EU glitch hits CSAM tools

The EU’s temporary ePrivacy derogation expired on April 3, creating legal uncertainty for how Google, Meta and Microsoft can run automated CSAM detection and reporting — and that gap could disrupt channels to Europol and NCMEC. (Content moderation and automated scans rely on clear legal cover; without it, firms risk legal challenges even as they try to keep child abuse material off their platforms.) (x.com)

On April 3, 2026, a small line in European Union law expired and left some of the world’s biggest internet companies in a legal gray zone. Google, Meta, Microsoft, and other messaging and email providers can still try to detect child sexual abuse material, but the clear European legal cover that had allowed those scans in private communications is gone. (europarl.europa.eu)

The expired rule was a temporary exception to Europe’s privacy framework. It let providers of web-based email, messaging, and similar services use specific technologies to detect, report, and remove online child sexual abuse material even though electronic communications are normally protected by strict confidentiality rules. (consilium.europa.eu; eur-lex.europa.eu)

That exception existed because Europe changed the definition of electronic communications in December 2020. When webmail and messaging services were pulled fully under the privacy rules, companies suddenly faced questions about whether routine child-safety scanning in private messages was still lawful. (eur-lex.europa.eu)

The European Union answered that problem in 2021 with Regulation 2021/1232. That law created a temporary derogation, which is European legal language for a narrow carveout, so companies could keep using tools to find known abuse images, report them, and remove them while lawmakers worked on a permanent system. (eur-lex.europa.eu)

In April 2024, the Council of the European Union extended that temporary measure until April 3, 2026. The extension was supposed to buy time for a long-term law, but the long-term law was still not finished when the new deadline arrived. (consilium.europa.eu)

The fight was never just about whether abuse should be reported. It was about whether private communications services should be allowed to scan message content at all, what kinds of material could be scanned for, and whether any such system could avoid spilling into broader surveillance. (europarl.europa.eu)

On March 11, 2026, the European Parliament backed a narrower extension until August 3, 2027. Members said any continued voluntary detection should stay targeted, should not apply to end-to-end encrypted communications, and should focus on already identified abuse material or content flagged by users, trusted flaggers, or organizations. (europarl.europa.eu)

Fifteen days later, on March 26, 2026, Parliament said negotiations with the Council had failed and voted not to prolong the interim derogation. The final vote was 228 in favor, 311 against, and 92 abstentions, which meant the temporary rule would expire after April 3, 2026. (europarl.europa.eu)

That is why this story matters to companies like Google, Meta, and Microsoft. If they keep scanning private communications in Europe, they now face more legal uncertainty under privacy law; if they stop, they may miss known abuse material that their systems previously caught automatically. (blog.google; blogs.microsoft.com)

The main technology at issue is often hash matching. A hash is an irreversible digital fingerprint of a file, and companies compare those fingerprints against databases of already identified child sexual abuse images and videos to find exact matches at high precision. (blog.google)

That sounds technical, but the practical effect is simple: fewer lawful scans can mean fewer reports. In late 2020, when Europe first created uncertainty around these practices, the National Center for Missing and Exploited Children said reports of European Union-related child sexual exploitation dropped by 58 percent after the rules changed. (missingkids.org)

Those reports usually move through the National Center for Missing and Exploited Children’s CyberTipline, which receives reports from electronic service providers and passes actionable information to law enforcement. A disruption in what companies can lawfully detect in Europe can therefore ripple outward into the reporting pipeline used by investigators in the United States and abroad. (missingkids.org)

Europol sits on the European side of that broader enforcement picture. The European Union’s temporary regime was designed in part to keep reporting and removal flowing while lawmakers built a permanent framework, so a legal gap now creates uncertainty not just for platform trust-and-safety teams but for the agencies that depend on those reports. (consilium.europa.eu; europarl.europa.eu)

The companies are publicly signaling that they do not plan to walk away from child-safety work. On April 3, Microsoft published a joint statement saying Google, Meta, Microsoft, and Snap would continue taking voluntary action on relevant interpersonal communication services while urging European Union institutions to agree on an interim and durable framework. (blogs.microsoft.com)

That does not remove the legal risk. A company can promise to keep acting, but if the law no longer clearly authorizes the scanning that underpins those actions, every detection system becomes more vulnerable to challenge by regulators
