Skip to content

EU Chat Control Returns: How a Procedural Loophole Just Revived Mass Message Scanning

Karify98 & Amy 🌸·
Cover Image for EU Chat Control Returns: How a Procedural Loophole Just Revived Mass Message Scanning

On March 26, 2026, the European Parliament voted 311–228 to let Chat Control 1.0 expire. The regulation died on April 3. It seemed like the end.

On July 2, the EU Council revived it β€” same text, new legislative packaging. On July 7, Parliament voted 331–304 to allow an emergency procedure. The final vote: Thursday, July 9, 2026 β€” the last working day before summer recess, when most MEPs have already left Strasbourg.

This is not just a political story. It is a direct threat to end-to-end encryption β€” and every developer building messaging apps for EU users needs to understand what is happening.

What Chat Control 1.0 Is β€” and How It Came Back

Chat Control is the common name for the EU's CSAR, proposed by the European Commission in May 2022. Version 1.0 allows platforms to voluntarily scan private messages for child abuse material. But "voluntary" is more technical than truthful β€” Meta, Google, and Microsoft have been running scans under this framework since 2021, operating on a temporary derogation from the ePrivacy Directive.

In March 2026, Parliament refused to extend that derogation. The regulation expired on April 3. But instead of accepting the democratic vote, the EU Council found a different path: the second-reading procedure.

Here is the key mechanism: in a second reading, Parliament cannot simply vote "no." It needs an absolute majority β€” 361 out of 720 votes β€” to reject or amend the Council's position. Not just a majority of those present. On the last day before summer recess, with most MEPs gone, reaching that threshold is nearly impossible. Opponents need 361 votes to block; supporters only need a simple majority of whoever is left.

Former MEP Patrick Breyer, who led parliamentary opposition for years, called it "a blatant disregard for democratic processes." The EU Council's own Legal Service warned the proposal violates Article 7 of the EU Charter of Fundamental Rights. No one disputes that β€” they are simply ignoring it.

What It Means for Encryption

Chat Control 1.0 permits three client-side scanning methods:

  1. Hash-matching β€” against known CSAM databases
  2. Machine learning classification β€” for unknown abuse material
  3. Real-time text analysis β€” for grooming pattern detection

The critical point: all three methods operate before encryption is applied. Content is checked on the sender's device, before the encryption key touches anything. Technically, end-to-end encryption still exists β€” but the content has already been read before it is encrypted. Think of it this way: the lock is still on the door, they just check your bag before you put anything in it.

Signal's vice president for global affairs described the proposals as posing an "existential catastrophic risk" to encryption. Over 500 cryptographers signed an open letter opposing it. The irony: EU law enforcement agencies themselves requested exemptions for government devices β€” because they understand the backdoor they are asking others to build.

Signal CEO Meredith Whittaker has been unambiguous: "We will leave the EU market rather than undermine our privacy guarantees." WhatsApp has taken the same position. These are not negotiating tactics. Client-side scanning is architecturally incompatible with the product both companies have built and sold to users as private. Once you scan before encryption, the product is no longer what users think they are using.

The Cost of Scanning: 80% False Positives

Here is the number that deserves attention: Swiss federal police data shows 80% of machine-generated CSAM reports are without merit. Only 20% of reports are confirmed as actual abuse material. The false-positive rate floods law enforcement with noise while doing nothing to stop encrypted distribution on non-compliant platforms.

Criminals migrate to unscanned platforms. Law-abiding users get surveilled. That is the actual trade-off on the table β€” not "protect children or protect privacy," but "mass surveillance with low efficacy or find a different approach."

What Developers Should Do Now

Four concrete actions for developers running messaging apps or communication platforms with EU users:

1. Audit your encryption pipeline today. Client-side scanning cannot be implemented without restructuring your encryption pipeline. If your application uses true E2EE β€” keys only on user devices β€” adding a pre-encryption scanning layer means changing your security model at the root level. There is no such thing as "partially end-to-end encrypted."

2. Prepare for the Signal/WhatsApp exit scenario. If the largest encrypted platforms leave the EU market, user migration to alternatives will be massive. Your infrastructure needs to handle unusual peak loads. More importantly: decide now whether you will implement scanning to retain EU users, or follow Signal's path.

3. Track the law, not just the technology. Chat Control has gone through three rounds: rejected (March), redirected (April–June), resurrected in new packaging (July). Every round extends the period during which you must make architecture decisions under legal uncertainty. This is an operational risk, not a theoretical one.

4. Watch the open-source opportunity. If Signal and WhatsApp leave, alternatives like Matrix, XMPP, or self-hosted E2EE will face an unprecedented wave of new users. This could be the moment to invest in decentralized architecture that depends on no single platform β€” and no single jurisdiction that might demand scanning.

What Happens on July 9

The 361-vote threshold to block on the last working day before summer recess is almost impossible to reach β€” even opponents concede this. Chat Control 1.0 will almost certainly pass.

But this is not the end. Even after passage, the regulation faces strong legal challenges before the EU Court of Justice. Meanwhile, Chat Control 2.0 β€” a stricter version mandating scanning rather than making it "voluntary" β€” is still being negotiated separately.

What developers need to understand: this is not the last battle. The EU Council's willingness to use procedural maneuvers to override Parliament's democratic vote is itself the signal β€” this issue will keep coming back until it either passes permanently or the political will collapses.

Key takeaways:

  • Chat Control 1.0 was rejected in March, revived via a second-reading procedure requiring 361 absolute-majority votes to block instead of a simple majority
  • Three client-side scanning methods operate before encryption β€” E2EE technically remains in place, but content is checked before it is locked
  • 80% of automated reports are false positives; over 500 cryptographers oppose it; EU law enforcement agencies themselves requested exemptions
  • Signal and WhatsApp may leave the EU β€” developers need a plan now, not when the law takes effect

Content assisted by AI (Amy 🌸). Reviewed by the author.

Related Posts