In May 2022, the European Commission introduced a regulation it said would protect children. What it actually proposed was the largest mass surveillance infrastructure ever built in a democratic society. Three years, multiple rewrites, and three failed Council votes later, the proposal formerly known as "Chat Control" is back in trilogue negotiations — and it is closer to becoming law than it has ever been.

The technical details have shifted. The fundamental demand has not: the EU wants to scan your private messages before you encrypt them, and it is willing to break end-to-end encryption to do it.

Five years of Chat Control: a timeline

The proposal has gone through more revisions than almost any other EU digital regulation in recent memory. Each iteration has been presented as a compromise while preserving the core mechanism: mandatory scanning of private communications.

May 2022 — The European Commission publishes its original proposal: the Regulation laying down rules to prevent and combat child sexual abuse (CSAR). It would allow national authorities to issue "detection orders" requiring platforms to scan all user communications for CSAM, including end-to-end encrypted messages. Patrick Breyer MEP immediately labels it "Chat Control."

November 2023 — The European Parliament adopts its negotiating position. Crucially, the Parliament rejects mass scanning and client-side scanning of encrypted communications. It limits detection orders to targeted cases with judicial authorization. This is the most privacy-protective position any EU institution has taken.

December 2023 — The Council of the EU (representing member state governments) adopts its own position. It is dramatically broader than the Parliament's. The Council text allows for scanning of all users' communications on a given platform — not just targeted individuals — and does not exclude encrypted services.
June 2024 — The Hungarian Council Presidency proposes a "compromise" text that would require platforms to scan images and URLs in non-encrypted traffic while claiming to preserve encryption. Privacy organizations point out that the text's "encryption safeguard" is functionally meaningless: if a platform offers E2EE, it would still be required to scan content on the device before encryption occurs.

October 2024 — The first Council vote fails. Germany, Poland, and the Netherlands withhold support, denying the qualified majority.

February 2025 — A second vote under the Polish Presidency also fails. The text has been adjusted but the scanning mandate remains.

April 2026 — A third vote under the latest Presidency text fails again. The same blocking minority holds. But the file is not withdrawn — it moves to trilogue.

May 2026 — Trilogue negotiations between the Parliament, Council, and Commission are underway. A final deal is expected by June 2026.

The pattern is clear: every "compromise" preserves the surveillance capability while narrowing the language around it.

What the current proposal actually says

There are now three competing versions of the CSAR text. The final law will be negotiated behind closed doors in trilogue.

The Commission's original text (2022): Allowed national authorities to issue "detection orders" requiring any platform to scan all communications for CSAM. No exemption for encrypted services. This was the most expansive version — a blanket surveillance mandate.

The Parliament's position (2023): Rejected general scanning. Required individual judicial authorization before any detection order. Excluded end-to-end encrypted services from scanning requirements. This position was supported by EDRi, Access Now, and over 300 civil society organizations.

The Council's position (2023, revised 2024-2026): Allows "upload moderation" — scanning content before it is sent, including on devices using E2EE.
Claims to protect encryption by saying platforms won't be forced to "break" it, but mandates client-side scanning as an alternative, which achieves the same result through a different mechanism.

The gap between the Parliament and Council positions is not a detail. It is the difference between targeted surveillance with judicial oversight and mass scanning of every private message in the European Union.

Why client-side scanning breaks the E2EE promise

The Council's text contains language that sounds like an encryption safeguard: platforms will not be required to "break, circumvent, or weaken" end-to-end encryption. This has been repeated by proponents as proof that Chat Control is compatible with encryption. It is not.

Client-side scanning — the mechanism the Council text relies on — works by scanning your messages, photos, and files on your device before they are encrypted. The content is hashed and compared against a server-maintained database. If a match is found, the content is reported to a central authority.

This process violates the core promise of end-to-end encryption in three ways:

A third party enters the conversation. E2EE means only the sender and intended recipient can read the content. Client-side scanning inserts a mandatory reader — the scanner — into every conversation. The scanner may be automated, but it is reading your messages. The encryption still exists, but it no longer provides the guarantee it was designed for.

The match list is opaque and extensible. The database used for matching is maintained remotely and can be updated without user knowledge or consent. A list built for CSAM detection today can be expanded to include other categories of content tomorrow. The architecture places no technical constraint on what can be scanned for. As the EFF has documented, this is the fundamental problem: the surveillance infrastructure does not come with a policy limiter.

False positives are unavoidable at scale.
Cryptographers at Princeton, ETH Zurich, and elsewhere have demonstrated that any client-side scanning system produces false positives that scale with the volume of content scanned. In a system scanning billions of messages daily across the EU, even a 0.01% false positive rate produces thousands of innocent people flagged for investigation. Apple abandoned its own client-side CSAM scanning proposal in 2022 for exactly this reason.

The Council's "encryption safeguard" is a semantic trick. The encryption is not broken in transit. It is bypassed at the point of origin. The result is the same: your private messages are read by a system you did not consent to and cannot audit.

The trilogue endgame

Trilogue negotiations are closed-door meetings between representatives of the European Parliament, the Council, and the Commission. There is no public transcript. There is no live reporting. The outcome will be a single text that all three institutions must accept.

Based on the positions each institution has staked out, the most likely outcome is a compromise that adopts the Council's scanning mechanism with some of the Parliament's procedural safeguards:

Detection orders will likely require some form of judicial or administrative authorization, but may be issued at the platform level rather than for individual users.

The encryption safeguard language will likely remain in the final text, preserving the claim that encryption is not "broken" while mandating client-side scanning as an alternative.

A sunset clause or review mechanism may be included, but these have historically been weak — once surveillance infrastructure is built, it is not dismantled.

Age verification requirements may be bundled in, requiring platforms to verify user age before allowing access to E2EE services — another mechanism that undermines anonymous, private communication.

The Parliament's negotiators face pressure to accept a deal rather than let the file collapse entirely.
The Council has shown it will keep bringing the text back under every Presidency until it passes. The Commission's original proposal was the most expansive version; every subsequent revision has been framed as a concession while preserving the surveillance mechanism.

The voices pushing back

The opposition to Chat Control has been sustained and technically grounded:

Patrick Breyer, MEP (Pirate Party, Germany): Breyer has been the most consistent parliamentary opponent, maintaining a detailed archive of every Council text, legal opinion, and vote. He has called Chat Control "the end of digital privacy of correspondence in Europe" and has argued that the Council's "upload moderation" language is "mass surveillance by another name."

The EFF: The Electronic Frontier Foundation has documented how the proposal's scanning requirements are incompatible with encryption, regardless of implementation. The EFF has also highlighted the risk of mission creep: "Once the scanning infrastructure exists, the political pressure to expand its use to other categories of content will be relentless."

EDRi (European Digital Rights): EDRi has coordinated opposition across over 300 civil society organizations and helped organize open letters signed by more than 70,000 individuals. EDRi has emphasized that the proposal would make the EU the first democratic jurisdiction to mandate mass scanning of private communications.

Access Now: Access Now has argued that the proposal violates Articles 7 and 8 of the EU Charter of Fundamental Rights — the rights to private life and personal data protection. The Council Legal Service issued a non-public opinion in 2023 reaching a similar conclusion, according to reporting by Politico Europe.

Signal Foundation: Signal has repeatedly stated it would leave the EU market rather than implement client-side scanning. Signal President Meredith Whittaker has called client-side scanning "a surveillance system dressed up as a safety feature."
The encryption "exception" that isn't

The most consequential rhetorical move in the Chat Control debate has been the claim that the proposal "protects encryption." This claim rests on a narrow technical definition: the proposal does not require platforms to weaken the encryption algorithm itself.

But encryption is not just an algorithm. It is a system. And the system that the Council's text mandates works like this:

1. You compose a message.
2. A scanner on your device reads the message and checks it against a database.
3. If no match is found, the message is encrypted and sent.
4. If a match is found, the message is reported before encryption.

Step 2 is the surveillance. The encryption in step 3 provides no protection against it, because the content has already been read. This is not an exception for encryption. It is a bypass.

The practical effect is that every encrypted messaging platform in the EU — Signal, WhatsApp, iMessage, Threema, Element — would need to install a scanner between the user and the encryption layer. The scanner would be mandatory, its database would be remotely controlled, and its operation would be invisible to the user.

This is what "protecting encryption" means in the Council's text: the encryption still exists, but it is rendered meaningless by a mandatory surveillance checkpoint that operates before encryption is applied.

How this fits the global pattern

The EU's Chat Control proposal is not happening in isolation. It is part of a coordinated international effort to undermine encryption through legislative means.

The UK's Investigatory Powers Act (2016, amended 2025): The UK used the IPA's Technical Capability Notice provision to secretly demand Apple build a backdoor into Advanced Data Protection. Apple refused and withdrew ADP from the UK in February 2025. UK users still do not have ADP.
The IPA also includes Section 122, which gives the government power to issue notices requiring the removal of electronic protection — including encryption — from communications.

Canada's Bill C-22: Canada's proposed lawful access legislation would give the Minister of Public Safety the power to issue Technical Capability Notices identical in structure to the UK's, including gag provisions that prevent companies from disclosing the existence of surveillance demands. As we've documented, C-22 would import the UK's secret backdoor framework into Canadian law.

Australia's Assistance and Access Act (2018): Already in force. Allows the government to compel companies to build surveillance capabilities into their products. The details of specific notices are secret. Australia was the first Five Eyes nation to enact this type of legislation.

The pattern across all four jurisdictions is the same: legislation that claims to target specific harms (CSAM, terrorism, organized crime) while creating surveillance infrastructure that is architecturally incapable of being limited to those targets. The infrastructure is general-purpose. The policy promises are not.

What Europeans can do

The trilogue negotiations will conclude in the coming weeks. The outcome is not yet determined. Here is what individuals and organizations can do:

Contact your MEP. Members of the European Parliament are directly elected and responsive to constituent contact. Find your MEP through the European Parliament website. Tell them you oppose any version of CSAR that includes client-side scanning or mass detection orders. The Parliament's 2023 position rejecting mass scanning was the result of sustained public pressure. That pressure needs to continue.

Use and support E2EE tools. Signal, Threema, Tuta, Element/Matrix, and Session all provide end-to-end encryption. Signal and Threema have committed to leaving the EU rather than implementing client-side scanning.
Using these tools now strengthens the market position of companies that will resist compliance mandates.

Support digital rights organizations. EDRi, Access Now, EFF, Digitale Gesellschaft, La Quadrature du Net, and national organizations across the EU have been the primary opposition force for three years. They coordinate legal analysis, organize public campaigns, and maintain the institutional memory that prevents each new "compromise" text from being accepted as novel.

Follow the file. Patrick Breyer's Chat Control archive and EDRi's tracking page are the most reliable sources for updates on Council texts, vote schedules, and trilogue developments. Mainstream coverage is sporadic and often accepts the "encryption safeguard" framing at face value.

Verify safety numbers. If you use Signal or any E2EE app, verify safety numbers with your contacts. If a platform is forced to implement client-side scanning, the safest way to detect a compromised build is to notice when encryption keys change unexpectedly.

Prepare for platform exits. If Chat Control passes in a form that mandates client-side scanning, several major E2EE platforms have stated they will leave the EU. Have a backup communication plan. Keep offline records of your contacts. Identify which people in your network are on which platforms so you can coordinate a migration quickly.

---

The EU has spent five years trying to pass a law that would make it the first democratic jurisdiction to mandate the scanning of every private digital communication. Each failure has been followed by a revision that narrows the language while preserving the mechanism. The trilogue is the last institutional checkpoint before the proposal becomes law.

The claim that this can be done without breaking encryption is technically false. The claim that scanning infrastructure will be limited to CSAM is politically naive. The claim that this only affects the EU ignores the global pattern of copy-paste surveillance legislation.
Five years of opposition have slowed Chat Control. They have not stopped it. The next few weeks will determine whether the EU becomes the testing ground for mass digital surveillance — or whether the Parliament's position holds. The scanner is not on your phone yet. Keeping it off requires continued attention, not assumed safety.
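
The four-step flow described under "The encryption 'exception' that isn't" and the hash-and-compare mechanism described under "Why client-side scanning breaks the E2EE promise", modelled as an added example that is not code from this article or from any messaging project. Assumptions: SHA-256 exact matching stands in for the content hash, a toy keystream stands in for the E2EE cipher, a matched message is reported and not sent, and the names `toy_cipher`, `Client`, `update_match_list` and `demo` are hypothetical.

```python
import hashlib
import os
from dataclasses import dataclass, field

def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR keystream standing in for the E2EE layer. Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class Client:
    session_key: bytes
    match_list: set = field(default_factory=set)  # opaque hashes pushed remotely
    reports: list = field(default_factory=list)   # what leaves the device outside E2EE

    def update_match_list(self, hashes):
        # The client cannot tell what content a hash stands for.
        self.match_list = set(hashes)

    def send(self, plaintext: bytes):
        digest = hashlib.sha256(plaintext).hexdigest()  # step 2: scanner reads plaintext
        if digest in self.match_list:
            self.reports.append(digest)                 # step 4: reported before encryption
            return None                                 # assumption: matched message is not sent
        nonce = os.urandom(12)
        return nonce, toy_cipher(self.session_key, nonce, plaintext)  # step 3

def demo():
    key = os.urandom(32)
    client = Client(session_key=key)
    listed = b"constructed sample: content on the original list"
    leaflet = b"constructed sample: protest meeting, Friday 18:00"
    client.update_match_list({hashlib.sha256(listed).hexdigest()})
    nonce, ct = client.send(leaflet)
    before = {"reported": len(client.reports), "ciphertext_differs": ct != leaflet}
    roundtrip_ok = toy_cipher(key, nonce, ct) == leaflet
    # The list grows server-side; no client code changes and the user sees nothing.
    client.update_match_list(client.match_list | {hashlib.sha256(leaflet).hexdigest()})
    result = client.send(leaflet)
    after = {"reported": len(client.reports), "sent": result is not None}
    return {"before_update": before, "after_update": after, "roundtrip_ok": roundtrip_ok}

if __name__ == "__main__":
    print(demo())
```

The same message is encrypted and delivered under the first list and reported under the second, with the cipher and the client code unchanged between the two sends.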