Contrasting tools

Child abuse online, the extension of the provisional EU privacy regulation skipped

It will remain in force until 3 April. After the deadline voluntary scanning to counter the dissemination of child pornography will no longer be possible

by Camilla Curcio

19 March 2026

3' min read

Translated by AI

Versione italiana

3' min read

Translated by AI

Versione italiana

It sinksthe extension of the provisional regulation on privacy that allows providers of online services such as Instagram and Whatsapp to voluntarily track child pornography disseminated by users and help combat child sexual abuse.

What blocked everything was the disagreements between the European Parliament and the EU Council, which failed to reach an agreement to extend the exemption to the rules beyond the scheduled expiry date (3 April 2026). A necessary step to fill the legislative gap that will have to be dealt with until the entry into force of the new law, the so-called Chat Control, which is currently the focus of negotiations between the two sides.

The hunt for the culprit was not long in coming: the 27 members of the Council pointed the finger at the MEPs who, according to the spokesperson of the Cypriot presidency, 'insisted on changing the scope of the provisional measure in a way that, for the vast majority of member states, would have rendered it ineffective'. The clash was fuelled by conflicting positions on the balance between protection of minors and the protection of privacy, to be reconciled with the monitoring of material and the protection of trade.

Contrasting positions

On 11 March, in fact, the Euro Chamber approved the proposal of the Committee on Civil Liberties, Justice and Home Affairs on the extension of the derogation until August 2027. But with a text that in several points is very different from the one presented by the Commission, proposing for instance the exclusion from the perimeter of controls (and thus of punishability) of encrypted communications end-to-end - this is the case of conversations on Whatsapp - and the prohibition of data scanning on traffic and content. Not only that: the draft also called for limiting the detection to material that has already been tracked (or reported as potentially harmful by a user, a trusted reporter or an organisation) and to profiles that have already been identified by law enforcement agencies. And to limit the measures to persons or groups already suspected of disseminating child pornography.

For its part, the Commission pleaded its position unchanged, insisting on the need to systematise scanning with the obligation to prevent offences through risk categories applied to the services provided. And by obliging companies - under penalty of heavy penalties - to remove or block malicious content (for browsers, by obscuring it from search results lists).

Sipler's position

Parliament's rapporteur Birgit Sippler (A&D Germany) took no prisoners: 'It is a pity that Parliament and Council could not agree on the extension, despite our willingness to negotiate constructively,' she said. "However, with their lack of flexibility, the member states have deliberately accepted that the regulation expires in April. From then on voluntary scanning by service providers will no longer be possible." Reiterating MEPs' call for a targeted and proportionate approach aimed at avoiding serious breaches of privacy, Sippler then also emphasised that for Parliament, one of the priorities was that identified or flagged content should remain discoverable as a law enforcement tool.

The halt does not, of course, stop the road to success: 'We need to continue to raise public awareness, strengthen law enforcement and their ability to combat the online dissemination of material in a proportionate manner, remind providers of their obligations. And, even more, accelerate negotiations to arrive at a permanent regulatory framework'.

A long way

But let us take a few steps back. The legislation at the centre of the debate - the so-called Regulation 1307/2024 - amends the previous framework of rules, that of 2021. And, specifically, it allows communication service providers to make use of certain technologies to detect and report abuse on under-18s, temporarily derogating from the Privacy Directive (2002/58/Ce). The extension that extended its validity until April 2026, however, was always presented as 'exceptional': the urgency to find a square on a final law made it almost unavoidable.

With respect to the definition of a clear perimeter and permanent rules, the Parliament has been ready to negotiate since November 2023. And, since the Council adopted its position in November 2025, the dialogue and negotiations are still in progress in search of a square. And of rules (finally) without an expiry date.