EU's Child Safety Lapse: A Compliance Crisis for Dating Apps

Google, Meta, Microsoft, and Snap issued a joint statement this week condemning EU lawmakers for allowing a temporary child safety provision to expire without replacement—a rare alliance that signals genuine operational anxiety, not just regulatory theatre. The derogation, which permitted platforms to scan for child sexual abuse material (CSAM) despite strict EU privacy rules, lapsed on 3 April. For dating platforms already facing intensified scrutiny over age verification and grooming activity, the regulatory vacuum creates a particularly acute dilemma: how to detect abuse when the legal basis for detection tools has evaporated.

The expired provision was a stopgap measure introduced whilst the EU developed comprehensive child safety legislation. That legislation, known as the proposed CSAM Regulation, has been stalled since 2022 over concerns about encryption, privacy, and the scope of mandatory scanning. The temporary derogation was meant to bridge the gap. Instead, it's been allowed to expire whilst politicians argue, leaving platforms in a legal grey zone.

Create a free account

Unlock unlimited access and get the weekly briefing delivered to your inbox.

Register free

No spam. No password. We'll send a one-time link to confirm your email.

What platforms actually lose

The lapsed derogation specifically allowed number-independent interpersonal communications services—which includes messaging features on dating apps—to use automated tools for detecting CSAM. Without it, such scanning could violate the EU's ePrivacy Directive, which prohibits interception of communications without user consent.

Dating platforms have deployed increasingly sophisticated detection systems over the past 18 months, driven by regulatory pressure and reputational risk. PhotoDNA, Microsoft's hash-matching technology, is widely used across the industry to flag known CSAM. Machine learning classifiers attempt to identify grooming patterns in text exchanges. Some platforms have implemented live photo verification to combat catfishing and underage account creation. All of these tools involve automated processing of user content.

The question operators now face is whether any of this remains legally defensible under EU law. The tech giants claim in their statement that they 'will continue voluntary efforts' to protect children. That pledge requires examination. Voluntary scanning, conducted without the legal cover of the expired derogation, could itself trigger GDPR challenges from privacy advocates. The European Data Protection Board has historically taken a strict view of consent as a legal basis for processing—and it's difficult to argue users meaningfully consent to CSAM scanning when it's presented as a non-negotiable platform safety measure.

The UK divergence widens

Dating platforms operating in both the UK and EU now face diverging compliance frameworks. The Online Safety Act, which came into force with full requirements for illegal content duties in early 2025, explicitly requires services to prevent child sexual exploitation and abuse. Ofcom's codes of practice specify that platforms must use technology to identify and remove CSAM, verify user ages, and monitor for grooming behaviour.

UK-based operators have legal certainty: they must scan, and they have statutory backing to do so. EU-based operations now occupy the opposite position: scanning may violate privacy law, but failing to detect abuse could trigger liability under national criminal codes or tort law if harm occurs. The regulatory misalignment is particularly problematic for platforms that operate unified infrastructure across jurisdictions.

Match Group (MTCH), which operates Tinder, Hinge, and other brands across both markets, disclosed in its most recent 10-K filing that it faces 'increasing and sometimes conflicting legal and regulatory requirements' around content moderation and user safety.

The lapse of the EU derogation sharpens that conflict. Bumble (BMBL) and Grindr (GRND), both of which have emphasised trust and safety investments in recent earnings calls, face the same jurisdictional tension.

Smaller operators, particularly white-label platform providers serving EU markets, lack the resources to navigate this complexity. Venntro, which provides infrastructure for niche dating sites, has built age verification and content moderation tools into its platform offering—but legal ambiguity around detection mechanisms could force difficult decisions about feature availability in EU jurisdictions versus the UK and other markets.

What actually happens next

The European Commission has indicated it still intends to secure passage of the CSAM Regulation, though no timeline has been provided. The legislation has faced fierce opposition from privacy groups, cybersecurity experts, and some member states over provisions that would require platforms to scan encrypted messages. Apple, Signal, and WhatsApp have all threatened to withdraw services from the EU rather than comply with such requirements.

Dating platforms should expect the legal vacuum to persist for months, possibly longer. In the interim, operators face three options: continue scanning and accept GDPR risk, halt detection tools and accept child safety risk, or implement scanning only in jurisdictions where legal cover exists and disable it elsewhere.

The third option is the most likely outcome, but it creates a perverse incentive structure. Bad actors already target platforms with weaker enforcement. A fragmented detection regime across jurisdictions makes the EU a more attractive operating environment for those distributing CSAM or conducting grooming. That, in turn, increases reputational and regulatory risk for platforms operating in those markets—precisely the risk that drove investment in detection tools in the first place.

The tech giants' joint statement was carefully worded to apply political pressure without admitting operational changes. Dating platforms don't have that luxury. Their trust and safety teams need to make concrete decisions about detection capabilities, and they need to make them without clear legal guidance. The regulatory failure in Brussels has created a compliance crisis that will force those decisions sooner than the industry would prefer.