EU parliament blocks extension of ePrivacy carve-out for automated child-abuse scanning
Platform safety teams lose legal basis to run automated CSAM scans
Change
EU parliament declined to extend the 2021 ePrivacy carve-out that authorised automated scanning of private communications for child sexual abuse material, letting the carve-out expire on 3 April.
Why it matters
Automated, proactive scanning of private messages for child sexual abuse material now lacks the temporary legal exemption previously provided by the ePrivacy carve-out, removing the routine lawful basis platforms used for hashing and pattern detection. Platforms remain separately obliged to remove illegal content under the Digital Services Act but cannot rely on the expired carve-out to justify routine scanning of private communications, increasing legal uncertainty for detection workflows.
Implications
- — Platform legal teams processing EU private communications — must immediately cease automated scanning or secure explicit legal authorisation for such processing — continuing scans now exposes the company to breaches of EU privacy law and potential regulatory enforcement.
- — Platform safety and trust-and-safety teams — must immediately reconfigure detection workflows to prioritise public-content scanning, user reports and non-invasive detection channels and document those changes — failing to adjust leaves platforms unable to discover illicit private-material while still facing takedown obligations under the Digital Services Act.
Unlock the decision layer.
- Implications: What this forces you to change — operations, exposure, or compliance.
- Who is affected: Which roles, contracts, and obligations are exposed.
- What to watch: Binding deadlines and enforcement dates.
- Real-time alerts: Delivered the moment a binding change is published.
- Ask AI: Ask what this means for your specific role.
No credit card · 14-day trial · Active in seconds
Unlock the decision layer
Source
The Guardian
View on The Guardian