Brussels, 26 June 2026 — As EU institutions move toward concluding key consultations on digital child protection rules, the Council of European Professional Informatics Societies (CEPIS) is issuing a strong warning against proposals that could introduce broad monitoring of private communications.
CEPIS cautions that ongoing discussions around the temporary rules on voluntary detection of child sexual abuse material (CSAM) and the proposed permanent CSA Regulation risk shifting toward warrantless searches of private messages, emails, and cloud content.
Risk of Policy Reversal
Recent signals from the European Parliament suggest the possibility of a political reversal that could undermine previous opposition to blanket scanning of digital communications. Such a move, the organisation argues, would have serious implications for fundamental rights, cybersecurity, and democratic transparency.
CEPIS urges EU lawmakers to uphold the Parliament’s earlier stance rejecting indiscriminate monitoring of chat services, emphasizing that measures to combat child sexual abuse must remain targeted, lawful, and technically sound.
Targeted Enforcement, Not Mass Surveillance
At the heart of CEPIS’s position is the argument that effective child protection depends on focused law enforcement rather than large-scale surveillance.
“Child protection is a core responsibility of the state and cannot be delegated to private platforms to monitor hundreds of millions of users without suspicion,” said Kai Rannenberg, Chair of the CEPIS Legal and Security Issues expert group.
CEPIS also warns that weakening encryption technologies—or bypassing them through tools such as client-side scanning—could have far-reaching consequences beyond privacy. The group stresses that secure encryption is essential not only for individuals, but also for businesses, public authorities, journalists, and civil society.
Three Key Concerns
CEPIS highlights three specific risks in the current policy debate:
- De facto mandatory monitoring: So-called “voluntary” detection systems could effectively become compulsory if platforms are forced to adopt widespread scanning to meet regulatory requirements.
- Lack of judicial oversight: Detection orders must be based on concrete suspicion and approved by courts, rather than vague risk assessments.
- Mandatory age verification: Requiring identity checks for private communications could restrict anonymous or pseudonymous interaction, disproportionately impacting vulnerable groups.
Technical Limitations and Risks
The organisation also points to the limitations of automated detection technologies used to identify abusive content or grooming behaviour. Such systems, CEPIS notes, are prone to errors and misuse.
False positives could flag legitimate communications—such as family exchanges, educational material or medical information—as suspicious. Meanwhile, more sophisticated offenders are often able to evade detection by moving to alternative platforms, encrypted tools, or darknet networks.
As a result, CEPIS argues, mass scanning measures would primarily affect ordinary users, while doing little to disrupt organised criminal activity.
Call for Alternative Measures
Rather than expanding surveillance, CEPIS is advocating for:
- Increased investment in specialised investigative units
- Stronger cross-border cooperation among law enforcement
- Faster analysis of credible leads
- Improved support for victims
Concerns Over Legislative Process
CEPIS also criticised reports suggesting that previously rejected measures could be reintroduced through procedural manoeuvres. It stressed that bypassing parliamentary decisions through last-minute negotiations would damage public trust in EU lawmaking.
Policy Recommendations
The group calls on EU institutions to ensure that any final agreement respects fundamental rights and democratic principles. Its recommendations include:
- Reject any form of general or de facto mandatory monitoring of private communications
- Safeguard end-to-end encryption without weakening or circumvention
- Avoid mandatory age verification for private messaging and email services
- Limit detection measures to targeted cases based on court orders and reasonable suspicion
- Prioritise effective, lawful, and evidence-based child protection strategies
- Maintain transparency and respect parliamentary decisions in ongoing negotiations
A Broader Warning
CEPIS concluded with a broader appeal, cautioning that infrastructure designed for surveillance in the name of child protection could later be repurposed for other uses.
As EU lawmakers prepare to finalise their position in the coming days, CEPIS is urging policymakers to reject blanket surveillance measures and instead pursue targeted, rights-respecting solutions to protect children online.
The current status of the Chat Control proposal debate can be followed on the Fight Chat Control website.
