A sweeping EU deal promises to curb online child abuse, but it could quietly erase private messages. On Wednesday, EU member states reached a common position on the controversial Child Sexual Abuse (CSA) Regulation after years of difficult negotiations. The aim is simple in theory: push social platforms to remove illegal CSA content across the internet and to deter offenders. In practice, the compromise sought to balance safety with fundamental rights, a balance that has kept privacy advocates and tech companies at odds.
What changed under the compromise is the removal of mandatory scanning of private communications by authorities. Instead, platforms themselves would be allowed to scan messages where feasible, and a new European body—the EU Centre on Child Sexual Abuse—would coordinate national authorities’ enforcement powers to remove or block access to content. End-to-end encrypted messages would not be subject to government-wide private-message scanning, a concession that drew praise from privacy groups but drew cautious notes from industry groups. CCIA Europe stressed that any rules must protect minors while safeguarding the confidentiality of communications, including end-to-end encryption, as talks continue toward a final version.
Despite the concession, concerns about mass surveillance persist. Former Pirate MEP Patrick Breyer described the text as a Trojan Horse, warning that even voluntary scanning could normalize warrantless surveillance by US platforms. Data from the German Federal Police indicates that half of CSA-related reports are not criminally relevant, underscoring the risk of false positives and inefficient interventions. Critics also argue that age-verification measures, such as ID-based or biometric checks, could erode online privacy rather than improve safety.
The agreement envisions a centralized EU framework and empowers national authorities to compel removal or blocking of CSA content. It creates an EU-wide focal point for coordination but stops short of mandating government-in-the-mandate scans of private chats. Platforms like Facebook Messenger or Instagram could still deploy their own content-scanning tools, potentially exposing private communications to platform-level screening. The plan seeks to strike a balance between protecting children and preserving the confidentiality of user communications, including encrypted ones, a line that remains the subject of intense negotiation among member states.
Privacy advocates warn that the compromise may not fully prevent surveillance creep, and opposition remains in several capitals, including the Czech Republic, the Netherlands, and Poland. The next phase involves trilogue negotiations among the European Parliament, the Commission, and the Council, expected to begin in 2026, with urgency tied to the pending expiration of the current E-Privacy regulation’s exemptions.
