Articles

EU Chat Control Vote: What Message Scanning Means for Privacy

The European Parliament has supported the return of temporary EU rules allowing online service providers to voluntarily scan certain private communications for child sexual abuse material.

The measure is commonly referred to by critics as Chat Control 1.0. It permits providers such as email, messaging and social media platforms to use detection technologies to identify, report and remove online child sexual abuse material, or CSAM.

The July 2026 vote is particularly controversial because more Members of the European Parliament voted against the measure than in favour of it. However, opponents did not reach the absolute majority required to reject the proposal under the parliamentary procedure used. The rejection motion received 314 votes, while 276 MEPs voted in favour and 17 abstained. A minimum of 361 votes was required to block the proposal.

The proposal is intended to restore an exemption from EU electronic communications privacy rules that expired on 3 April 2026. Under the proposed extension, the temporary framework could remain applicable until 3 April 2028 while EU institutions continue negotiating a permanent law on preventing and combating child sexual abuse online.

However, the process is not yet necessarily complete. Following the Parliament’s July position, the Council must address the Parliament’s amendments before the measure can be formally adopted and take legal effect.

The development raises difficult questions about the confidentiality of communications, automated content analysis, false positive results, the protection of children and the future of end-to-end encryption in Europe.

Full article here

What is EU Chat Control?

“Chat Control” is an informal term used to describe EU legislative measures concerning the detection of child sexual abuse material in online communications.

It is important to distinguish between two related but separate initiatives:

  • Chat Control 1.0 refers to the temporary and voluntary ePrivacy derogation introduced through Regulation (EU) 2021/1232.
  • Chat Control 2.0 generally refers to the proposed permanent EU Child Sexual Abuse Regulation, which has undergone several revisions and remains the subject of institutional negotiations.

The temporary regulation does not generally require companies to scan messages. Instead, it creates an exception allowing qualifying communications providers to voluntarily process communications data using technologies designed to detect and report online child sexual abuse.

The permanent proposal is broader. Different versions have included mandatory risk assessments, detection orders, age-verification measures and obligations applicable to a wider range of online services.

Conflating these two initiatives can create the misleading impression that the July 2026 vote immediately introduced mandatory scanning of every private or encrypted message in Europe. That is not what the temporary derogation does.

Why is an ePrivacy exemption needed?

The confidentiality of electronic communications is protected in the EU primarily through the ePrivacy Directive, alongside the GDPR and the EU Charter of Fundamental Rights.

Article 5 of the ePrivacy Directive establishes the confidentiality of communications and related traffic data. As a general rule, listening to, tapping, storing or otherwise intercepting communications without the consent of the users concerned is prohibited, except where legally authorised.

The European Data Protection Supervisor describes the ePrivacy Directive as an important EU instrument protecting the confidentiality of communications and limiting tracking and monitoring.

This creates a legal issue when an email or messaging provider wants to analyse the content of users’ communications for CSAM. Even where the provider’s intention is to detect illegal material, analysing private communications may interfere with confidentiality and involve the processing of personal data.

Regulation (EU) 2021/1232 was therefore introduced in 2021 as a temporary derogation from specific ePrivacy requirements. It created a limited legal framework under which providers of certain number-independent interpersonal communications services could continue voluntary detection, reporting and removal activities.

The original measure was temporary because EU policymakers intended to replace it with a comprehensive and permanent legal framework.

That permanent framework has still not been finalised.

What happened to Chat Control 1.0 in 2026?

The temporary derogation was previously extended until 3 April 2026.

In December 2025, the European Commission proposed extending the framework again, this time until 3 April 2028. The stated purpose was to prevent a legal gap while negotiations continued on the permanent Child Sexual Abuse Regulation.

The European Parliament’s position then changed several times.

On 11 March 2026, Parliament adopted amendments supporting a more limited extension, with 458 votes in favour, 103 against and 63 abstentions. The proposed safeguards included tighter limits on the technologies and communications that could be covered.

On 26 March 2026, Parliament rejected the overall legislative proposal by 311 votes to 228. As a result, the existing derogation expired after 3 April 2026.

In July, the Council moved to reinstate the interim measure, arguing that voluntary detection activities play an important role in identifying offenders, rescuing victims and reducing the circulation of child sexual abuse material.

The file then returned to Parliament under an urgent procedure.

Although 314 MEPs opposed the proposal in the July vote, they did not reach the absolute majority of all Parliament members required to reject it. Consequently, Parliament did not block the Council’s position, subject to the treatment of the Parliament’s amendments and completion of the legislative process.

This unusual outcome is why some coverage has described the measure as having passed even though more participating MEPs voted against it than supported it.

Does Chat Control allow companies to read all private messages?

The phrase “reading private messages” can be misleading if it suggests that employees at technology companies manually open and review every email or conversation.

In practice, providers may use automated detection technologies to analyse content or attachments for indicators of child sexual abuse material.

Depending on the system, those technologies may include:

  • hash matching against databases of known illegal images;
  • classifiers designed to detect previously unknown CSAM;
  • language or behavioural analysis intended to identify grooming;
  • automated flagging followed by human review;
  • reporting suspected content to competent authorities or specialist organisations.

Nevertheless, automated scanning is still a form of processing communications content. It may reveal information about users, flag lawful communications, generate reports and lead to further investigation.

For that reason, the legal and fundamental-rights implications remain significant even where no human employee reads the majority of scanned messages.

Does Chat Control 1.0 apply to end-to-end encrypted messages?

The July 2026 Parliament position seeks to exclude end-to-end encrypted communications from the temporary scanning regime.

End-to-end encryption means that the content of a communication can generally be accessed only by the sender and intended recipient. The service provider does not hold the key needed to decrypt the message in transit.

Services such as Signal rely on end-to-end encryption by default, while other platforms provide it for some or all communication features.

The Parliament’s amendments were designed to protect end-to-end encrypted services from the voluntary scanning framework. Reporting on the vote indicates that services such as WhatsApp, Signal and Telegram would therefore remain outside the relevant scanning regime where communications are genuinely end-to-end encrypted.

This distinction is important.

Chat Control 1.0 is not the same as a general EU requirement to break encryption. However, the broader permanent Child Sexual Abuse Regulation continues to generate debate about whether detection technologies could eventually be applied before encryption or directly on users’ devices.

Why do supporters consider message scanning necessary?

Supporters argue that online services are frequently used to store, share and distribute child sexual abuse material.

They maintain that voluntary detection systems help providers:

  • identify known illegal material;
  • discover previously unknown abuse;
  • detect grooming and exploitation;
  • report suspected offences;
  • remove harmful content;
  • provide information that may help authorities identify offenders and victims.

The Council has stated that voluntary detection activities contribute to investigating and prosecuting offenders, rescuing victims and reducing the spread of online child sexual abuse.

Technology companies and child-protection organisations also warned that allowing the temporary framework to expire could significantly reduce the number of CSAM reports made by online platforms.

From this perspective, the ePrivacy derogation is viewed as a necessary bridge until a permanent EU framework can be adopted.

Why are privacy experts concerned about Chat Control?

Privacy and digital-rights organisations do not generally dispute the need to combat child sexual abuse. Their concerns focus on whether scanning large volumes of private communications is necessary, proportionate and technically reliable.

The main concerns include the following.

1. Generalised monitoring of private communications

Scanning communications from users who are not suspected of an offence may amount to indiscriminate monitoring.

EU fundamental-rights law generally requires serious interferences with privacy to be clearly defined, necessary and proportionate. Systems that analyse everyone’s communications may struggle to meet those requirements, particularly where less intrusive alternatives exist.

2. False positive results

Detection technologies do not always correctly distinguish illegal material from lawful family photographs, medical images, consensual communications or discussions about abuse.

The European Data Protection Board and European Data Protection Supervisor have warned that technologies such as artificial intelligence used to scan communications are likely to produce errors.

A false positive may result in private content being disclosed to human reviewers, specialist organisations or law-enforcement authorities.

3. Processing of sensitive personal data

Private conversations may reveal health information, sexual orientation, religious beliefs, political views, family relationships and other highly sensitive information.

Even where scanning is intended only to identify CSAM, the underlying system may still technically process extensive amounts of personal and special-category data.

4. Risks to encryption and cybersecurity

Although the current temporary proposal seeks to exclude end-to-end encrypted communications, the wider Chat Control debate remains closely connected to the future of encryption.

Privacy and cybersecurity experts warn that creating mechanisms capable of analysing content before or after encryption may introduce vulnerabilities that can be misused by criminals, hostile governments or other third parties.

5. Limited transparency and oversight

Users may not understand:

  • whether their communications are scanned;
  • which technologies are used;
  • what content triggers a report;
  • how long flagged information is retained;
  • whether a human reviews the result;
  • how an incorrect report can be challenged.

These issues make transparency, independent oversight and effective remedies essential.

Is Chat Control governed by the GDPR?

The temporary framework is primarily an exemption from specific rules in the ePrivacy Directive. However, this does not mean that the GDPR becomes irrelevant.

Where a provider processes personal data while detecting, reviewing, reporting or retaining suspected content, the GDPR may continue to apply alongside the specific regulation.

Depending on the circumstances, relevant GDPR obligations may include:

  • identifying a valid legal basis;
  • complying with purpose limitation;
  • minimising the data processed;
  • limiting retention periods;
  • implementing technical and organisational security measures;
  • providing transparent information;
  • controlling access to flagged content;
  • governing international data transfers;
  • enabling data-subject rights where applicable;
  • conducting a data protection impact assessment.

The temporary derogation should not therefore be interpreted as a general exemption from all EU data protection requirements.

Instead, it creates a specific and conditional exception to communications-confidentiality rules for a defined purpose.

Would a Data Protection Impact Assessment be required?

Providers deploying automated communications-scanning technologies would need to assess carefully whether a Data Protection Impact Assessment, or DPIA, is required.

Under Article 35 GDPR, a DPIA is required where processing is likely to result in a high risk to individuals’ rights and freedoms.

Large-scale or systematic analysis of private communications may involve several recognised high-risk indicators, including:

  • systematic monitoring;
  • use of innovative technologies;
  • processing of highly personal or sensitive data;
  • large-scale data processing;
  • automated evaluation;
  • vulnerable individuals, including children;
  • processing that may lead to reports to law enforcement;
  • inability of users to avoid the processing without leaving the service.

A robust DPIA should not treat the protection of children and the protection of privacy as competing objectives where only one can be achieved.

It should document how the system pursues a legitimate child-safety objective while minimising unnecessary access to lawful communications and reducing the likelihood of incorrect reports.

What should organisations using communication providers do?

Most businesses will not themselves scan communications for CSAM. However, organisations should still understand how their communication and collaboration providers process message content.

This is especially relevant when selecting or reviewing providers of:

  • corporate email;
  • employee messaging;
  • cloud collaboration tools;
  • social media communications;
  • customer-support chat systems;
  • content-hosting platforms;
  • online community services.

Privacy teams should determine whether the provider performs automated content analysis, whether the organisation can control that functionality and whether the processing is adequately reflected in contractual and privacy documentation.

Useful questions include:

  1. Does the provider scan communications content or attachments?
  2. Is scanning limited to known illegal material, or does it also use predictive classifiers?
  3. Are communications protected by end-to-end encryption?
  4. In which jurisdictions is scanning performed?
  5. Who receives reports generated by the system?
  6. Is human review conducted before a report is submitted?
  7. How are false positives handled?
  8. How long is flagged content retained?
  9. Has the provider conducted a DPIA?
  10. Are subprocessors or non-EU organisations involved?

The answers should be documented in the organisation’s vendor-management, data-mapping and risk-management processes.

What does the vote mean for businesses and privacy professionals?

For most organisations, the Chat Control vote does not create a new direct obligation to scan employee or customer communications.

Its immediate importance is broader.

The debate demonstrates that communications confidentiality, platform safety, artificial intelligence and fundamental rights are increasingly interconnected.

It also shows why privacy compliance cannot be reduced to publishing a privacy notice or maintaining a basic processing register. Organisations need to understand how their technology providers analyse data, which automated systems are operating and what risks those systems create.

Privacy professionals should follow three areas in particular:

The final adoption of the temporary extension

The legislative procedure must be completed before organisations can treat the extension until April 2028 as settled law.

Negotiations on the permanent CSAM Regulation

The permanent framework could introduce more extensive duties for hosting services, messaging providers, application stores and other technology companies.

Rules affecting end-to-end encryption

Any future attempt to apply detection measures to encrypted communications would have major implications for privacy, cybersecurity, confidential business communications and professional secrecy.

Chat Control 1.0 and Chat Control 2.0: key differences

IssueChat Control 1.0Chat Control 2.0
Legal formTemporary ePrivacy derogationProposed permanent CSAM Regulation
StatusReinstatement moving through the legislative processStill under negotiation
Nature of scanningVoluntary for qualifying providersCould introduce mandatory obligations or detection orders
Main purposeAllow existing CSAM detection practices to continueCreate a comprehensive EU framework
End-to-end encryptionParliament seeks to exclude E2EE communicationsEncryption remains a major point of debate
Proposed durationUntil 3 April 2028Permanent framework
Direct effect on ordinary businessesGenerally limitedCould affect a broader range of regulated services

Frequently asked questions

Has the EU approved Chat Control?

The European Parliament has supported the reinstatement of the temporary Chat Control 1.0 framework through the July 2026 procedure. However, the Council must still address the Parliament’s amendments and complete the legislative process before the measure can be treated as finally adopted.

Can Meta and Google scan private messages in the EU?

The proposed temporary framework allows qualifying providers to voluntarily use certain technologies to detect, report and remove online child sexual abuse material. The precise scope depends on the final adopted text and the type of service and communication involved.

Does Chat Control apply to WhatsApp and Signal?

The European Parliament’s July position seeks to exclude genuinely end-to-end encrypted communications. This would generally keep end-to-end encrypted services outside the temporary voluntary scanning framework.

Is Chat Control part of the GDPR?

No. Chat Control 1.0 is primarily a derogation from certain provisions of the ePrivacy Directive. Nevertheless, GDPR requirements may continue to apply to the personal-data processing involved.

Does Chat Control require every company to scan emails?

No. The temporary framework does not impose a general obligation on ordinary businesses to scan employee or customer emails. It concerns qualifying providers of online communications services and permits voluntary detection under defined conditions.

When would the Chat Control extension expire?

The proposed reinstatement would extend the temporary framework until 3 April 2028, unless a permanent EU legal framework becomes applicable earlier.

The wider lesson for privacy governance

The EU Chat Control debate highlights a recurring challenge in digital regulation: how to address serious online harms without normalising disproportionate surveillance.

Protecting children is a compelling and legitimate objective. So is protecting the confidentiality and security of communications.

Effective regulation must pursue both objectives through targeted, technically sound and accountable measures. It should avoid creating permanent monitoring infrastructure simply because large-scale automated scanning is technically possible.

For organisations, the practical lesson is clear: privacy teams must understand not only what personal data is collected, but also how software providers analyse content, apply artificial intelligence, generate risk scores and share resulting information.

A complete privacy-governance programme should connect vendor management, data mapping, DPIAs, risk assessments and AI governance in one documented process.

GDPR Register helps organisations maintain RoPAs, assess vendors, complete DPIAs and LIAs, document privacy risks and manage AI Act obligations through one centralised platform.

As the Chat Control negotiations continue, organisations should follow the final legislative text carefully rather than relying on headlines suggesting that all private messages have either become fully scannable or fully protected overnight.

Tags:
case study
gdpr
gutenberg
interesting
PREVIOUS
AI providers under GDPR