EU rejects extension: No legal basis for voluntary scans by Google, Meta, Microsoft, and Snapchat

A temporary exemption to the e-Privacy Directive expired on 3 April 2026. This regulation had allowed service providers to detect and report child sexual abuse material (CSAM). The decision to end this practice followed a vote in the European Parliament, in which a majority opposed extending the transitional period. With 311 votes against and 228 in favour of the Commission's proposal, the extension of the measure was rejected.

Leading technology companies such as Google, Meta, Microsoft and Snapchat view this legal situation as posing a significant risk to child protection. These companies advocate the use of hash-matching technology. During this technical process, content is not 'read' in the traditional sense; instead, it is converted into irreversible digital fingerprints, known as 'hashes'.

These unique values are then compared against a secure database of previously identified abusive material. The industry argues that this precise detection method is vital for law enforcement agencies to effectively prevent the distribution of illegal content.

By contrast, the European Parliament prioritises proportionality and the protection of privacy. Rejecting the extension highlights the effort to protect private communication from automated scans. Many MEPs believe that permanent or wide-reaching surveillance of private data would disproportionately interfere with citizens' fundamental rights.

It is emphasised that unauthorised or automated searches of private data disadvantage the individual and compromise the integrity of private communication. Ultimately, negotiations between the Parliament and the Council failed to reach a consensus on a permanent legal framework. While the European Commission favoured extending the transitional measures to allow more time for negotiations, the Parliament demanded more specific limits and a shorter timeframe until August 2027 to ensure the measures remained targeted.

As no agreement was reached, the legal basis for these voluntary scans has lapsed. Despite this, the technology companies involved maintain their commitment and state that they will continue to take voluntary measures within their interpersonal communications services.

However, the current legal situation significantly shifts the balance in favour of data protection. The Parliament's decision reflects the view that protection against the surveillance of private communications by the state or corporations is a fundamental right that takes precedence over demands for automated content control.