Users online are sounding the alarm over a set of measures outlined in the European Commission’s proposal to combat child sexual abuse online. The measures, if approved, would allow governments and private messaging companies to scan users’ messages to prevent the circulation of child sexual abuse material (CSAM), and to help identify victims.
But a new wave of online content alleges that the European Union is about to start scanning all messages immediately, and sometimes before they have even been sent.
These concerns are premature and misleading, as the process to approve the law is still underway, and it’s unclear what the final measures will look like.
The proposed law in question is the European Commission’s 2022 proposal for a Regulation to Prevent and Combat Child Sexual Abuse. It is designed to create a single EU-wide legal framework for detecting, reporting, and removing CSAM and for tackling the online grooming of children.
The proposal aims to replace the current patchwork of industry efforts and national rules with a harmonised system that gives authorities clear legal tools to act.
And yes, the Commission’s original proposal does include aspects of text and message scanning, but proponents argue it would be done in a limited and legally defined way. It would introduce “detection orders,” which are legally binding requests for a technology provider to detect either known or new CSAM, or grooming attempts online.
These orders would have to be requested by a national coordinating authority, justified on the basis of risk, and authorised by a court or an independent administrative authority.
Yet, critics warn that such measures could significantly undermine online privacy. If applied to end-to-end encrypted services, detection might have to occur on users’ devices, a practice known as client-side scanning, weakening encryption and privacy even if the law’s stated focus is strictly limited to child protection.
However, claims that a blanket system will soon scan everyone’s messages are misleading because this text is still moving through the EU’s lawmaking process.
Until Parliament and the Council agree on a single version of the draft law, nothing can be enforced.
The European Parliament has already voted for major changes that would roll back the most far-reaching parts of the Commission’s draft. In late 2023, its civil liberties committee (LIBE) adopted a position that rejected generalised and indiscriminate scanning and explicitly seeks to protect end-to-end encryption.
The Parliament’s text favours more targeted, risk-based detection measures and insists on strong safeguards. It argues that breaking encryption would harm privacy and cybersecurity for everyone.
The Council’s position is more complicated and for now remains divided. A majority of 15 member states, such as France and Spain and Italy, currently support mandatory scanning. Six countries including Austria, the Netherlands and Poland have said they cannot accept the law in its current form, while six member states remain undecided.
A new vote is now scheduled for 12 September 2025. But even if the Council comes to an agreement, it will still need to negotiate a compromise text with Parliament in a process called “trilogues.” The regulation can only take effect once both institutions have signed off on identical wording.
Concerns about privacy
If the text were to be greenlit in its current form, the proposal would give EU authorities, for the first time, the power to ask providers of private communications services to actively search through users’ messages, images, and other data.
These “detection orders” could apply to entire services, not just individual suspects. If applied to end-to-end encrypted apps like WhatsApp or Signal, providers might have to introduce client-side scanning, where content is checked on the device before encryption.
Critics also fear so-called “function creep”: once a system for scanning all users’ messages exists, future governments might be tempted to expand its scope to other areas, such as terrorism, copyright enforcement, or political dissent.
But viral panic about the EU “immediately scanning everyone’s messages” is misleading, because the proposal is still only a draft and has been under debate for more than three years without agreement.
Nothing can take effect until both the European Parliament and the Council agree on the same text, and the Parliament has already voted to limit scanning and protect encryption.
Even if a compromise is eventually reached, detection orders would still require case-by-case authorisation by courts or independent authorities, and would be time-limited. This means there are no plans to flick a switch that will suddenly scan all Europeans’ private communications.
Read the full article here