European Union: European Data Protection Supervisor issued opinion on proposal to extend Regulation (EU) 2021/1232 on derogation from ePrivacy Directive until 2028

On 17 February 2026, the European Data Protection Supervisor (EDPS) issued Opinion 7/2026 on the European Commission’s proposal to extend the application of Regulation (EU) 2021/1232. This regulation sets out interim rules on data processing for the purpose of combatting online child sexual abuse material (CSAM). The Regulation would temporarily derogate from the ePrivacy Directive, enabling providers of online communication services to voluntarily detect, report, and remove CSAM. The Commission proposed extending this interim framework, due to expire on 3 April 2026, until 3 April 2028. In the opinion, the EDPS acknowledged that combating child sexual abuse is a recognised objective of general interest in the Union, and the extension presents an opportunity to address shortcomings in the current framework. The EDPS called for greater legal certainty regarding the lawfulness of processing under Regulation (EU) 2016/679 (General Data Protection Regulation) and emphasised the need for effective safeguards against indiscriminate and general scanning, in line with the principles of necessity and proportionality.