331:304 — EU Parliament Resurrects Chat Control: Your Encrypted Messages May No Longer Be Private

331:304 — EU Parliament Resurrects Chat Control: Your Encrypted Messages May No Longer Be Private

PrivacyEncryptionEULawCybersecurity

Sources:HN + web research · HN

On the afternoon of July 7, 2026, in Strasbourg, France, the European Parliament voted 331 to 304 — with 11 abstentions — to pass an urgent motion. The motion, reduced to a single sentence: allow tech companies to scan your private chat messages. WhatsApp, Signal, iMessage — if the service provider is willing, every message you send can be inspected.

Three months earlier, the same Parliament had rejected the very same proposal.

On March 26, 2026, 311 MEPs voted against it (228 in favor, 92 abstentions). The crucial Amendment 34 — which rejected “automated assessment of unknown photos and texts” — passed by a single vote, 307 to 306. The law expired.

How does something voters rejected come back? That’s the story today.

European Parliament building exterior The European Parliament building in Strasbourg, France. Multiple rounds of Chat Control voting have taken place here. Source: Shutterstock / Tero Vesalainen, via heise online


Two Laws, One Name

To understand what’s happening, we need to untangle a common confusion. What the news calls “Chat Control” is actually two separate pieces of legislation — advancing in parallel through the EU’s legislative machinery, entangled with each other.

Chat Control 1.0, formally EU Regulation 2021/1232, was adopted in July 2021. At its core, it was a “temporary pass”: it allowed (but did not require) tech companies to voluntarily scan users’ private messages, emails, and chats, with the stated goal of detecting child sexual abuse material (CSAM). It was a temporary law, originally set to expire in August 2024, later extended to April 3, 2026. When it expired, Parliament refused another extension — it was dead.

Chat Control 2.0, formally the CSA Regulation, was formally proposed by the European Commission in May 2022. If 1.0 was a temporary pass, 2.0 aims to write “scanning private chats” into law as a permanent obligation. The original proposal was sweeping: mandatory scanning of all content, including end-to-end encrypted communications, with no requirement for reasonable suspicion against any particular user — indiscriminate, universal surveillance. Over the past five years, Parliament and the EU Council have held five rounds of trilogue negotiations on 2.0. All five collapsed. The most recent, on June 29, 2026, broke down over the core question of whether indiscriminate scanning of unsuspected citizens is permissible. Negotiations have been postponed until after Ireland assumes the rotating presidency.

Two tracks, running in parallel. And in recent months, all the action has been on the first track.


How a Dead Law Gets Resurrected: A Procedural Magic Trick

If you think “something Parliament rejected shouldn’t come back,” the following operation may recalibrate your understanding.

According to tracking by fightchatcontrol.eu, the entire process unfolded in seven steps:

  1. June 26: EU member state ambassadors agreed to push forward a draft regulation that was “formally new, substantively identical.” The key detail: because the original regulation had already expired, it couldn’t technically be “extended” — it had to be repackaged under the banner of a new law.
  2. July 2: The EU Council, through written procedure, formally adopted its position on this “new” law.
  3. July 7: Under the arrangement of Parliament President Roberta Metsola, the urgent motion was squeezed into that day’s agenda. At this point, fewer than 48 hours remained before Parliament’s summer recess.

There was a crucial procedural asymmetry at play: because the bill had entered “second reading,” amending or rejecting it required an absolute majority of all 720 MEPs — at least 361 votes — but passing it only required a simple majority of those present on the day. And this Thursday was the last working day before summer recess — a large number of MEPs had already left.

In other words: to block it, you needed to muster 361 no votes (absent MEPs counted against you); to pass it, you just needed more yes votes than no votes among whoever was in the room.

Chat Control legislative process diagram The legislative path of the Chat Control bill through EU institutions. Source: closednetwork.io

One HN user cited former European Commission President Jean-Claude Juncker’s famously candid admission: “We decide on something, leave it lying there and wait and see what happens. If no one kicks up a fuss — because most people don’t grasp what has been decided — we continue step by step until the point of no return.” Another user wrote: “Democracy is when unpopular laws are pushed repeatedly until they pass — the more times they’re pushed, the more democratic it becomes.”

This time, the push to resurrect the bill was led by the center-right European People’s Party (EPP). The critical turning point was the defection of the Social Democrats group: the S&D group changed its position before the vote, announcing support for the urgent procedure and providing the margin needed for the motion to pass. Parliament’s Chat Control rapporteur Birgit Sippel (S&D) called it “an unfair move by member states,” but withheld her own support — her group didn’t listen to her.


Can Encrypted Chats Really Be “Scanned”?

At this point, a technical question naturally arises: my messages are encrypted. Even WhatsApp itself can’t read them. How do you scan them?

This question hits exactly the core of the entire controversy.

Let’s start with an analogy. End-to-end encryption (E2EE) works like this: you and a friend agree on a special way to send letters. You write a letter, put it in a lockbox, and only you and your friend have the key. The post office, the courier company, even the factory that made the lockbox — none of them have the key. Mathematically, this means: aside from the two communicating parties, no third party can read the message content.

In reality, when you send a message on Signal or WhatsApp, it’s encrypted on your phone. Only the recipient’s phone can decrypt it. Every server in between sees nothing but gibberish.

So how would “scanning” work? Two technical approaches are under discussion:

The first is called “Client-Side Scanning.” Before your message leaves your phone, a local AI program inspects it. If the AI thinks “this image looks suspicious,” it flags it, encrypts it, and reports it to the platform. From a communications standpoint, the message is indeed encrypted before transmission — but your phone has already “rummaged through the box” on behalf of authorities before locking it. In the analogy, it’s like someone installing a scanner inside the lockbox before it’s sealed. It bypasses the encryption itself by executing the inspection at the source — on your device.

The second is called “encryption bypass.” This means legally requiring communications providers to insert a “backdoor” into the encryption system — an entry point accessible only to law enforcement under specific conditions. This is the scenario the technical community fears most, because it means the mathematical foundations of encryption algorithms have been deliberately weakened. In the analogy: the government requires the lock factory to build a “master key” into every lock.

Currently, Chat Control 1.0’s legal text claims it “does not touch encrypted communications,” but in practice allows service providers to deploy client-side scanning. Chat Control 2.0 — the real battlefield — has from the start demanded inclusion of end-to-end encrypted communications. All five rounds of trilogue negotiations have stalled on precisely this point.

A board member of the German Informatics Society (Gesellschaft für Informatik) filed an urgent application to the German Federal Constitutional Court on this basis. The core argument: the false positive rate of current AI image recognition is “unacceptably high” — and at the scale of billions of messages per day, even a 0.01% error rate means millions of normal conversations get flagged as suspicious every day and enter human review.


Proponents and Opponents: Neither Side Is Making Things Up

At this point, it’s only fair to acknowledge: the people pushing Chat Control aren’t speaking in empty slogans.

Before the vote, four EU Commissioners sent a joint letter to Parliament with urgent language: “Without detection mechanisms, perpetrators go free, and virtually all child sexual abuse material will go undetected.” Opponents point out that Meta and Google continued submitting reports even after the regulation expired, but the proponents’ core pressure is this: during the two-month summer “vacuum,” every case that goes undetected means a child is being harmed right now.

The EPP’s logic during the voting debate was: we can’t wait two months for summer recess. Put the “temporary” framework back in place first, then resume the slow negotiations on 2.0 after the summer.

The opposing side’s arguments carry equal weight. Pirate Party MEP Markéta Gregorová accused the EPP of “staging a farce.” AfD MEP Mary Khan said: “Nobody wants to weaken child protection. But that shouldn’t become a pretext for placing all citizens under general suspicion and enabling mass surveillance.”

Between these two poles, HN user mikaeluman’s comment offered a more nuanced view: “The vast majority of people want to see more action against child sexual abuse. But this law is classic ‘give me dictatorial powers so I can do good’ — it could have been written as a narrow, precisely targeted bill focused on specific suspects, but instead it became a tool that sweeps up every ordinary person’s communications.”

On the technical side, a risk that keeps getting raised: once major platforms embed scanning functionality into devices as required, they simultaneously create a brand-new attack surface. Malware authors, nation-state hackers, even platform insiders could exploit this entry point. As HN user summerlight put it: “You’ve built a master key and told the world only good guys will use it.”

Additionally, the Council’s own legal service issued an opinion on June 10, finding that even a “voluntary” scanning scheme in practice constitutes “generalized surveillance” of communications — without reasonable suspicion or prior judicial authorization, this contradicts Article 7 of the EU Charter of Fundamental Rights. In other words, even the Council’s own lawyers think this approach has problems.


What This Has to Do With You

If you’re not in Europe, you might think this is far away. Two facts are worth noting:

First, internet services don’t respect borders. WhatsApp and Signal aren’t going to maintain a “scannable” version for European users and a “real end-to-end encryption” version for everyone else. Once client-side scanning mechanisms are deployed into the app for compliance, they’ll almost certainly be rolled out as a global feature for all users. The cost is borne by everyone.

Second, the precedent effect. As HN user harrisoned pointed out: “Some countries love copying this kind of regulation. Once service providers start complying with EU requirements, other governments will come knocking: ‘You can do it for the EU, so you can do it for us too, right? Technically it’s not impossible.’”

EU Chat Control legislative process tracking Key legislative milestones for the EU Chat Control bill, 2024–2026. Source: byteiota.com

There’s also an easily overlooked point: the resurrection of Chat Control 1.0 may actually delay the more precisely targeted Chat Control 2.0 negotiations. Privacy advocates fear that once the temporary framework is back in place, EU governments lose the urgency to advance a genuinely “surgical strike” law — after all, the “temporary” solution works well enough. The likely outcome: a temporary regulation that should have been replaced in 2024 becomes semi-permanent.


July 9: The Last Line of Defense

This Thursday (July 9), Parliament will hold the final vote on the substantive content of Chat Control 1.0.

Blocking it requires 361 votes — an absolute majority of all MEPs. Given how many have already left ahead of summer recess, that threshold is hard to reach. But if 361 no votes can’t be mustered, this bill — rejected by the same Parliament just three months ago — will pass automatically.

This is an asymmetric confrontation written into the procedural rules. And the consequences of this confrontation will ripple through every chat app you use for years to come.

Reference links: