On July 9, 2026, the European Parliament reauthorized a law that lets tech companies scan your private messages without a warrant. Here is the part that should worry you: a majority of lawmakers voted against it.
314 MEPs voted to kill the law. 276 voted to keep it. The law passed anyway.
How? The rejection required an "absolute majority" of 361 votes out of 720 MEPs. Every absent MEP effectively counted as a yes. The vote was scheduled for the last day before summer recess, when many MEPs had already left Strasbourg.
The European People's Party, Parliament's largest group, used a rarely invoked urgency procedure (Rule 170) to force the vote onto the floor on July 7. Two days later, the deed was done.
What Chat Control 1.0 Actually Does
The law is technically called the ePrivacy derogation. It allows tech companies to voluntarily scan private, unencrypted messages and emails for known child sexual abuse material (CSAM), without a warrant or prior suspicion.
Platforms affected: Instagram DMs, Discord, Snapchat, Skype, Xbox messages, Gmail, and iCloud.
Platforms not affected: WhatsApp and Signal, because they use end-to-end encryption. Parliament did adopt an E2EE exemption amendment with 369 votes, excluding "communications to which end-to-end encryption is, has been or will be applied" from the scanning scope.
But here is the catch. Providers of E2EE services were not scanning messages anyway. The exemption preserves the status quo. It does not create new protections.
The scanning is limited to "known" CSAM material, meaning previously identified photos and videos. It does not detect new or unknown material. And it remains in effect until 2028, or until a permanent regulation is agreed.
The Numbers That Should Make You Doubt This Law
The EU Commission's own evaluation report gives Chat Control a very poor assessment:
- Only 0.00000077% of messages scanned in the EU actually contained illegal material (heise online)
- False positive rates of filter technologies reach up to 20% (heise online)
- 99% of Meta's reports consist of previously known material (Patrick Breyer)
- The Commission could not demonstrate a clear link between automated reports and actual convictions or rescued children (heise online)
- German BKA recorded no drop in suspicious activity reports after Chat Control expired in April 2026 (heise online)
- Since 2022, suspected abuse reports from US providers dropped by 50% due to growing use of encryption, not due to scanning (EU Commission report, CELEX:52025DC0740)
German BKA also reports that 48% of incoming alerts are not criminally relevant, and 40% of resulting investigations target minors themselves. The tool designed to protect children is, in practice, flagging children.
The Procedural Trick
This is not the first time Parliament has dealt with Chat Control. In March 2026, Parliament rejected the extension twice. The interim law expired on April 3. For three months, the scanning stopped.
Then the Council of EU member states sent the proposal back to Parliament for a second reading. The EPP, led by Manfred Weber, revived it. Parliament President Roberta Metsola insisted on putting it back on the agenda.
The urgency procedure to force the vote passed 331 to 304 on July 7. Two days later, the law was reauthorized.
MEP Sven Clement put it plainly: "The European Parliament voted AGAINST Chat Control. 314 to 276. And it passed anyway. They needed 361 votes to say no. On the last day before vacation. Every empty seat counted as a yes." (@svnee on X)
What About Chat Control 2.0?
Chat Control 1.0 is the interim measure. The permanent version, Chat Control 2.0, would go much further. It proposes client-side scanning, where your device scans messages before they are encrypted and sent. This is the part that would fundamentally break end-to-end encryption.
Here is why: end-to-end encryption means only you and the recipient can read the message. Client-side scanning requires access to message content before encryption. That creates a backdoor. Once the scanning capability exists on your device, it can be expanded, hacked, or repurposed. There is no such thing as a backdoor that only good actors can use.
Negotiations for Chat Control 2.0 resume in September 2026. The EP's amendments now go to the Council, which has three months to approve or reject them. If the Council does not accept all amendments, a conciliation process begins.
Patrick Breyer, the former Pirate Party MEP who led opposition, sees a silver lining: "The resistance we saw in Parliament today was so strong that finding a majority for permanent, suspicionless mass scanning in future negotiations is a complete pipe dream." (Cointelegraph)
Who Is Affected Outside Europe?
If you think this is a European problem, think again. The platforms doing the scanning are American: Meta, Google, Microsoft, Apple. The messages they scan belong to users worldwide, not just Europeans. EU regulations shape global privacy standards because these companies cannot easily separate European users from everyone else.
GDPR changed how the world handles data. Chat Control could change how the world handles private communications.
For users in countries like Bangladesh, where there is no strong data protection law, the risk is higher. Your Instagram DMs and Gmail messages can be scanned under this EU framework even if you have never set foot in Europe, because the platforms are US-based and comply with EU rules globally.
What You Can Actually Do
Switch to E2EE messaging. Signal and WhatsApp are excluded from Chat Control scanning. For email, Proton and Tuta provide end-to-end encryption and are European providers that have never implemented chat control measures.
Understand the limits. The E2EE exemption protects the transport layer. If you back up your WhatsApp messages to iCloud or Google Drive without encryption, those backups can be scanned.
Watch Chat Control 2.0. The September negotiations will determine whether client-side scanning becomes mandatory. That is the real fight. Follow MEPs like Marketa Gregorova, Sven Clement, and Patrick Breyer for updates.
Enable disappearing messages. If messages do not persist, they cannot be scanned retroactively.
The paradox of Chat Control is that it sacrifices the privacy of 450 million Europeans to scan for material that 99% of the time is already known, with no evidence that the scanning actually rescues children or secures convictions. As Breyer said: "Trying to protect children with suspicionless mass surveillance is like frantically mopping the floor while the faucet is still running."
314 lawmakers voted against it. The law passed anyway. The least you can do is understand what it means for your messages.
Sources
- Patrick Breyer: EU Parliament greenlights Chat Control 1.0
- European Parliament Press Release: Combating child sexual abuse: support for a more limited ePrivacy derogation
- heise online: Procedural trick before summer break: EU Parliament reactivates Chat Control 1.0
- Cointelegraph: EU parliament passes 'chat control,' allowing private chat scans until 2028
- Euronews: European Parliament aims to exclude end-to-end chats from message-scanning regime
- EU Commission Evaluation Report: CELEX:52025DC0740
- The Register: EU 'Chat Control' snoopfest returns after vote to kill it falls short
- Wired: A Majority of European Lawmakers Voted Against Letting Big Tech Read Our Messages. They're Going to Anyway
Top comments (0)