EU Member States Reach Compromise on Child Sexual Abuse Online Law

EU member states have agreed on a common position for a new law aimed at tackling child sexual abuse (CSA) online, while dropping plans for mandatory scanning of private messages. The decision was made at a Council meeting on Wednesday, where justice ministers from all 27 EU countries discussed the proposed CSA Regulation.

The law seeks to ensure that social media platforms remove child sexual abuse material from their services. It would establish a new European body, the EU Centre on Child Sexual Abuse, and give national authorities the power to order companies to remove or block access to illegal content.

Negotiations over the text have been ongoing since 2022, with several EU presidencies struggling to find common ground. A key sticking point has been the “detection order,” which would require authorities to scan private messages, including end-to-end encrypted communications, for illegal content.

Denmark, which currently holds the rotating EU presidency, brokered a compromise that removes the obligation for authorities to scan private communications. Platforms themselves, however, would still be allowed to scan messages. The move has been broadly welcomed by the tech industry, though some caution that the regulation must strike a careful balance between protecting minors and maintaining the confidentiality of communications.

CCIA Europe, a Brussels-based tech lobby group, welcomed the compromise but stressed that the principles of protecting minors while respecting end-to-end encryption should guide the final negotiations.

Privacy advocates, however, remain concerned. Patrick Breyer, former Pirate Party MEP and an outspoken critic of the file, called the compromise a “Trojan Horse.” He argued that voluntary scanning by platforms could enable mass, error-prone surveillance of Europeans without warrants. Breyer also highlighted the risks of false positives in current AI systems for detecting CSA material and criticized proposed age-verification measures, which could involve ID cards or facial recognition, as threats to online privacy.

Data from the German Federal Police indicates that up to 50% of CSA reports flagged by AI are criminally irrelevant, underscoring concerns about accuracy and potential misuse.

The Council’s agreement now clears the way for trilogue negotiations with the European Parliament and the European Commission, expected to begin in 2026. These talks must conclude before the expiration of the current E-Privacy regulation, which currently permits voluntary scanning under certain conditions.

Despite remaining debates over privacy and surveillance, the compromise marks a significant step toward a unified EU approach to combating child sexual abuse online. It aims to hold platforms accountable while addressing concerns over private communications, a compromise that has taken years of negotiations to reach.