European Union: End of Legal Exemption for Identifying Child Abuse Content in Private Communications

A temporary European Union regulation allowing online services to detect child sexual abuse material (CSAM) in private communications expired on 3 April 2026.

The measure had provided an exemption from the ePrivacy Directive, which normally restricts how companies can process private communications data. Under this derogation, providers of messaging and similar services were permitted to use automated tools to scan content, identify potential abuse material, and report it to authorities.

These services include so-called “number-independent interpersonal communication services”, such as messaging apps, which do not rely on traditional phone numbers.

The regulation also required companies to submit reports of detected abuse in a structured format to both national authorities and the European Commission.

With the expiry of the derogation, this specific legal basis for scanning private communications no longer applies at the EU level. This creates a gap in the regulatory framework, as existing data protection rules again fully apply to how such data can be processed.

The measure had been introduced as a temporary solution while the EU continues discussions on a longer-term legal framework addressing online child protection and the detection of abuse material.