The European Parliament has voted against extending temporary rules that allowed online platforms to voluntarily scan private communications for child sexual abuse material (CSAM).
In a plenary vote held earlier today, Members of the European Parliament (MEPs) rejected the European Commission’s proposal to prolong an interim derogation from the ePrivacy Directive, with 228 votes in favor, 311 against, and 92 abstentions. The derogation had enabled service providers to continue voluntary detection, reporting, and removal of CSAM while lawmakers worked toward a permanent legislative framework.
The rejected proposal was intended as a stopgap measure, maintaining existing detection practices during ongoing negotiations over the long-debated Child Sexual Abuse Regulation (CSAR), often referred to as “Chat Control.” However, despite Parliament adopting its negotiating position on March 11, 2026, talks with the Council of the European Union failed to produce a compromise.
The divisions within Parliament were also reflected in votes on individual amendments tied to the proposal, with one key amendment passing by a razor-thin 307–306 margin, underscoring how split lawmakers remain on the scope of such detection powers.
Under Parliament’s position, lawmakers had sought a more limited extension than originally proposed by the Commission, restricting the scope of detection measures and shortening their duration until August 2027. These changes were designed to ensure proportionality and stronger safeguards for fundamental rights, particularly the confidentiality of private communications.
The interim regulation, which had already been extended once in 2024, will now expire after April 3, 2026. This creates immediate legal uncertainty for online service providers that had relied on the exemption to lawfully scan user communications for CSAM on a voluntary basis.
The vote marks a significant shift from Parliament’s earlier stance this month, when MEPs supported extending the same derogation, albeit with tighter safeguards. As previously reported, lawmakers backed amendments requiring that any scanning of private communications be targeted and authorized by a judicial authority, effectively rejecting indiscriminate mass surveillance of user messages.
Without the derogation, platforms governed by the ePrivacy Directive may no longer have a clear legal basis to conduct voluntary scanning of private messages, particularly where such scanning could conflict with rules protecting the confidentiality of communications.
Parliament has been ready to negotiate a permanent framework since November 2023, while the Council adopted its position in November 2025. Discussions between the two institutions are ongoing, but key disagreements persist, especially around the scope of detection technologies and whether client-side or bulk scanning should be permitted.
For users and service providers, the immediate impact is a shift toward stricter adherence to existing privacy rules. Platforms operating in the EU should reassess their CSAM detection practices to ensure compliance with the ePrivacy Directive once the exemption expires. Organizations handling user communications may need to rely more heavily on user reports, known hashed CSAM databases, and cooperation with law enforcement rather than proactive scanning of private messages.
Leave a Reply