of indiscriminate scanning. The debate centered on whether voluntary detection measures could be implemented without infringing on users’ privacy. MEPs emphasized that any measures must target only pre-identified or flagged CSAM, exclude traffic data scanning, and apply to users judicially suspected of involvement, to ensure judicial viability.
Stalled Legislative Negotiations
The Council of the EU had previously adopted its position in November 2025, advocating for a permanent legislative framework to address CSAM detection. However, negotiations on the permanent law have stalled, with MEPs and the Council unable to reconcile differences over the scope of detection powers and privacy safeguards. The European Data Protection Supervisor (EDPS) highlighted the need to address shortcomings in the current framework to prevent broad surveillance. This stance aligns with broader concerns about the potential for overreach in digital monitoring. While privacy advocates argue that scanning private messages violates fundamental rights, child safety experts warn that the absence of a legal basis for detection could enable predators to exploit legal uncertainty. The decision underscores the EU’s prioritization of privacy over proactive child protection measures, raising questions about the adequacy of existing safeguards in the digital age.
Calls for Permanent Legislation
The expiry of the exemption has reignited calls for a permanent legislative framework to address CSAM detection. Advocacy groups, including the European Child Sexual Abuse Legislation Advocacy Group (ECLAG), have urged EU policymakers to adopt a binding legal framework that allows for continued detection while balancing privacy concerns. The proposed ‘Chat Control’ regulation, first introduced in 2022, aims to impose mandatory detection, reporting, and removal of known and new CSAM, as well as grooming content. However, critics argue that the regulation’s reliance on client-side scanning for encrypted services could lead to high false-positive rates and privacy violations.
International Implications
The absence of a legal framework also complicates international efforts to combat online child sexual abuse. The International Child Sexual Abuse (IWF) report highlights a surge in AI-generated child sexual abuse imagery, urging EU lawmakers to implement a zero-tolerance ban on such content and the tools used to create it. The IWF specifically notes “record levels of AI-generated child sexual abuse imagery” and calls for an AI Bill that mandates safety-by-design standards as a non-negotiable requirement in AI development. Without such measures, the EU risks failing to address the evolving threats posed by digital technologies. The debate over CSAM detection highlights the broader challenge of balancing privacy rights with the imperative to protect children in an increasingly connected world.
Advocacy Against Inaction
The decision to end the exemption has sparked widespread condemnation from child protection advocates, who warn of the severe consequences for child safety. A joint statement signed by over 245 organizations working to end sexual abuse across the EU and beyond condemns the EU’s failure to extend the legal framework enabling detection activities. The statement calls for a permanent legislative solution to ensure that platforms can continue identifying and reporting CSAM without facing legal penalties. “EU decision-makers were aware of the consequences of inaction, which will lead to more victims, trauma, and impunity for abusers,” said Helen Mason, Executive Director of Child Helpline International.
Urgency of the Situation
The urgency of the situation is underscored by the growing use of AI-generated content in child sexual abuse material. The IWF report notes record levels of AI-generated imagery, prompting calls for an AI Bill that mandates safety-by-design standards as a non-negotiable requirement in AI development. Without a permanent legal framework, the EU risks failing to address the evolving threats posed by digital technologies. The debate over CSAM detection highlights the broader challenge of balancing privacy rights with the imperative to protect children in an increasingly connected world. As the EU grapples with this issue, the stakes for vulnerable children remain alarmingly high.
- What happened to the EU’s CSAM detection exemption?
The EU’s temporary exemption from the ePrivacy Directive for scanning private messages to detect child sexual abuse material (CSAM) expired on April 3, 2026, without renewal. This provision, a modification of the ePrivacy Directive, had allowed platforms like Google, Meta, Snap, and Microsoft to conduct automated CSAM detection.
- Why did the EU end the CSAM detection exemption?
The European Parliament rejected extending the exemption beyond April 2026, citing concerns over proportionality, end-to-end encryption, and the risks of indiscriminate scanning. MEPs emphasized the need for measures targeting only pre-identified or flagged CSAM to ensure judicial viability.
- How does the expiration affect tech companies?
Tech firms like Google, Meta, Snap, and Microsoft now operate without a legal basis for CSAM detection, exposing them to potential regulatory scrutiny. Under the ePrivacy Directive, scanning private messages without consent could breach data protection laws, risking fines or enforcement actions.
- What is the impact on child safety?
CSAM reporting dropped by 5.8% during the 2021 legal gap, and the NCMEC reported a 21.3 million surge in 2025. Advocates warn the current lapse could lead to a similar decline in reports, as platforms may reduce scanning efforts, complicating cross-border cooperation and victim identification.
- What is the current status of permanent legislation?
Negotiations for a permanent legal framework to address CSAM detection have stalled, with MEPs and the Council unable to reconcile differences over detection powers and privacy safeguards. The European Data Protection Supervisor (EDPS) highlighted the need for a revised framework to prevent broad surveillance while balancing child safety and privacy.
- theguardian.com | ‘Irresponsible failure’: Google, Meta, Snap and Microsoft slam EU over child sexual abuse law lapse
- childhelplineinternational.org | Joint Statement on the End of EU Legal Basis to Detect CSA
- europarl.europa.eu | Child sexual abuse online: support for extending rules until August ...
- iwf.org.uk | EU warned of child Safety crisis as protections lapse
- cadeproject.org | European Union: End of Legal Exemption for Identifying Child ...
- eu.ci | EU “Chat Control” Regulation Consequences and Next Steps
- therecord.media | European Parliament rejects extension of CSAM scanning rules for ...
- edps.europa.eu | Extension of interim rules to combat child sexual abuse online must ...
- en.wikipedia.org | Digital Services Act