• Don't want to see ads? Install an adblocker like uBlock Origin or use a Europe-based privacy-friendly browser like Vivaldi or Mullvad.

High-tech Chat Control survived: how the EU Parliament “killed” it, then passed it anyway

Maciamo

Veteran member
Admin
Messages
10,646
Reaction score
4,565
Points
113
Location
Lothier
Ethnic group
Italo-celto-germanic
Long story short: On 9 July 2026, the European Parliament voted on whether to extend the temporary “Chat Control 1.0” regime that allows tech companies to scan private messages and emails for child sexual abuse material (CSAM). A majority of MEPs present voted against the measure (314 to 276), but the extension was still approved because the law requires an absolute majority of all 720 members (361 votes) to reject it. With only 314 votes against, opponents fell 47 votes short, so the derogation remained in force for now until at least 2028.



What Chat Control 1.0 actually is​

Chat Control 1.0 is a temporary derogation (exception) to the EU’s e‑Privacy rules, which normally protect the confidentiality of all communications. Under this derogation:
  • Providers of interpersonal communication services (messaging apps, email, some forums) are allowed to scan private messages for CSAM.
  • The scanning is voluntary, not mandatory, but companies can do it without a warrant or prior suspicion.
  • Suspected cases are matched against CSAM databases and reported to a US-based centre for further analysis.
This directly conflicts with the usual EU principle that companies must not read or scan private messages unless there is a specific, targeted reason.



Why a majority “no” still led to a “yes”​

The vote was not a simple majority of those present. To block the extension, opponents needed:
  • 361 votes (an absolute majority of all 720 MEPs).
They only got:
  • 314 votes against the measure.
That means:
  • Even though more people voted “no” than “yes”, the threshold for rejection was not reached.
  • Every empty seat and abstention effectively counted as a “yes” in the math, because the law only counts the number of “no” votes, not the number of “yes” votes.
This is why the popular narrative is: “The Parliament voted against Chat Control, but it passed anyway.”



What the July 2026 amendments changed​

The Parliament did not just rubber‑stamp the old regime. The July 2026 amendments added a crucial protection:
  • End-to-end encrypted (E2EE) communications are now excluded from the scanning regime.
This means:
  • Services that are genuinely E2EE by default (e.g., WhatsApp, Signal, and certain configurations of Proton Mail/Tuta) cannot be scanned under the derogation.
  • The law now explicitly tries to prevent companies from introducing “surveillance bugs” into encrypted apps or offering separate, less-secure modes to bypass the exclusion.
Private messages in services that are not E2EE remain fully in scope.



Implications for everyday users​

1. Who can still be scanned?​

The following types of messages are still eligible for scanning if the provider chooses to use the derogation:
  • Facebook Messenger and Instagram messages
    These are not end-to-end encrypted by default, so they are not covered by the E2EE exclusion. Meta has already publicly stated it uses the derogation to scan messages for CSAM.
  • X (Twitter) private messages (DMs)
    X DMs are also not E2EE, so they remain legally eligible for scanning under the regime if X implements it.
  • Standard email services (e.g., Gmail, Outlook, and many hosted providers)
    Most mainstream email providers do not use E2EE for all traffic. They can still scan emails under the derogation.
  • Proton Mail and Tuta
    - For messages between two Proton users or two Tuta users: those are E2EE and excluded from mass scanning.
    - For messages to external providers (e.g. Gmail) or in some hybrid modes: the legal situation is less clear, but the provider‑held part is still potentially vulnerable.
  • Cloud storage
    - Google Drive: Not E2EE by default; files are potentially within scope if the provider decides to scan.
    - Proton Drive: Designed as E2EE/zero‑access; stored files should be excluded from scanning under the new amendments.

2. What about private forums (vBulletin, XenForo)?​

  • In strict legal terms, private messages on forums that qualify as “interpersonal communication services” could fall under the derogation.
  • In reality:
    - The regime is voluntary.
    - No small or medium forums are known to run CSAM scanning under this law.
    - Forums already have full access to their own databases; the legal permission is less relevant for them than for big platforms.
So while the law is technically broad, everyday forum users are not being targeted by this regime in practice.

3. What this means for privacy and encryption​

  • The regime normalizes suspicionless scanning of private communications for a large part of the digital ecosystem.
  • However, the July 2026 amendments protect the most privacy-focused tools:
    - Encrypted messengers like WhatsApp and Signal are explicitly excluded.
    - E2EE email (Proton/Tuta) between their own users is also excluded.
  • Users who care about privacy should:
    - Prefer E2EE messaging apps for sensitive conversations.
    - Use E2EE email providers for direct communication with other users of the same service.
    - Be aware that regular email, social media DMs, and non-E2EE cloud storage are still potentially scanned.



Why US big tech lobbied for this​

Major US companies (Meta, Google, Microsoft, etc.) have said they use the derogation to scan messages and emails for CSAM. Their lobbying aims to:
  • Preserve a legal basis to continue or expand scanning under EU law.
  • Avoid a fragmented patchwork of national rules by keeping a single EU framework.
  • Maintain control over the technical design (hash matching, reporting pipelines, etc.).
  • Use “we scan for CSAM” as a trust and reputation signal.
They are not pushing for arbitrary surveillance; they want a predictable, EU-sanctioned framework that fits their existing technical models.



Bottom line​

  • The EU Parliament voted against extending the Chat Control 1.0 scanning regime, but it still passed because the rejection threshold was not reached.
  • The regime now has a key protection: end-to-end encrypted communications are excluded.
  • For everyday users:
    - Encrypted messaging (WhatsApp, Signal) and E2EE email (Proton/Tuta) are protected.
    - Facebook, Instagram, X DMs, most email services, and non-E2EE cloud storage are still potentially scanned.
    - Small private forums are legally in scope but not practically targeted.

If you care about privacy, this is another reason to rely on genuinely end-to-end encrypted tools and to be cautious about where you store or send sensitive information.
 
Last edited:
If even the corrupted parliament voted against it with a significant majority, but missed "the threshold" and it will be stil implemented, it tells you a lot about the value and importance of the EU parliament. And those absent can either claim they didn't vote or were not informed in time to vote for whatever reasons. It is a complete farce.

Quite typical and systematic to make such votes in times when the parliament is far from complete and the numbers can't be reached. Like during holidays they can get through with everything with that "method".
 
Back
Top