EU lawmakers extend ‘chat control’ powers for message scanning until 2028
The European Parliament has voted to prolong the EU’s controversial message‑scanning regime, informally known as “chat control,” keeping it in force until 2028. The decision allows tech companies to continue scanning users’ private messages for child sexual abuse material (CSAM), despite a majority of lawmakers actually voting against the extension.
A law that survived despite a negative majority
On paper, most members of the European Parliament opposed prolonging the regulation officially referred to as “Chat Control 1.0.” However, to block the extension outright, opponents needed an absolute majority of 361 votes. They secured 314 votes to stop the law, while 276 voted in favor of keeping it. Because the threshold to reject the regulation was not met, the framework survived by procedural default.
This vote effectively revives provisions that had lapsed in April, re‑authorizing digital platforms to use automated tools to detect suspected CSAM in private communications. The issue has long divided lawmakers, technologists and civil liberties advocates, who argue that mass scanning undermines privacy and the basic principles of secure communications.
Encryption carved out – for now
In a key amendment, Parliament adopted an exemption for end‑to‑end encrypted communication. Messages that use, have used, or will use end‑to‑end encryption are to be excluded from the voluntary scanning regime, delivering a limited victory to privacy advocates and cryptography experts who had warned that undermining encryption would weaken security for everyone.
The amendment was championed by Pirate Party MEP Markéta Gregorová, who described the outcome as a “bittersweet” result. She welcomed the protection of encryption as a crucial safeguard but warned that the broader authorization of voluntary mass scanning still passed. In practical terms, services that are not end‑to‑end encrypted, or features within platforms that fall outside that exemption, may remain subject to automated content analysis.
Child protection vs. privacy: the core clash
Supporters of the law frame it as a necessary tool to protect minors and curb the distribution of abusive material online. They argue that, without scanning capabilities, platforms become safe havens for perpetrators who exploit digital communication channels to share illegal content and groom potential victims.
Opponents counter that “suspicionless mass scanning” by private companies normalizes pervasive surveillance. They stress that once such a mechanism is legitimized for one purpose, it can be expanded to other types of content, creating a dangerous precedent. Privacy advocates also point to the risk of false positives, misclassification by automated systems and the chilling effect on free expression when users know their messages may be analyzed.
What happens next: Council of the EU and national governments
The legislation, including the encryption exemption, now goes back to the Council of the EU, which consists of ministers from member states. The Council can accept or reject the Parliament’s amended text or seek a compromise, meaning further political maneuvering is likely. National governments will be under pressure both from child protection organizations, which support robust detection tools, and from civil liberties groups calling for stronger safeguards.
The decision also comes shortly after Parliament triggered a rarely used urgent procedure. That fast‑track process forced lawmakers to return and decide whether to temporarily reinstate the legal basis for message scanning that had expired in April. Without that framework, platforms such as WhatsApp were free to decide independently whether and how to monitor for abusive content.
From temporary to permanent: Chat Control 2.0 on the horizon
The current extension is only one chapter in a longer legislative battle. Work on a new, permanent regulation – widely referred to as “Chat Control 2.0” – will resume in September. At the heart of the debate is whether any future scanning regime should be narrowly targeted at specific suspects or broadly applied to almost all users’ communications.
Critics of the permanent proposal argue that bulk scanning, even if automated and carried out by private companies, is indistinguishable from generalized surveillance. They maintain that targeted investigations based on reasonable suspicion are both more compatible with fundamental rights and potentially more effective.
Former MEP Patrick Breyer, a prominent critic of the proposals, described the current outcome as only the beginning of the political struggle. He argued that the strong resistance seen in Parliament makes it unrealistic to secure a stable majority for a full‑blown, suspicionless mass‑scanning regime in the future.
Political shifts and party dynamics
The path to the extension was shaped by shifting positions among major political groups. In March, Parliament had rejected an earlier attempt to prolong the existing rules while negotiations on Chat Control 2.0 were ongoing. At that time, the largest political group, the European People’s Party (EPP), largely opposed the extension because of amendments that would have narrowed the scope of scans.
In the urgent vote that followed, the EPP leadership changed course. Group leader Manfred Weber sought ways to push the extension through with fewer restrictions attached. That strategic pivot, combined with the complex voting rules requiring an absolute majority to block the law, allowed the regulation to be revived despite strong cross‑party criticism.
How “voluntary scanning” works in practice
Under the extended framework, scanning by platforms remains officially “voluntary” rather than mandated by law. Companies may deploy automated detection tools, such as hash‑matching databases and machine‑learning classifiers, to identify images, videos or text suspected of being CSAM or grooming attempts.
However, privacy specialists warn that once such capabilities exist and are endorsed by legislation, platforms may feel pressure from regulators or public opinion to implement them extensively. Even if participation is technically optional, market realities, regulatory expectations and reputational concerns can make opting out difficult, especially for large providers.
The reliance on automated tools also raises technical and legal questions:
– How accurate are detection algorithms, especially for new, previously unseen material?
– Who is accountable when lawful content is flagged and reported?
– What redress mechanisms exist for users wrongly accused or subjected to account restrictions?
End‑to‑end encryption: what is actually protected?
The newly adopted exemption for end‑to‑end encryption is significant but does not fully resolve the encryption debate. In end‑to‑end encrypted systems, only the sender and recipient can read the content of messages; the service provider theoretically cannot. Excluding such communications from scanning avoids the introduction of so‑called “backdoors” or client‑side scanning that would weaken this security model.
Yet grey areas remain. Some services offer mixed architectures, where certain features (for example, cloud backups, unencrypted metadata or spam and safety filters) might not be fully covered by end‑to‑end encryption. The legal text’s reference to messages that “is, has been or will be applied” with encryption also invites interpretation: regulators and courts may need to clarify how deeply this protection extends and at what technical layer it applies.
Privacy advocates are likely to watch closely for any attempts to reinterpret the exemption in a way that would reintroduce scanning on user devices before encryption is applied, a model they see as functionally equivalent to breaking encryption.
Implications for tech firms and users
For major messaging platforms, the extension means continued legal certainty to run detection programs they already have in place, especially for non‑encrypted services or components. For emerging platforms and smaller providers, it creates a more complex compliance environment: they must balance user expectations for privacy with regulatory frameworks that treat scanning as a socially responsible measure.
Users, meanwhile, face a more fragmented landscape. End‑to‑end encrypted messaging may become even more attractive to those concerned about surveillance or data misuse, while non‑encrypted services could see increased scrutiny over how they use or expand scanning tools. Transparency reports, clear privacy policies and user‑friendly explanations of how scanning works will likely become more important in keeping public trust.
The broader digital rights context
The “chat control” debate sits within a larger European conversation about digital sovereignty, platform accountability and fundamental rights online. The EU has already adopted far‑reaching rules on content moderation, data protection and digital markets. Each new law must be reconciled with the Charter of Fundamental Rights, which protects privacy, data protection and freedom of expression.
Civil liberties groups warn that normalizing mass inspection of private communications, even for a deeply serious issue like child sexual abuse, may open the door to future expansions: for instance, scanning for other illegal content, politically sensitive material or intellectual property violations. Lawmakers sympathetic to these concerns argue that robust child protection policies, better resourcing of law enforcement and cross‑border cooperation can be combined with targeted, warrant‑based digital investigations without turning every user into a potential suspect.
What to watch for by 2028
Between now and 2028, several developments will shape the real‑world impact of chat control:
– Ongoing negotiations over Chat Control 2.0 will determine whether a more permanent, possibly more expansive regime replaces the current temporary framework.
– Court challenges could test whether large‑scale scanning, even when “voluntary,” is compatible with fundamental rights protections in EU law.
– Technical innovations in encryption, privacy‑preserving detection methods and AI‑based moderation tools may shift the policy debate, especially if new approaches promise child protection without generalized surveillance.
– Political shifts in the next European elections could produce a Parliament more or less receptive to broad scanning powers.
For now, the EU has chosen to keep message scanning on the table, while drawing a provisional red line around end‑to‑end encryption. The fight over how far governments and platforms can go in scrutinizing private conversations – and at what cost to individual privacy – is far from over.

