On 30 June 2026, the Council of the European Union adopted a temporary Regulation that permits providers of number-independent interpersonal communications services (such as webmail and messaging apps) to voluntarily process personal and other data for the purpose of detecting and reporting online child sexual abuse. The Regulation derogates from the confidentiality rules in Articles 5(1) and 6(1) of Directive 2002/58/EC, which protect the secrecy of communications and traffic data. The measure applies from its entry into force until a permanent legal framework is adopted and implemented, filling the gap left by the expiry of Regulation (EU) 2021/1232 on 3 April 2026.

The Regulation allows the use of technologies such as hashing, classifiers, and artificial intelligence, but requires that they be the least privacy-intrusive option available. Providers are prohibited from systematically filtering text unless they are detecting patterns that indicate a concrete suspicion of child sexual abuse. Any data processed must be strictly necessary, and must be deleted immediately if no abuse is identified, or no later than 12 months after detection of suspected abuse. Providers must publish reports within six months of the Regulation's entry into force and annually by 31 January, detailing volumes, error rates, complaints, and data protection safeguards. These reports must be submitted to the competent supervisory authority and the European Commission, which will establish a common reporting format through implementing powers.

The Regulation strikes a balance between combating child sexual abuse and protecting privacy. For EU citizens, it enhances safety by enabling detection of abuse, but raises concerns about potential overreach into private communications. For messaging providers, it offers legal clarity and a voluntary framework, but imposes compliance costs for reporting and data safeguards. For child protection NGOs, it provides a tool to combat abuse, though they may argue the voluntary nature limits effectiveness. For privacy advocates, the strict safeguards are positive, but the derogation from confidentiality sets a precedent that could be expanded. The Regulation will apply until a permanent framework is adopted, with the Commission expected to propose long-term legislation in the coming months.

← Atlas › News › Home affairs & Migration