European Union member states have reached a provisional agreement to extend the legal framework for the voluntary detection of child sexual abuse material (CSAM) online until April 2028. The Council of the European Union confirmed the extension, which maintains the current interim rules that allow communication service providers to continue using automated scanning technologies to identify and report illicit content on their platforms, according to the official Council of the EU press release dated October 23, 2024.
The decision extends the “interim regulation,” which was initially adopted in 2021 to bridge the gap between the sunsetting of the ePrivacy Directive and the development of a permanent, comprehensive legislative framework. This regulation permits, but does not mandate, that service providers use technologies such as hash-matching and artificial intelligence to scan private communications—including emails, instant messages, and cloud storage files—for known or new instances of child abuse material. The extension arrives as negotiations continue for a permanent solution, often referred to by critics and advocates as the “Chat Control” legislation.
Extension of Voluntary Scanning Measures
Under the terms of the agreement, the ability for companies to voluntarily deploy scanning tools will remain in effect until April 3, 2028. The European Commission originally proposed a longer extension, but member states reached a compromise to limit the duration while negotiations on the broader “Proposal for a Regulation to prevent and combat child sexual abuse” continue. The Council stated that the extension ensures continuity in the detection of illegal content while the European Parliament and the Council work toward a permanent legal solution, as documented in the Council’s official legislative tracking records.

The regulatory environment remains complex because the current interim rules act as a derogation from the ePrivacy Directive. This directive generally mandates the confidentiality of electronic communications. By providing a temporary legal basis, the EU allows companies to process user data for the specific purpose of combating CSAM without violating existing privacy protections. However, the temporary nature of this derogation has necessitated repeated extensions as a permanent agreement has remained elusive for several years.
Privacy Concerns and Industry Impact
The extension has drawn significant criticism from digital rights organizations and privacy advocates who argue that the widespread use of automated scanning tools undermines the principle of end-to-end encryption. Groups such as European Digital Rights (EDRi) have consistently cautioned that allowing the scanning of private messages creates a “backdoor” that could be exploited by third parties or lead to mission creep, where surveillance tools are eventually used for purposes beyond the detection of child abuse, according to official statements published by EDRi.

Technology companies have expressed mixed reactions to the regulatory uncertainty. While many firms, including those providing email and messaging services, have historically used scanning tools to report illegal content to authorities like the National Center for Missing & Exploited Children (NCMEC), they also face conflicting legal requirements across different jurisdictions. The lack of a permanent, harmonized framework forces these platforms to navigate a patchwork of voluntary measures and national laws, which complicates their compliance strategies and user trust initiatives.
The Path to Permanent Legislation
The debate surrounding “Chat Control” centers on the tension between public safety and the fundamental right to digital privacy. Proponents of the legislation, including various law enforcement agencies and child protection groups, argue that automated scanning is essential given that the vast majority of CSAM reports to authorities originate from automated hashes provided by tech platforms, as reported by the European Commission’s Home Affairs department.
Conversely, opponents highlight the risks of “false positives,” where benign content is incorrectly flagged as illegal, leading to potential legal jeopardy for innocent users. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have previously issued warnings regarding the necessity and proportionality of mass scanning, emphasizing that any permanent regulation must be strictly limited to avoid mass surveillance, according to the Joint Opinion 01/2024 issued by the EDPB and EDPS.
Next Steps in the Legislative Process
With the extension secured until 2028, the immediate focus shifts back to the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) committee and the Council’s working groups. These bodies are tasked with refining the permanent proposal to address concerns regarding proportionality and privacy safeguards. There is no set date for the final vote on the permanent regulation, but the extension provides a buffer for further debate and potential amendments.
Stakeholders are encouraged to monitor the European Parliament’s Legislative Train Schedule for updates on committee hearings and plenary sessions. As the situation evolves, the impact on encryption standards and the operational procedures of major global tech platforms will remain a focal point for both policy experts and the general public. Readers are invited to share their perspectives on the balance between digital privacy and online safety in the comments section below.