CLASSIFICATION: EU LEGISLATIVE STALEMATE STATUS: Paused at Council level — file remains open, returns under next Presidency WHAT WAS ON THE TABLE: Client-side scanning of every private message, photo and link before encryption, on every consumer device sold in the EU --- The vote that didn't happen The EU's so-called "Chat Control" proposal — formally the Regulation laying down rules to prevent and combat child sexual abuse — failed to clear a Council vote on the latest Presidency text in late April 2026. Germany, Poland and the Netherlands declined to back the compromise, denying the qualified majority a third time in three years. The proposal is now paused at Council level. It is not withdrawn. The file stays open and is expected to return under the next rotating Presidency, with new wording and the same underlying ask: mandatory scanning of private communications before they are encrypted. Why it matters even though it didn't pass The repeated near-misses have already had effects: Signal, Threema and Tuta have publicly committed to leave the EU market rather than implement client-side scanning. Signal President Meredith Whittaker has restated the position at every Presidency turn. WhatsApp and iMessage would face the same engineering choice: ship a scanner that bypasses end-to-end encryption, or pull from the bloc. Member states' own legal services — including the Council Legal Service in a 2023 opinion that has never been overturned — have warned the proposal likely violates Articles 7 and 8 of the EU Charter on private life and data protection. Children's rights organisations are split. Some support detection mandates; others (including Germany's Deutscher Kinderschutzbund) have argued client-side scanning normalises mass surveillance and produces overwhelming false-positive volumes that bury real cases. What "client-side scanning" actually does A client-side scanner runs on your device, before your messaging app encrypts anything. Every photo, every link, sometimes every text fragment, is hashed and matched against a server-supplied list. Matches are reported to a central authority. Three properties make this incompatible with end-to-end encryption as a security guarantee: The scanner is, by definition, a third party inside the conversation. E2EE means only the sender and recipient can read the message. Adding a mandated reader breaks that property regardless of where the inspection physically runs. The match list is opaque and remotely updatable. A list provided to combat CSAM today can be silently extended to copyrighted material, political imagery, dissident logos or "extremist" content tomorrow. The architecture does not constrain the policy. False positives scale with throughput. Apple's own 2021 attempt at client-side CSAM scanning was abandoned in 2022 after Apple's security team and outside researchers (including Princeton's Mayer & Kulshrestha) demonstrated unavoidable collision rates and re-targeting risk. Apple has not revived it. Who voted what (May 2026) Position breakdowns published by EDRi and Politico Europe show: Against / withholding consent: Germany, Poland, the Netherlands, Austria, Finland, Estonia, Czechia For: France, Spain, Italy, Ireland, Hungary, Cyprus, Sweden, Denmark, Croatia Abstaining / undecided: Belgium, Luxembourg, Slovenia, Slovakia, Greece, Portugal, Romania, Bulgaria, Lithuania, Latvia, Malta That alignment is not stable. Government changes in any single capital can flip the count under the next Presidency text. What changes for users right now Nothing on your phone changes today. Signal, WhatsApp, iMessage, Threema, Element/Matrix, Session and Tuta continue to operate normally inside the EU. The proposal is paused, not implemented. What does change: the political assumption that "the EU would never break encryption" is gone. Three Council votes in three years — each a single mid-sized member state away from passing — is the new baseline. What we're watching next The text drafted by the next Council Presidency (rotates 1 July 2026). Past form suggests new optional opt-outs, narrower scope language, or rebranding ("upload moderation," "detection orders"). The European Court of Justice referrals already lodged against earlier interim regulations permitting voluntary scanning by US providers. Member-state implementations that try to require scanning unilaterally — France's prior amendments to the Loi SREN, the UK's Online Safety Act Section 122 powers, and proposed Swedish legislation are the closest active examples. Whether Apple or Meta publicly restate their positions if the text returns. How to prepare without panicking If you want to harden against a future where some platforms comply and others exit: Use at least one E2EE messenger that has publicly committed to leave rather than scan (Signal, Threema, Tuta) so you have a fallback channel. Verify safety numbers / security codes with people you actually rely on, so a future compromised build is detectable. Keep a non-cloud backup of your contacts so you can rebuild a network on a new app within an hour, not a week. Follow the file through EDRi, Patrick Breyer's archive, and your national digital-rights organisation. The vote that finally passes — if one does — will be telegraphed weeks in advance. The Regulation has not passed. The architecture it proposes has not been built. Both of those things remain true only as long as people keep paying attention.