Skip to main content
Geopolitics & DefenseGovernment & Policy

EU Parliament Paves Way for Chat Control Reintroduction

European Parliament interior with MEPs discussing in a debating chamber.

"The fact that Chat Control is moving forward against the will of the majority of voting MEPs is a farce and damages democracy," said former MEP Patrick Breyer, calling the measure "suspicionless mass surveillance."

How MEPs voted — the numbers that mattered

European Parliament members today failed to reach the supermajority needed to stop the reintroduction of an interim rule commonly called Chat Control or Chat Control 1.0. The roll call produced 314 votes to scrap the interim rule and 276 to keep it; but the motion to block the Council of the European Union's position required 360 votes to succeed. Because the threshold was not met, the attempt to abolish the interim rule failed despite more lawmakers voting against it than for it.

A related amendment that would have limited scanning to accounts identified by the judiciary also failed to secure the necessary majority, effectively leaving open the possibility that scanning could be applied across accounts without a warrant.

What Chat Control 1.0 permits and how it originated

Chat Control 1.0 is an interim derogation from the ePrivacy Directive that gives online communications platforms legal permission to voluntarily detect, report, and remove child sexual abuse material (CSAM). It was first introduced in August 2021 and expired on April 3, 2026. Under the interim rule, tech companies are not required to scan messages, but may do so if they wish.

The measure was introduced on the assumption that a permanent Child Sexual Abuse Regulation (CSAR), sometimes called Chat Control 2.0, would arrive sooner. The CSAR is intended to create lasting obligations for platforms to assess and mitigate the risk of their services being used to spread CSAM or facilitate grooming; it is still under negotiation.

End-to-end encryption: excluded on paper, limited in practice

Parliamentarians did secure a majority for excluding end-to-end encrypted (E2EE) platforms from the interim scanning provisions. However, the practical effect of that exclusion may be limited. The legislation as amended preserves the same basic structure as the 2021 text—Chat Control 1.0—except that it lacks legal permission to scan E2EE messages. Observers note that providers should not be able to inspect message contents in transit in any case, which constrains how meaningful the exclusion will be.

Client-side scanning and the Council's position

The Council of the European Union has advanced a position seeking laws that preserve E2EE while allowing client-side scanning for harmful material. Client-side scanning is a controversial technical approach: supporters — including some lawmakers and law enforcement officials cited in the debate — argue it is a compromise that keeps analysis on the device and lets authorities detect CSAM without exposing messages in transit. Critics, including privacy campaigners quoted in today’s discussion, contend the same mechanisms could be repurposed for mass surveillance.

Technical critics say client-side scanning breaks the principle of fully encrypted communications even if it does not expose contents in transit. Signal has previously warned that such scanning mechanisms could theoretically be used to block certain communications, for example "negative expressions related to the state," illustrating the scope of the privacy concern voiced by opponents.

The CSAR trilogue, timing, and next steps

The permanent CSAR (Chat Control 2.0) remains under trilogue negotiations between the European Parliament, the Council, and member states. Five rounds of negotiations have taken place, including what was supposed to be a final round on June 29, but no agreement has been reached. Parliament’s amended position will now be sent back to the Council, which has three months to approve or reject the legislation.

If the Council cannot accept all Parliament amendments, a conciliation committee will be convened to seek a resolution. If the interim measure is approved by the Council, it would be valid until 2028 or until a permanent regulation is passed.

What this means for tech companies, law enforcement, and privacy campaigners

  • Tech companies and providers: The interim rule leaves voluntary scanning legal; providers who choose to scan non-E2EE traffic retain a path to do so, while those offering E2EE services gained a formal exclusion but face unclear practical effects.
  • Law enforcement and policymakers: The Council’s preference for reconciling E2EE preservation with client-side scanning remains a negotiation aim; the failure to reach agreement on CSAR after five trilogue rounds keeps those options open but contested.
  • Privacy campaigners and civil libertarians: Opponents view today’s outcome as a setback. Patrick Breyer called the process "undemocratic" and warned that the old approach of "suspicionless scanning" will persist unless a new permanent regulation replaces it.

The immediate consequence of today’s vote is procedural: Parliament’s amended text goes back to the Council and a three-month window opens for acceptance, rejection, or conciliation. Substantively, the law that could return is largely the 2021 interim framework—Chat Control 1.0—now stripped of permission to scan E2EE messages but otherwise very similar to the original text. Whether that will satisfy member states, change provider behaviour, or settle the deeper conflict between privacy and investigatory needs remains unresolved.

Source: The Register