The European Parliament on Thursday voted against extending rules that have let tech companies hunt for child sexual abuse material (CSAM) by scanning their services.

The law, which exempts platforms from strict privacy rules so they can scan for CSAM, lapses next Friday. When it does, tech companies will no longer be able to use certain scanning tools to detect the material and turn it over to law enforcement.

The 311 members of Parliament who voted against an extension did so despite strong support from law enforcement, children’s rights groups, German Chancellor Friedrich Merz, several European commissioners and a half dozen big tech companies to allow the scans to continue.

Critics have long held that scanning for CSAM allows mass surveillance and violates Europeans’ privacy rights, an argument that apparently resonated with many lawmakers.

“This is actually just enabling big tech companies to scan all of our private messages, our most intimate details, all our private chats so it constitutes a really, really serious interference with our right to privacy,” said Ella Jakubowska, head of policy at the digital rights nonprofit eDRI.

“It's not targeted against people that are suspected of child abuse — It's just targeting everyone, potentially all of the time.”

Jakubowska also said there are no credible statistics showing that scanning is effective and cited cases where innocent people have been falsely accused of spreading CSAM because scanning tools are not as “robust as the developers of them claim they are.”

Catherine De Bolle, the executive director of Europol, expressed alarm over Parliament’s vote, saying there has been a sharp increase in online CSAM recently and law enforcement will now be severely hindered when investigating it.

De Bolle said in a statement that she is “deeply concerned about the potential operational impact” of the vote.

Last year, Europol processed around 1.1 million so-called CyberTips alerting authorities to potential CSAM that were sourced as a result of the scanning, De Bolle said.

She predicted a “serious reduction” in CyberTips moving forward and said Parliament’s actions will “undermine the capability to detect relevant investigative leads on CSAM, which in turn will severely impair the EU’s security interests of identifying victims and safeguarding children.”

“From a law enforcement perspective, enabling online service providers to continue detecting and reporting suspected CSAM to the competent authorities is vital for the protection of children,” De Bolle said.

The vote was the culmination of several weeks of infighting between Parliament and national governments and European commissioners who wanted the rules extended.

The rule that Parliament failed to extend is a temporary one that has been in place since voluntary CSAM detection was last extended in 2024. Parliament has been negotiating a permanent framework since November 2023, but an agreement has been elusive due to strong disagreements.

Tech companies are strong proponents of the scanning, saying it is a vital tool for protecting children.

On March 19, tech giants including Google, Snapchat, Microsoft, TikTok and Meta released a statement saying they are “deeply concerned.”

“Failure to act will reduce the legal clarity that has enabled companies for nearly 20 years to voluntarily detect and report known child sexual abuse material (CSAM) in interpersonal communication services, leaving children across Europe and around the world with fewer protections than they had before,” the statement said.

The tech companies portrayed their tools for detecting CSAM as highly effective, saying they use hash matching to create digital fingerprints that identify known CSAM and match the “unique” hashes to previously identified material stored in a secure database.

“The system ensures high-precision detection while adhering to privacy principles,” the statement said.