Skip to main content
NormaGrid

Temporary CSAM Regulation

In force Law Enforcement Regulation Adopted: 14 July 2021 · Applies from: 2 August 2021

AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.

Summary

Regulation (EU) 2021/1232 establishes a temporary derogation from certain confidentiality provisions of the ePrivacy Directive, permitting providers of interpersonal communications services to voluntarily deploy technologies for detecting, reporting, and removing child sexual abuse material (CSAM) and grooming. This temporary measure remains in force while negotiations continue on a proposed permanent framework to address online child sexual abuse.

Who is affected?

Providers of interpersonal communications services (including number-independent services) that choose to carry out voluntary detection under the temporary derogation are directly affected, as are competent authorities receiving reports and law enforcement bodies handling referrals. End users are indirectly affected because the derogation concerns processing of communications data for CSAM detection purposes under defined safeguards.

Scope

The temporary regulation applies to voluntary CSAM and grooming detection measures by providers of interpersonal communications services, as a time-limited derogation from specific ePrivacy confidentiality obligations, subject to safeguards and oversight.

Key Points

  • Provides a temporary, time-limited derogation from specific ePrivacy Directive obligations to allow voluntary detection and reporting of CSAM and grooming by service providers.
  • Mandates safeguards such as necessity, proportionality, use of the least privacy-intrusive technologies, and human oversight to minimize errors and misuse.
  • Enables reporting of detected CSAM/grooming to designated authorities and requires actions for removal or disabling access in accordance with applicable law.
  • Includes transparency and accountability requirements, such as informing users and reporting to authorities, with oversight by competent and data protection authorities.
  • Operates alongside the ongoing legislative process for a permanent CSAM Regulation, which, if adopted, will replace the temporary regime.

Key Deadlines

  • — Expiry of the temporary derogation under Regulation (EU) 2021/1232 as extended by Regulation (EU) 2024/1309

Related Regulations

Frequently Asked Questions

Who must comply with the Temporary CSAM Regulation?

Providers of interpersonal communications services who voluntarily choose to detect, report, and remove child sexual abuse material (CSAM) or grooming under the temporary derogation must comply with this regulation. Competent authorities and law enforcement bodies handling referrals are also involved.

What is the main purpose of the Temporary CSAM Regulation?

The regulation temporarily allows providers of interpersonal communications services to use specific technologies to detect, report, and remove CSAM and grooming, by derogating from certain confidentiality obligations under the ePrivacy Directive, subject to strict safeguards.

What types of services are covered by this regulation?

The regulation applies to providers of interpersonal communications services, including number-independent services such as messaging and email platforms, when they voluntarily engage in CSAM and grooming detection activities.

What safeguards must providers implement when detecting CSAM or grooming?

Providers must ensure that detection measures are necessary and proportionate, use the least privacy-intrusive technologies available, include measures to minimize errors and misuse, and provide human oversight where appropriate.

Are providers required to detect CSAM or grooming under this regulation?

No, the regulation allows but does not require providers to voluntarily detect CSAM or grooming. It creates a legal basis for such voluntary actions under defined conditions.

What are the reporting and removal obligations under the regulation?

If CSAM or grooming is detected, providers must report it to designated authorities and take actions to remove or disable access to the material, consistent with applicable law and their own terms of service.

How does the Temporary CSAM Regulation interact with the ePrivacy Directive?

The regulation creates a temporary derogation from certain confidentiality obligations in the ePrivacy Directive, specifically to allow voluntary CSAM and grooming detection, subject to safeguards and oversight.

What are the penalties for non-compliance with the regulation?

Penalties for non-compliance are determined by national authorities under the applicable legal framework, and may include administrative sanctions or other measures, particularly if providers misuse the derogation or fail to implement required safeguards.

How long will the Temporary CSAM Regulation remain in force?

The regulation is time-limited and will remain in force until a permanent EU framework for preventing and combating child sexual abuse is adopted and becomes applicable.

What practical steps should providers take to comply with the regulation?

Providers should assess the necessity and proportionality of detection technologies, implement robust safeguards and oversight, ensure transparency with users, and establish procedures for reporting and removal in line with legal requirements.

Key Terms

CSAM (Child Sexual Abuse Material)
Any material that depicts or represents the sexual abuse or exploitation of children, which providers may detect, report, and remove under this regulation.
Grooming
The solicitation of children for sexual purposes, which is also covered as a target for detection and reporting under the regulation.
Interpersonal Communications Services
Electronic communications services that enable direct interpersonal and interactive exchange of information, including number-independent services like messaging apps and email.
Temporary Derogation
A time-limited exception from certain confidentiality obligations under the ePrivacy Directive, allowing voluntary detection of CSAM and grooming.
ePrivacy Directive
Directive 2002/58/EC, which sets out rules on privacy and confidentiality in electronic communications, from which this regulation temporarily derogates.
Least Privacy-Intrusive Technology
Detection technologies that minimize the impact on users’ privacy, which providers are required to use when implementing voluntary CSAM/grooming detection.
Competent Authority
National authorities designated to receive reports of detected CSAM or grooming and oversee compliance with the regulation.
Human Oversight
The requirement for human review in the detection process to minimize errors and prevent misuse of automated technologies.
Transparency Measures
Obligations for providers to inform users about detection activities and report on their use of the derogation, ensuring accountability.
Permanent CSAM Regulation
The proposed long-term EU framework (COM(2022) 209) intended to replace the temporary regulation with a comprehensive system for combating child sexual abuse online.