Why ‘I Don’t Allow Meta’ Posts Don’t Work and What to Do
Every so often, viral posts start spreading on Facebook and Instagram claiming something like: “I do not allow Meta to […]
The European Parliament has supported the return of temporary EU rules allowing online service providers to voluntarily scan certain private communications for child sexual abuse material.
The measure is commonly referred to by critics as Chat Control 1.0. It permits providers such as email, messaging and social media platforms to use detection technologies to identify, report and remove online child sexual abuse material, or CSAM.
The July 2026 vote is particularly controversial because more Members of the European Parliament voted against the measure than in favour of it. However, opponents did not reach the absolute majority required to reject the proposal under the parliamentary procedure used. The rejection motion received 314 votes, while 276 MEPs voted in favour and 17 abstained. A minimum of 361 votes was required to block the proposal.
The proposal is intended to restore an exemption from EU electronic communications privacy rules that expired on 3 April 2026. Under the proposed extension, the temporary framework could remain applicable until 3 April 2028 while EU institutions continue negotiating a permanent law on preventing and combating child sexual abuse online.
However, the process is not yet necessarily complete. Following the Parliament’s July position, the Council must address the Parliament’s amendments before the measure can be formally adopted and take legal effect.
The development raises difficult questions about the confidentiality of communications, automated content analysis, false positive results, the protection of children and the future of end-to-end encryption in Europe.
Full article here
“Chat Control” is an informal term used to describe EU legislative measures concerning the detection of child sexual abuse material in online communications.
It is important to distinguish between two related but separate initiatives:
The temporary regulation does not generally require companies to scan messages. Instead, it creates an exception allowing qualifying communications providers to voluntarily process communications data using technologies designed to detect and report online child sexual abuse.
The permanent proposal is broader. Different versions have included mandatory risk assessments, detection orders, age-verification measures and obligations applicable to a wider range of online services.
Conflating these two initiatives can create the misleading impression that the July 2026 vote immediately introduced mandatory scanning of every private or encrypted message in Europe. That is not what the temporary derogation does.
The confidentiality of electronic communications is protected in the EU primarily through the ePrivacy Directive, alongside the GDPR and the EU Charter of Fundamental Rights.
Article 5 of the ePrivacy Directive establishes the confidentiality of communications and related traffic data. As a general rule, listening to, tapping, storing or otherwise intercepting communications without the consent of the users concerned is prohibited, except where legally authorised.
The European Data Protection Supervisor describes the ePrivacy Directive as an important EU instrument protecting the confidentiality of communications and limiting tracking and monitoring.
This creates a legal issue when an email or messaging provider wants to analyse the content of users’ communications for CSAM. Even where the provider’s intention is to detect illegal material, analysing private communications may interfere with confidentiality and involve the processing of personal data.
Regulation (EU) 2021/1232 was therefore introduced in 2021 as a temporary derogation from specific ePrivacy requirements. It created a limited legal framework under which providers of certain number-independent interpersonal communications services could continue voluntary detection, reporting and removal activities.
The original measure was temporary because EU policymakers intended to replace it with a comprehensive and permanent legal framework.
That permanent framework has still not been finalised.
The temporary derogation was previously extended until 3 April 2026.
In December 2025, the European Commission proposed extending the framework again, this time until 3 April 2028. The stated purpose was to prevent a legal gap while negotiations continued on the permanent Child Sexual Abuse Regulation.
The European Parliament’s position then changed several times.
On 11 March 2026, Parliament adopted amendments supporting a more limited extension, with 458 votes in favour, 103 against and 63 abstentions. The proposed safeguards included tighter limits on the technologies and communications that could be covered.
On 26 March 2026, Parliament rejected the overall legislative proposal by 311 votes to 228. As a result, the existing derogation expired after 3 April 2026.
In July, the Council moved to reinstate the interim measure, arguing that voluntary detection activities play an important role in identifying offenders, rescuing victims and reducing the circulation of child sexual abuse material.
The file then returned to Parliament under an urgent procedure.
Although 314 MEPs opposed the proposal in the July vote, they did not reach the absolute majority of all Parliament members required to reject it. Consequently, Parliament did not block the Council’s position, subject to the treatment of the Parliament’s amendments and completion of the legislative process.
This unusual outcome is why some coverage has described the measure as having passed even though more participating MEPs voted against it than supported it.
The phrase “reading private messages” can be misleading if it suggests that employees at technology companies manually open and review every email or conversation.
In practice, providers may use automated detection technologies to analyse content or attachments for indicators of child sexual abuse material.
Depending on the system, those technologies may include:
Nevertheless, automated scanning is still a form of processing communications content. It may reveal information about users, flag lawful communications, generate reports and lead to further investigation.
For that reason, the legal and fundamental-rights implications remain significant even where no human employee reads the majority of scanned messages.
The July 2026 Parliament position seeks to exclude end-to-end encrypted communications from the temporary scanning regime.
End-to-end encryption means that the content of a communication can generally be accessed only by the sender and intended recipient. The service provider does not hold the key needed to decrypt the message in transit.
Services such as Signal rely on end-to-end encryption by default, while other platforms provide it for some or all communication features.
The Parliament’s amendments were designed to protect end-to-end encrypted services from the voluntary scanning framework. Reporting on the vote indicates that services such as WhatsApp, Signal and Telegram would therefore remain outside the relevant scanning regime where communications are genuinely end-to-end encrypted.
This distinction is important.
Chat Control 1.0 is not the same as a general EU requirement to break encryption. However, the broader permanent Child Sexual Abuse Regulation continues to generate debate about whether detection technologies could eventually be applied before encryption or directly on users’ devices.
Supporters argue that online services are frequently used to store, share and distribute child sexual abuse material.
They maintain that voluntary detection systems help providers:
The Council has stated that voluntary detection activities contribute to investigating and prosecuting offenders, rescuing victims and reducing the spread of online child sexual abuse.
Technology companies and child-protection organisations also warned that allowing the temporary framework to expire could significantly reduce the number of CSAM reports made by online platforms.
From this perspective, the ePrivacy derogation is viewed as a necessary bridge until a permanent EU framework can be adopted.
Privacy and digital-rights organisations do not generally dispute the need to combat child sexual abuse. Their concerns focus on whether scanning large volumes of private communications is necessary, proportionate and technically reliable.
The main concerns include the following.
Scanning communications from users who are not suspected of an offence may amount to indiscriminate monitoring.
EU fundamental-rights law generally requires serious interferences with privacy to be clearly defined, necessary and proportionate. Systems that analyse everyone’s communications may struggle to meet those requirements, particularly where less intrusive alternatives exist.
Detection technologies do not always correctly distinguish illegal material from lawful family photographs, medical images, consensual communications or discussions about abuse.
The European Data Protection Board and European Data Protection Supervisor have warned that technologies such as artificial intelligence used to scan communications are likely to produce errors.
A false positive may result in private content being disclosed to human reviewers, specialist organisations or law-enforcement authorities.
Private conversations may reveal health information, sexual orientation, religious beliefs, political views, family relationships and other highly sensitive information.
Even where scanning is intended only to identify CSAM, the underlying system may still technically process extensive amounts of personal and special-category data.
Although the current temporary proposal seeks to exclude end-to-end encrypted communications, the wider Chat Control debate remains closely connected to the future of encryption.
Privacy and cybersecurity experts warn that creating mechanisms capable of analysing content before or after encryption may introduce vulnerabilities that can be misused by criminals, hostile governments or other third parties.
Users may not understand:
These issues make transparency, independent oversight and effective remedies essential.
The temporary framework is primarily an exemption from specific rules in the ePrivacy Directive. However, this does not mean that the GDPR becomes irrelevant.
Where a provider processes personal data while detecting, reviewing, reporting or retaining suspected content, the GDPR may continue to apply alongside the specific regulation.
Depending on the circumstances, relevant GDPR obligations may include:
The temporary derogation should not therefore be interpreted as a general exemption from all EU data protection requirements.
Instead, it creates a specific and conditional exception to communications-confidentiality rules for a defined purpose.
Providers deploying automated communications-scanning technologies would need to assess carefully whether a Data Protection Impact Assessment, or DPIA, is required.
Under Article 35 GDPR, a DPIA is required where processing is likely to result in a high risk to individuals’ rights and freedoms.
Large-scale or systematic analysis of private communications may involve several recognised high-risk indicators, including:
A robust DPIA should not treat the protection of children and the protection of privacy as competing objectives where only one can be achieved.
It should document how the system pursues a legitimate child-safety objective while minimising unnecessary access to lawful communications and reducing the likelihood of incorrect reports.
Most businesses will not themselves scan communications for CSAM. However, organisations should still understand how their communication and collaboration providers process message content.
This is especially relevant when selecting or reviewing providers of:
Privacy teams should determine whether the provider performs automated content analysis, whether the organisation can control that functionality and whether the processing is adequately reflected in contractual and privacy documentation.
Useful questions include:
The answers should be documented in the organisation’s vendor-management, data-mapping and risk-management processes.
For most organisations, the Chat Control vote does not create a new direct obligation to scan employee or customer communications.
Its immediate importance is broader.
The debate demonstrates that communications confidentiality, platform safety, artificial intelligence and fundamental rights are increasingly interconnected.
It also shows why privacy compliance cannot be reduced to publishing a privacy notice or maintaining a basic processing register. Organisations need to understand how their technology providers analyse data, which automated systems are operating and what risks those systems create.
Privacy professionals should follow three areas in particular:
The legislative procedure must be completed before organisations can treat the extension until April 2028 as settled law.
The permanent framework could introduce more extensive duties for hosting services, messaging providers, application stores and other technology companies.
Any future attempt to apply detection measures to encrypted communications would have major implications for privacy, cybersecurity, confidential business communications and professional secrecy.
| Issue | Chat Control 1.0 | Chat Control 2.0 |
|---|---|---|
| Legal form | Temporary ePrivacy derogation | Proposed permanent CSAM Regulation |
| Status | Reinstatement moving through the legislative process | Still under negotiation |
| Nature of scanning | Voluntary for qualifying providers | Could introduce mandatory obligations or detection orders |
| Main purpose | Allow existing CSAM detection practices to continue | Create a comprehensive EU framework |
| End-to-end encryption | Parliament seeks to exclude E2EE communications | Encryption remains a major point of debate |
| Proposed duration | Until 3 April 2028 | Permanent framework |
| Direct effect on ordinary businesses | Generally limited | Could affect a broader range of regulated services |
The European Parliament has supported the reinstatement of the temporary Chat Control 1.0 framework through the July 2026 procedure. However, the Council must still address the Parliament’s amendments and complete the legislative process before the measure can be treated as finally adopted.
The proposed temporary framework allows qualifying providers to voluntarily use certain technologies to detect, report and remove online child sexual abuse material. The precise scope depends on the final adopted text and the type of service and communication involved.
The European Parliament’s July position seeks to exclude genuinely end-to-end encrypted communications. This would generally keep end-to-end encrypted services outside the temporary voluntary scanning framework.
No. Chat Control 1.0 is primarily a derogation from certain provisions of the ePrivacy Directive. Nevertheless, GDPR requirements may continue to apply to the personal-data processing involved.
No. The temporary framework does not impose a general obligation on ordinary businesses to scan employee or customer emails. It concerns qualifying providers of online communications services and permits voluntary detection under defined conditions.
The proposed reinstatement would extend the temporary framework until 3 April 2028, unless a permanent EU legal framework becomes applicable earlier.
The EU Chat Control debate highlights a recurring challenge in digital regulation: how to address serious online harms without normalising disproportionate surveillance.
Protecting children is a compelling and legitimate objective. So is protecting the confidentiality and security of communications.
Effective regulation must pursue both objectives through targeted, technically sound and accountable measures. It should avoid creating permanent monitoring infrastructure simply because large-scale automated scanning is technically possible.
For organisations, the practical lesson is clear: privacy teams must understand not only what personal data is collected, but also how software providers analyse content, apply artificial intelligence, generate risk scores and share resulting information.
A complete privacy-governance programme should connect vendor management, data mapping, DPIAs, risk assessments and AI governance in one documented process.
GDPR Register helps organisations maintain RoPAs, assess vendors, complete DPIAs and LIAs, document privacy risks and manage AI Act obligations through one centralised platform.
As the Chat Control negotiations continue, organisations should follow the final legislative text carefully rather than relying on headlines suggesting that all private messages have either become fully scannable or fully protected overnight.