Published on
This Wednesday, EU member states agreed on a common position regarding the controversial child sexual abuse (CSA) protection law – also known as the CSA Regulation – during the Council gathering Justice ministers from the 27 EU countries.
The goal is to ensure that social media platforms systematically remove child sexual abuse material from the internet. The proposed measures would create a new European body, the EU Centre on Child Sexual Abuse, and national authorities would have the power to oblige companies to remove or block access to content.
Yet the proposal remains highly controversial, with critics from Big Tech companies and data privacy NGOs warning it could pave the way for mass surveillance, as private messages would be scanned by authorities to detect illegal images.
The big tech factor
The text has been under negotiation since 2022, with several rotating presidencies struggling to build consensus as the questions of “detection order” by authorities have been proven very divisive.
After failed attempts by the Czech, Spanish, Belgian, Hungarian and Poland presidencies to come up with a workable model, Denmark has managed to secure a compromise: the removal of mandatory scanning of private communications by authorities and the scanning of end-to-end encrypted messages. It would still allow platforms such as Facebook Messenger or Instagram to scan messages themselves.
While the Big Tech industry has broadly welcomed the compromise text, the Brussels-based lobby group CCIA Europe sounded a note of caution.
“EU Member States have made it very clear that the CSA Regulation can only move forward if these new rules to prevent and combat child sexual abuse strike a true balance – protecting minors while mainting the confidentiality of communications, including end-to-end encryption,” it said in a statement.
CCIA also added that they hoped the principle will guide the negotiations until a final version of the measure is adopted.
Mass surveillance concerns
Online privacy advocates are also still concerned.
Former Pirate MEP Patrick Breyer, who has been advocating against the file, wrote: “What the Council endorsed today is a Trojan Horse. By cementing ‘voluntary’ mass scanning, they are legitimising the warrantless, error-prone mass surveillance of millions of Europeans by US corporations.”
Currently, the AI system to check CSA imagery online is not fully operational and carries a high risk of false positives. Data from the German Federal Police showed that 50% of all reports are criminally irrelevant.
Breyer also pointed out that the introduction of age-verification systems – using ID cards or facial recognition – would endanger online privacy.
Now that the Council has finally reached a compromise – despite opposition from the Czech Republic, the Netherlands and Poland – negotiations with the European Parliament and the Commission, known as trilogues, can start in 2026.
Those negotiations need to land before the already postponed expiration of the current E-Privacy regulation that allows exceptions under which companies can conduct this kind of voluntary scanning.