EU Parliament backs extension of CSAM detection rules until 2027
The European Parliament has voted to extend a temporary exemption to EU privacy legislation that allows online platforms to voluntarily detect child sexual abuse material (CSAM).
The extension prolongs a derogation from the EU’s ePrivacy Directive, which was set to expire on 3 April 2026, until 3 August 2027. Lawmakers say the additional time will allow the EU to negotiate and adopt a permanent legal framework to prevent and combat child sexual abuse online.
Members of the European Parliament said detection measures must remain proportionate and targeted. The exemption should not apply to end-to-end encrypted communications. They also opposed scanning traffic data alongside message content.
Parliament set limits on the use of detection technologies. Tools should only identify known CSAM or material flagged by users, trusted organizations, or recognized flaggers. Measures should target users or groups reasonably suspected of involvement, as determined by a judicial authority.
“We have a responsibility to address the horrific crime of child sexual abuse while safeguarding everyone’s fundamental rights. This interim derogation, which I support, is a temporary, strictly limited instrument allowing providers to continue voluntary detection measures under specific conditions,” said rapporteur Birgit Sippel, after the vote.
“At the same time, this extension must uphold end-to-end encryption. Reducing the scope of the extension to previously identified and hashed child sexual abuse material and material raised by flaggers is both necessary and justified for a proportionate framework that will withstand judicial scrutiny and provide sustainable protection for children,” Sippel continued.
An open letter to the European Parliament, signed by more than 800 scientists and researchers, questions the reliability of technologies proposed to detect CSAM online. The researchers say current systems cannot reliably detect known or new CSAM at the scale of hundreds of millions of users and produce high rates of false positives and false negatives.
Benjamin Schilz, CEO at Wire, told Help Net Security that Chat Control threatens fundamental privacy rights and weakens encryption protections used by millions of individuals and businesses, in pursuit of a monitoring system that EU data protection bodies and advisers have already deemed unworkable.
The European Parliament is ready to begin negotiations with the Council of the EU on extending the exemption and establishing a permanent framework. The voluntary exemption was previously extended in 2024, and Parliament has been prepared to negotiate long-term rules since November 2023.