European Parliament vote creates legal vacuum in battle against online child abuse

Vote sounded death knell for a system which was far from perfect, but which allowed for some limited monitoring by tech companies of online child sexual abuse material
From Good Friday, April 3, tech companies will no longer have legal permission to carry out the current monitoring. A legal vacuum will be created. And children will be at greater risk of harm online than ever.

From Good Friday, April 3, tech companies will no longer have legal permission to carry out the current monitoring. A legal vacuum will be created. And children will be at greater risk of harm online than ever.

Right up to the last possible minute, there was some hope the voices of children and those who advocate and work for and with them would be heard. But a vote in the European Parliament on Thursday, March 26, probably sounded the death knell for a system which was far from perfect, but which allowed for some limited monitoring by tech companies of online child sexual abuse material.

From Good Friday, April 3, tech companies will no longer have legal permission to carry out the current monitoring. A legal vacuum will be created. And children will be at greater risk of harm online than ever.

Sadly, the failure to reach agreement is happening because one aspect of a debate about rights and principles that has been rumbling on for years in the European institutions has come to a head. That discussion concerns the extent to which data privacy rights can be modified to protect children from serious abuse and harm.

The default position in Europe’s approach to people’s interactions online is privacy. This is an agreed value which is cherished by all those who believe in the right of people to live their lives with minimum interference from government, big business and the like. It is a value enshrined in EU legislation, including in the very significant ePrivacy Directive of 2002.

People will see evidence of this directive every time they go on to a website, including when they are asked to accept or reject cookies. Without that consent, the web page is not entitled to collect certain information. 

Electronic privacy of communications is also the assurance which journalists have that their sources will remain confidential and the encrypted messages of human rights defenders will not be intercepted by hostile governments.

That privacy law does allow exceptions to ensure one right does not negate another. Necessary cookies must be accepted. Privacy rights do not extend to putting malware on systems. Emergency services may be allowed access location in a crisis.

No such exception in law limits those peddling and spreading exploitative and criminal child sexual abuse material which, originally, remained covered by the privacy law. A situation which was partially addressed in 2012 when another EU regulation allowed for a temporary exception – an exception that made it legal for tech platforms to scan some of the material seen by European consumers for child sexual abuse material and stop that material going any farther.

On foot of that regulation, Meta reported that in 2024, it actioned about 1.5 million pieces of media constituting child sexual abuse material which included an EU user it detected. Those who uploaded the material could appeal the removal. 

In 2024, it restored 1,800 pieces of content: a miniscule error rate of 0.12%. The almost 1.5 million pieces it found were reported to the worldwide National Center for Missing and Exploited Children. The ‘exception to the rule’ that enabled Meta and others online platforms to carry out such monitoring was extended from time to time, with the most recent extension due to expire on April 3.

At the beginning of March, it was expected it would be renewed while the various EU institutions worked out a more robust and permanent solution. The European Parliament and the EU Council of Ministers would have to agree to do that. Work could continue on the permanent solution which has been on the cards for a few years now and the Irish Government committed to working on it with its EU partners in the programme for government.

However, by mid-March, the European Parliament debate flagged difficulties. It agreed in principle to an extension to 2027 but went on to narrow the extent to which monitoring could take place. Encrypted material or identifying unknown predators or groomers was no longer to be included. When this proposal went to the EU Council, the council balked at the additional restrictions which, it concluded, made the monitoring ineffective.

All over Europe, children's rights advocates were appalled, and pleaded with their MEPs to allow the current status quo to continue. A previous break in monitoring in 2021 had halved the number of reports to the National Center for Missing and Exploited Children. 

A further last-minute vote took place on Thursday, March 26, where the proposal to extend the current scheme temporarily was defeated by 311 votes to 228, with 92 abstentions.

The sad reality is that after Easter, it looks like children in Ireland and all over Europe will be even more at risk of exploitation and abuse, and the spread of that abusive material, than they were before. 

They too are entitled to privacy and protection. How is that to be honoured? To do this, a balance must be achieved in the same way it was achieved so location could be revealed for an emergency call. This is what has been a normal discussion in the offline world. We need to normalise it in the online world as well. Children are entitled to that, in fairness.

  • Noeline Blackwell is online safety co-ordinator for the Children’s Rights Alliance

More in this section