EU Chat Control Is Back – And This Time It Might Actually Pass

The EU is, as of right now, in the final hours before a vote that could permanently change the way private digital communication works in Europe. Monday, June 29, is the fifth and supposedly final round of trilogue negotiations on Chat Control 2.0 – the permanent regulation that would, in one form or another, give authorities the ability to monitor the private messages of 450 million EU citizens.

And if that weren’t enough: this Friday (June 27), a separate backroom deal is reportedly underway to revive Chat Control 1.0 – the expired voluntary scanning regime through the backdoor.

Two simultaneous attacks on the same target. If either succeeds, the version of the internet Europeans have used for the past two decades – one where a private message is actually private could be gone by July.

This guide covers everything: what Chat Control is, what it proposes, the full legislative history, why it keeps dying and coming back, what’s at stake in the final trilogue, and what you can do. Start from the top or jump to the section you need.

What Is Chat Control?

“Chat Control” is the public nickname for the EU’s proposed Child Sexual Abuse Regulation – CSAR for short, sometimes called CSA Regulation 2022/0155. It was formally proposed by European Commissioner for Home Affairs Ylva Johansson on 11 May 2022. The stated goal is child protection: detect and report child sexual abuse material (CSAM) circulating across digital platforms.

Nobody argues with the goal. The fight is entirely about the method.

The Commission’s approach focuses on regulating digital services such as messaging apps, email providers, cloud storage by placing a legal duty on them to use technology to scan users’ communications in order to detect and report illegal activity. That means AI systems reading your messages before they reach the person you sent them to. All of them. Not because anyone suspects you of anything.

Civil society organisations argue the proposal would effectively mandate mass scanning of all private digital communications, undermining end-to-end encryption and violating fundamental rights to privacy and data protection.

The argument is simple: to catch the small fraction of criminals distributing abuse material, you have to build infrastructure that watches everyone.

Chat Control 1.0 vs Chat Control 2.0

It helps to understand that there are technically two separate legislative tracks running at the same time.

Chat Control 1.0 is the older, expired system. In 2021, the EU passed a temporary derogation to the ePrivacy Directive called Chat Control 1.0 by critics which allowed email and communication providers to search messages for CSAM. It was not mandatory and did not affect end-to-end encrypted messages.

This derogation let platforms like Gmail, Facebook Messenger, Skype, and Xbox voluntarily scan unencrypted messages. In 2024, the EU adopted an extension of the voluntary Chat Control 1.0 regulation by two years, until April 3, 2026. In March 2026, the European Parliament rejected a second extension.

So Chat Control 1.0 legally expired on April 3, 2026. However, Google, Meta, Microsoft and Snap announced they will continue indiscriminate and warrantless scanning of private messages. Companies can break the law without consequences while the permanent regulation is being negotiated. That alone should concern you.

Chat Control 2.0 (the CSAR) is the permanent replacement. This is what the June 29 trilogue is about. The purpose of CSAR is to make it mandatory for service providers to scan messages for CSAM and to bypass end-to-end encryption.

This is the regulation that has gone through four rounds of trilogue negotiations and is heading into its fifth on Monday.

The Proposals: What’s on the Table

The Original 2022 Commission Proposal

The first version of Chat Control 2.0 was aggressive. The Commission’s original proposal contains a requirement that platforms, once served with a detection order, must scan people’s messages not just for known CSAM (images identified previously and hashed for detection) but also for unknown CSAM (new images of abuse).

A further component in the Commission’s proposal requires platforms to identify grooming activity in real time. This means apps would need to be able to parse the contents of users’ communications to understand when an adult user might be trying to lure a minor to engage in sexual activity.

That last part – text-based behavior analysis in real time means the AI isn’t just checking images against a database. It’s reading conversations and deciding whether they look suspicious.

How the Technology Works (Client-Side Scanning)

With client-side scanning, end-to-end encryption remains in place, but it’s fundamentally circumvented: to detect CSAM, content must be checked on the sender’s device before encryption. Detection software would be embedded in the messaging app or operating system to scan chat content and automatically forward any material flagged as prohibited to law enforcement agencies.

It turns the user’s phone into a checkpoint, running pattern matching or machine learning classification locally and triggering reporting workflows when something looks suspicious.

The key thing to understand here: when privacy advocates say Chat Control “breaks encryption,” this is what they mean. End-to-end encryption is not cracked, it’s bypassed. The inspection happens before the message is encrypted. The lock is still on the door; they just check your bag before you put anything in it.

Cryptographers and security researchers warned that on-device detection “inherently undermines the protections” of end-to-end encryption without any guarantee that it would improve protection for children. The detection mechanism would become a high-value target for hackers and hostile nation states, which could reconfigure it to target other types of data, such as people’s financial or political interests.

The “Voluntary” Shift in the Council’s Position

After years of rejections, the Council text softened – at least on paper. The latest Council position drops the requirement for compulsory automated scanning of encrypted or unencrypted communications.

The Council agreed on its position, which removed the requirement that forces providers to scan messages on their services. It also comes with strong language to protect encryption.

So why are privacy advocates still furious? Because “voluntary” doesn’t mean what it sounds like.

Critics have argued that this amounts to mandatory scanning with extra steps. MEP Patrick Breyer has characterized the Council position as “cementing ‘voluntary’ mass scanning” and “legitimizing the warrantless, error-prone mass surveillance of millions of Europeans.”

The mechanism works through Article 4 risk mitigation requirements. Providers classified as “high-risk” for CSAM must implement unspecified “risk mitigation measures.” Scanning is one option on the list. The law doesn’t mandate scanning directly. Instead, it mandates risk mitigation, then includes scanning as the obvious compliance path, then makes non-compliant services legally liable. Patrick Breyer argues the framework could leave privacy-preserving services with little practical choice: “The proposal includes overly heavy and complex risk mitigation measures that punish privacy-respecting services, effectively forcing them to implement surveillance tools to avoid liability.”

It’s opt-in surveillance with enough carrots and sticks attached that it functions like opt-out surveillance.

Mandatory Age Verification

Separate from the scanning debate and arguably as damaging, is the age verification requirement.

To identify minors, every citizen would have to prove their age with an ID or a face scan for an email or messenger account. This threatens whistleblowers, journalists, and people seeking help.

The current text of Chat Control 2.0 has dropped mandatory client-side scanning of end-to-end encrypted messages, but retains a requirement that users verify their age before accessing encrypted messaging services. Anonymous encrypted communication, under that framework, ends. The encryption “survives,” but the anonymity doesn’t.

Think about what this means for a moment. Dissidents in EU member states. Domestic abuse survivors. Journalists with sources. LGBTQ+ teenagers in unsupportive households. Anonymous whistleblowers. Every one of them currently relies on the ability to communicate privately and without identifying themselves. Journalists, whistle-blowers, LGBTQ+ youth, and political dissidents may face new barriers to secure communication if anonymous accounts are no longer possible.

And there’s a basic technical problem: over 400 scientists have warned that “age assessment cannot be performed in a privacy-preserving way with current technology due to reliance on biometric, behavioural or contextual information. In fact, it incentivises children’s data collection and exploitation.”

You cannot verify age without collecting invasive data about everyone who tries to communicate.

Cloud Storage and Other Provisions

The proposal doesn’t stop at messaging. Other aspects of the proposal include ineffective network blocking, screening of personal cloud storage including private photos, mandatory age verification resulting in the end of anonymous communication, app store censorship, and excluding minors from the digital world.

The planned age control would exclude users under 17 from everyday apps like WhatsApp, Instagram, and online games.

That’s not child protection. That’s children’s digital exclusion.

There’s also a detail that went largely unnoticed: the proposal exempted government and military communications from scanning. States do not want Chat Control for their own communications, but the chats of others should be monitored. The people who designed this system exempted themselves from it.

Why the Technical Experts Say It Won’t Even Work

Let’s set aside the legality and ethics for a moment and just look at whether mass scanning actually catches abusers.

The math is the problem. Even a 99.5% accuracy rate would lead to billions of incorrect identifications daily, overwhelming investigators and wrongly flagging innocent users, according to Callum Voge of the Internet Society.

When you scan billions of messages a day, you’re looking for an extremely rare event. Basic probability means the system will generate far more false positives than true detections. When the actual prevalence of the phenomenon is low, even a 1% false positive rate generates a deluge of incorrect reports that swamp investigators and ruin innocent lives.

High false-positive rates in practice are not theoretical: high false-positive rates up to 80% have been documented in countries like Switzerland.

And the abusers most likely to be caught? The least sophisticated ones, who were already detectable through targeted investigations. Europol’s work on child sexual exploitation focuses on networks, identifiers, and investigative partnerships, not on redesigning every citizen’s device into a sensor. Anyone serious about hiding will just use a different service – one outside EU jurisdiction the moment scanning becomes mandatory.

The Commission claims the scanning would be targeted, but under the proposal, private communications of innocent people would be scanned with unreliable AI filters just in case they’re spreading CSAM.

The UN agrees. Child protection organisations, including the UN’s own Office of the High Commissioner for Human Rights, have warned that mass surveillance fails to prevent abuse and actually makes children less safe by weakening security for everyone and diverting resources from targeted investigations that actually work.

The Full Timeline

This legislation has been fighting to exist since 2021. Here’s the full chronological record.

July 2021 – The EU passes a temporary derogation to the ePrivacy Directive, allowing platforms to voluntarily scan for CSAM. This becomes known as Chat Control 1.0. Google, Meta, and Microsoft opt in immediately.

May 11, 2022 – The European Commission formally proposes the Child Sexual Abuse Regulation (CSAR) – Chat Control 2.0 – to create a permanent, mandatory scanning framework.

September 2022 – Public consultation closes. Over 80% of respondents oppose applying scanning to end-to-end encrypted communications.

November 2023 – The European Parliament’s Civil Liberties Committee (LIBE) votes to remove indiscriminate chat control and allow only targeted surveillance of specific individuals and groups where there is reasonable suspicion, and only with judicial authorisation. Parliament’s position also protects encryption.

2024 – Multiple Council Presidency attempts to pass the proposal fail. Belgium and Spain try different compromise texts, including a version that called mandatory scanning “upload moderation,” which Signal president Meredith Whittaker described as “rhetorical games.” Germany, the Netherlands, Poland, and Austria repeatedly block qualified majorities.

July 2025 – Denmark takes over the Council Presidency and makes CSAR a top priority.

September 9, 2025 – Over 500 cryptographers and security researchers sign an open letter warning the measures are technically unfeasible and would “completely undermine” the privacy and security of all European citizens by creating vulnerabilities that hackers or hostile nations could exploit.

October 8, 2025 – A scheduled Council vote is pulled at the last minute after Germany declares opposition. Without Germany, there’s no qualified majority.

October 2025 – Denmark backs down from mandatory scanning. The proposal shifts toward “voluntary” scanning with risk mitigation requirements attached – the version critics call a backdoor mandate.

November 26, 2025 – The Council adopts its general approach – the revised Danish text – without debate at a COREPER II meeting. With the Council’s position finally agreed, trilogue negotiations with Parliament can officially begin.

December 9, 2025 – First trilogue negotiation on Chat Control 2.0.

December 19, 2025 – The European Commission proposes extending Chat Control 1.0 by another two years, to April 2028.

February 5, 2026 – Parliament’s rapporteur publishes a draft mandate for extending Chat Control 1.0.

February 26, 2026 – Second trilogue negotiation on Chat Control 2.0.

March 11, 2026– The Parliament passes a compromise position on extending Chat Control 1.0: extend it to 2027, but require judicial authorisation and limit scanning to targeted cases – no mass scanning of unencrypted messages. MEPs vote 458-103 in favour. The Council rejects it – they want mass scanning without judicial oversight.

March 26, 2026 – The European Parliament votes to reject any further extensions of Chat Control 1.0. The critical amendment 34, rejecting automated assessment of unknown photos and texts, passes by a single vote. Chat Control 1.0’s extension is dead.

April 3, 2026 – Chat Control 1.0 legally expires. Platforms operating in the EU no longer have a legal basis for mass message scanning. But the permanent replacement (CSAR, Chat Control 2.0) is very much alive.

April 16, 2026 – Third trilogue negotiation on Chat Control 2.0.

May 11, 2026 – Fourth trilogue negotiation on Chat Control 2.0.

June 27, 2026 (today) – A backroom deal is reportedly underway to revive Chat Control 1.0 – the expired voluntary scanning regime – through a separate legislative route.

June 29, 2026 (Monday) -The government of Cyprus, currently holding the Presidency of the Council, has planned the very final negotiations to happen on June 29, 2026. This is the fifth and final scheduled trilogue on Chat Control 2.0.

July 2026 (expected) – If a deal is reached Monday, formal adoption by Parliament and Council is expected in July. The law would take binding effect across all 27 member states without any national implementation required.

The Double-Attack Happening Right Now

Here’s the part that requires attention right now – this weekend.

We face a double-attack on private communication: a backroom deal to revive Chat Control 1.0 this Friday, and on Monday June 29, the final trilogue for permanent mass scanning.

Track one is the Chat Control 2.0 trilogue on Monday – the permanent regulation that’s been in negotiation since December 2025. Four rounds in, they haven’t found a final text. Discussions are reportedly still slow. With discussions already reportedly facing delays, a summer deal seems increasingly at risk.

But track two is the one that caught privacy advocates off guard. Someone is trying to bring Chat Control 1.0 back through a separate legislative manoeuvre – before the Parliament gets another chance to vote on it. The previous plenary vote on March 26 killed the extension by a single vote. A backdoor revival would circumvent that democratic decision entirely.

The Council has explicitly signalled it wants mass scanning without judicial gatekeeping. The Commission has supported the Council’s position throughout. That leaves Parliament as the only institution with any interest in defending privacy and the pressure to reach a deal before the Cypriot Presidency ends is enormous.

The Council’s own Legal Service put it bluntly: in an opinion on June 10, 2026, it stated that the latest “own-initiative” scanning proposal still constitutes generalised scanning of interpersonal communication, and that accessing private communications without reasonable suspicion and prior judicial authorisation is incompatible with Article 7 of the EU Charter of Fundamental Rights.

Their own lawyers told them it won’t survive a court challenge. They’re proceeding anyway.

Why It Keeps Coming Back

If Chat Control has failed so many times, why does it keep returning?

Part of it is institutional persistence. The Commission has invested enormous political capital in this proposal since 2022. The rotating Council Presidencies of Spain, Belgium, Hungary, Denmark, Cyprus each have treated CSAR as a priority file. There’s a bureaucratic logic to closing it.

Part of it is lobbying. A transnational investigation by European media outlets revealed the close involvement of foreign technology and law enforcement lobbyists in the preparation of the original proposal. Commissioner Johansson was also criticised for using micro-targeting techniques to promote its controversial draft proposal, which violated the EU’s data protection and privacy rules.

And part of it is the framing problem. “Child protection” is the stated justification. Anyone who opposes the method gets painted as opposing the goal. That’s a difficult political position, which is why privacy advocates have been careful to frame their opposition around the technical ineffectiveness of the proposal, not just its rights implications.

The honest version of the disagreement is this: supporters believe some capability to detect CSAM online is worth accepting reduced privacy for everyone. Opponents believe mass surveillance of the innocent is categorically wrong, and that targeted investigations with judicial oversight would actually catch more criminals without building a surveillance apparatus that, once constructed, will be used for other purposes.

History has consistently supported the second position. Surveillance infrastructure has never stayed limited to its original stated purpose.

What’s at Stake for Encryption

Meredith Whittaker, president of Signal, has said plainly that Signal would leave Europe before implementing client-side scanning. She made clear this isn’t out of principle alone. Signal can’t keep its security promises if it’s forced to install surveillance mechanisms on users’ devices. Will Cathcart of WhatsApp echoed this, describing it as “the end of end-to-end encryption as we know it.”

If Chat Control becomes law, American technology companies will face an impossible choice. US companies would face conflicting legal obligations they cannot simultaneously satisfy. US users would find their communications subject to systematic European surveillance.

And beyond the companies: once client-side scanning infrastructure exists anywhere, it’s a target. When Apple proposed a related mechanism for photo scanning, the backlash was immediate because security engineers saw the same pattern: once a scanning pipeline exists, it becomes an attractive target for attackers and a tempting lever for governments.

Privacy-rights groups warn that even without explicit mass scanning, the framework could normalize surveillance-by-default if risk-mitigation rules are interpreted broadly.

The long-term concern is precedent. The EU setting this framework gives authoritarian governments cover to do the same and far more aggressively. China, Russia, and others have already cited European data regulation as partial justification for their own internet control regimes. A working CSAM scanning infrastructure in Europe becomes the template.

Where the Institutions Stand

The European Parliament has been the most consistent defender of privacy throughout this process. Their 2023 mandate explicitly rejected indiscriminate scanning, protected encryption, and required judicial warrants before any scanning could take place. The March 2026 vote showed they’ll hold that line – barely, by a single vote on the key amendment.

The EU Council (representing member state governments) wants broad scanning capability. The Council’s position still allows “voluntary” mass scanning, mandatory age verification, and AI analysis of unknown content. 23 of 27 member states currently support the proposal. Only the Czech Republic, Italy, the Netherlands, and Poland oppose.

The European Commission has backed the Council throughout. Four EU Commissioners signed a statement insisting the protection of children, not the protection of perpetrators, must remain the guiding principle. Framing opposition to Chat Control as protecting criminals is a rhetorical move, not an argument.

The Council’s Legal Service issued an opinion on June 10 stating the proposal violates Article 7 of the EU Charter. They said it plainly: without a court order based on reasonable suspicion, you cannot authorise access to private communications. Any deal that ignores this finding will be challenged in the CJEU and will likely lose

What You Can Do

If you’re an EU citizen or resident, what happens Monday is partly within your reach. MEPs are accessible, and the Parliament is the last real firewall here.

Contact your MEPs – The negotiators shaping the final Chat Control 2.0 text are called the Trilogue Shadows. You can find them by country at fightchatcontrol.eu. A short, direct email explaining that you oppose mass scanning and mandatory age verification, and want targeted, judicially authorised alternatives is extremely important to send before Monday.

Contact your country’s Permanent Representation – These are the diplomats representing your government in Brussels. They influence the Council’s negotiating position.

What to ask for:

• No generalised scanning of private communications, voluntary or otherwise
• No mandatory age verification for encrypted services
• Any interception of private messages to require a court order based on specific, reasonable suspicion
• Judicial authority, not private companies or administrative bodies to authorise access to private chats

The alternative that actually works: targeted investigations with proper legal authority, supported by more resources for specialised police units, international cooperation, and addressing illegal content at its source rather than trying to catch it in transit across encrypted channels.

The Bottom Line

Chat Control is not dead. It came close to dying. Chat Control 1.0 expired in April, and Parliament rejected its extension by one vote. That was a genuine win.

But the permanent regulation is now in its final negotiating session Monday. And today, Friday, a separate attempt is apparently underway to bring Chat Control 1.0 back through a procedural workaround, bypassing the Parliament vote that killed it.

The proposal as the Council wants it would give tech companies – including US companies with no particular democratic accountability to European citizens the ability to read your messages before you send them. It would require you to prove who you are before you’re allowed to use encrypted communication. And it would do all this while exempting government communications from the same scrutiny.

The technical experts say it won’t catch the sophisticated abusers it’s supposedly targeting. The EU’s own Legal Service says it violates the EU Charter. The European Parliament has repeatedly rejected its core mechanisms. None of this has stopped the push.

The fight isn’t over. After years of political deadlock, 2026 is the year we will learn how far the EU is willing to go. Monday is when we find out

Track the negotiations live at fightchatcontrol.eu. Follow Patrick Breyer’s comprehensive tracker at patrick-breyer.de for document-level updates. EDRi’s Stop Scanning Me campaign at edri.org has the most detailed legal analysis.

FAQs

This post first appeared at - The CyberSec Guru