On 1 July 2026, the Council of the European Union adopted a draft Regulation temporarily derogating from Directive 2002/58/EC to allow providers of number-independent interpersonal communications services to process personal and other data for detecting and reporting online child sexual abuse. The adoption, conducted via written procedure due to urgency, restores the legal basis for voluntary measures that had lapsed on 3 April 2026 with the expiration of the previous Regulation (EU) 2021/1232. The Council also adopted its position at first reading and a statement of reasons.
The temporary derogation addresses a legal gap that left service providers without a clear framework for voluntary detection and reporting of child sexual abuse material. The previous regulation expired on 3 April 2026, creating uncertainty for providers and potentially hampering enforcement efforts. The new regulation aims to ensure continued protection of children while a permanent legislative framework is developed. The Council's decision to use the written procedure reflects the urgency of restoring the legal basis.
The regulation impacts several stakeholders. For providers of number-independent interpersonal communications services, it re-establishes a legal basis for voluntary data processing, reducing legal uncertainty and allowing continued cooperation with authorities. For EU regulatory bodies, it maintains enforcement capabilities against online child sexual abuse. For EU citizens, particularly children, it ensures continued protection from online exploitation. For privacy advocates, the temporary derogation raises concerns about data processing without a permanent framework, though it is limited in scope and duration. The European Parliament and Council will need to agree on a permanent solution to replace the temporary measure.