Europe just voted to spy on your private messages

Europe just voted to spy on your private messages

Europe did not wake up on 9 July 2026 under a brand-new, fully operational Orwell machine. The worse truth is more bureaucratic and more familiar: Parliament failed to bury a system that treats private communication as searchable infrastructure. The European Parliament’s own press release says MEPs adopted amendments to the Council position on a derogation from ePrivacy rules that would allow electronic communication services to voluntarily detect child sexual abuse online. The same release says the amended position now goes to the Council, which has three months to accept or reject it; if the Council refuses all amendments, conciliation follows. That matters because the day was not a final moral victory for child protection. It was a procedural rescue operation for a scanning regime that had expired in April.

Table of Contents

Parliament did not kill the scanning comeback

The central fact is ugly even when described politely. A lapsed temporary law was pulled back onto the track after Parliament had already rejected the Commission’s extension in March. The earlier interim framework, Regulation 2021/1232, had allowed number-independent interpersonal communication providers to derogate from ePrivacy confidentiality rules so they could process personal and other data for the stated purpose of fighting online child sexual abuse. That law was adopted in 2021, extended in 2024, and expired on 3 April 2026 after the institutions failed to agree on another extension.

The result is not technically identical to the Council’s clean revival. Parliament added a restriction: communications to which end-to-end encryption is, has been, or will be applied should be excluded from the scope. That amendment is better than the Council’s position, but it does not repair the deeper mistake. A legal framework that authorises companies to scan private communications still normalises the idea that secrecy in everyday life is conditional, revocable, and dependent on the kindness of platforms. The difference between “mandatory” and “voluntary” feels reassuring only until the largest services volunteer on behalf of hundreds of millions of users who never had a meaningful vote.

This article is an editorial analysis, not a court judgment. The verified record shows a temporary derogation, a March rejection, a July Council move, an urgent parliamentary path, and a second-reading outcome that kept the revival alive. The political judgment is harsher: child protection was used as the passport for a surveillance architecture that Europe should have been dismantling, not refurbishing. A democracy that cannot protect children without scanning the innocent has admitted a failure of imagination. It has chosen an administrative shortcut over hard policing, victim support, offender disruption, and privacy-preserving safety work. The slogan is protection. The mechanism is suspicion by default.

The most dangerous part is not one vote, one text, or one institution. It is the habit being formed. Each emergency derogation trains policymakers to see confidentiality as a negotiable obstacle. Each “temporary” measure survives long enough to become operationally convenient. Each attempt to limit scanning is described as irresponsibility toward children. That is how exceptional access becomes ordinary law. The Parliament’s amendments may delay the worst version, and the Council may still refuse them. But the privacy loss has already happened at the level of political culture. The private message has been moved from a protected zone into a policy object, and Europe is congratulating itself for doing it with procedure.

The July record therefore needs careful wording. It is not accurate to say that every private message in Europe is now being read by the state. It is accurate to say that Parliament kept alive a legal path for providers to resume voluntary scanning after the prior derogation had expired, while adding amendments that the Council may still contest. That distinction matters because overstatement lets supporters dismiss the whole critique. The danger is not fantasy. It is the verified combination of a revived derogation, a higher rejection threshold, provider discretion, and ongoing permanent-law negotiations. When those pieces sit together, privacy becomes a bargaining chip. Europeans are asked to accept a smaller version today so that lawmakers can keep debating a larger version tomorrow. The honest question is not whether child abuse material should be fought. It must be. The question is whether Europe can fight it without treating confidential communication as a resource to be mined whenever a platform says it is helping.

That is the point citizens should keep. The danger is legal normalisation: once the exception is restored, the next debate starts from scanning as an existing practice, not as an extraordinary intrusion.

The procedure mattered as much as the text

The July vote was not only about scanning. It was about the rules used to make scanning easier to revive. Parliament’s briefing before the vote said the Council had adopted its position on 2 July, triggering a second reading. Under that stage, Parliament had three months to reject or amend the Council position, or it would be deemed adopted. Any amendment needed an absolute majority of MEPs, then stated as 360. The same briefing said plenary would first vote on an urgent procedure request; if approved, the substance would be handled later in the same week. Procedure became the battlefield because procedure changed the threshold.

The urgent-procedure vote on 7 July showed how thin the margin was. HowTheyVote records 331 in favour, 304 against, and 11 abstentions on the request for urgent decision. In total, 646 MEPs voted and 73 did not. That was not a calm legislative consensus. It was a narrow procedural opening, taken under conditions where absence mattered and where opponents of the revival needed more than a simple majority at the decisive stage. A law that touches private communications should not be revived on arithmetic that rewards speed and attendance games.

The 9 July outcome followed the same logic. Parliament’s press release says an initial vote had a simple majority for rejecting the Council position, 314 in favour, 276 against, and 17 abstentions. But at second reading, that was not enough. Later, there was no majority in favour of rejecting the amended European Parliament position, with 276 in favour, 286 against, and 30 abstentions, and the second reading was closed. The public headline becomes “support for a more limited derogation,” but the institutional story is stranger: a chamber where more MEPs initially favoured rejection still failed to kill the file because the applicable threshold was higher.

That procedural structure matters because it hides responsibility. Supporters can say they are merely restoring a stopgap measure. Opponents can say Parliament did not positively endorse the Council’s original text. Institutions can point to the next step and insist the process is unfinished. The citizen hears only that scanning has survived. Democratic accountability blurs when the most consequential choice is buried inside second-reading mechanics. A privacy law should not depend on whether the public understands absolute majorities, deemed adoption, urgency requests, and conciliation timetables. Those details are real, but they should not be a shield from political judgment.

The European People’s Party’s role became part of the public controversy because press coverage described a strategy to revive the interim scheme through a rarely used route after March negotiations collapsed. Euronews reported that the legal framework had expired on 3 April, that the Parliament rejected the Commission’s earlier temporary extension in March by 311 votes against, 228 in favour, and 92 abstentions, and that the new route gave supporters an advantage because the text would pass unless an absolute majority rejected or amended it. That is not conspiracy; it is institutional hardball.

The scandal is not that politicians used parliamentary rules. Legislatures have rules, and majorities use them. The scandal is the mismatch between the gravity of private-message scanning and the casualness of the revival. Europe likes to describe itself as the continent of rights, proportionality, and safeguards. Then, when surveillance loses a straight fight, it returns through urgency. If a measure is too intrusive to pass under normal deliberation, making it procedurally easier does not make it more legitimate. It makes the privacy bargain look prearranged.

The legitimacy problem grows because urgency also narrows public reaction time. Civil society groups can alert supporters, but most citizens learn about the vote only after the decisive procedural step has passed. The vote-count record shows that 73 MEPs did not vote on 7 July; in an absolute-majority environment, absence can decide rights. A privacy rule should not turn on holiday-week arithmetic when it governs intimate communication, cloud files, and email. The Parliament could have insisted on normal committee scrutiny, fresh public explanation, and a direct comparison between the March compromise and the Council text. Instead, citizens were left reading after-the-fact institutional language. That is not enough for a measure that alters confidentiality. Democratic procedure should make rights conflicts more visible. Here, it made the conflict harder to see and easier to survive.

A privacy vote should be politically legible. People cannot defend rights they cannot see being traded, and the July timetable made the trade visible mostly to specialists.

The cure is direct accountability. Publish the stakes before the vote, not after citizens discover that procedure decided them.

Voluntary scanning still changes the privacy bargain

The word “voluntary” does a lot of political work here. It invites citizens to imagine restraint. Nobody is forcing every platform to scan every message, we are told; providers merely receive legal permission to use technologies they may choose. But voluntary for a platform is not voluntary for the people inside the platform. A billion-user service can “volunteer” and instantly convert private communications into material subject to automated inspection. The individual user usually cannot negotiate the scanning architecture, cannot audit the classifier, cannot see the hash list, and cannot tell whether a human reviewer eventually sees a false flag.

Regulation 2021/1232 was framed as a temporary derogation from certain ePrivacy provisions for number-independent interpersonal communication services. The point was to allow processing of personal and other data for detecting and reporting online child sexual abuse. It did not impose a general obligation to scan, and that is exactly why supporters prefer the word voluntary. Yet the law still created a permission structure for scanning communications that would otherwise sit under confidentiality rules. A derogation is not harmless because it is optional for companies. It changes what the law treats as acceptable conduct.

The ePrivacy Directive’s Article 5 is built around confidentiality of communications. Member States must ensure confidentiality through national law, and listening, tapping, storage, or other kinds of interception or surveillance are forbidden without user consent, except where legally authorised under Article 15. That architecture is not decorative. It recognises that communication data is not like a shipping label on a parcel. Messages carry relationships, health details, business plans, political beliefs, family crises, location clues, and intimate photos. The content of ordinary communication is a map of a life.

Voluntary scanning also places too much trust in corporate incentives. Some providers may scan because they believe it protects children. Some may scan because they fear reputational damage. Some may scan because legal cover makes it easier to avoid future liability. Some may scan because automated reporting is cheaper than building safer products or funding better moderation. The user sees the same result either way: the platform becomes a deputised gatekeeper for private life. Rights should not depend on the internal risk committee of a technology company.

Supporters correctly point out that online child sexual abuse is real and brutal. NCMEC says its CyberTipline was created in 1998 to receive reports of suspected child sexual exploitation from the public and electronic service providers, and the Internet Watch Foundation’s 2025 report says it assessed 451,210 reports and confirmed 311,610 reports containing or leading to child sexual abuse material. Those numbers are grim. They demand action. They do not automatically justify suspicionless scanning of private communications. The size of a crime problem does not erase the need for targeted power.

The practical risk is that voluntary scanning becomes a legal holding pen while permanent law is negotiated. Once companies invest in tools, workflows, reviewer teams, escalation routes, and law-enforcement reporting channels, the system gains institutional defenders. The temporary permission becomes an argument for continuity. The continuity becomes evidence that society has accepted the practice. Then critics are told they are trying to remove an established safety tool. That is how the privacy bargain is rewritten without saying so. Nobody announces the end of confidential messaging; they merely renew an exception until the exception feels normal.

The user’s so-called choice is also weak. Leaving a dominant platform can mean losing contact with family, schools, public services, colleagues, customers, or community groups. Consent buried in terms of service is not a democratic mandate for surveillance. Network dependence turns platform choice into a fiction for many people. Even users who move to encrypted alternatives may still keep old email accounts, cloud backups, work chats, or family messaging groups on scanned services. That is why voluntary scanning must be judged at population level, not as an individual preference setting. A provider can make one compliance decision and alter the privacy environment for an entire society. The law should restrain that power, not bless it because the provider uses the language of safety. Where truly targeted intervention is needed, the state should carry the burden of legal authorisation instead of outsourcing suspicion to corporate systems.

That population-level effect is why the word voluntary should be retired from public comfort. The provider volunteers the user, while the user inherits the consequences.

A rights framework should start from users. No one should be volunteered into surveillance by a provider’s compliance preference.

The child safety claim deserves better than mass suspicion

Child sexual abuse is not a rhetorical device. It is a crime against children, victims, families, and society. Any serious privacy critique has to start there, because pretending the harm is exaggerated would be dishonest and cruel. The strongest case for detection systems comes from the fact that abuse material is created through real violence and then circulated as continuing harm. Every redisplay of abuse material can renew the injury to the victim. The IWF’s work exists because removal, blocking, hashing, reporting, and victim identification can reduce harm when they are used with care and legal discipline.

But protecting children is not the same as maximising the number of private files scanned. Policy should be judged by whether it finds victims, stops offenders, preserves evidence, supports prosecutions, funds prevention, and reduces abuse. A dragnet may generate reports while still missing the people who are most dangerous, especially when offenders move to closed groups, self-encrypt files, use code words, fragment images, or operate outside mainstream platforms. Mass inspection is politically visible, but visibility is not proof of effectiveness. It can become a performance of care that substitutes volume for results.

The child safety argument is often presented as though the only choices are broad scanning or indifference. That is false. Targeted warrants, undercover investigations, victim reporting channels, offender treatment programmes, school-based prevention, takedown cooperation, hash matching on public or shared hosting spaces, financial disruption of commercial abuse markets, and international police work all address real harms without declaring every private conversation eligible for inspection. A rights-respecting system makes state power sharper, not wider. It asks who is at risk, what evidence exists, which authority approves action, and how mistakes are remedied.

The European data protection authorities made this distinction in their 2022 joint opinion on the permanent CSAM proposal. They recognised child sexual abuse as a particularly serious crime and an objective of general interest. At the same time, they warned that the proposal raised serious concerns about necessity and proportionality, especially for detecting unknown material and grooming in interpersonal communication services because of intrusiveness, probabilistic technologies, and error rates. That is the adult position: the crime is grave, and the power still needs limits.

The emotional shield around “for the children” is dangerous because it punishes precision. Ask for judicial authorisation and you sound slow. Ask for suspicion and you sound indifferent. Ask for evidence of effectiveness and you sound technical. Ask whether encrypted communication should remain secure for children, journalists, activists, lawyers, doctors, and domestic-violence survivors, and you are accused of helping predators. That tactic is morally cheap. Children also need private and secure communication. They need safe ways to contact trusted adults, helplines, doctors, lawyers, and friends without every channel becoming a surveillance surface.

A serious child protection policy would not treat privacy as the enemy. It would treat privacy as one part of safety. Children live online too. They are targets of coercion, sextortion, doxxing, stalking, domestic abuse, and peer harassment. Weak confidentiality can hurt them. A system built for scanning may expose intimate material during review, generate false reports against minors, or push vulnerable young people away from mainstream channels where support exists. The slogan protects children; the mechanism may expose them. Europe owes children more than a database of everyone’s messages and a promise that the machine will behave.

A child-centred approach would also ask who is harmed by bad enforcement. False reports, unnecessary exposure of intimate material, and loss of trusted channels can fall on minors themselves. Children are not only the beneficiaries of safety policy; they are also users of communication tools. A policy made in their name can still damage their rights. The better test is practical: does the measure reduce abuse without creating avoidable harm to lawful users and victims? Does it help investigators find abusers rather than inflate report queues? Does it protect secure channels children use to seek help? If lawmakers cannot answer with evidence, they are not doing child protection. They are doing moral theatre with other people’s privacy. Europe should be mature enough to reject that trade.

That is also why criticism must remain sharp. Bad surveillance is not compassion; it is a way for institutions to look protective while avoiding harder work.

That standard is demanding because the harm is serious. Children deserve proof, not slogans, and citizens deserve rights.

So ask for the evidence. Care is measurable.

ePrivacy exists because messages are not ordinary data

The ePrivacy framework is sometimes discussed as an obstacle to safety. That is backwards. It is one of the legal reasons Europeans can communicate without assuming that service providers, employers, advertisers, or governments are silently inspecting every message. Directive 2002/58/EC was adopted to address privacy and personal data in the electronic communications sector, including confidentiality. The law protects communication because communication is where private life happens. It is not only about secrecy. It is about trust, autonomy, association, journalism, legal defence, medical disclosure, political organising, and ordinary human intimacy.

The temporary derogation matters because it cuts into that architecture. Regulation 2021/1232 allowed certain providers to process personal and other data for online child sexual abuse detection despite ePrivacy restrictions. The official legislative train describes it as an interim regulation for number-independent interpersonal communication services such as webmail, messaging services, and internet telephony. It was adopted in July 2021 and entered into force in August 2021. A temporary exception to confidentiality became the policy bridge for years of scanning politics.

Messages are different from ordinary data because they are relational. A single message can reveal both sender and recipient, and often third parties who never consented to any platform policy. A photo in a chat may identify a child, a home, a school uniform, a medical condition, or a political meeting. An email can contain privileged legal advice or commercial secrets. A cloud file can include family documents, passports, intimate images, or whistleblower records. Scanning communications is never just scanning content; it is scanning social life.

That is why “only known CSAM” does not settle the issue. Known-image hash matching is narrower than AI-based detection of unknown material or grooming language, but it still requires a system that accesses user content, compares it against reference sets, creates alerts, and escalates selected material. That system must be built, maintained, secured, audited, and protected against expansion. The legal question is not only whether one category of crime is horrific. It is whether the infrastructure for automated inspection is proportionate, accountable, and confined. Infrastructure has politics of its own.

European rights law also treats communications confidentiality as linked to broader liberties. Article 7 of the EU Charter protects respect for private and family life, while Article 8 protects personal data. The Fundamental Rights Agency’s Charter explainer says everyone has the right to protection of personal data, fair processing for specified purposes, access and rectification, and oversight by an independent authority. When private-message scanning touches both content and metadata, it sits directly inside that rights zone. The burden should be on the state and providers to justify intrusion, not on citizens to justify privacy.

The recurring European mistake is to treat ePrivacy as old paperwork built for a less dangerous internet. The opposite is true. The more our lives move through private digital channels, the more confidentiality matters. Work, education, banking, healthcare, dating, family care, activism, migration, journalism, and childhood friendships all depend on reliable channels. If those channels become conditional on automated suspicion, people behave differently. They censor themselves. They avoid help. They stop trusting services. A society without trusted communication becomes easier to govern and harder to live in.

Communications confidentiality also supports democracy at the group level. Political parties, unions, churches, NGOs, newsrooms, small businesses, and community organisations depend on private coordination. The harm from weakened confidentiality is not limited to embarrassment. It can change who dares to organise, report, dissent, or ask for help. That is why ePrivacy should not be treated as a technical sister of cookie law. It is part of the infrastructure that lets people rely on digital intermediaries without surrendering the substance of their lives. The temporary derogation cuts into precisely that trust. Even when the purpose is grave and legitimate, the legal form teaches a dangerous lesson: confidentiality holds until policymakers decide a platform’s scanning system is useful enough to excuse the intrusion.

The right lesson is simple. Confidentiality must be the default, and every exception must be narrow, proven, supervised, and difficult to renew.

This also explains why ePrivacy exceptions should be rare. A message is not only data moving through infrastructure; it is the act of trusting another person through an intermediary. Law should protect that trust before it licenses inspection. The EU can regulate platforms, punish offenders, and remove confirmed abuse material without teaching providers that private channels are open to routine analysis. If confidentiality becomes merely one interest among many in every safety debate, it will lose by repetition.

Known CSAM hashing is not the whole story

Defenders of the derogation often begin with known CSAM hashing because it sounds precise. A platform compares uploaded or transmitted material against a database of hashes linked to previously identified abuse material. If the hash matches, the item can be reported and removed. That tool is not the same as a broad AI system that guesses whether an unknown image is abusive or whether a conversation is grooming. Known-content matching is the narrowest and strongest part of the pro-scanning argument. It can help stop recirculation of material that has already been confirmed as criminal.

But the political debate never stays limited to the easiest case. The 2022 Commission proposal for permanent rules covered detection, reporting, removal, and blocking of known and new online child sexual abuse material, as well as solicitation of children. The EDPB and EDPS joint opinion drew a sharp distinction between those categories and expressed particular concern about unknown CSAM and grooming in interpersonal communication services because those technologies are probabilistic and intrusive. The move from matching known images to interpreting unknown content changes the rights analysis.

Probabilistic detection matters because errors have victims too. A false positive can expose lawful intimate images, family photos, medical material, or teenage self-generated content to reviewers and law enforcement. A false negative can leave a child unprotected while policymakers boast about scanning volume. Even a high accuracy rate can produce large numbers of mistakes when applied to enormous communication systems. At European scale, small error rates do not stay small. The denominator is millions or billions of files and messages, not a laboratory dataset.

The technical literature reflects this difficulty. A 2024 study on CSAM-context explicit-content detection reported promising results for one end-to-end classifier after adding neutral samples and adult pornography, but the same abstract notes legal limits on data access, remote execution on isolated servers, and the importance of interpretable results. That is useful research. It is not a blank cheque for scanning private communications across the EU. A model that performs in a constrained research setting is not automatically safe as a civil-liberties filter.

Hash systems also require governance. Who creates the reference database? How are entries verified? How are mistakes removed? Can political categories be added later? Can authoritarian governments pressure providers through local law? Can attackers poison hash lists, exploit reporting mechanisms, or frame users? The answers determine whether a tool is a focused child-protection measure or a generalised content-control mechanism waiting for new labels. The hash list is a constitutional object when it decides which private files trigger police attention.

That is why the “known CSAM only” defence should be treated as a floor, not a conclusion. A narrow tool used on public hosting, with independent oversight, transparent audit, verified databases, strict purpose limitation, and strong remedies looks very different from private-message scanning authorised by a broad derogation. The July revival keeps alive a model in which the legal permission precedes the democratic settlement about limits. Europe is building the permission layer before earning public trust in the safeguards. That order is wrong.

The governance burden should increase as detection moves away from exact matching. Known-content matching at least starts from confirmed material. Unknown-content detection and grooming detection ask machines to classify context, age, intent, sexuality, coercion, and language. That shift moves from identification toward judgment. It is a different kind of power. A hash match can still be wrong if the database is wrong or the context is misunderstood, but a grooming classifier may be wrong because ordinary human communication is messy. Jokes, therapy, education, family conflict, survivor disclosure, and police work can all contain words that look suspicious to a model. A lawful system must not let the easiest technical story define the hardest legal category. Europe should separate these tools instead of wrapping them together under the comforting label of child safety.

Lawmakers should therefore legislate by detection type. Known hashes, unknown-image classifiers, and grooming models are different powers, and pretending otherwise hides risk.

The law should also require public evidence about each detection method. How often does it identify victims? How often does it duplicate old reports? How often does it misclassify lawful material? Accuracy without context is not accountability. Europe should not accept vendor assurances or platform summaries as enough. Detection tools that affect private communication need independent evaluation, narrow deployment, and clear consequences when they fail.

Separate the tools. Precision matters here.

End-to-end encryption remains the legal fault line

Parliament’s 9 July amendment excluding communications to which end-to-end encryption is, has been, or will be applied is not a small detail. It is the line between a bad scanning framework and a catastrophic one. End-to-end encryption means the message is readable only by the endpoints, not by the provider in the middle. The Internet Society puts the principle plainly: decrypted data can be seen and read only by the sender and intended recipient, and exceptional access breaks that basic promise. Once the provider can inspect the content, end-to-end encryption has lost its core meaning.

This is why client-side scanning became the permanent fight. If providers cannot read encrypted messages in transit, the detection has to move before encryption or after decryption. That means the user’s own device becomes the checkpoint. Max Planck’s public explainer says client-side scanning checks content on the sender’s device before encryption; once content becomes accessible to a party other than sender or recipient, the protection given by encryption disappears. Calling encryption “technically intact” while scanning before encryption is wordplay, not security.

The July text, if the Council accepts the Parliament amendment, would not impose that client-side model through Chat Control 1.0. That is worth saying clearly. The immediate fight is not the same as the worst version of Chat Control 2.0. But the fights are connected because the temporary derogation keeps alive the political premise that automated inspection of communications is an acceptable child-protection baseline. Once that premise is accepted for unencrypted channels, pressure returns to encrypted channels. The argument becomes: why should criminals escape merely by choosing stronger security?

The EDPB and EDPS warned in 2022 that encryption technologies contribute in a fundamental way to private life, confidentiality of communications, freedom of expression, innovation, and digital-economy trust. They said the proposal should clearly state that nothing in it may be interpreted as prohibiting or weakening encryption. Those warnings were not ideological decorations. They were legal and technical guardrails from the EU’s own data-protection institutions. Encryption is infrastructure for rights, not a loophole for wrongdoing.

Security researchers have made the same point in sharper technical language. “Bugs in our Pockets,” a 2021 paper by well-known cryptography and security experts, argues that client-side scanning creates serious security and privacy risks for society, can fail, can be evaded, and can be abused. The paper rejects the idea that on-device scanning neatly solves the encryption-versus-public-safety dispute. A surveillance tool placed on the device becomes part of the attack surface.

End-to-end encryption also protects children. A child seeking help from an abusive household may need secure messaging. A teenager targeted by sextortion may need confidential contact with a helpline. A young LGBTQ person in a hostile family may need private support. Journalists, lawyers, doctors, dissidents, migrants, and small businesses all need it too. The scandal of Chat Control politics is that encryption is treated as a privilege to be tolerated until safety rhetoric needs a villain. Secure communication is not the enemy of child safety; it is one of its conditions.

The encryption carve-out also needs to be durable. A safeguard that survives one parliamentary amendment can disappear in Council resistance, conciliation compromise, or the permanent regulation. The phrase should be treated as a red line, not a bargaining token. If the Council rejects Parliament’s amended position because it protects encrypted communication, citizens should understand what that means: the fight is not about a minor drafting preference but about whether secure channels can remain outside scanning mandates. European institutions often speak about cyber resilience, secure digital identity, industrial competitiveness, and protection from hostile states. Those goals collapse if the same institutions normalise designs that inspect content before it is protected. A continent cannot demand secure systems in one file and undermine their premises in another.

The safest rule is bright and boring. No encrypted channel should be redesigned for detection, whether through server access, device scanning, or regulatory pressure.

The technical distinction should be written in law with no loophole. Scanning a message before encryption, compelling a provider to alter an encrypted service, or punishing a provider because encryption prevents scanning all attack the same guarantee. The guarantee is user confidentiality. A legal text that protects encryption in one recital while pressuring detection in another invites years of dangerous interpretation.

Anything weaker invites evasion by drafting. Encryption needs legal certainty.

No exception should smuggle scanning back. Secure means secure.

The March privacy compromise was not an accident

March 2026 matters because Parliament had already drawn a more careful line. On 11 March, MEPs supported a temporary extension only with narrower safeguards, including limits on scope and judicial approval. The Parliament’s later July press release says MEPs had voted to limit detection measures and require judicial approval before negotiations with the Council failed. The legislative train records that Parliament’s 11 March position favoured extension until August 2027 and a narrower scope to ensure proportional and targeted measures. That was the serious compromise: temporary, narrower, targeted, and supervised.

The March position did not deny child abuse online. It tried to force the institutions to respect the difference between fighting crime and scanning populations. A targeted approach means authorities need suspicion, legal approval, and a defined scope before private communications are searched. That is not bureaucratic laziness; it is the architecture of rights. The Council’s refusal to accept those limits reveals the conflict. The argument was never only about children; it was about whether suspicionless scanning would remain available. Reuters reported in March that talks failed after Parliament insisted the temporary rules should not apply to end-to-end encrypted communications, among other changes.

Table 1. The 2026 derogation fight in verified milestones

DateEventPrivacy meaning
11 March 2026Parliament backs a narrower temporary extensionTargeting, proportionality, and judicial approval gain support
26 March 2026Parliament rejects the extension after talks failThe interim law is allowed to lapse
3 April 2026Previous derogation expiresVoluntary scanning loses its specific EU legal cover
2 July 2026Council adopts a position to reinstate the measureThe expired scheme is revived through second reading
7 July 2026Urgent procedure passes 331 to 304Speed and threshold rules shape the outcome
9 July 2026Parliament adopts amendments and closes second readingThe file moves to Council with E2EE exclusion language

The table shows the core political pattern: Parliament first tried to narrow the derogation, then rejected the extension, then faced a Council-backed revival under a procedure that made rejection harder.

The July maneuver should be judged against that March background. If Parliament had never acted for safeguards, supporters could claim the file merely moved through ordinary delay. But Parliament did act. It demanded limits. The Council did not agree. The law expired. Then the Council moved to reinstate the measure as soon as possible until 3 April 2028, saying the temporary measure was needed to avoid a prolonged legal gap while long-term talks continued. A legal gap for scanning is not the same thing as a legal gap for child protection. Other laws against abuse, reporting duties, police powers, takedown tools, and investigations did not vanish.

The strongest critique of July is therefore not that every MEP suddenly voted for maximal surveillance. The record is messier. Parliament adopted amendments, including an encryption exclusion, and the file is not finished until the Council accepts or rejects them. The critique is that an expired scanning permission returned after the institution had already refused the Council’s broader approach. When a privacy-protective compromise loses, the answer should be better negotiation, not procedural resurrection. Europe should have treated March as a warning. Instead, July treated it as an obstacle to route around.

The March compromise also showed that privacy advocates were not asking Parliament to walk away from children. They were asking it to make the extension conditional on proof, targeting, and independent approval. That is the difference between governance and panic. Judicial authorisation is not a magic shield, but it forces a reasoned decision before intrusion rather than a review after mass processing. A narrower duration matters because “temporary” laws gain inertia. Scope limits matter because scanning technologies expand by category. The July revival weakened the political force of those March choices. Even with the encryption amendment restored, the institutional message is that targeted safeguards are negotiable whenever the Council wants continuity more than restraint.

The Council’s resistance to the March limits should therefore be treated as evidence in itself. If the narrower version truly preserved enough capability to protect children, refusing it looks like a preference for wider scanning. If the Council believed the narrower version was ineffective, it should have published a detailed case explaining why targeted detection, judicial approval, and encryption exclusions would fail. A claim of ineffectiveness is not proof of ineffectiveness. In rights law, the institution seeking broader intrusion must show necessity. It cannot merely say that safeguards make enforcement inconvenient. The March compromise was the point where Europe could have admitted the trade-off honestly: accept a tighter tool or prove why no tighter tool works. July avoided that confrontation.

The public should remember that the March line was not radical. It did not ban all provider action. It asked for a shorter extension, narrower scope, and judicial control. That is moderate rights policy. If even that was unacceptable to the Council, then the Council should explain which safeguard it cannot live with and why. Democracy needs that argument in daylight. Without it, July looks less like compromise and more like a refusal to accept privacy limits.

The Council turned an expiry into a second reading trap

The Council’s 2 July press release was blunt about its objective. It said the Council adopted its position on a regulation to allow online service providers to resume voluntary detection and removal of child sexual abuse material, and it wanted the regulation to enter into force as soon as possible. It also said the previous interim measure expired on 3 April 2026 and that the Council wanted an interim measure reinstated until 3 April 2028. The Council did not hide the goal: bring back the lapsed scanning permission quickly.

The institutional trick was subtler. Once the Council position reached Parliament at second reading, the default changed. Parliament could approve, amend, or reject, but rejecting or amending needed an absolute majority. The Parliament’s own briefing explained that if Parliament did not reject or amend within three months, the Council position would be deemed adopted. That puts the burden on privacy defenders to assemble not merely a majority of those voting, but a majority of all MEPs. Silence, absence, and procedural fatigue become allies of surveillance.

Supporters will object that this is how the ordinary legislative procedure works. True. The point is not that the rule was invented on the day. The point is that the rule was used after Parliament’s earlier rejection and after negotiations over safeguards collapsed. A democratic system can follow its rules and still produce a legitimacy problem. Procedure can be legal and still be politically abusive when it revives a rights-intrusive measure under conditions that make blocking it harder than supporting it.

The Council framed the measure as protection while the permanent framework remains under negotiation. That phrase sounds reasonable until one remembers that temporary EU digital measures often stretch, renew, and harden. The initial interim regulation was adopted in 2021, extended once in 2024, and then revived in 2026 after expiry. A “bridge” lasting years stops looking like a bridge and starts looking like a policy preference. Temporary law is a poor place to store permanent surveillance capacity.

The July sequence also shows the danger of legislative dependency. The permanent CSAM Regulation has been stuck because institutions cannot settle the encryption and scanning questions. Instead of accepting that deadlock as a sign that the measure is too intrusive, the Council treated the interim derogation as a pressure valve. Keep the temporary scanning permission alive, then negotiate the permanent framework under the shadow of existing practice. The interim law becomes leverage for the permanent law.

This is why privacy advocates describe the revival as a back door. The phrase is heated, but the structure supports the concern. A law expires because Parliament and Council cannot agree on safeguards. The Council revives it through a fresh position. Urgency compresses scrutiny. Second-reading thresholds make rejection difficult. The result is not the normal democratic birth of a rights-limiting measure. It is the reanimation of an expired exception. Europe should not build surveillance continuity from procedural leftovers.

A second-reading trap is especially troubling because it flips democratic psychology. Normally, those who want a rights-limiting measure should persuade the public and its representatives. Here, once the Council position moved, those who wanted to stop or change the measure needed to clear the higher hurdle. The burden shifted from power to privacy. That inversion matters. Rights are supposed to be barriers against easy state and corporate intrusion. They are not supposed to depend on whether enough MEPs are physically present to block an expired exception. If the Council believes scanning permission is indispensable, it should have accepted the burden of proving necessity under a fresh, fully scrutinised proposal. Reanimating a lapsed measure through procedural momentum makes the privacy side fight uphill by design.

The expiry should have strengthened privacy’s position. Once the old derogation lapsed, Europe had a chance to reassess whether years of interim scanning had delivered enough value to justify renewal. Instead, the Council framed the lapse as a vacuum and sought rapid reinstatement. Calling an expired surveillance permission a vacuum is revealing language. It assumes that the normal state is legal cover for scanning, not confidentiality. A healthier legal culture would see expiry as the default reassertion of rights unless fresh evidence supports intrusion. That inversion is the heart of the problem.

Expiry also matters symbolically. A sunset date is supposed to force lawmakers to decide again under full scrutiny. A sunset without consequence is decoration. Temporary powers should not be treated as permanent expectations.

False positives are not a rounding error

Every scanning system makes mistakes. That is not a smear; it is how classifiers, hash systems, databases, human escalation, and reporting pipelines work. Even exact matching depends on the accuracy of the reference set and the integrity of the workflow. AI-based detection of unknown images or grooming is much riskier because it assigns probability to ambiguous material and language. A false positive in this context is not a minor inconvenience. It can put a lawful user, a teenager, a parent, a journalist, or a medical professional into a child-abuse reporting chain.

The EDPB and EDPS focused on this problem in their 2022 joint opinion. They said measures for detecting unknown CSAM and grooming in interpersonal communication services were especially concerning because of intrusiveness, probabilistic nature, and associated error rates. They considered the interference beyond what is necessary and proportionate for those categories and warned that generalised access to communication content for detecting solicitation could affect the essence of Charter rights. That is not a privacy lobby talking; it is the EU’s data-protection establishment warning about proportionality.

False positives become more serious when private images are involved. Family photos of children bathing, medical images, sexual health materials, breastfeeding pictures, art, forensic evidence, or images shared with doctors or lawyers may be lawful and sensitive. A scanning system cannot understand context the way a competent human investigator can. Once flagged, the material may move through reviewers, trust-and-safety systems, reports to clearinghouses, and law-enforcement channels. The privacy injury can occur even if the person is eventually cleared.

The scale problem is unforgiving. If a service scans millions of files daily, a tiny false-positive rate can produce many wrongful flags. If reviewers are overloaded, quality drops. If companies fear liability for missing abuse, they may over-report. If law enforcement receives noise, attention may shift away from urgent cases. The system then harms both privacy and child protection. Bad signals do not become good evidence because they arrived from a machine.

The effect on teenagers deserves special attention. Many cases of youth-produced sexual imagery involve coercion, peer pressure, sextortion, or poor judgment, and some involve victims needing help rather than criminal suspicion. Automated scanning can collapse those distinctions. It may treat a child’s distress evidence as contraband, route it through punitive systems, or discourage minors from seeking assistance. A system built to find abuse material can mishandle abused children if it lacks context and care.

Supporters often answer with safeguards: human review, reporting thresholds, audit logs, appeals, and restricted use. Safeguards are necessary, but they do not erase the initial intrusion. The EDPB and EDPS said procedural safeguards cannot fully replace substantive safeguards. That line is crucial. If the initial permission is too broad, later review cannot make it proportionate. The first safeguard is not a reviewer; it is the decision not to scan innocent people in the first place.

False positives also create data-protection problems after the first report. Once an item is flagged, copies, logs, reviewer notes, account identifiers, IP addresses, device data, and escalation decisions may be stored or shared. The error becomes a record. Even if the user is never prosecuted, the existence of a report can affect account access, internal risk scoring, future moderation, or law-enforcement triage. Remedies are often opaque because companies will not reveal detection rules and authorities may not disclose investigative details. That leaves innocent users with a practical impossibility: prove that a secret system misread a private file. A proportional regime should minimise the creation of such records by requiring suspicion and authorisation before content inspection whenever private communications are involved.

Mistaken flags also affect trust in child-protection systems. People who see innocent material mishandled may become less willing to cooperate with platforms or authorities. Communities already suspicious of policing may interpret scanning as another form of monitoring. A system that burns trust can reduce reporting from the people who most need help. The risk is not abstract. Safety systems depend on legitimacy, especially when victims must disclose humiliating or frightening details. If automated suspicion becomes the first face of protection, many people will hide rather than seek help. That outcome would harm the very children the policy invokes.

The fear of being falsely flagged is not the only harm. Some people will avoid storing lawful sensitive material in mainstream services, even when those services are secure against ordinary threats. A safety tool can push users toward less safe behaviour. That perverse effect deserves attention before lawmakers celebrate detection capacity.

Corporate discretion is a weak substitute for rights

The revived derogation rests on a strange form of trust: private companies are allowed to scan, report, and remove, and citizens are expected to believe that this will remain narrow, accurate, and well governed. That is an astonishing amount of constitutional weight to place on corporate discretion. Platforms are not courts, not child-protection agencies, and not democratic institutions. They are businesses with legal teams, compliance incentives, public-relations fears, cost pressures, and opaque moderation systems. Some act responsibly. That does not make them proper guardians of communications confidentiality.

The Council argues voluntary provider activity helps identify, investigate, and prosecute offenders and contributes to rescuing victims and reducing the spread of abuse material. That claim may be true in some cases. It is also incomplete. The same activity can expose lawful private material, create over-reporting incentives, and establish monitoring capacity that later becomes politically useful for other purposes. Corporate safety operations need law; they should not become law by habit.

NCMEC data shows why providers are powerful gatekeepers. The CyberTipline receives reports from the public and electronic service providers, with most reports coming from providers. NCMEC says more than 2,000 providers are registered, just over 300 companies submitted reports in 2025, and five providers accounted for more than 75 percent of reports. A handful of companies already shape the visibility of online child sexual exploitation for law enforcement. Giving them broader legal comfort to scan private spaces concentrates more social power in systems ordinary users cannot inspect.

Corporate discretion also produces unequal privacy. A privacy-protective service may refuse broad scanning; a larger platform may scan aggressively; a cloud provider may interpret the law differently from a messaging service; a smaller company may lack resources to contest official pressure. Users do not experience one coherent European rights regime. They experience whatever their provider’s lawyers and engineers implement. Fundamental rights should not vary by app settings and platform appetite.

The problem deepens when voluntary scanning becomes a liability shield. Once lawmakers praise detection, a provider that declines to scan may be portrayed as negligent. A voluntary system can become de facto mandatory through reputational pressure, insurance pressure, investor pressure, or later enforcement expectations. The law says “may.” The market hears “should.” The public hears “safe companies do.” Soft mandates are still mandates when refusal becomes politically toxic.

Private companies also face demands from many states. A tool built for CSAM in Europe may attract requests elsewhere for terrorism, extremism, copyright, blasphemy, protest, drugs, migration enforcement, or political dissent. European law may restrict purpose today, but technology travels, vendors sell, and compliance teams reuse infrastructure. The risk is not that every provider is evil. It is that surveillance systems outlive their first justification. Rights are safer when the infrastructure for abuse is never built at scale.

The accountability gap is obvious when something goes wrong. If a lawful image is reported, the provider may blame legal expectations, the lawmaker may blame provider implementation, the regulator may point to safeguards, and police may say they merely received a report. Distributed systems are excellent at distributing blame. For the affected user, that is not governance. It is a maze. Strong rights require clear duties: who authorised scanning, who verified the database, who reviewed the flag, who shared the data, who deletes mistakes, and who compensates harm? Voluntary scanning blurs these lines because it lets private actors initiate state-relevant processes while public institutions claim the activity is not mandatory. That blur is precisely why the model should be narrowed rather than revived.

Clear accountability would also discipline technology vendors. Providers should not be allowed to hide behind purchased tools whose performance is unknown to the public. If a classifier or hash-matching system is used in private communication, independent experts should be able to examine its governance, error handling, access controls, and audit trails. No secret system should trigger public power without public-grade oversight. This does not require publishing illegal material or giving attackers a manual. It requires controlled inspection by trusted bodies and meaningful reporting to citizens. Without that, voluntary scanning asks Europe to accept invisible law enforcement by software procurement.

The user needs a clear path too. If a report was wrong, there must be deletion, correction, appeal, and notice where legally possible. A right without a remedy is theatre. Voluntary scanning offers too little confidence that such remedies will exist in practice.

That is why the permission should be narrow. Power needs an owner.

Courts have already warned against generalised surveillance

Europe’s legal tradition already contains a warning label for broad communications surveillance. The Court of Justice of the European Union has repeatedly rejected general and indiscriminate retention or transmission of communications data except under tightly limited circumstances. In La Quadrature du Net, the Court confirmed that EU law precludes national legislation requiring providers to carry out general and indiscriminate transmission or retention of traffic and location data for combating crime in general or safeguarding national security. That case concerned metadata, but the principle is even sharper for message content.

The Chat Control debate is not identical to data retention case law. It deals with voluntary provider scanning, temporary derogations, and content detection for a grave crime. But the constitutional instincts overlap: broad measures affecting innocent users must face necessity, proportionality, legal clarity, purpose limitation, and independent oversight. The EDPB and EDPS explicitly assessed the 2022 CSAM proposal through that rights lens and warned that the interference with confidentiality of communications might become the rule rather than the exception. That is the line Europe keeps approaching.

Article 52 of the EU Charter requires limitations on rights to respect their essence and, subject to proportionality, to be necessary and genuinely meet objectives of general interest or protect rights and freedoms of others. Child protection clearly qualifies as a serious objective. The hard question is whether suspicionless scanning of private communications is necessary and proportionate. A noble objective does not validate every means. European rights law is built precisely to stop that shortcut.

Generalised surveillance has two harms. First, it intrudes on private life directly. Second, it changes behaviour. People who know messages may be inspected may avoid sensitive conversations, legal advice, medical disclosure, political discussion, or requests for help. That chilling effect is not paranoia; it is a predictable response to uncertain monitoring. Confidentiality is valuable because people rely on it before they speak. Once the trust is broken, later safeguards do not fully restore it.

The legal risk is not limited to the state. When the state authorises or encourages private actors to conduct scanning that would otherwise conflict with ePrivacy, it cannot wash its hands of the rights impact. Outsourcing the first scan to companies does not make the interference purely private. The law creates the permission, defines the category, blesses the activity, and receives the reports. A surveillance public-private partnership still has constitutional consequences.

That is why the July revival is more than a policy disagreement. It tests whether Europe’s privacy doctrine has teeth when the political pressure is strongest. If generalised content scanning survives because it is labelled temporary, voluntary, and child-protective, then the proportionality test becomes fragile exactly where it should be strongest. Rights that disappear under sympathetic slogans are not rights; they are permissions awaiting revocation.

The same logic applies to content even if courts have not decided this exact derogation in these exact terms. Message content is more intimate than traffic data in many cases. If generalised retention of metadata triggers strict scrutiny, broad scanning of content should face at least as much skepticism. The more revealing the data, the heavier the justification must be. Child protection is a strong objective, but proportionality also asks whether less intrusive means can achieve the aim. Targeted warrants, public-hosting takedowns, hash matching in defined non-private contexts, victim reporting, and specialist investigations are not imaginary alternatives. They exist. A legislature that leaps to private-message scanning without proving those alternatives insufficient is not satisfying the spirit of European rights law.

Courts may eventually be asked to examine the revived framework, especially if the final text allows broad scanning without strong suspicion or judicial approval. That litigation would come after the privacy damage begins. Judicial review is a backstop, not a design strategy. Lawmakers should not pass intrusive frameworks and wait for judges to rescue proportionality years later. The better approach is to draft as though the Charter matters at the start: define the target, demand necessity evidence, exclude encryption weakening, require independent authorisation, and create remedies for mistakes. Anything less treats fundamental rights as obstacles for courts to tidy up.

The proportionality question is therefore not anti-police. It is pro-law. Investigators should receive evidence gathered through powers that courts can trust. Broad private scanning risks producing contested evidence while damaging privacy before any judge sees the case.

That discipline should come before enactment. Rights-first drafting is cheaper than litigation.

That is the minimum discipline. Rights need front-loaded proof.

Children need targeted protection, not lazy dragnet politics

A serious child-safety strategy starts with victims and offenders, not with everyone’s messages. The worst online abuse often involves grooming, coercion, blackmail, commercial distribution, production networks, livestreaming, dark-web communities, payment systems, and repeated victimisation. Some of that activity can be disrupted by technology. Much of it requires trained investigators, cross-border cooperation, victim identification, school and family support, helplines, social services, and faster takedowns. The hard work is targeted, human, expensive, and slow. That is why politicians prefer scanning: it looks decisive from a podium.

Europol and national police need lawful evidence that can survive court scrutiny. Flooding agencies with machine-generated reports can help in some known-content cases, but it can also bury urgent leads. The question is not whether reports are useful. The question is whether a broad scanning regime produces the right reports, at the right quality, with enough context, and without turning innocent users into raw material. Child protection fails when signal becomes noise.

The Internet Watch Foundation’s 2025 report shows the scale of online abuse material and the need for coordinated action. It assessed 451,210 reports and confirmed 311,610 reports containing or leading to child sexual abuse material. The same page describes IWF as operating Europe’s largest centre for assessing, grading, and securing removal of abuse material, with services used by companies, financial bodies, and law enforcement. That kind of specialist work is closer to a serious model than indiscriminate private-message scanning.

Targeted protection also means preventing abuse before images exist. Education about coercion, sextortion, and manipulative adults matters. Trusted reporting channels matter. Rapid support for children whose images are circulating matters. Offender deterrence and treatment matter. Financial investigation matters where abuse is monetised. Platform design matters when recommendation systems, discovery features, and weak reporting tools expose minors to adults. Scanning is often downstream of the harm. By the time a file is matched, a child may already have been abused.

A narrow hash-matching system for confirmed abuse material on public hosting may be defensible under strict governance. That is different from scanning private interpersonal communications. A democratic child-protection policy should preserve that distinction instead of collapsing it. The Council’s broad revival language does not give citizens confidence that the distinction will hold. If the state wants intrusive power, it should ask for it case by case.

The lazy politics is the binary: either accept mass scanning or accept abuse. That argument insults both children and citizens. It implies that Europe’s police, prosecutors, social workers, teachers, technologists, courts, and communities cannot build sharper tools. It treats privacy as indulgence and suspicion as compassion. A better Europe would reject that bargain. Children deserve protection that works, and adults deserve rights that survive moral panic.

Targeting is also better for investigators. A suspect-based approach lets police combine platform reports with payment traces, device forensics, victim statements, undercover work, and international cooperation. A population scan starts with vast material and asks authorities to find meaning afterward. Good investigations move from evidence to intrusion, not from intrusion to evidence. That order protects both children and due process. It helps ensure that resources follow credible risk rather than machine suspicion alone. Politicians who dismiss targeting as weakness are really admitting that they prefer an administratively simple dragnet to the difficult work of building lawful investigative capacity. Europe should fund that capacity instead of lowering the privacy standard for everyone.

The same targeted mindset should shape prevention. Platforms can investigate accounts repeatedly reported by minors, identify suspicious adult-minor contact patterns with strict metadata limits, and escalate credible threats through trained teams. Those tools still need oversight, but they begin from risk rather than universal inspection. Risk-based protection is not the same as mass suspicion. It can be stricter on dangerous behaviour while less invasive for everyone else. Europe should demand that distinction in law. Otherwise, the easiest compliance story will keep winning: scan broadly, report often, and call the volume proof of care.

Targeting also lets public authorities prioritise severity. A credible live threat, an identified victim, or a known offender network should outrank automated low-confidence flags. Priority is a child-safety tool. Mass scanning often hides priority behind volume.

Prevention, investigation, and support all work better when they start from concrete risk. Children need prioritised protection, not a statistical sweep of everyone’s intimate exchanges. A targeted model lets authorities move faster on credible threats while preserving trust for lawful users.

The permanent proposal keeps the threat alive

Chat Control 1.0 is the temporary fight. Chat Control 2.0 is the structural fight. The Commission’s 2022 proposal for permanent rules would lay down rules to prevent and combat child sexual abuse, including obligations for providers of hosting services and interpersonal communication services around detection, reporting, removal, and blocking of known and new abuse material and solicitation. It also proposed a new EU Centre on Child Sexual Abuse. The permanent proposal is where temporary scanning logic tries to become a lasting regulatory system.

The Parliament’s legislative train says the permanent proposal was published on 11 May 2022 with the Better Internet for Kids strategy and was intended to replace the interim regulation. It describes proposed obligations to detect, report, and remove abuse material, with risk assessment and mitigation duties, proportionate measures, conditions, safeguards, and an EU Centre. It also says the interim regulation would be repealed if the long-term legislation enters into force before the temporary regulation expires. The temporary law and permanent law are not separate universes; they are legally and politically linked.

The permanent file has repeatedly stalled because institutions cannot resolve the core dispute: whether detection can be made compatible with encryption and fundamental rights. The European Parliament’s July press release says talks on a permanent regime are ongoing and that most aspects were agreed under the Cyprus Presidency in the first half of 2026, leaving certain aspects still to be discussed. Fight Chat Control’s timeline says Chat Control 2.0 remained unagreed after five trilogue rounds, with scanning of unsuspected citizens and end-to-end encrypted messages as unresolved red lines. The unresolved red line is the whole battle.

EFF’s December 2025 analysis said the Council position removed the most controversial forced requirement to scan encrypted messages, but warned that the plan still had serious problems. The Global Encryption Coalition statement hosted by CDT said making scanning voluntary permanently opens the door to continued mass scanning of private unencrypted communication. These critiques differ in timing and emphasis, but they point to the same danger: voluntary scanning becomes the compromise that normalises monitoring while avoiding the word mandate.

Permanent law also changes incentives. Once a regulation creates risk assessments, mitigation duties, coordinating authorities, a technology committee, an EU Centre, reporting routes, and penalties, companies will design systems around compliance. The pressure to scan will not always need a direct order. It can come from risk classification, regulator expectations, fear of criticism, and the need to prove action. Compliance architecture can produce surveillance without a dramatic surveillance command.

That is why the July revival is so damaging. It keeps the interim practice alive while permanent negotiations continue. It tells the Council that refusal to accept narrow safeguards can be rewarded. It tells companies that scanning remains politically favoured. It tells citizens that expired privacy exceptions can return if enough officials want them. The temporary comeback makes the permanent mistake easier to sell.

The permanent proposal also creates a ratchet effect. Once risk-assessment duties exist, providers may over-comply to avoid being labelled unsafe. Once mitigation expectations exist, scanning may be treated as evidence of seriousness. Once a centre and authorities evaluate technologies, vendors will frame their tools as compliance necessities. A law can pressure scanning without using the word mandatory. That is why civil society focuses not only on explicit detection orders but also on the surrounding architecture. The shape of obligations matters. If a provider believes the safest legal posture is to inspect more content, users lose even without a direct command. A rights-respecting permanent regulation must make clear that refusing broad private-message scanning is lawful, responsible, and protected.

The long-term file also threatens to lock Europe into outdated assumptions. Technology, offender behaviour, encryption deployment, AI-generated abuse, and platform design keep changing. A permanent regulation built around broad detection duties may become both intrusive and ineffective as offenders adapt. Permanent surveillance rules age badly because they preserve yesterday’s technical compromise while expanding tomorrow’s enforcement expectations. A better law would require periodic public review, strict sunset clauses for intrusive tools, and proof that each measure remains necessary. Without that, Chat Control 2.0 could become a standing authorisation for monitoring technologies that fail to protect children in practice.

That is why the permanent law must do more than avoid the worst encryption mandate. It must prevent indirect coercion toward broad monitoring. No provider should have to scan private chats to prove responsibility. Safety duties should be compatible with strong confidentiality by design.

Client-side scanning breaks the promise before encryption

Client-side scanning is often marketed as a technical compromise: keep end-to-end encryption in transit, but inspect content before it is encrypted. That description is accurate enough to be dangerous. It makes the method sound elegant, when the essence is simple: the device becomes a checkpoint. A message that is read before encryption is not private in the ordinary sense. The user may see a lock icon, but the inspection has already happened inside the trusted space where the message was composed.

Max Planck’s explanation captures the contradiction. With client-side scanning, end-to-end encryption remains in place formally, but it is fundamentally circumvented because content must be checked on the sender’s device before encryption. Detection software embedded in the messaging app or operating system can scan chat content and forward flagged material. Once content is accessible to someone other than sender or recipient, the protection disappears. That is not a backdoor in the old key-escrow sense; it is a side door placed before the lock.

The security objection is practical. Any system powerful enough to inspect private content for one category can be modified, pressured, hacked, repurposed, or misconfigured. The classifier needs updates. The hash list needs distribution. The app needs privileges. The device needs to decide whether to report. Each part becomes a target. “Bugs in our Pockets” argues that client-side scanning can fail, be evaded, and be abused, and that it creates serious security and privacy risks. The more privileged the scanner, the more valuable it becomes to attackers.

The evasion problem cuts against the whole premise. Sophisticated offenders can compress files, alter images, use custom encryption, move to noncompliant apps, self-host systems, or trade through channels beyond mainstream providers. Ordinary users, by contrast, remain inside the scanned environment. That asymmetry should trouble policymakers. The dragnet catches the easy-to-monitor population first. The most dangerous actors adapt, while everyone else inherits a weaker security model.

The rights objection is equally strong. Client-side scanning moves suspicion onto the device, which is today a diary, wallet, camera, workplace, medical portal, political organiser, and family archive. A phone is not only a communication endpoint. It is the most intimate computing object most people own. Putting state-approved scanning logic there changes the relationship between citizen and device. The phone stops being merely yours and becomes partly an inspection terminal.

The July Parliament amendment excluding end-to-end encrypted communications from the temporary derogation, if accepted by Council, would reduce this immediate threat under Chat Control 1.0. But the permanent debate continues. Europe should not wait for the next draft to state the principle: no client-side scanning mandate, no coerced weakening of encryption, no legal fiction that pre-encryption inspection preserves confidentiality. Encryption either protects the message from outsiders or it does not.

Client-side scanning also damages software trust. Users install operating systems and messaging apps because they expect those tools to serve them. If the app must inspect their private content for authorities or provider reporting systems, the trust relationship changes. The device becomes loyal to a policy before it is loyal to the user. That is a serious cybersecurity and autonomy problem. It could also fragment the market as privacy-focused services leave jurisdictions, disable features, or redesign products defensively. The result would not be universal child safety. It would be a weaker, more divided communications environment where sophisticated offenders route around controls and ordinary users absorb the loss. Europe should not mistake that for progress.

There is also a democratic problem with device-level mandates. The user buys the phone, installs the app, and believes private content is under personal control. A hidden or mandatory scanner changes that relationship without the clarity of a search warrant. The search moves from the courthouse to the software update. That should be unacceptable in a constitutional democracy. If the state wants to inspect a person’s device, it should meet a legal threshold and name the target. It should not conscript every device into permanent pre-screening because some future material may be illegal.

A device-level scanner also creates a precedent for other device-level policy controls. Once accepted, the argument will return for different harms. The user’s device should not become Europe’s favourite enforcement venue. The line should be drawn before that habit forms.

The political appeal of device scanning is clear: it promises access without admitting that encryption is being broken. That promise is false comfort. If inspection happens before protection, the protected channel has already been compromised.

Cloud photos and email deserve the same suspicion test

The public debate often says “chat,” but the legal and practical field is wider. The interim regulation was about number-independent interpersonal communications services such as webmail, messaging services, and internet telephony. The Council’s July language referred to online service providers resuming voluntary detection and removal of child sexual abuse material on their platforms. The ordinary user experiences this as messaging, email, shared files, cloud photos, and service ecosystems. The privacy issue is not limited to a chat bubble.

Cloud storage creates a particularly uncomfortable case. People store family archives, children’s pictures, scanned documents, identity papers, intimate photos, medical images, school materials, and workplace files. Some of those files are automatically synced from phones. Users often do not think of cloud storage as publication or distribution; they think of it as storage. Scanning that space changes the meaning of backup. A private archive becomes a searchable evidence pool.

Email is no less sensitive. It carries legal advice, therapy appointments, labour disputes, immigration documents, confidential business plans, political organising, and family conflict. A scanning system aimed at attachments still operates inside a communication channel. Metadata and content sit close together. A false flag can expose not only a file but a network of relationships. Email privacy is not nostalgia; it is still central to civil life.

Supporters may argue that cloud and email providers have long used automated tools for malware, spam, and abuse detection. True, but categories matter. Spam filtering protects the user from unwanted content and is usually configurable or expected. Malware detection protects system integrity. CSAM scanning can send private material into law-enforcement pipelines and trigger criminal suspicion. Not all scanning has the same legal meaning. A virus scan and a police-relevant content report are not morally equivalent.

The same suspicion test should apply across services. If authorities have grounds to believe a user or group is involved in abuse, seek targeted legal authorisation. If material is publicly hosted or reported by a victim, use removal and investigation channels. If hash matching is used, confine it to clearly defined contexts with verified databases and independent oversight. The location of the file should not erase the principle of targeted power.

The danger of the Chat Control frame is that it narrows public imagination. People think of Messenger or WhatsApp and miss the broader architecture of communications and storage. Once the state normalises private-message scanning, cloud scanning feels like the next administrative category. Once cloud scanning exists, file-sharing and productivity suites follow. The boundary moves service by service. Privacy disappears less like an explosion and more like a settings migration.

Backups deserve special caution because users often create them automatically. A person may not remember which files synced, which old photos remain in storage, or which shared folder contains sensitive material from years ago. Automated storage plus automated scanning creates accidental exposure. That risk is higher for families, schools, medical workers, lawyers, journalists, and anyone who keeps evidence of abuse for reporting or legal reasons. A policy that treats stored private files as easier to inspect than encrypted chats invites companies to draw arbitrary privacy lines around product categories. The principle should be consistent: private material requires a targeted basis before it is moved into a criminal reporting workflow. Convenience for providers is not a rights test.

The same principle applies to workplace storage. Employees may keep HR complaints, whistleblower material, legal documents, or security reports in shared systems. Automated scanning rules designed for consumer safety can collide with professional confidentiality and labour rights. Private context does not disappear because a file sits on a corporate server. Lawmakers should not let product categories decide rights. A file sent in chat, saved in email, synced to cloud storage, or attached to a case file may deserve the same baseline: no criminal-content inspection without a targeted basis, except in tightly defined public-distribution contexts.

Cloud systems also cross borders and jurisdictions. A European permission may interact with non-EU laws, corporate policies, and global review teams. Private European data can enter global compliance machinery. That risk demands stricter limits, not broader discretion.

This is especially true for shared family accounts and school systems, where children’s files, parental documents, and teacher communications can mix. Context becomes impossible to preserve at scale. A lawful photo, a safeguarding record, or evidence collected for reporting can look suspicious without the human story around it.

Private archives deserve that respect. Storage is not publication.

The EU centre model centralises sensitive power

The permanent CSAM proposal’s EU Centre sounds sensible at first glance. Coordination is useful. Expertise is useful. Victim identification, technology assessment, provider guidance, and cross-border cooperation all need institutions. The problem is not the word centre. The problem is the power that can accumulate around detection technologies, reporting flows, databases, and law-enforcement links. A central hub for abuse detection can become a central hub for communications surveillance if its mandate and safeguards are weak.

The EDPB and EDPS described the proposed EU Centre as part of a system involving detection, reporting, removal, blocking, coordinating authorities, and Europol cooperation. Their opinion welcomed some involvement of data-protection authorities but warned about roles, legal clarity, and the need to regulate relationships between bodies. It also noted concerns around access to information systems and personal-data transmission. Institutional design matters because sensitive power tends to expand through routine cooperation.

A centre that validates technologies or supports hash lists can shape what providers build. A centre that receives or routes reports can shape what police see. A centre that maintains expertise can shape regulatory expectations. Even without malicious intent, it can become the place where “best practice” hardens into de facto obligation. Companies may comply with guidance because refusal looks reckless. Regulators may treat guidance as the baseline. Soft institutional power often becomes hard compliance pressure.

The database problem is especially sensitive. CSAM hash lists and classifiers require strict control, because the underlying material is illegal, traumatic, and dangerous to mishandle. Access must be minimal. Verification must be rigorous. Errors must be removable. Audit must be real. Abuse by insiders, contractors, or attackers would be catastrophic. The same data that helps identify victims can harm them again if governance fails.

The technology committee idea also carries risk. Once official bodies assess detection tools, vendors gain incentives to lobby, sell, and shape standards. A market for compliant surveillance grows around the law. Commercial actors may promise accuracy and safety beyond what evidence supports. Governments under pressure may prefer optimistic vendor claims to messy policing realities. The surveillance industry does not need evil politicians; it only needs procurement.

Europe should be building child-protection institutions, but not ones that make broad communications scanning feel inevitable. A responsible centre would focus on victim identification, takedown coordination, support for investigations, prevention research, transparent auditing, and privacy-preserving methods. It would not become the engine that pushes providers toward permanent monitoring. Central coordination is acceptable only if it narrows power rather than expanding it.

The EU also has to consider mission creep through expertise. Once a centre becomes the official place for assessing detection tools, it may be asked to advise on adjacent harms. Policymakers facing another crisis will naturally look to existing institutions. A body built for one emergency can become the template for the next. Strong statutory limits, independent privacy review, public reporting, and judicially enforceable boundaries are therefore not optional. They are what keep a child-protection centre from becoming a general content-security agency. Europe should build institutional capacity around victims and investigations, not around a standing expectation that private communications are available for automated inspection whenever a social harm is severe.

A centre focused on victims would look different. It would measure how quickly victims are identified, how many takedowns prevent recirculation, how survivors access support, and how investigators cooperate across borders. It would publish privacy impact assessments and invite independent challenge. The centre’s success should be measured by harm reduction, not detection expansion. If the institution’s prestige depends on approving more scanning tools, it will drift toward surveillance. If its mandate depends on victim outcomes and rights compliance, it can become useful. The difference has to be written into law, not hoped for.

The safest institutional design would keep the centre away from operational pressure to expand scanning. It should advise, audit, and support victims, not become a factory for detection expectations. Institutional incentives must be privacy-safe from the start. Later promises will not be enough.

A privacy-safe centre would also publish clear boundaries around Europol cooperation, provider guidance, and technology assessment. Centralisation must come with hard walls. The more sensitive the data flow, the more precise the mandate must be. Otherwise, the centre risks becoming a respectable name for permanent detection expansion.

The centre should also avoid vendor capture. Tool approval can become policy pressure when companies sell compliance as safety. Procurement rules, conflict disclosures, and public evaluation should be mandatory.

Law enforcement needs evidence, not oceans of noise

Police and prosecutors do not need a symbolic mountain of alerts. They need timely, reliable, contextual evidence that identifies victims, locates offenders, supports warrants, and survives legal challenge. A scanning regime that produces low-quality reports can waste investigative time and delay urgent cases. The success metric should be rescued children and convicted offenders, not scanned files or report counts. Europe’s debate keeps drifting toward the easier metric because volume is politically useful.

NCMEC’s CyberTipline role illustrates both the importance and the fragility of reporting pipelines. It receives reports from electronic service providers and the public, helps law-enforcement efforts, and supports stopping circulation of CSAM. Yet NCMEC also says five providers accounted for more than 75 percent of reports in 2025. That concentration means law enforcement visibility depends heavily on a few corporate systems. When a few companies define the evidence stream, their error patterns become public-safety problems.

The Reuters March report captured the competing institutional pressure. The Cyprus presidency said Parliament’s proposed narrowing would make the interim measure ineffective, while lawmakers insisted on excluding end-to-end encrypted communications and other changes. Both sides claimed child safety. The dispute was about what kind of evidence system Europe should accept. A system is not better because it sees more; it is better when it sees lawfully and accurately.

Law enforcement also needs public trust. If citizens believe private channels are scanned broadly, victims may hesitate to report, teenagers may avoid help, vulnerable people may move to unsafe services, and communities may treat police-linked detection as surveillance rather than protection. Trust is not sentimental. It affects whether people cooperate, disclose, and seek support. Privacy can improve safety because trusted channels bring victims forward.

Evidence quality matters in court. A machine flag is not the same as proof of criminal intent, production, distribution, or possession. Investigators still need chain of custody, context, user attribution, device analysis, and legal authority. Overbroad scanning risks creating investigative starts that are weak, contaminated, or disproportionate. That can hurt prosecutions and defendants’ rights at the same time. Bad process can damage good cases.

A better model would fund specialised police units, cross-border victim identification, faster lawful access after judicial approval, better cooperation on public hosting and commercial abuse markets, and support for children whose material circulates. It would measure case outcomes, not scanning scale. The state should become better at investigating suspects, not better at treating everyone as a suspect. That is the difference between public safety and administrative surveillance.

Noise also has an opportunity cost for children. Every hour spent clearing weak reports is an hour not spent identifying a victim, analysing a suspect device, supporting a traumatised child, or coordinating with another jurisdiction. Bad surveillance wastes the time of good investigators. The political debate rarely accounts for that cost because report volume sounds like action. Serious evaluation would ask how many reports lead to victim safeguarding, how many are duplicates, how many involve already known material, how many are false or low value, and how many prosecutions rely on them. Without those metrics, lawmakers are buying a bigger funnel and calling it protection. A child-centred system would care about outcomes, not administrative throughput.

Quality control should therefore be mandatory. Reports should be categorised by source, detection method, confirmation status, duplicate rate, and investigative outcome, with privacy-preserving public statistics. Authorities should know which providers generate useful leads and which generate noise. A report pipeline without feedback is policy blindness. Providers need to know when their systems waste investigators’ time, and lawmakers need to know whether the intrusion produces results. If such evaluation cannot be done safely, that is an argument against broad scanning, not an excuse to proceed without evidence.

Feedback loops should include independent child-safety experts as well as privacy experts. Investigators may value a report type that privacy lawyers dislike, or privacy auditors may identify harms police miss. Good evaluation needs both disciplines. A scanning regime assessed only by its supporters will overstate success.

The same discipline should apply to emergency claims. If supporters say a gap is dangerous, they should show which investigations failed, which victims were not identified, and which narrower measures could not work. Evidence should lead urgency, not follow it. Otherwise, urgency becomes a substitute for proof.

The feedback should also reach Parliament before any renewal. No evidence, no extension. If lawmakers cannot see whether the system works, they cannot honestly claim it is necessary.

The vote exposes Europe’s institutional incentives

The July sequence reveals a familiar EU pattern: when institutions cannot agree on a rights-sensitive permanent framework, they preserve the temporary exception and call it pragmatism. The Council says it wants to avoid a legal gap. Parliament says it narrowed the scope. The Commission keeps pointing to the need for a long-term regime. Providers ask for legal certainty. Child-protection organisations demand continuity. Privacy groups warn about surveillance. Every actor has an incentive to keep the machine moving. The citizen’s incentive, secure private life, is diffuse and easily traded away.

The table below separates the institutional incentives from the public language. It does not prove bad faith. It shows why the outcome keeps bending toward scanning even after rejection, expiry, and unresolved legal concerns.

Table 2. Public arguments and institutional incentives

ActorPublic argumentInstitutional incentive
CouncilAvoid a legal gap while permanent law is negotiatedPreserve scanning continuity and pressure Parliament
CommissionCreate stable child-protection rulesRescue a stalled policy architecture
Parliament majority factionsAdd safeguards and keep talks aliveAvoid blame for blocking child-safety measures
Large platformsObtain legal certainty for detectionReduce liability and shape compliance expectations
Civil society criticsProtect confidentiality and encryptionForce suspicion, warrants, and proportionality
Law enforcement bodiesReceive reports and identify victimsMaintain or expand evidence streams

The pattern is plain: the policy rewards actors who can point to child safety while avoiding a direct defence of suspicionless monitoring. That makes privacy politically lonely.

The European Parliament’s final 9 July statement softened the story by saying MEPs supported a more limited derogation and excluded end-to-end encrypted communications. Those amendments matter, but they do not erase the political lesson. A measure that failed in March returned in July because institutional incentives favoured continuity over closure. The file was too useful to let die.

The Council’s incentive is clearest. Its press release says the previous interim measure expired on 3 April and that reinstatement was needed until 3 April 2028. The Council wanted entry into force as soon as possible. That is a continuity argument, not a fresh democratic mandate. The gap being closed was the gap in legal cover for voluntary scanning. Child abuse remained illegal. Police powers remained. Provider takedown duties under other frameworks remained.

Platforms also benefit from legal certainty. Without a derogation, they face conflicting pressures: privacy law on one side, child-safety expectations and reputational risk on the other. A revived derogation tells them they may scan under EU cover. That may help genuine abuse removal, but it also protects corporate monitoring choices from sharper legal challenge. Legal certainty for companies can mean legal uncertainty for users.

Parliament’s incentive is more complicated. Many MEPs genuinely want safeguards. Many also fear being framed as soft on child abuse. That fear distorts deliberation. It encourages compromise with intrusive systems rather than a clean demand for targeted alternatives. Rights lose when legislators vote under accusation rather than evidence. The July outcome is therefore not only a privacy defeat. It is a case study in how moral pressure, corporate convenience, and procedural design combine inside EU lawmaking.

Institutional incentives also explain why “temporary” keeps winning. No institution wants to own the headline that detection stopped during negotiations. No platform wants legal exposure. No minister wants to be accused of leaving children unprotected. No parliamentary group wants attack ads about abuse. Privacy has fewer immediate political rewards than surveillance justified as safety. That imbalance is why safeguards must be written into law rather than left to goodwill. The incentives will not fix themselves. Without firm limits, each actor can make a locally rational choice that produces a collectively dangerous system: more monitoring, more legal cover, more dependence on platforms, and less space for confidential life.

The incentives also punish restraint. A platform that scans less may be accused of negligence. A minister who demands limits may be accused of weakness. An MEP who asks for evidence may be accused of delay. The politics rewards visible intrusion and punishes careful design. That is precisely why rights cannot be left to political mood. They need hard thresholds: suspicion, authorisation, scope, duration, audit, deletion, and remedy. The July vote showed what happens when those thresholds are negotiable. Institutions choose the path that keeps everyone covered except the citizen.

The same incentive map should guide citizens’ pressure. Ask each institution what limit it will defend when the next compromise arrives. A safeguard nobody will defend is not a safeguard. The encryption exclusion is the first test, not the last.

The July record shows that rights can lose even when nobody admits to opposing rights. Each actor says it is balancing, bridging, limiting, or protecting. The cumulative result is still monitoring capacity. Citizens should judge the system by that result, not by the soothing verbs around it.

The lesson is structural, not personal. Good intentions can still build bad systems when every institution is rewarded for continuity and nobody is rewarded for saying no.

Tech companies gain legal cover and political leverage

Large technology companies sit at the centre of this story, even when the argument is framed as a fight between Parliament and Council. Providers operate the communication systems, detect material, file reports, remove content, and decide what technologies to deploy. The derogation gives them legal comfort to do work that privacy law would otherwise constrain. That legal cover is valuable corporate infrastructure. It reduces uncertainty, supports internal compliance teams, and helps companies tell regulators and the public that scanning is not only permitted but socially expected.

Some companies may genuinely prefer clear rules because they encounter abuse material and need safe ways to act. That does not make the legal structure benign. When a platform gains permission to inspect private communications, it also gains leverage over future policy. It can present its existing scanning system as proof that the practice is normal, necessary, and operationally mature. The fact that a company built a system becomes an argument for keeping the system.

The Guardian reported in April 2026 that Google, Meta, Snap, and Microsoft criticised the lapse of the temporary law after Parliament failed to extend it, while child-safety advocates warned about reduced detection and privacy critics warned about surveillance. That episode showed the corporate stake plainly: the biggest providers wanted legal conditions under which their detection programmes could continue. Big Tech does not enter this debate as a neutral public servant.

Legal cover also shapes product design. If scanning is permitted and praised, services may prioritise detection integration over privacy-preserving alternatives. They may avoid deploying stronger encryption in some contexts because it complicates monitoring. They may design reporting flows around centralised review. They may treat user privacy as a compliance variable rather than a product commitment. Law does not merely regulate technology; it teaches companies what to build.

At the same time, companies can use privacy arguments selectively. Big Tech has often resisted mandatory obligations that would create costs, liability, or product disruption. It may support voluntary regimes because voluntary regimes preserve discretion. That discretion lets providers choose the tools, thresholds, and implementation details while still receiving political credit. A voluntary scanning regime can be the best of both worlds for platforms and the worst of both worlds for users.

Europe should be wary of making private companies the operational guardians of fundamental rights. If scanning is truly necessary in a specific case, public authority should carry responsibility through transparent law, judicial approval, and remedies. If companies act on their own, users need enforceable rights, audits, and meaningful choice. The present model risks privatising surveillance while socialising the consequences. Users absorb the privacy loss; companies receive the legal certainty; politicians receive the child-safety headline.

The same companies also control transparency. They decide what statistics to publish, how to describe detection methods, which error rates to disclose, and how much detail users receive after enforcement. Researchers often cannot independently verify claims because CSAM data is rightly restricted and detection systems are proprietary. Public policy then rests on corporate black boxes. That is unacceptable when the affected right is communications confidentiality. If Europe permits any scanning, it must require independent audits that can examine systems without exposing illegal material or security-sensitive details. Otherwise, lawmakers are asking citizens to trust companies that have every incentive to present their tools as accurate, necessary, and safe.

This leverage will matter in the permanent negotiations. Providers that already scan can argue that new rules should accommodate their existing systems. Providers that do not scan may be pressured to match industry practice. Regulators may treat the largest platforms’ workflows as the benchmark. Corporate practice can become regulatory gravity. That is a poor way to build rights law. Europe should decide the acceptable scope first, then require companies to fit it. It should not let existing monitoring systems define what proportionality means.

Independent research access is difficult because illegal material must remain controlled, but difficulty is not an excuse for secrecy. Trusted auditors can inspect processes, governance, and aggregate outcomes. Black-box enforcement is incompatible with democratic trust. Europe should make auditability a condition of any permission.

That is why transparency cannot be optional. Providers should publish meaningful aggregate data on detection categories, error handling, appeals, and referrals, subject to safety limits. Public power needs public evidence. Without it, companies become unreviewable intermediaries between private life and law enforcement.

Users also need meaningful notice. Secret moderation cannot carry public legitimacy when it touches criminal suspicion. Transparency should be designed into the permission, not added later.

Privacy losses rarely stay confined to the first category

Surveillance powers are usually introduced with narrow promises. The target is terrorism, child abuse, organised crime, cybercrime, foreign influence, copyright, fraud, misinformation, or another serious harm. The first category is chosen because it is hard to oppose. The political sale depends on moral asymmetry: only a monster would resist. The risk is not that today’s lawmakers secretly want every future abuse; the risk is that the infrastructure they authorise can be repurposed.

Chat Control 1.0 is formally about online child sexual abuse. That category is grave. But the technical architecture of scanning, flagging, reporting, and database matching does not inherently know moral boundaries. Change the reference set, the classifier, the reporting rule, or the legal mandate, and the same pipeline can serve other purposes. Purpose limitation is a legal safeguard. It is not a physical law of computing. A system built to search private messages can search private messages for whatever future law defines.

European policymakers often answer that EU rights law would prevent abusive expansion. The answer is partly true and not enough. Rights law slows some expansion, but emergency politics can be inventive. National security claims, crisis legislation, and “temporary” derogations have a long record of stretching boundaries. The CJEU’s data-retention case law exists because Member States kept testing the limits of generalised communications surveillance. The law pushes back only after someone has already pushed too far.

Private infrastructure adds another route for expansion. A provider that scans for CSAM can be pressured by another jurisdiction to scan for extremist material. A vendor that sells detection tools can market adjacent capabilities. A hash database governance model can inspire new lists. A reporting workflow can be adapted. Even if the EU keeps strict purpose limits, global platforms operate under many laws at once. European permission can normalise a tool that travels beyond European safeguards.

The “slippery slope” argument is often mocked because not every slope is slippery. But some slopes are engineered. When law creates scanning infrastructure, trains staff, builds databases, establishes reporting routes, and habituates citizens, expansion becomes cheaper. Policymakers no longer ask whether private-message scanning should exist. They ask which harms should be added. The first authorisation changes the question for every later debate.

A rights-respecting Europe would refuse to build general-purpose scanning capacity in private channels. It would focus on targeted investigation, public-hosting abuse, victim reporting, offender disruption, and privacy-preserving safety methods. The problem is not that CSAM enforcement should be weak. The problem is that strong enforcement should not require a tool that future governments will be tempted to reuse. Do not build a surveillance machine and trust politics never to touch the settings.

History does not need to repeat perfectly to teach caution. Data retention, anti-terror powers, platform moderation systems, and financial surveillance all show how exceptional tools acquire new justifications. Each expansion is framed as reasonable because the infrastructure already exists. The second use is always easier than the first. Chat Control’s defenders may sincerely intend a narrow child-safety tool, but future lawmakers will inherit a working model for private-content inspection. The safer course is architectural restraint: design systems so expansion is technically, legally, and politically difficult. Once mass scanning becomes ordinary compliance, restraint depends on politicians saying no to the next emergency. That is a weak defence.

The first category also shapes public tolerance. People who accept scanning for one heinous crime may become less alarmed when politicians propose scanning for another severe harm. Each step is defended as limited. Each database is said to be controlled. Each extension is described as common sense. Normalisation is the slope. The answer is not to minimise child abuse. The answer is to recognise that the seriousness of the first category makes it easier to build infrastructure that later escapes it. A rights-based society refuses that architectural bargain.

Purpose limitation also needs technical support. Systems should be designed so new categories cannot be added casually. Legal limits should be backed by architectural friction. If expansion requires new law, new audit, and new technical deployment, abuse becomes harder.

A strict anti-expansion rule would require new democratic approval for any new detection purpose, plus technical separation from existing systems. Reuse should be difficult by design. If policymakers know expansion will be costly and visible, they will be less tempted to treat scanning infrastructure as a ready-made answer.

That friction should include deletion duties. Data created for one purpose should not become a general archive for future enforcement experiments.

The debate is not privacy versus children

The most dishonest sentence in this debate is the implied one: privacy advocates care about privacy, child-safety advocates care about children. Many privacy critics of Chat Control care deeply about child protection. Their argument is that mass scanning is a bad way to do it. The real debate is targeted child protection versus suspicionless infrastructure. Framing it as privacy versus children protects weak policy from scrutiny and turns legal questions into moral accusations.

Children are privacy holders too. The EU Charter does not reserve private life, data protection, or confidentiality for adults. Minors need confidential access to support, health advice, counselling, legal help, friendship, and safe adults. Some live with abusers. Some are being blackmailed. Some are exploring identity in hostile environments. Some need to document abuse safely. A child’s secure message may be the first step toward protection.

Scanning systems can also create child-specific harms. A teenager coerced into sending an intimate image may be flagged by a system that treats the image primarily as contraband. A child trying to report abuse by sharing evidence may trigger automated escalation. A young person may avoid mainstream services if they believe every private file is subject to inspection. Safety policy that ignores children’s privacy can make children less safe.

This does not mean providers should ignore abuse on their services. It means intervention must be designed around victims and evidence. A child reporting tool should be easy, confidential, and connected to trained support. A takedown system should reduce recirculation without exposing victims to unnecessary review. A police investigation should be targeted and authorised. A platform design should reduce adult access to minors where risk is known. Protection can be strong without being indiscriminate.

The Internet Society’s point about end-to-end encryption is relevant here because encryption protects legitimate users as well as criminals. Exceptional access breaks the basic principle that only endpoints read the message. That matters to children contacting helplines, families under threat, and communities in authoritarian environments. Weakening secure channels does not only expose suspects; it exposes the vulnerable.

Europe needs to retire the lazy binary. A policy can be anti-abuse and anti-dragnet. It can fund victim identification and reject client-side scanning. It can require fast removal of confirmed public abuse material and protect encrypted messaging. It can support law enforcement and demand warrants. It can value children and privacy at the same time. The opposite of Chat Control is not doing nothing; it is doing the harder, narrower, rights-respecting work.

The binary framing also prevents learning from survivors and frontline workers. A survivor may want faster takedown of known material, better victim identification, confidential counselling, and stronger investigation of offenders, while still fearing broad exposure of private images. A teacher may want safer reporting channels rather than automated surveillance of students. A parent may want police to catch predators without weakening the secure apps used by the family. Real child safety is more specific than the slogan allows. Lawmakers should listen to those concrete needs instead of treating privacy questions as sabotage. A policy that cannot survive detailed questions from privacy experts, child-rights advocates, and technologists is not a strong policy. It is a slogan with a legal department.

A better public debate would put two sentences side by side: child sexual abuse online is a grave crime, and mass scanning of private communications is a grave interference. Both are true. Moral seriousness belongs on both sides of the sentence. Once that is accepted, the policy question becomes practical and legal rather than theatrical. Which measures work? Which are targeted? Which protect victims? Which preserve secure channels? Which fail the evidence test? That debate would be harder for politicians, but far healthier for children and democracy.

That framing would also reduce intimidation. People could oppose mass scanning without being accused of indifference, and supporters could defend targeted tools without dismissing rights. Better language would produce better law. The current rhetoric produces fear first and policy second.

The public also needs to hear from children’s rights experts who understand both abuse and privacy. Children are not props for either side. Their safety includes rescue from offenders, removal of abuse material, secure support channels, and freedom from unnecessary exposure by the systems meant to help them.

The debate should also respect secure childhood. A child’s right to help can depend on confidentiality. Weak privacy can silence the very people policy claims to defend.

Better child protection starts closer to the abuse

The closer policy gets to actual abuse, the more legitimate and useful it becomes. A child who is being coerced needs a safe reporting path. A platform where adults repeatedly contact minors needs design restrictions. A known offender network needs investigation. A commercial abuse site needs financial disruption and takedown. A confirmed abuse image needs rapid removal and victim-identification work. These interventions begin from risk, evidence, or victim need. They do not begin from the assumption that every private conversation should be scanned.

Prevention matters because scanning often arrives after harm. Grooming can unfold through trust, secrecy, threats, gifts, shame, and manipulation long before any known CSAM hash appears. Online sextortion may involve coercive demands and payment routes. Abuse production may occur offline and circulate later. A system obsessed with detecting files can miss the social process that creates them. Children are not protected only by finding images after the abuse has happened.

Platform design can reduce risk without reading every message. Services can limit unknown adult contact with minors, strengthen reporting flows, detect suspicious account behaviour without inspecting content, disrupt rapid friend requests or group invitations, improve default privacy for minors, and respond quickly to victim reports. Some measures still need safeguards, especially when metadata or behavioural analysis is used, but they can be narrower than content scanning. Safety-by-design should mean reducing risky affordances, not opening everyone’s private files.

Law enforcement also needs resources outside the scanning debate. Specialist investigators, digital forensics, victim identification teams, cross-border cooperation, translation capacity, prosecutor training, trauma-informed interviewing, and support services all cost money. Politicians often prefer technology mandates because they outsource cost to platforms and create a visible legal act. The serious work of protecting children is less photogenic and more expensive.

Research into offender behaviour and help-seeking should be part of the strategy. Studies of CSAM use on hidden services, offender pathways, and intervention opportunities suggest that some users can be diverted or detected through public-health and investigative methods not reducible to platform scanning. That does not soften the crime. It recognises that prevention must attack demand, access, and escalation, not only distribution. A strong policy should make offending harder before a child is harmed.

Europe could build a better package: targeted judicial orders, strict public-hosting hash matching, victim-centred reporting, removal support, privacy-preserving age-appropriate design, more investigators, international cooperation, commercial-market disruption, and independent evaluation of outcomes. That package would not give politicians the same dramatic line as “we scan to save children.” It would be better. The question is whether Europe wants child protection or the appearance of control.

Funding is the honesty test. If leaders truly believe child protection is urgent, they should put money into investigators, victim services, prevention, and cross-border cooperation instead of relying mainly on provider scanning. Mandating or permitting surveillance is cheaper than building protection capacity. That cost difference explains much of the political temptation. Platforms absorb technical work, users absorb privacy risk, and politicians claim action. A better programme would be less glamorous but more accountable: publish budgets, hire trained staff, reduce backlogs, measure victim outcomes, and audit takedown times. The EU should not confuse a law that makes scanning easier with a strategy that makes children safer.

Prevention also means challenging business models that expose minors to risk. Discovery features, adult recommendation paths, weak default privacy, manipulative engagement loops, and poor reporting tools can all contribute to harm. Design choices can create risk before any message is scanned. Regulators should attack those choices directly. It is perverse to let platforms build risky environments and then praise them for scanning the private communications that result. A child-safety law should make services safer by design, not merely more surveilled after design failures produce danger.

The same design lens should apply to generative AI, payment systems, and hosting services. Each risk needs a specific intervention. Specific harms need specific tools. Private-message scanning is too blunt to serve as Europe’s default answer.

Age-appropriate design, friction for risky adult contact, better reporting buttons, and faster human response can reduce harm without opening every message. Design prevention is upstream protection. Europe should force platforms to remove avoidable risks before it authorises them to inspect the private spaces where those risks surface.

The same is true for reporting. A trusted report button can beat a hidden scanner when it connects a frightened child to trained help quickly and safely.

Civil society was right to call this a back door

Civil society groups have used fierce language about Chat Control because the institutional path has been fierce in quieter ways. Fight Chat Control’s July 2026 timeline says the temporary derogation expired, the Council moved to resurrect it, Parliament approved urgency by 331 to 303 with 11 abstentions, and the permanent proposal remained unresolved after multiple trilogues. Its interpretation is openly activist, but many underlying milestones are confirmed by official Parliament, Council, and vote records. The phrase “back door” fits the political structure, not just the technology.

EDRi, CDT, EFF, the Internet Society, the Global Encryption Coalition, and security researchers have not all made identical claims. Some focus on encryption. Some focus on private unencrypted communication. Some focus on client-side scanning. Some focus on fundamental rights. The shared warning is coherent: broad detection mandates or permissions risk normalising mass scanning and weakening secure communication. This is not a fringe panic; it is a sustained civil-liberties critique backed by technical expertise.

Civil society also played a crucial role in explaining procedure. Most citizens do not follow second readings, urgency requests, conciliation, or absolute-majority thresholds. Activist trackers translated those mechanics into plain stakes: if enough MEPs were absent or if opponents failed to reach the required threshold, a lapsed scanning regime could survive. That public education matters. Rights are easiest to lose when the losing mechanism is too boring to share.

Critics can overstate at times, and factual discipline matters. The 9 July Parliament outcome did include an amendment excluding end-to-end encrypted communications and did not instantly enact the Council’s original text. Saying “the EU now reads every encrypted message” would be false. But saying the vote kept alive a revived voluntary scanning framework for private communications is supported by the record. The right criticism is strong enough without exaggeration.

Civil society is also right to reject the idea that “voluntary” resolves the rights problem. The Global Encryption Coalition statement hosted by CDT says the Council position safeguarded encrypted communication but, by making scanning voluntary, permanently opened the door to continued mass scanning of private unencrypted communication. That distinction is exactly where the debate should sit. A regime can spare encryption today and still normalise scanning elsewhere.

The back-door critique is ultimately democratic. If lawmakers believe mass scanning of private communications is necessary, they should defend that claim directly, publish evidence of effectiveness, prove proportionality, and accept hard limits. They should not rely on temporary derogations, procedural thresholds, and moral intimidation. A rights-limiting law should enter through the front door, with the lights on. Chat Control keeps arriving by side entrance.

Civil society also supplies memory. Officials often present each draft as a new compromise, but campaigners track the sequence: the 2021 derogation, the 2024 extension, the 2026 expiry, the Council revival, the permanent-file negotiations, and repeated pressure around encryption. Memory is a safeguard against policy laundering. Without it, every return of the same idea can be sold as a fresh emergency. The back-door label is useful because it forces attention to continuity. The question is not only what today’s text says. It is how today’s text fits a multiyear effort to preserve and expand scanning capacity despite unresolved legal and technical objections.

The movement also reminds citizens that procedural fights are worth having. A single amendment, committee vote, or absolute-majority threshold can decide whether encryption is protected or whether scanning continues. That may feel technical, but rights often live in technical clauses. Privacy survives through detail. Campaigners who publish vote trackers and explain legislative steps are doing democratic work. Their tone may be angry because the subject deserves anger. Polite confusion has been one of surveillance policy’s best allies.

That detail includes vote records. Citizens should know which representatives supported urgency, which defended encryption, and which were absent. Accountability starts with names and votes. Privacy should not disappear into institutional anonymity.

The anger also reflects exhaustion. Privacy groups have watched the same idea return through new labels: temporary, voluntary, targeted, compromise, revived. Rebranding surveillance does not change its substance. When institutions keep asking for the same power after losing earlier fights, civil society is right to answer loudly.

Civil society’s role is not to make officials comfortable. Its role is to make rights harder to trade away. On Chat Control, that discomfort is necessary, factual, and democratic. A political class that dislikes being watched by citizens should not ask citizens to accept being watched by platforms.

Ordinary Europeans are the compliance surface

Most people will not read the regulation, the Parliament briefing, the Council press release, or the EDPB opinion. They will experience the policy through apps. A warning in a privacy policy. A scanned attachment. A disabled account. A report they never see. A photo removed from cloud storage. A message that becomes evidence because a machine and a reviewer agreed. The citizen becomes the compliance surface for an institutional compromise.

The phrase “private communications” sounds abstract until one names the messages. “When are you coming home?” “I need help.” “Here is the medical photo.” “Send the contract.” “Do not tell my husband.” “I think my teacher is abusing me.” “Can you keep this safe?” These are not edge cases. They are the texture of ordinary digital life. A society that scans private channels changes the psychology of speaking.

Some users may switch to stronger encrypted services. Others may not know how. Some may stay because family, school, work, or community depends on a dominant platform. Some may accept scanning because they are told it protects children. Some may assume innocence protects them. That assumption is naïve. Innocence does not prevent false positives, context collapse, data breaches, account loss, or chilling effects. Privacy protects the innocent precisely because innocence is not self-enforcing.

The burden will fall unevenly. Journalists, lawyers, doctors, activists, minority groups, migrants, abuse survivors, sex workers, political dissidents, and teenagers have more to lose from exposure. Wealthier users may pay for privacy tools or move services. Less technical users may remain in scanned systems. Children may be monitored in the name of child protection while losing confidential support channels. Surveillance always finds the least powerful first.

Ordinary Europeans also face opacity. What exactly is scanned? Which files? Which chats? Which languages? Which classifier? Which hash database? Which reviewer team? Which law-enforcement destination? Which appeal route? The answers may be buried in terms of service, trade secrets, security restrictions, or law-enforcement confidentiality. You cannot meaningfully consent to a system you cannot inspect.

That is why the July vote should anger people who never follow EU procedure. It says private communication can be made conditional through institutional bargaining. It says the practical limits will be worked out later by Council, Parliament, platforms, regulators, and perhaps courts. The citizen is told to trust. Europe has earned trust on privacy when it limits power, not when it asks people to stop worrying about it.

For most citizens, the harm may be invisible until it is personal. They will not know which messages were scanned if nothing is flagged. They will not see the files discarded by a classifier. They will not know whether a reviewer saw something intimate and decided it was harmless. Invisible surveillance still changes the terms of private life. The absence of a police knock is not proof that no right was affected. Confidentiality is valuable because nobody had access in the first place. Once access exists, even selectively and automatically, the relationship changes. Europe should not ask ordinary people to accept that change merely because the scanning happens quietly inside systems they cannot observe.

The personal effect may also be anticipatory. People do not need to know the exact scanning rules to self-censor. Rumours, headlines, and partial knowledge can make users avoid intimate jokes, political discussion, medical disclosure, or evidence-sharing. Chilling effects begin before enforcement. That matters because confidentiality is partly a feeling of safety. Once public institutions teach citizens that private channels may be inspected for broad social goals, the feeling changes. Europe should not be casual about that psychological cost. It is part of the rights interference.

Trust, once lost, is expensive to rebuild. People who feel watched may not return to mainstream services even after safeguards improve. Policy can create long-lived distrust. Europe should count that cost before normalising private-channel inspection.

Ordinary users also face account-level punishment. A mistaken report can lead to suspension, lost photos, lost contacts, or years of cloud archives becoming inaccessible. Platform penalties can arrive before legal clarity. For many people, losing an account is not a minor inconvenience; it is losing a piece of life.

Account recovery, appeal rights, and deletion rights should be explicit. A false flag must not become a life sentence in platform records. Users need remedies that work across borders. They also need proof that mistaken reports are erased from provider systems, not merely ignored after damage is done.

Business users should read this as a security warning

Chat Control is often framed as a consumer privacy issue, but businesses should pay attention. Companies use messaging, email, cloud storage, and collaboration tools for contracts, intellectual property, legal advice, HR disputes, incident response, merger talks, security reports, and whistleblower communications. A legal culture that normalises scanning private communications weakens commercial confidentiality too. The target category may be CSAM, but the inspection architecture lives inside tools businesses rely on daily.

End-to-end encryption is not only for activists and teenagers. It protects trade secrets, client data, product plans, credentials, security vulnerabilities, and regulated information. The Internet Society’s definition of end-to-end encryption captures why businesses need it: only the endpoints should read the decrypted data. If exceptional access or pre-encryption scanning becomes normal, the assurance businesses depend on becomes harder to verify. A lock that allows official inspection is also a lock with more failure modes.

Client-side scanning would be especially alarming for enterprise security. It places privileged detection logic on devices or inside apps that process sensitive material. That logic requires updates, policy inputs, and reporting channels. Attackers love privileged pathways. “Bugs in our Pockets” warns that client-side scanning creates serious security and privacy risks and can be abused or evaded. Businesses should treat scanning mandates as supply-chain and endpoint-security risks.

Even voluntary scanning creates uncertainty. A cloud provider may scan consumer accounts but not enterprise tenants. A collaboration platform may apply different rules by region. A service may report suspicious files without fully disclosing the process. Cross-border teams may face different legal expectations. Regulated industries may need to assess whether scanning conflicts with confidentiality duties. Compliance teams should not assume child-safety derogations have no corporate impact.

There is also a competitiveness issue. Europe often says it wants digital sovereignty, secure infrastructure, and trustworthy technology. Normalising communications scanning points in the opposite direction. Secure European services should compete on strong confidentiality, transparent governance, and privacy-preserving safety methods. If EU law rewards monitoring capacity, it may push providers toward designs that undermine trust. A privacy-first market cannot grow under a surveillance-first legal mood.

Companies should therefore support narrow, targeted, legally supervised approaches. That is not selfish. It aligns business security with civil rights. Firms need protected channels to report vulnerabilities, investigate breaches, defend legal claims, and support employees. Once private communications become a routine inspection zone, everyone who depends on confidentiality pays. Chat Control is not only a social policy fight; it is a security architecture fight.

Business resistance should therefore be principled, not only self-interested. The same confidentiality that protects a boardroom protects a teenager asking for help and a journalist protecting a source. Security communities should defend encryption as public infrastructure. They should also warn against endpoint scanning obligations that create privileged code paths and uncertain reporting duties. A fragmented European approach would make compliance more costly and security less clear. Companies should ask lawmakers for narrow warrants, clear liability rules for targeted cooperation, and explicit protection for strong encryption. Those demands support child protection better than broad permission to monitor private tools, because trusted systems are easier to secure, audit, and defend.

There is a procurement risk too. Once scanning becomes a compliance expectation, vendors will sell tools that promise detection, audit, and reporting. Enterprises may be pushed to buy systems they do not fully understand, integrating them into communication stacks and endpoint controls. Compliance software can become surveillance infrastructure by another name. Security officers should ask who updates the rules, where reports go, how false positives are handled, and whether the tool can be repurposed. Those are not political questions only. They are basic risk-management questions.

Insurers, auditors, and customers may also ask whether communication tools are subject to scanning regimes. That can affect procurement, contracts, and risk assessments. Privacy law becomes business risk when confidentiality is uncertain. Companies should say so publicly.

Boards should ask whether vendors, cloud providers, and messaging services can explain their scanning exposure in plain terms. Security due diligence now includes surveillance due diligence. If a provider cannot state what is scanned, where reports go, and how errors are fixed, that uncertainty belongs on the risk register.

This is not abstract for regulated sectors. Law firms, clinics, banks, and security teams live on confidentiality. If communication tools lose trust, compliance and safety both suffer. A Europe that wants secure digital business should not normalise monitoring pathways that make trusted services harder to prove.

Democratic legitimacy suffers when procedure beats deliberation

Democracy is not only counting votes. It is also making sure the public can understand what is being decided, why it matters, which rights are affected, and who bears responsibility. The Chat Control 1.0 revival failed that test. A lapsed derogation returned through Council action, urgency, second-reading thresholds, amendments, and a closed stage that now sends the text back to Council. The legal path may be valid, but the democratic signal is rotten.

The public can follow a direct vote: yes or no to private-message scanning. It is much harder to follow an initial simple-majority rejection that fails because an absolute majority is required, followed by an amended position that survives because rejection lacks enough votes. Parliament’s press release records those numbers, but few citizens will parse them. When the rules become the story, accountability gets foggy.

This fog benefits intrusive policy. Supporters can say Parliament adopted safeguards. The Council can say it acted to protect children. Opponents can say they tried to reject the text. Platforms can say they await legal certainty. The citizen is left with a revived scanning permission and no clean line of accountability. A rights loss with distributed responsibility is still a rights loss.

Urgency is especially troubling. Child sexual abuse is urgent as a social problem, but the legal architecture of private-message scanning is not a fire alarm that prevents deliberation. The interim regulation existed for years. The permanent proposal has been debated since 2022. The March breakdown was known. The expiry date was known. A crisis created by institutional deadlock should not become a reason to compress scrutiny.

The EU often suffers from a distance problem. Citizens perceive decisions as remote, technical, and inevitable. Chat Control feeds that perception. It tells people that even when Parliament rejects a measure, another institutional route may bring it back. That does lasting damage. Privacy law relies on legitimacy because people must believe the rules protect them, not manage them.

A more legitimate process would have admitted the stakes plainly: whether Europe should permit voluntary scanning of private communications after the previous derogation expired, under what exact limits, with what evidence of effectiveness, and with what remedy for users. It would have published clear comparisons between Council and Parliament positions. It would have refused urgency. It would have treated confidentiality as a right, not a drafting inconvenience. Europe cannot defend democracy by making surveillance procedurally dull.

The legitimacy damage will not stay inside this file. Each time the EU uses procedural complexity to revive an intrusive measure, it feeds public cynicism about Brussels. Citizens who already suspect that decisions are made over their heads see confirmation. A privacy defeat delivered by procedural fog becomes a democratic defeat too. That is dangerous for every future digital law, including good ones. Trust in regulation depends on the belief that lawmakers explain trade-offs honestly and accept limits. Chat Control does the opposite when it hides a rights conflict behind urgency and second-reading arithmetic. A confident democracy would slow down, publish the stakes, and dare to hold a direct argument.

Deliberation would also have forced better language. Officials could have stopped saying “legal vacuum” when they meant the absence of a special scanning permission. They could have stopped implying that privacy safeguards equal indifference to abuse. They could have admitted that voluntary scanning still affects non-consenting users. Clear language is a democratic safeguard. When the words are muddy, the power grows unnoticed. The July process produced too much mud: temporary, voluntary, urgent, limited, reinstated, amended, deemed adopted. The citizen deserved plain speech.

Plain speech would also help supporters of child protection. If a measure is genuinely necessary, it should survive honest description. A good law does not need euphemism. Chat Control has been wrapped in too many soft words.

A direct debate would also show which politicians believe privacy is a real limit and which treat it as a public-relations phrase. Votes reveal values when language does not. The July process blurred that distinction, and the blur helped the measure survive.

The EU can still repair that damage by slowing the file and explaining the conflict honestly. Deliberation is not delay when rights are at stake. It is the price of legitimacy. Citizens can accept difficult trade-offs when leaders name them plainly; they lose trust when leaders bury those trade-offs inside procedure. That honesty should have come before urgency. Not after. Ever.

A responsible alternative would be narrower and harder

A better law would be harder to pass because it would be more honest. It would say that child sexual abuse online is grave, that confirmed abuse material must be removed quickly, that victims need support, that offenders must be investigated, and that private communications cannot be scanned without targeted legal basis. The first design principle should be suspicion before intrusion. Not suspicion as a vague platform feeling, but evidence reviewed by an independent authority.

Such a framework could allow narrowly defined hash matching for confirmed CSAM in contexts closer to public distribution or hosting, with verified reference databases, independent audit, strict access controls, purpose limitation, and transparent reporting. It could allow urgent preservation requests and judicial orders where evidence points to a user, group, or service being misused. It could fund cross-border investigative teams and victim identification. Targeted power can be strong without becoming generalised power.

For grooming, the law should be even more cautious. Text detection is contextual, language-dependent, culturally variable, and prone to misunderstanding. A conversation between a child and a therapist, teacher, parent, peer, or abuse survivor can contain sensitive words without criminal intent. Automated grooming detection inside private chats should not become a routine provider duty. The EDPB and EDPS warned that measures detecting solicitation in interpersonal services were especially intrusive and should be removed from the 2022 proposal. That warning should be treated as a baseline, not a negotiating chip.

For encryption, the rule should be simple: no weakening, no client-side scanning mandate, no indirect pressure that makes secure services legally risky. Providers should not be forced to redesign secure channels into inspection channels. Voluntary scanning of encrypted messages should not be praised as responsible behaviour. End-to-end encryption should remain end-to-end. That protects children, businesses, journalists, lawyers, and ordinary families.

For accountability, users need notice, remedies, and public statistics that do not compromise investigations. Independent auditors should assess false-positive rates, database governance, reporting quality, and human-review processes. Regulators should measure outcomes: victim identification, offender prosecution, takedown speed, repeat circulation reduction, and harm to lawful users. If a child-safety measure cannot prove results, it should not survive on sentiment.

The hard part is political courage. A narrow law will be attacked as weak because it refuses the easy promise of scanning everyone. But democracies are supposed to reject easy power when rights are at stake. Europe can protect children without teaching every platform to inspect private life. The responsible alternative is not softer on abuse; it is stricter about power.

A responsible alternative would also include sunset discipline. If an interim measure is truly temporary, expiry should mean expiry unless a fresh evidence review proves necessity. Renewals should require positive approval, not survival through failure to reject. Temporary surveillance should die automatically unless democracy actively revives it. That reverses the current incentive. It makes the state justify intrusion again instead of making privacy defenders assemble enough votes to stop continuity. The law should also require public evaluation before renewal: outcomes, errors, costs, rights impacts, and less intrusive alternatives. Without that discipline, temporary derogations become policy storage units where controversial powers wait until the politics improve.

A narrower law should also separate provider cooperation from provider surveillance. When a provider discovers confirmed abuse material in a lawful, limited way, reporting should be clear and protected. That does not mean providers should search private channels proactively without suspicion. Duty to report is not duty to hunt. Collapsing those ideas creates pressure for constant monitoring. Europe should define safe reporting, targeted preservation, and lawful cooperation while rejecting broad content inspection. That structure would help responsible companies act without turning every service into a private police filter.

This distinction would help companies too. They could report what they actually find without being pressured to search everything. Clear limits protect responsible providers. Ambiguous permission rewards overreach and punishes restraint.

A strict renewal test would change incentives. Instead of asking privacy defenders to stop a revived exception, lawmakers seeking scanning would need fresh proof of necessity. The burden belongs on intrusion. That single rule would prevent many temporary measures from quietly becoming permanent habits.

The same law should ban indirect punishment of privacy-protective design. Strong encryption should never count as suspicious non-cooperation. Providers must be free to build secure services. If regulators want cooperation, they should reward targeted lawful response, not pressure companies toward permanent monitoring. That principle belongs in black-letter law.

Europe can still stop the permanent mistake

The July outcome is bad, but it is not the end of the story. Parliament’s amended position goes to the Council, which has three months to approve or reject the amendments. If the Council does not accept all amendments, Parliament and Council move to conciliation. That means the immediate text still has institutional steps ahead. Citizens should treat this as a live fight, not a completed defeat.

The most important demand now is to preserve and strengthen the exclusion for end-to-end encrypted communications. The Council should not reject that safeguard. Parliament should not trade it away in conciliation. The permanent CSAM Regulation should state clearly that nothing in EU law may prohibit, weaken, circumvent, or pressure end-to-end encryption, including through client-side scanning. No private-message safety regime is acceptable if it turns secure devices into inspection points.

The second demand is to reject suspicionless scanning of private unencrypted communications. The fact that a channel is not end-to-end encrypted does not make it public. Email, cloud files, backups, and ordinary chats still deserve confidentiality. Voluntary provider scanning should be confined, audited, and replaced where possible by targeted, judicially supervised measures. Unencrypted does not mean unprotected.

The third demand is evidence. Lawmakers should publish and debate concrete data about detection effectiveness, false positives, investigative outcomes, victim rescues, prosecution quality, and harms to lawful users. Child-safety policy cannot be evaluated by slogans or provider pressure. It needs results. If the system scans millions but protects poorly, it is a surveillance success and a child-protection failure.

The fourth demand is investment outside scanning. More victim support, better reporting paths, faster takedowns, specialised investigators, school prevention, offender disruption, commercial-market enforcement, and privacy-preserving safety design would do more than another temporary derogation. Europe should stop pretending that scanning is the only measure with moral urgency. The children invoked in this debate need services, investigators, and support, not just algorithms.

The final demand is democratic honesty. If Europe wants to authorise mass scanning, it should say so plainly and accept the constitutional fight. If it claims to defend privacy, it should stop reviving expired exceptions. The continent that wrote the GDPR should not now teach the world how to launder surveillance through child-protection language. Chat Control 1.0 came back through the side door; Chat Control 2.0 must not be allowed through the front one.

Europe still has leverage because the Council must decide whether to accept Parliament’s amendments. If it refuses, the conflict returns in conciliation. That is where citizens, journalists, businesses, child-rights experts, security researchers, and national parliaments should apply pressure. The immediate demand is simple: no restoration of broad scanning without hard limits. The permanent demand is stronger: no law that makes private-message scanning the default safety model. The EU can still choose targeted enforcement, secure encryption, victim support, and serious investigation. Or it can keep pretending that every expansion of monitoring is merely a temporary inconvenience on the road to safety. The first path protects children and citizens. The second path protects an illusion.

The choice is still political. Council governments, MEPs, and the Commission can decide that children are better served by precise enforcement than by mass suspicion. They can accept that secure communication is part of European safety. They can stop treating expiry dates as inconveniences. Privacy is not free, and neither is surveillance. Surveillance costs trust, security, legitimacy, and sometimes the safety of the people it claims to protect. If Europe pays that price again for a temporary shortcut, it should at least stop calling the bill protection.

The final decision should be remembered by voters, not hidden in process files. Private life deserves political memory. If lawmakers revive scanning now and expand it later, citizens should know who opened the door.

The next months should therefore be noisy. Contact MEPs, question national ministers, demand public explanations, and reject vague safety language. Silence is how temporary powers mature. Europe still has a chance to choose a narrower path, but only if citizens make the cost of scanning politically visible.

The permanent fight matters even more than this revival. A temporary derogation can be repealed; a permanent architecture becomes harder to unwind. Europe should stop it before it settles. Once agencies, vendors, compliance teams, and reporting systems depend on scanning, political reversal becomes far harder than prevention. Waiting will only make the system more entrenched. The clock matters. Right now.

Questions Europeans are asking about Chat Control

Did the European Parliament finally pass Chat Control 1.0 on 9 July 2026?

Not finally. Parliament adopted amendments to the Council position and closed its second reading, sending the amended text back to the Council. The scanning revival is still alive, not fully settled.

Does this mean every private message is now being read?

No. The verified record does not support that claim. The danger is the renewed legal path for providers to resume voluntary scanning of private communications under a derogation.

Did Parliament protect end-to-end encryption?

Parliament’s amendment excludes communications to which end-to-end encryption is, has been, or will be applied. That safeguard still depends on the next institutional steps.

Why are critics calling this Chat Control?

Critics use the name because the framework permits or encourages automated scanning of communication services for child sexual abuse material, raising privacy and encryption concerns.

Was the old derogation already expired?

Yes. The previous interim measure expired on 3 April 2026 after Parliament and Council failed to agree on an extension.

Does voluntary scanning mean users consent?

No. Voluntary for a provider is not voluntary for users. A platform can choose scanning rules that affect millions of people who never meaningfully approved them.

Is fighting CSAM a legitimate public goal?

Yes. Child sexual abuse material is a grave crime and its circulation harms victims. The dispute is whether suspicionless private-message scanning is necessary and proportionate.

What is the strongest privacy objection?

The strongest objection is that broad scanning treats innocent people’s private communications as material for automated inspection before suspicion, warrant, or targeted evidence.

What is client-side scanning?

Client-side scanning checks content on a user’s device before encryption or upload. Security experts warn that this circumvents the protection users expect from encrypted systems.

Could false positives harm innocent users?

Yes. False positives can expose lawful intimate, medical, family, or evidentiary material to reviewers or reporting pipelines before context is understood.

Does known CSAM hash matching raise the same risks as AI grooming detection?

No. Known hash matching is narrower than AI systems that infer unknown abuse material or grooming. Different detection tools require different legal limits.

Why did procedure matter so much in July?

At second reading, rejection or amendment required an absolute majority of all MEPs, so procedural thresholds shaped whether the revived measure could be stopped.

What happens next?

The Council has three months to approve or reject Parliament’s amendments. If it rejects them, Parliament and Council move toward conciliation.

Is Chat Control 2.0 still being negotiated?

Yes. The permanent CSAM Regulation remains under negotiation, with unresolved disputes around scanning and encrypted communications.

What would a better child-protection model look like?

It would focus on targeted judicial orders, confirmed public abuse material, victim reporting, takedowns, specialist investigators, prevention, and secure support channels.

Are privacy advocates against protecting children?

No. Many privacy advocates argue for stronger targeted child protection and against mass scanning because weak confidentiality can also harm children and victims.

Should businesses care about Chat Control?

Yes. Business communication, legal documents, incident reports, and confidential cloud storage all depend on trustworthy communication systems and strong encryption.

What should citizens demand from lawmakers?

Citizens should demand no weakening of encryption, no suspicionless scanning of private communications, independent audits, clear remedies, and evidence that measures actually protect children.

What is the core issue in one sentence?

The core issue is whether Europe will protect children through targeted lawful power or normalize mass suspicion as the price of digital life.

Author:
Jan Bielik
CEO & Founder of Webiano Digital & Marketing Agency

Europe just voted to spy on your private messages
Europe just voted to spy on your private messages

This article is an original analysis supported by the sources cited below

Combating child sexual abuse online: support for more limited ePrivacy derogation
European Parliament press release describing the 9 July 2026 second-reading outcome, amendments, encryption exclusion, vote figures, and next procedural steps.

Combating child sexual abuse online: vote to reinstate ePrivacy derogation
European Parliament plenary briefing explaining the Council position, second-reading procedure, absolute-majority requirement, urgent procedure, and background to the expired derogation.

Council moves to reinstate interim measure to combat child sexual abuse online
Council of the EU press release setting out the Council’s July 2026 position to reinstate voluntary detection until April 2028.

Temporary derogation from certain provisions of the ePrivacy Directive to combat online child sexual abuse
HowTheyVote record of the 7 July 2026 urgent-procedure vote, including votes for, against, abstentions, total participation, and non-voting MEPs.

Regulation (EU) 2021/1232
EUR-Lex text of the original temporary derogation from certain ePrivacy rules for providers processing data to combat online child sexual abuse.

Directive 2002/58/EC
EUR-Lex text of the ePrivacy Directive, the legal framework whose confidentiality protections are central to the derogation debate.

Regulation (EU) 2024/1307
EUR-Lex text of the 2024 extension of Regulation 2021/1232 before the later 2026 expiry and revival attempt.

Proposal for a Regulation laying down rules to prevent and combat child sexual abuse
European Commission proposal for the permanent CSAM Regulation, including provider duties and the planned EU Centre on Child Sexual Abuse.

Combating child sexual abuse online
European Parliament legislative-train page explaining the interim regulation, its expiry, and the permanent CSAM proposal’s relationship to it.

EU Strategy for a more effective fight against child sexual abuse
European Parliament legislative-train page summarising the 2026 timeline, the March Parliament position, expiry, and ongoing permanent-rule negotiations.

EDPB-EDPS Joint Opinion 04/2022 on the proposal for a regulation to prevent and combat child sexual abuse
Joint opinion by the European Data Protection Board and European Data Protection Supervisor assessing necessity, proportionality, encryption, and fundamental-rights concerns.

EC Proposal to Prevent and Combat Child Sexual Abuse
Internet Society impact brief explaining end-to-end encryption, exceptional access, backdoors, and client-side scanning concerns in the EU CSAM proposal.

After Years of Controversy, the EU’s Chat Control Nears Its Final Hurdle: What to Know
Electronic Frontier Foundation analysis of the Council position, encryption issues, and continuing risks in the Chat Control negotiations.

Global Encryption Coalition Steering Committee Statement on Council of the EU Position on the European CSA Regulation
Center for Democracy and Technology publication of the Global Encryption Coalition statement on voluntary scanning, encrypted communication, and private unencrypted communication.

More monitoring, but not more protection
Max Planck Society explainer on client-side scanning, pre-encryption inspection, and the security meaning of end-to-end encryption.

Bugs in our Pockets: The Risks of Client-Side Scanning
Security research paper by cryptography and computer-security experts analysing client-side scanning risks, failure modes, evasion, and abuse.

Chat Control or Child Protection?
Ross Anderson’s response paper discussing EU and UK child-safety scanning proposals, privacy law, policing priorities, and technical limits.

YASM (Yet Another Surveillance Mechanism)
Academic paper analysing client-side scanning, surveillance risks, cybersecurity concerns, and human-rights implications.

Detecting sexually explicit content in the context of the child sexual abuse materials (CSAM): end-to-end classifiers and region-based networks
Academic paper on CSAM-related explicit-content classification methods, data-access constraints, model accuracy, and interpretability limits.

EU to extend temporary message-scanning regime to detect child sexual abuse online
Euronews report on the July 2026 revived temporary scanning regime, political procedure, EPP role, March rejection, and privacy criticism.

EU fails to extend rules on child abuse content detection by online platforms
Reuters report on the March 2026 failure to agree an extension, the expiry timeline, and disagreements over encryption and scope.

‘Irresponsible failure’: Google, Meta, Snap and Microsoft slam EU over child sexual abuse law lapse
Guardian report on the April 2026 lapse, platform reaction, legal uncertainty, and child-safety arguments around report visibility.

CyberTipline Data
National Center for Missing and Exploited Children data page describing CyberTipline reporting, electronic service provider reports, and 2025 reporting concentration.

Internet Watch Foundation Annual Report 2025
IWF annual data and insights report with 2025 figures on reports assessed, confirmed CSAM-related reports, hash-list additions, and online abuse trends.

Chat Control 1.0 vs 2.0
Fight Chat Control timeline and advocacy overview tracking the 2026 expiry, Council revival, urgent procedure, and continuing permanent-law negotiations.

La Quadrature du Net and Others
EUR-Lex summary of the CJEU judgment on general and indiscriminate communications data retention and EU fundamental-rights limits.

Article 8 – Protection of personal data
European Union Agency for Fundamental Rights explainer on Article 8 of the EU Charter and the right to protection of personal data.

Citing this article? Brief excerpts are welcome. Please credit Webiano.digital, name the author where stated, and include a link to https://webiano.digital and to this original article. Full or substantial republication requires prior written permission. Read our Copyright and Content Use Policy.