On 2 July 2026, the Council of the European Union adopted its position at first reading on a temporary Regulation that allows providers of number-independent interpersonal communications services (such as webmail and messaging apps) to process personal and other data to detect, report, and remove online child sexual abuse material and solicitation of children. The Regulation derogates from confidentiality obligations under Directive 2002/58/EC until a permanent legal framework is in place, aiming to balance child protection with fundamental rights.

The Council's position, adopted on 1 July 2026, establishes a temporary derogation from Article 5(1) and Article 6(1) of Directive 2002/58/EC for processing data to detect and report online child sexual abuse and remove related material. Technologies used must be least privacy-intrusive, state-of-the-art, and unable to deduce communication substance; text scanning is limited to detecting patterns indicating possible abuse. Providers must conduct prior data protection impact assessments and consultations under the GDPR, with transitional arrangements for existing technologies. Mandatory safeguards include human oversight, error minimization, internal redress mechanisms, user information, and reporting to supervisory authorities and the Commission. Data retention is limited to 12 months from detection, with immediate deletion if no suspicion is confirmed. Providers must report annually on data processed, errors, complaints, and organizations receiving reports. The Commission is to establish a common reporting format and maintain a public list of organizations acting against child sexual abuse. Member States must submit annual statistics on reports, identified children, and convictions. The Regulation applies until 3 April 2028, with an implementation report due after 18 months.

This temporary measure enables continued voluntary detection of online child sexual abuse by providers, supporting victim identification and offender prosecution, while creating legal certainty after the expiration of previous Regulation (EU) 2021/1232. It interferes with fundamental rights to privacy and data protection but is justified as a temporary, proportionate measure with safeguards. The Regulation aims to harmonize the internal market and prevent fragmentation from differing national measures. It preserves end-to-end encryption and professional secrecy (e.g., lawyer-client, doctor-patient communications). However, it imposes administrative and compliance burdens on providers, including reporting and data protection impact assessments, and raises concerns about potential overreach or false positives, mitigated by human review and error minimization requirements. The Regulation supports EU policy priorities on child protection and digital rights, with ongoing evaluation through implementation reports.

For EU citizens, the Regulation enhances child protection but may raise privacy concerns. For messaging providers, it creates legal certainty but imposes compliance costs. For national authorities, it provides a harmonized framework but requires annual reporting. For child protection organizations, it enables continued detection efforts. The Regulation is expected to be formally adopted by the European Parliament and Council in the coming months, with the Commission to prepare an implementation report after 18 months.

← Atlas › News › Home affairs & Migration