12 December 2025

The Centre for Democracy & Technology Europe¹, Global Partners Digital², the Internet Freedom Foundation³, the Internet Society⁴, and Mozilla⁵, constituting the Steering Committee of the Global Encryption Coalition, write to share our views on the newly agreed Council of the EU position on the EU Child Sexual Abuse Regulation (CSAR).

We have followed this file (nicknamed “Chat Control”) closely over the past three years due to the implications that the regulation could have for end-to-end encryption. We have worked with the Coalition’s 500+ members to push back against harmful previous versions of the proposal⁶.

EU policymakers have long debated how to address the distribution of child sexual abuse material in online spaces, including encrypted environments, in a way that is privacy and rights respecting. We recognize the importance of addressing child safety and appreciate that the concerns raised by the Global Encryption Coalition and other partners featured strongly in the political debate.

Previous versions of the proposal would have forced providers of encrypted communication services to introduce client side scanning capabilities to scan their users’ messages for such material. While well-intended, this would have undermined the security and privacy of everyone who relies on encryption to preserve the confidentiality and security of their communication, including young people and survivors.

We are pleased that the Council of the EU, informed by expert input, reached its position⁷ on the Child Sexual Abuse Regulation on 26 November, 2026 with a result that better protects encryption for everyone. The agreed position⁸ makes the following changes to the European Commission’s proposal:

• It removes mandatory detection obligations that would have required providers to indiscriminately scan personal communications for child sexual abuse material, including in end-to-end encrypted environments;
• It makes the derogation from the ePrivacy Directive⁹ permanent by allowing the voluntary use of scanning technologies in non-encrypted private messages;
• It requires that hosting and interpersonal communication services complete risk assessments. Providers that identify a risk of their service being used for child sexual abuse must take “all reasonable mitigation measures”. Any product functionality that allows the sharing of images or videos, especially in the context of messengers, is considered to increase risk;
• Such mitigation measures include functionalities for users to notify providers of child sexual abuse material (CSAM), features to let users control who may contact them, and the voluntary scanning of non-encrypted private communication to detect CSAM;
• Three years after the regulation comes into force, the Commission must assess the necessity and feasibility of making detection obligations mandatory.

What does the Council’s position mean for encryption?

The final Council position is a win for encryption and a testament to the efforts of the Global Encryption Coalition and its partners. By making the use of detection technologies voluntary rather than mandatory, providers will no longer be forced to undermine the strong encryption that they offer their customers. This means that European Internet users will continue to enjoy the security protections offered by encryption and use the technology to exercise their fundamental rights.

The Coalition’s Steering Committee has long emphasized the security and fundamental rights issues associated with client-side scanning¹⁰. The Council’s position safeguards encrypted communication and the privacy and security promises offered by end-to-end encryption. By making scanning voluntary, however, it does permanently open the door to the continued mass scanning of private, unencrypted communication¹¹.

We believe that strong privacy protections should be universal, and not depend on the tech-savvyness of users, who may not be aware that private, but unencrypted, chats may be subject to automated scanning.

Next steps: Trilogues

Now that both the Parliament and the Council of the EU have reached their positions on the file, the next phase of the EU lawmaking process, the trilogue negotiations, can start. Trilogue negotiations are a feature of EU policymaking where the European Commission, the European Parliament, and the Council negotiate and agree on a single unified text.

Trilogues started on December 9, 2025 and there is significant pressure for negotiations to conclude by 3 April 2026, when the temporary derogation that currently allows for voluntary scanning expires. If the trilogues do not conclude by this time, a further extension to the temporary derogation would be needed.

With both the Parliament and the Council standing against mandating client-side scanning for encrypted environments, our hope is that the trilogue negotiations will protect the security, privacy and confidentiality of encryption. At the same time, the Commission has long advocated for the use of these technologies and may continue to apply pressure on the co-legislators to undermine encryption. The Global Encryption Coalition stands ready to support this process, working with policymakers to ensure that the Internet can be used safely by children.

Beyond Chat Control – EU plans on Encryption

The Commission’s recently presented EUProtect Strategy¹² includes plans for a “Technology Roadmap to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data”. As shared in our previous open letter, signed by 89 civil society organizations, companies, and cybersecurity experts, we are concerned by the Strategy’s potential impact on end-to-end encryption¹³. We continue to call on the European Commission to reframe the Technology Roadmap to highlight the benefits of encryption and identify areas for its increased usage as a tool to strengthen cyber defense. 

---

This is a statement of the members of the Steering Committee of the Global Encryption Coalition, which consists of the Center for Democracy & Technology, Global Partners Digital, the Internet Freedom Foundation, the Internet Society, and Mozilla.

1.  Center for Democracy and Technology, 8 Aug. 2025, cdt.org/. ↩︎
2.  Global Partners Digital, www.gp-digital.org/. Accessed 1 Sept. 2025. ↩︎
3. “Internet Freedom Foundation.” Internet Freedom Foundation, internetfreedom.in/. Accessed 1 Sept. 2025. ↩︎
4. Internet Society, 8 Aug. 2025, www.internetsociety.org/. ↩︎
5. Mozilla, www.mozilla.org/en-US/. Accessed 1 Sept. 2025. ↩︎
6. https://www.globalencryption.org/2024/05/joint-statement-on-the-dangers-of-the-may-2024-council-of-the-eu-compromise-proposal-on-eu-csam/;
   https://www.globalencryption.org/2024/09/gec-steering-committee-statement-on-9-september-text-of-the-european-csa-regulation/;
   https://www.globalencryption.org/2025/09/gec-steering-committee-statement-on-1-july-text-of-the-european-csa-regulation/. ↩︎
7. https://www.consilium.europa.eu/en/press/press-releases/2025/11/26/child-sexual-abuse-council-reaches-position-on-law-protecting-children-from-online-abuse/ ↩︎
8. https://www.consilium.europa.eu/en/press/press-releases/2025/11/26/child-sexual-abuse-council-reaches-position-on-law-protecting-children-from-online-abuse/ ↩︎
9.  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021R1232 ↩︎
10. https://www.globalencryption.org/2025/09/gec-steering-committee-statement-on-1-july-text-of-the-european-csa-regulation/ ↩︎
11.  The temporary derogation creates an exception to the EU’s ePrivacy Rules that allows providers to voluntarily scan private messages for child sexual abuse material. The inclusion of voluntary scanning in the Council’s position would replace the temporary derogation, creating a permanent exception that allows for the scanning of unencrypted communications.
    ↩︎
12.  https://ec.europa.eu/commission/presscorner/detail/en/ip_25_920
    ↩︎
13. https://www.globalencryption.org/2025/05/joint-letter-on-the-european-internal-security-strategy-protecteu/
    ↩︎