EDPS issues Opinion on extension of CSAM rules
The European Data Protection Supervisor (EDPS) has issued Opinion 7/2026 regarding the European Commission’s proposal to extend the interim rules under Regulation (EU) 2021/1232, which governs data processing aimed at combatting child sexual abuse material (CSAM) online. These interim rules, currently set to expire on April 3, 2026, would be extended until April 3, 2028. The temporary framework allows service providers to voluntarily implement measures against CSAM while negotiations continue on a permanent legal solution.
The EDPS emphasizes the importance of fighting child sexual abuse, recognizing it as a serious crime and a matter of general interest within the European Union. However, the extension presents an opportunity to address shortcomings in the current regulation. The EDPS highlights the need for clearer legal certainty, especially regarding the lawfulness of data processing under the General Data Protection Regulation (GDPR). The Opinion stresses that any scanning of data must be necessary, proportionate, and avoid indiscriminate approaches that could infringe on privacy rights.
Wojciech Wiewiórowski, the EDPS, stated that protecting children from abuse is a shared responsibility that requires maintaining fundamental rights. He noted that temporary measures should not create legal gaps or weaken privacy protections. The extension period should be used to refine the rules to ensure scanning targets only illegal content and that there is a clear legal basis for processing personal data.
The EDPS recalls previous opinions from 2020 and 2024, as well as a joint opinion with the European Data Protection Board (EDPB) in 2022. These documents consistently underline that detection methods must be targeted and respect users’ privacy. The EDPS operates under Regulation (EU) 2018/1725, overseeing data protection in EU institutions and advising on privacy issues to safeguard individuals’ rights when their data is processed.
