Blog
Regulation·July 10, 2026·8 min read

Chat Control: who actually reads your messages, and what just happened in Brussels.

On 9 July, the European Parliament revived, until 2028, the regulation that lets messaging services scan your conversations for child sexual abuse material. Behind the nickname "Chat Control" hide two very different texts and a lot of confusion. What the law actually allows, who scans what, and what is still to be decided for your private messages.

ME
Mohamed ESSID
Founder — Trasimène

Three months when scanning was illegal

Hardly anyone noticed: between 4 April and 9 July 2026, major messaging services were no longer allowed to analyse your conversations in Europe. The regulation that had allowed it since 2021, the one nicknamed Chat Control 1.0, was due to expire in the spring. On 26 March, the European Parliament refused to extend it. The result: no legal basis at all for three months. A legal vacuum nobody had really planned for.

Then the file came back, and this time the rules of the game had changed. At second reading, rejecting the Council's position takes more than a majority of the MEPs present. It takes an absolute majority of all 720 members, 361 votes. On 9 July, 314 MEPs voted to reject, 276 voted against rejection, 17 abstained. 47 votes short. The text is therefore deemed adopted, and voluntary scanning is legal again until 3 April 2028.

One element of the same vote deserves attention. MEPs adopted an amendment that explicitly excludes end-to-end encrypted messaging from the scope of the regulation. But the Council still has to accept it, and as we publish, it is not in force.

What the law actually allows

The official text is Regulation (EU) 2021/1232. Adopted in July 2021, it opens a temporary exception to the ePrivacy Directive, the law protecting the confidentiality of your electronic communications. In practice, it allows email and messaging providers to analyse what passes through their servers in order to detect and report child sexual abuse material, and to spot adults trying to approach children.

A few misconceptions are worth clearing up first. No messaging service is required to scan anything: the regulation lifts a ban for those that choose to do it, and most large American platforms were doing it long before 2021. Nor does the derogation allow anyone to look for anything else. Your political opinions or heated arguments are not the target; the tools mostly compare your images against databases of fingerprints of material already identified by the authorities.

That leaves the word "temporary", which deserves its quotation marks. The regulation was meant to last three years. It was extended in 2024, expired in April 2026, and has just been renewed for two more years. After this many exceptional extensions, the exception is starting to look like a habit.

Who scans what, in practice

If you use Gmail, Outlook, Facebook Messenger, Instagram or Snapchat, the photos and messages that travel unencrypted through the servers can be checked against those fingerprint databases. The scale shows in the numbers of NCMEC, the US body that centralises reports: 20.5 million in 2024, almost all generated by the platforms' automated scans.

End-to-end encrypted messaging plays in a different league. WhatsApp, Signal, iMessage, and Messenger since late 2023: on these services, the content of your conversations is unreadable to the servers carrying them. Only your device and your contact's device hold the keys. That is mathematics, not regulation, and no regulation changes it.

Which is exactly why the real debate of recent years has moved to a far more intrusive idea: scanning messages directly on your phone, before encryption. More on that below.

Machines that get it wrong

At this scale, automated scanning inevitably produces errors, and they are not rare. Amazon acknowledges using a deliberately broad detection threshold which, in its own words, yields a high percentage of false positives. Stanford researchers found that nearly 80% of the reports labelled "generative AI" sent to NCMEC in the first half of 2025 contained no AI-generated child sexual abuse material at all.

Behind the statistics there are people. The best-known case is an American father who photographed his son's infection to send to a doctor during the pandemic. The photos, automatically backed up to the cloud, triggered Google's algorithms. His account was closed overnight, ten years of emails and photos gone, and a police investigation opened. The investigation concluded the obvious: nothing to report. Google never restored the account.

That is the system's blind spot. An automated report is not evidence, but its consequences land immediately, and sometimes for good, before any human has seriously checked anything.

The real debate is not over

The permanent regulation, proposed in May 2022 and nicknamed Chat Control 2.0, originally went much further. It provided for mandatory detection orders: the power to force a messaging service, including an encrypted one, to analyse its users' communications. That text is what mobilised cryptographers, data protection authorities and much of civil society for three years, and kept the file stuck in the Council.

In November 2025, the Council finally dropped mandatory scanning from its negotiating position. What remains on the table is not trivial: a permanent framework for voluntary scanning, age verification duties that would also apply to encrypted services, "risk mitigation" obligations vague enough to keep pressure on encryption, and a dedicated EU centre. Negotiations between Parliament and Council resume in September 2026 under the Irish presidency.

In short: 1.0 has been extended, 2.0 is still being negotiated, and the central question has not moved an inch. Can an encrypted messaging service be forced to look inside its users' messages, yes or no?

What this changes for you

  • On services that are not end-to-end encrypted (classic email, social network private messages), your content can legally be analysed by detection algorithms. That was true before April 2026; it is true again.
  • On end-to-end encrypted messaging, servers cannot read your conversations. Just check that encryption is actually on: it is by default on WhatsApp, Signal and iMessage, not everywhere else.
  • An account can be suspended on the strength of an automated report alone, with no human involved. Keep an independent backup of what really matters, photos and documents, rather than trusting a single ecosystem with everything.
  • And the debate will continue: on-device scanning will be back on the table when negotiations on the permanent regulation resume.
End-to-end encryption is not a fraudster's tool. It is the technology protecting your banking, medical and family conversations. The whole European debate comes down to whether it can be weakened "just a little" to allow scanning. Cryptographers have been giving the same answer for ten years: encryption weakened for one purpose is weakened for everyone.

What Trasimène does, and what it does not

Let's be straightforward: no antivirus and no VPN will stop a messaging service from analysing what passes through its servers. Scanning happens on the platform's side, on content you have handed over to it. A VPN encrypts the path between your device and the server, not what the platform does with your data afterwards. If someone sells you "protection against Chat Control", be wary of the seller.

Trasimène's ground is the other side of your privacy: spyware installed on your phone, apps that siphon your data, phishing aimed at your accounts, and the confidentiality of your traffic on networks you do not control. Against server-side scanning, your best lever fits in one sentence: choose end-to-end encrypted messaging, and know what each service can, or cannot, do with your content.

Keep the map of the subject rather than the noise around it. What is in force today is voluntary scanning, limited to child sexual abuse material, on unencrypted services, extended until April 2028. What is still being decided is the fate of encrypted messaging, in Brussels from September. In the meantime, the good habits do not change: end-to-end encrypted messaging for what is private, independent backups for what is precious, and a little attention to what each platform does with your content.

Sources
  1. Regulation (EU) 2021/1232, official text of the ePrivacy derogation (EUR-Lex, 2021)
  2. Regulation (EU) 2024/1307, first extension of the derogation until 3 April 2026 (EUR-Lex, 2024)
  3. The Register, "EU 'Chat Control' snoopfest returns after vote to kill it falls short" (9 July 2026)
  4. Patrick Breyer (former MEP), "EU Parliament greenlights Chat Control 1.0" (9 July 2026)
  5. CDT Europe, response to the European Parliament rejection of the Chat Control 1.0 extension (March 2026)
  6. eucrim, "CSA Regulation: Council Position Reached" (November 2025)
  7. EU Perspectives, "Strict combating child sexual abuse, no mandatory scanning. Council has a common position on 'chat control'" (November 2025)
  8. NCMEC, CyberTipline Data 2024 (20.5 million reports)
  9. Stanford Center for Internet and Society, "Letter to NCMEC about AI-CSAM Report Statistics" (2025)
  10. The New York Times, "A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal." (August 2022)
  11. Meta Newsroom, "Launching Default End-to-End Encryption on Messenger" (December 2023)
Trasimène — Mobile security

See what Trasimène protects

Download Trasimène →
Related articles
Back to blog