The Council of the European Union has adopted its first-reading position on a draft regulation that temporarily derogates from the ePrivacy Directive to allow providers of number-independent interpersonal communications services to process personal data for combating online child sexual abuse. The decision, taken via written procedure on 2 July 2026, aims to ensure continuity of enforcement action while a permanent regime is being negotiated.
The regulation replicates the provisions of Regulation (EU) 2021/1232 for a limited duration, bridging the gap until a permanent framework is adopted. The Council's position was approved by qualified majority, with Italy expressing reservations in a statement. Italy raised concerns about mass scanning by private entities, proportionality, judicial oversight, and the need to exclude end-to-end encrypted content from detection activities to safeguard cybersecurity and communication confidentiality.
This temporary measure allows providers to continue voluntary detection of known child sexual abuse material, but critics argue it risks generalized monitoring and infringes on fundamental privacy rights. The regulation now passes to the European Parliament for a second reading. The permanent regime, currently under negotiation, is expected to address these concerns more comprehensively.