On 30 June 2026, the Council of the European Union published its position at first reading on a regulation that temporarily derogates from the ePrivacy Directive to allow providers of number-independent interpersonal communications services to process personal data for detecting and reporting online child sexual abuse. The draft statement of reasons, to be formally adopted on 1 July 2026, aims to close a legal gap created by the expiry of the previous interim regulation (Regulation (EU) 2021/1232) on 3 April 2026, and to ensure continued voluntary detection activities until a long-term legal framework is adopted.
The Council's position adopts a new self-standing regulation that replicates the expired CSA Interim Regulation with updated dates and deletions of irrelevant provisions. It provides a temporary derogation from Articles 5(1) and 6(1) of Directive 2002/58/EC (ePrivacy Directive) for voluntary detection of online child sexual abuse, limiting the period of application until 3 April 2028. The regulation requires compliance with conditions and safeguards for processing personal data and aims to enter into force as soon as possible to provide legal certainty.
The move follows the European Parliament's rejection of an earlier extension proposal, which has necessitated further negotiations at second reading. The Council's position now goes back to the Parliament for a second reading. The temporary measure allows providers to resume voluntary detection activities, helping to identify and rescue victims of online child sexual abuse during the interim period. However, it delays the implementation of a comprehensive long-term solution for combating online child sexual abuse, which remains politically contentious.
The regulation provides legal certainty for providers of number-independent interpersonal communications services, allowing them to process personal data for child protection without violating ePrivacy rules. National authorities benefit from continued reporting of abuse material. However, privacy advocates may view the derogation as a temporary weakening of ePrivacy protections. The delay in a permanent framework prolongs uncertainty for all stakeholders, including child protection NGOs and law enforcement agencies.