Did the EU Parliament Really Vote Not to Protect Children Online?

The interim ePrivacy derogation, introduced in 2021 as a temporary measure, allowed platforms such as Microsoft and Meta to scan private communications for child sexual abuse material (CSAM). While its intent was child protection, critics argued it conflicted with the European Charter of Fundamental Rights by enabling indiscriminate surveillance. The Commission’s last‑minute proposal in December 2025—just weeks before the winter recess—compressed the legislative timetable, limiting the Parliament and Council’s ability to negotiate meaningful safeguards.

Negotiations quickly stalled when the Council of Member States clung to the Commission’s original text, rejecting the European Parliament’s amendments that sought stronger privacy protections and compliance with EU data‑protection standards. The Parliament, fearing a loss of democratic credibility, refused to align its position with the Council, resulting in a decisive vote to preserve its mandate. This impasse caused the derogation to lapse on 4 April 2026, effectively ending the legal cover for mass message scanning and leaving a regulatory vacuum that tech companies must navigate cautiously.

Looking ahead, the upcoming CSA Regulation—expected to be finalized by June 2026—offers a chance to craft a proportionate, rights‑respecting framework for CSAM detection. Both institutions have signaled support for encryption and opposition to blanket surveillance, but the Commission’s previous lobbying tactics raise questions about its future role as an impartial broker. Stakeholders, from civil‑society groups to industry players, will be watching closely to ensure that any permanent solution safeguards children without eroding fundamental privacy and data‑protection guarantees.