Is Surveillance the Price for Protecting Children? EU Council Agreement on Chat Regulation

The agreement reached by the Council of the European Union concerns the proposal for a regulation presented by the European Commission in May 2022, laying down rules to prevent and combat child sexual abuse. The EU Council justified the need to adopt such regulations on the grounds of the need for more effective protection of minors, the rise in cases of child sexual abuse during the COVID-19 pandemic, and the inadequacy of current regulations to address such challenges.

Is child protection a pretext for mass surveillance of Europeans?

The European Commission’s proposal has sparked significant controversy from the very beginning. Experts and critics, representing a broad ideological spectrum, accused the European Commission of enabling de facto surveillance of the citizens of the European Union’s member states under the pretext of protecting children and minors. The legislative proposal was based on the assumption that every action, piece of information, message, and every file posted on digital platforms would be seen as a potential threat requiring verification, which would involve analyzing it, that is, scanning its content. As a result, in accordance with the draft regulation, all such content should be decrypted and subject to assessment, including information sent between employees as well as commercial correspondence between businesses. The draft proposal was also negatively evaluated by Ordo Iuris.

Members of the current Polish government have also expressed opposition to the mass scanning of private correspondence. “Polish representatives have repeatedly emphasized the need to maintain a balance between effectively countering the dissemination of materials depicting the sexual exploitation of children (CSAM, for Child Sexual Abuse Material) and protecting users’ fundamental rights, such as the right to privacy and online safety,” it said in the statement published in mid-September of this year on the website of the Polish Ministry of Digital Affairs.

A lot of controversy and more drafts of the regulation

As a result of the controversies surrounding the original version of the regulation, in November 2023 the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (LIBE) approved an amended draft of this legal act. As a matter of fact, the European Parliament introduced a number of significant changes, including, among other things, the removal of provisions in the original draft of the regulation on mass surveillance that infringed on users’ privacy.

The proposed changes introduced in the draft regulation significantly relaxed its provisions. It still contained. however, provisions that raised serious concerns. In July 2025, the Danish presidency of the EU Council presented another draft, which, among other things, proposed adding risk categorization (in three groups). The draft also introduced proposed provisions aimed at protecting the privacy of users of online services (requiring the authorization of judicial authorities or independent administrative authorities for issuing orders concerning the detection and removal of CSAM content, i.e., content depicting the sexual exploitation of children). This project, too, despite the introduction of some positive elements, still sparked controversy.

The Council of the European Union reaches agreement

Ultimately, the Council of the European Union managed to reach an agreement on this matter. The new draft regulation introduces a number of significant changes. It provides for the imposition of an obligation on internet service providers to assess whether the services they provide are being used to disseminate CSAM. Based on this assessment, they will have to implement appropriate measures aimed at reducing this risk, including providing tools that enable users to report cases of online child sexual abuse, as well as introducing default privacy settings for children. The analysis of these assessments would be carried out by national authorities designated by the individual EU countries and authorized to issue orders to remove content and to remove such content from search results. Additionally, in the event of non-compliance with the regulations, the draft regulation provides for the imposition of monetary fines on providers.

It also includes provisions requiring companies that provide online services to assist victims of sexual exploitation in removing or blocking materials in which they appear. To this end, under the proposal, victims will be able to contact the planned EU Center on Child Sexual Abuse. The task of this agency will be to support Member States and internet service providers in implementing the provisions of the regulation. The Center shall assess and process information from internet service providers about detected CSAM and shall create, maintain, and operate a database of reports from providers.

Public opinion reactions

The draft regulation adopted by the Council of the European Union has drawn mixed reactions. On the one hand on the Telepolis website it was emphasized that “instead of invasive scanning, the burden of responsibility has been shifted to risk analysis,” while also stressing that “there is no (…) mandate for algorithms to read our chats”.

“It seems to me that a compromise in the Council of the EU was reached by postponing the implementation of the decryption of online communications, if it happens at all, to the distant future and only with the consent of regulators”, further emphasized Piotr Mieczkowski on the WNP website. “This is, de facto, a victory for opponents of chat control,” noted the managing director of the Digital Poland Foundation.

On the other hand, experts and the media point out that the project in its current form still entails numerous risks. In the cited article on the WNP portal, Ella Jakubowska of European Digital Rights stated that the Council of the EU’s position is a major step toward ruling out any mandate for mass scanning of online messages and attempts to weaken encryption. She emphasized that “at this stage, it’s more of a political statement than a real guarantee.” “The current ‘safeguards’ in the EU Council’s draft regulation are not yet sufficient to guarantee this [encryption protection],”, the expert noted. A similar view was expressed by Patrick Beyer, a former German MEP, who said that the proposal contains “hidden dangers,” and that even voluntary consent to the scanning of platforms will lead to the “legalization” of this mechanism.

What are the next stages of the legislative process?

The position adopted by the Member States within the Council of the European Union will serve as the basis for negotiations with the European Parliament to agree on the final wording of the proposal. It is expected that EU institutions will reach an agreement on this matter before April 2026, since that is when interim provisions, under which platforms may voluntarily scan the web for CSAM content, take effect. The specified provisions (Regulation 2021/1232) were supposed to remain in force until August 2024, but due to the lack of the expected progress in the work on “chat control,” the regulation’s validity has just been extended until April 2026.

“Protecting children and young people from sexual exploitation, as well as combating the presence on the Internet of harmful content related to this phenomenon, should raise no objections. In the case at hand, however, the problem is not the concept of protecting children itself, but the way it would be implemented, which would lead to mass surveillance of citizens of the Member States of the European Union. The proposed regulation, although considerably softened compared to earlier drafts, still raises certain significant concerns regarding the ability of internet service providers to scan private content. Moreover, it should be noted that the draft regulation that is the subject of this publication will be subject to further negotiations,” comments Patryk Ignaszczak of the Ordo Iuris Center for International Law.