Chat Control Won't Die: Inside the EU's Latest Push
Key Takeaways
- Chat Control hasn't died. It changed its name and its timeline instead.
- The new plan would scan private messages before they get encrypted. That affects everyone, not just people suspected of illegal activity.
- EU lawmakers keep renewing "temporary" rules instead of writing a permanent law.
- Catching predators matters. Scanning every message in the EU isn't the only way to do it.
I've watched Chat Control get rejected, rebranded, and revived more times than I can count by now. The European Union's plan to scan private messages for child sexual abuse material keeps showing up under new names, new exemptions, and "temporary" extensions that never seem to actually expire. The latest move came in spring 2026, when the European Parliament voiced support for extending the current interim rules until August 2027. I think it's worth pausing on what this proposal actually asks for, why it keeps returning, and what it would mean if it ever became permanent.
What Chat Control Actually Does
At its core, Chat Control would require messaging apps and email providers to scan the content of your messages for known child abuse images, new images, and even signs of grooming conversations. Some versions of the plan ask messaging service providers to do this before a message gets encrypted, a method known as client-side scanning. In plain terms, that means software on your phone would check your messages before they're sent, even inside apps that promise end-to-end encryption.
This isn't the same as a company checking files that are already sitting on a public server. It's closer to having someone read your mail before you even lick the envelope. Supporters argue this is the only way to catch abuse material hidden inside encrypted chats. Critics, including Patrick Breyer's tracker of the chat control proposal, point out that scanning every message from every user turns a targeted investigation tool into mass surveillance of an entire population.
A Proposal That Won’t Stay Dead
The EU has been debating some version of this since 2022. The original proposal stalled more than once after member states and lawmakers raised concerns about encryption, false positives, and scope. Instead of disappearing, the debate shifted to a separate, narrower set of temporary rules that let companies voluntarily scan for abuse material under a temporary exemption from EU privacy law.
That temporary exemption keeps getting renewed. Civil liberties groups have pushed back on each extension, arguing that "temporary" measures with no real oversight have a tendency to become permanent by default. In March 2026, the European Parliament backed extending those interim rules until August 2027, according to the European Parliament's press release on the vote. Meanwhile, the broader mandatory scanning proposal hasn't gone away either. It resurfaces under new texts, new EU Council presidencies, and new framing every time momentum builds against it.
Why This Matters Beyond Brussels
It's easy to assume this is a Brussels problem that doesn't touch your daily life. I don't think that's true. If client-side scanning becomes mandatory, it would apply to ordinary people using ordinary apps, not just suspects under investigation. Scanning systems also make mistakes. Detection tools can flag innocent images, family photos, medical content, or content shared between consenting adults. A false flag can trigger an account suspension or even a police report before a human ever reviews the context.
There's also the question of precedent. Once a government builds a tool to scan private communications for one category of content, that infrastructure becomes available for other categories later. Encryption either protects everyone's messages, or it protects no one's. There's no technical way to build a backdoor that only the "good guys" can use.
None of this makes the underlying problem less real. Child sexual abuse material is a genuine crisis, and platforms and law enforcement need real tools to fight it. The question isn't whether to act. It's whether scanning every private message in the EU is an effective and proportionate way to do that, or whether it mostly creates new risks while burying investigators in false leads.
Safety and Privacy Aren’t Enemies
I don't buy the framing that you have to choose between child safety and privacy. That's a false choice, and I think groups on both sides of this debate know it. Targeted investigations, better funding for law enforcement units that already specialize in this work, and faster takedown cooperation with platforms can do real damage to abuse networks without scanning a continent's worth of private messages.
Privacy and free expression aren't luxuries for people with something to hide. They're basic conditions for a free society, the same way due process and a free press are. A surveillance tool built for one urgent cause today can be repurposed for a less urgent one tomorrow, under a different government and a different justification.
Chat Control keeps coming back because the political will to fight CSAM is real, and the public is, understandably, reluctant to be seen opposing child protection. But I think it's possible to support strong action against abuse material and still say no to a system that reads everyone's messages by default. Those two positions aren't in conflict. I'll keep watching where this goes next, because based on its track record, it isn't going away quietly.
Be part of the resistance, quietly.
Get Mysterium VPN

Gintarė is a cybersecurity writer at Mysterium VPN, where she explores online privacy, VPN technology, and the latest digital threats. With hands-on experience researching and writing about data protection and digital freedom, Gintarė makes complex security topics accessible and actionable.
