Daily Briefing
2026-04-08

25 signals · generated 08:00 UTC

The EU's interim legal basis for voluntary private communications scanning has lapsed, and the European Parliament has declined to renew it. Google, Meta, Microsoft, and Snap have publicly pledged to continue CSAM scanning anyway — without a current legal foundation under the ePrivacy Directive. This creates a live compliance exposure for those platforms and raises a structural question about whether voluntary scanning, however well-intentioned, can survive scrutiny from national data protection authorities. The practical question is not whether enforcement will come, but which DPA moves first and on what theory.

The AEPD's SIM-swap enforcement decision (EXP202308705) deserves attention beyond its facts. Rather than grounding liability in Article 5(1)(f) or Article 32 — the security provisions most practitioners reach for in telecoms incidents — Spain's authority applied Article 6(1), treating the unlawful SIM transfer as a failure of lawful basis for processing. That doctrinal choice may indicate a broader enforcement posture: controllers who facilitate identity fraud through procedural failures could face lawful-basis challenges, not just security-design critiques. Telecoms compliance teams across the EU should map their SIM change workflows against this framing.

State-level activity in the US is accelerating across two distinct tracks. Illinois HB5521 would prohibit law enforcement biometric surveillance comprehensively — facial recognition, iris, fingerprint — while closing inter-agency and third-party workarounds and creating a private right of action. This extends Illinois's long-established commercial biometric framework into the public sector in a meaningful way. Separately, California's AB2246 (children's online services) has moved through committee amendments, South Carolina has introduced chatbot-specific child protection legislation, and Maryland's SB564 has cleared a second reading with amendments expanding AG data enforcement authority. The pattern suggests converging state pressure on child-facing digital products and biometric applications even in the absence of federal movement.

On EU digital infrastructure, the Entry-Exit System is days from its April 10 scheduled full rollout with confirmed operational failures already on the record: the UK has stated biometric checks will not launch on time, and industry groups are reporting two-hour wait times at peak periods. The Commission's 90-day suspension window signals that flexibility is now baked into rollout strategy, not contingency planning. Meanwhile, ENISA's EUDI Wallet certification consultation closes April 30 — covered in Monday's briefing — but a new dimension has emerged: Epicenter.Works has raised objections to the Commission's proposed mandatory biometric photo requirement and removal of trilogue-era user protections, suggesting civil society friction may complicate final scheme adoption. Organizations participating in the ENISA consultation should weigh these objections when framing their submissions.

Top Signals

🇪🇺 legislation/enforcement
EU e-Privacy derogation lapses; platforms scanning CSAM without legal basis
🇪🇸 enforcement
AEPD applies Article 6 lawful basis — not Article 32 — to SIM-swap fraud liability
🇺🇸 legislation
Illinois HB5521 would ban law enforcement biometric surveillance with private right of action
🇪🇺 analysis
EU Entry-Exit System rollout at risk days before April 10 launch; operational failures confirmed

Policy Signal · policysignalhq.com · Major privacy + AI governance moves, distilled.