EU chat control exemption for business leader
Executive summary
EU member states’ representatives in the Council adopted a common position on the Regulation to Prevent and Combat Child Sexual Abuse that keeps a temporary exemption allowing voluntary platform scanning for CSAM beyond April 2026 and removes mandatory detection orders for encrypted services, while negotiations with the European Parliament continue (Consilium; WinBuzzer) [1] [2]. The text establishes an EU Centre on Child Sexual Abuse and preserves the existing voluntary scanning derogation, but critics and privacy groups say risks to encryption, privacy and potential back‑doors remain and parliamentary disagreement persists (Consilium; Patrick Breyer; EDRi) [1] [3] [4].
1. Council keeps voluntary scanning, drops mandatory orders — what changed
The Council’s common position explicitly continues the temporary derogation (Regulation 2021/1232) that allows providers to scan for CSAM without breaching e‑privacy rules and removes language creating binding detection orders for end‑to‑end encrypted services; national competent authorities will still be able to compel removals and blocking and the text sets up a new EU Centre on Child Sexual Abuse to manage indicators and support enforcement (Consilium; WinBuzzer) [1] [2].
2. Parliament vs Council: a fundamental disagreement over “voluntary” scanning
The European Parliament previously voted in November 2023 to protect end‑to‑end encryption and had pushed to remove E2EE scanning entirely; Parliament is wary that keeping a permanent derogation for voluntary scanning creates a loophole for mass surveillance, while the Council frames voluntary scanning as necessary to aid law enforcement — setting up a clear clash in trilogue talks (WinBuzzer; Patrick Breyer) [2] [3].
3. What the Council position practically enables — voluntary scanning and enforcement powers
By preserving the derogation, which was due to expire in April 2026, the Council position lets companies continue to choose to scan for CSAM without falling foul of e‑privacy rules; simultaneously, competent national authorities gain powers to order removals, blocks and delisting — a dual approach that keeps operational enforcement tools while avoiding a direct mandate to break encryption (Consilium; EU Perspectives) [1] [5].
4. Privacy and tech community concerns: “back doors” and weakened encryption
Digital‑rights groups and some technologists argue that any regime that encourages client‑side scanning or requires “all appropriate risk mitigation measures” risks undermining E2EE and creating systemic vulnerabilities. Critics say even “voluntary” scanning can become de facto mandatory through market and regulatory pressure, and privacy advocates say the Council text still contains problematic phrasing (Patrick Breyer; EDRi; Fight Chat Control) [3] [4] [6].
5. Political dynamics: who’s blocking what and why
Council deliberations have been divisive: several member states and presidencies stalled talks in 2024, Denmark’s 2025 presidency revived negotiations, and late‑2025 bargaining produced the compromise preserving voluntary scanning but dropping mandatory detection orders. Germany and other opponents have at times formed blocking minorities, while around 19 member states reportedly favoured reviving parts of the proposal — underscoring split priorities between child‑protection urgency and encryption/privacy safeguards (EU.ci; EU Perspectives; Euronews) [7] [5] [8].
6. What remains undecided and what to watch in trilogue
Trilogue negotiations between Council and Parliament will now reconcile the Council’s common position with Parliament’s stronger encryption protections; key items to watch include whether “voluntary” scanning provisions remain, precise powers of the new EU Centre on Child Sexual Abuse, any wording that could be interpreted as an obligation to adopt client‑side scanning measures, and safeguards for journalists, lawyers and other sensitive professions (Consilium; Patrick Breyer; WinBuzzer) [1] [3] [2].
7. Competing narratives and potential hidden agendas
Advocates for the Council text emphasise operational effectiveness against CSAM and saving victims, while privacy groups stress structural risks to encryption and potential for mission creep; campaign groups frame political actors as protecting themselves (professional secrecy) while exposing citizens — a rhetorical charge found in advocacy sites but not confirmed in the Council text itself, which focuses on enforcement powers and an agency (Fight Chat Control; Consilium) [6] [1].
8. Bottom line for business leaders and organisations
Available sources show the Council position preserves the legal space for providers to continue voluntary CSAM scanning and creates enforcement mechanisms and an EU Centre, but the final legal obligations and the balance between voluntary action and regulatory pressure will depend on upcoming trilogue outcomes; organisations should monitor negotiations closely and assess technical, legal and reputational implications as the Parliament and Council reconcile their positions (Consilium; WinBuzzer; EDRi) [1] [2] [4].
Limitations: reporting is evolving and the final regulation is not yet agreed — available sources do not mention the final trilogue outcome or post‑November 26 text changes (not found in current reporting).