Long story short: On 9 July 2026, the European Parliament voted on whether to extend the temporary “Chat Control 1.0” regime that allows tech companies to scan private messages and emails for child sexual abuse material (CSAM). A majority of MEPs present voted against the measure (314 to 276), but the extension was still approved because the law requires an absolute majority of all 720 members (361 votes) to reject it. With only 314 votes against, opponents fell 47 votes short, so the derogation remained in force for now until at least 2028.
If you care about privacy, this is another reason to rely on genuinely end-to-end encrypted tools and to be cautious about where you store or send sensitive information.
What Chat Control 1.0 actually is
Chat Control 1.0 is a temporary derogation (exception) to the EU’s e‑Privacy rules, which normally protect the confidentiality of all communications. Under this derogation:- Providers of interpersonal communication services (messaging apps, email, some forums) are allowed to scan private messages for CSAM.
- The scanning is voluntary, not mandatory, but companies can do it without a warrant or prior suspicion.
- Suspected cases are matched against CSAM databases and reported to a US-based centre for further analysis.
Why a majority “no” still led to a “yes”
The vote was not a simple majority of those present. To block the extension, opponents needed:- 361 votes (an absolute majority of all 720 MEPs).
- 314 votes against the measure.
- Even though more people voted “no” than “yes”, the threshold for rejection was not reached.
- Every empty seat and abstention effectively counted as a “yes” in the math, because the law only counts the number of “no” votes, not the number of “yes” votes.
What the July 2026 amendments changed
The Parliament did not just rubber‑stamp the old regime. The July 2026 amendments added a crucial protection:- End-to-end encrypted (E2EE) communications are now excluded from the scanning regime.
- Services that are genuinely E2EE by default (e.g., WhatsApp, Signal, and certain configurations of Proton Mail/Tuta) cannot be scanned under the derogation.
- The law now explicitly tries to prevent companies from introducing “surveillance bugs” into encrypted apps or offering separate, less-secure modes to bypass the exclusion.
Implications for everyday users
1. Who can still be scanned?
The following types of messages are still eligible for scanning if the provider chooses to use the derogation:- Facebook Messenger and Instagram messages
These are not end-to-end encrypted by default, so they are not covered by the E2EE exclusion. Meta has already publicly stated it uses the derogation to scan messages for CSAM. - X (Twitter) private messages (DMs)
X DMs are also not E2EE, so they remain legally eligible for scanning under the regime if X implements it. - Standard email services (e.g., Gmail, Outlook, and many hosted providers)
Most mainstream email providers do not use E2EE for all traffic. They can still scan emails under the derogation. - Proton Mail and Tuta
- For messages between two Proton users or two Tuta users: those are E2EE and excluded from mass scanning.
- For messages to external providers (e.g. Gmail) or in some hybrid modes: the legal situation is less clear, but the provider‑held part is still potentially vulnerable. - Cloud storage
- Google Drive: Not E2EE by default; files are potentially within scope if the provider decides to scan.
- Proton Drive: Designed as E2EE/zero‑access; stored files should be excluded from scanning under the new amendments.
2. What about private forums (vBulletin, XenForo)?
- In strict legal terms, private messages on forums that qualify as “interpersonal communication services” could fall under the derogation.
- In reality:
- The regime is voluntary.
- No small or medium forums are known to run CSAM scanning under this law.
- Forums already have full access to their own databases; the legal permission is less relevant for them than for big platforms.
3. What this means for privacy and encryption
- The regime normalizes suspicionless scanning of private communications for a large part of the digital ecosystem.
- However, the July 2026 amendments protect the most privacy-focused tools:
- Encrypted messengers like WhatsApp and Signal are explicitly excluded.
- E2EE email (Proton/Tuta) between their own users is also excluded. - Users who care about privacy should:
- Prefer E2EE messaging apps for sensitive conversations.
- Use E2EE email providers for direct communication with other users of the same service.
- Be aware that regular email, social media DMs, and non-E2EE cloud storage are still potentially scanned.
Why US big tech lobbied for this
Major US companies (Meta, Google, Microsoft, etc.) have said they use the derogation to scan messages and emails for CSAM. Their lobbying aims to:- Preserve a legal basis to continue or expand scanning under EU law.
- Avoid a fragmented patchwork of national rules by keeping a single EU framework.
- Maintain control over the technical design (hash matching, reporting pipelines, etc.).
- Use “we scan for CSAM” as a trust and reputation signal.
Bottom line
- The EU Parliament voted against extending the Chat Control 1.0 scanning regime, but it still passed because the rejection threshold was not reached.
- The regime now has a key protection: end-to-end encrypted communications are excluded.
- For everyday users:
- Encrypted messaging (WhatsApp, Signal) and E2EE email (Proton/Tuta) are protected.
- Facebook, Instagram, X DMs, most email services, and non-E2EE cloud storage are still potentially scanned.
- Small private forums are legally in scope but not practically targeted.
If you care about privacy, this is another reason to rely on genuinely end-to-end encrypted tools and to be cautious about where you store or send sensitive information.
Last edited: