Extension of interim rules to combat child sexual abuse online must address shortcomings and prevent indiscriminate scanning
The European Data Protection Supervisor (EDPS) has issued Opinion 7/2026 on the European Commission’s Proposal to extend the application of Regulation (EU) 2021/1232 - namely, the interim rules regarding data processing for the purposes of combatting child sexual abuse material (CSAM) online.
The Proposal seeks to extend the interim framework, which is due to expire on 3 April 2026, until 3 April 2028. The temporary rules allow providers to take voluntary measures to combat CSAM while inter-institutional negotiations continue on a longer-term legal framework.
The EDPS underlines that child sexual abuse is a particularly serious and heinous crime and that combatting it is an objective of general interest recognised by the Union. The renewal of the interim rules provides an important opportunity, however, to address some clear shortcomings of the current Regulation (EU) 2021/1232.
The EDPS offers specific suggestions on how to ensure greater legal certainty, in particular on how to ensure lawfulness of processing within the meaning of Regulation 2016/679 (‘GDPR’). The Opinion further underlines the need of effective safeguards against general and indiscriminate scanning, in line with the principles of necessity and proportionality.
Wojciech Wiewiórowski, Supervisor, said: “Protecting children from abuse is a shared and vital duty, and we must ensure no legal vacuum emerges in this fight. However, ‘temporary’ measures must not bypass fundamental rights. This extension is the right moment to address some of the concerns that have been raised also during the discussions around a long-term Regulation, to ensure that scanning is not indiscriminate and that there is always a clear legal basis for the processing of personal data.”
The EDPS recalls previous Opinions on the matter issued in 2020 and 2024, and a 2022 Joint Opinion with the European Data Protection Board (EDPB), reiterating that any solution used to detect illegal content must be targeted and carefully consider the privacy rights of all users.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
About the EDPS: The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
The selection procedure for a new EDPS mandate for the next term of five years is still ongoing.