2 September 2025
The Centre for Democracy & Technology Europe,[i] Global Partners Digital,[ii] the Internet Freedom Foundation,[iii] the Internet Society,[iv] and Mozilla,[v] constituting the Steering Committee of the Global Encryption Coalition, write to express our concerns with the 1 July Danish Presidency’s Compromise Text[vi] on the EU Child Sexual Abuse Regulation (CSAR).
We have carefully followed Council discussions on this file due to its potential impact on end-to-end encryption. We helped develop a joint statement on the Belgian Presidency’s Compromise Text[vii] that was signed by 60+ organizations and 50+ individuals as well as a Steering Committee statement on the Hungarian Presidency’s Compromise Text.[viii] These statements emphasized the dangers of mandated client-side scanning for end-to-end encrypted messaging services due to the creation of new cybersecurity vulnerabilities and the impact on human rights and fundamental freedoms.
The recent Danish Compromise Text not only retains concerning aspects of previous proposals but goes even further by mandating that service providers scan for both known and unknown Child Sexual Abuse images.
This continued effort to mandate client-side scanning for end-to-end encrypted environments fails to address concerns raised by the Global Encryption Coalition, the Council’s Legal Service,[ix] and the European Data Protection Supervisor.[x] Mandated scanning is not fit for purpose as it is ineffective, creates new vulnerabilities, and defeats the end-to-end principle of strong encryption that enables the exercise of human rights.
- Client-side scanning is ineffective. Perpetrators that share child sexual abuse material can easily circumvent scanning measures and avoid detection[xi] by zipping the images, embedding them in a presentation, or encrypting them themselves. Mandated scanning risks creating a false sense of safety, when in reality children will be no better protected. Children deserve measures that will actually tackle the issue of abusive material.
- Client-side scanning puts individuals and national security at risk. Client-side scanning requires the creation of a complex infrastructure of databases, on-device scanning capabilities, and alerts which would be an attractive target for attackers,[xii] particularly hostile foreign governments. At a moment when the European Union is prioritizing security, it is essential that vulnerabilities are minimized, not created. These concerns have been echoed by member state authorities in Sweden[xiii] and the Netherlands.[xiv] Tellingly, the Danish Compromise Text exempts European Union government and military accounts from scanning requirements, likely due to the associated security risks.
- Client-side scanning threatens fundamental rights. Experts believe that the proposal would fail to hold up in court as it is incompatible with areas of European law. The EU Charter of Fundamental Rights[xv] sets limits on “general monitoring” while the European Court of Human Rights Podchasov v Russia case[xvi] establishes that requirements to weaken end-to-end encryption disproportionately violate the fundamental right to privacy. It is clear that client-side scanning threatens everyone’s rights, including the rights of those it aims to protect.
In practice, client-side scanning creates a system that could be abused for mass surveillance purposes. Public perception of the creation of such a system presents a risk to the European Institutions at a time when the credibility of our democracies is more critical than ever.
We call on Ministers in the Council of the EU to once again reject[xvii] all scanning proposals that are inconsistent with the principle of end-to-end encryption, including client-side scanning.
Regulation that ineffectively addresses the root problem while creating new security vulnerabilities and threatening rights is not a good trade-off. Children deserve measures that actually will work and are technically sound, respectful of rights, and fit for purpose.
This is a statement of the members of the Steering Committee of the Global Encryption Coalition, which consists of the Center for Democracy & Technology, Global Partners Digital, the Internet Freedom Foundation
[i] Center for Democracy and Technology, 8 Aug. 2025, cdt.org/.
[ii] Global Partners Digital, www.gp-digital.org/. Accessed 1 Sept. 2025.
[iii] “Internet Freedom Foundation.” Internet Freedom Foundation, internetfreedom.in/. Accessed 1 Sept. 2025.
[iv] Internet Society, 8 Aug. 2025, www.internetsociety.org/.
[v] Mozilla, www.mozilla.org/en-US/. Accessed 1 Sept. 2025.
[vi] “Interinstitutional File: 2022/0155(COD). Proposal for a Regulation of the European Parliament and of the Council Laying down Rules to Prevent and Combat Child Sexual Abuse − Presidency Compromise Texts.” Council of the European Union, 9 Sept. 2024, www.patrick-breyer.de/wp-content/uploads/2024/09/st12406.en_clean.pdf.
[vii] “Joint Statement on the Dangers of the May 2024 Council of the EU Compromise Proposal on EU CSAM.” Global Encryption Coalition, 13 June 2024, www.globalencryption.org/2024/05/joint-statement-on-the-dangers-of-the-may-2024-council-of-the-eu-compromise-proposal-on-eu-csam/.
[viii] “GEC Steering Committee Statement on 9 September Text of the European CSA Regulation.” Global Encryption Coalition, 16 Sept. 2024, www.globalencryption.org/2024/09/gec-steering-committee-statement-on-9-september-text-of-the-european-csa-regulation/.
[ix] “OPINION OF THE LEGAL SERVICE: Proposal for a Regulation Laying down Rules to Prevent and Combat Child Sexual Abuse – Detection Orders in Interpersonal Communications – Articles 7 and 8 of the Charter of Fundamental Rights – Right to Privacy and Protection of Personal Data – Proportionality.” Council of the European Union, 26 Apr. 2023, www.statewatch.org/media/3901/eu-council-cls-opinion-csam-proposal-8787-23.pdf.
[x] “EDPS Joint Opinion 04/2022 on the Proposal for a Regulation of the European Parliament and of the Council Laying down Rules to Prevent and Combat Child Sexual Abuse.” EDPB, 28 July 2022, www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-042022-proposal_en.
[xi] “EDPS Joint Opinion 04/2022 on the Proposal for a Regulation of the European Parliament and of the Council Laying down Rules to Prevent and Combat Child Sexual Abuse.” EDPB, 28 July 2022, www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-042022-proposal_en.
[xii] “Experimental Analyses of the Physical Surveillance Risks in Client-Side Content Scanning.” NDSS Symposium, 15 Oct. 2024, www.ndss-symposium.org/ndss-paper/experimental-analyses-of-the-physical-surveillance-risks-in-client-side-content-scanning/.
[xiii] “Försvarsmaktens Remissyttrande.” Försvarsmakten, 22 Nov. 2024, regeringen.se/contentassets/e22f777eb1964c258c5d9a21adb6a355/forsvarsmakten.pdf.
[xiv] “Beslisnota Bij Kamerbrief Inzake Kabinetsstandpunt EU- Verordening Ter Bestrijding van Online Seksueel Kindermisbruik.” Ministerie van Justitie En Veiligheid, 30 Sept. 2024, gegevensmagazijn.tweedekamer.nl/SyncFeed/2.0/Resources/6b0e965e-76c0-489a-a253-1cb81d1bace8.
[xv] Charter of Fundamental Rights of the European …, www.europarl.europa.eu/charter/pdf/text_en.pdf. Accessed 1 Sept. 2025.
[xvi] “Global Encryption Coalition Steering Committee Statement on the ECtHR Court Ruling on Encryption in Podchasov v. Russia.” Global Encryption Coalition, 23 Feb. 2024, www.globalencryption.org/2024/02/global-encryption-coalition-steering-committee-statement-on-the-ecthr-court-ruling-on-encryption-in-podchasov-v-russia/.
[xvii] “European Union Member States Speak up for Encryption.” Global Encryption Coalition, 20 Dec. 2024, www.globalencryption.org/2024/12/european-union-member-states-speak-up-for-encryption/.