This is an English translation. Read the Icelandic original
🏛️Democracy & Sovereignty

Is the EU introducing mass surveillance of private messages? (“Chat Control”)

No. “Chat Control 1.0” originally took effect in 2021 and allows messaging services to scan for child sexual abuse material. It is a temporary permission, not an obligation, and it is the companies that scan, not governments. The permanent regulation, “Chat Control 2.0”, is still a proposal and, as things stand, unlikely to pass.

The “Chat Control” debate often mixes up two separate files that have been moving in parallel through the EU institutions. They have little in common beyond their subject: the fight against child sexual abuse material online.

What is “Chat Control 1.0”?

“Chat Control 1.0” is Regulation (EU) 2021/1232, a temporary derogation from the privacy provisions of the ePrivacy Directive. It allows telecoms and messaging services, but does not oblige them, to scan unencrypted private messages and email for known child sexual abuse material (CSAM). In practice only a handful of mostly American, unencrypted services use the permission, among them Gmail, Facebook/Instagram Messenger, Snapchat, iCloud Mail and Xbox. Encrypted communications, such as Signal, WhatsApp and iMessage, have never been scanned under this regulation.

What is “Chat Control 2.0”?

“Chat Control 2.0” is the Commission's proposal from May 2022 for a permanent regulation against child sexual abuse (CSAR). In its original form it would have let authorities issue “detection orders” obliging services to search their users' communications — including scanning on users' own devices (client-side scanning), which would also reach encrypted services. It is this proposal that has drawn fierce criticism from data protection authorities, cryptographers and civil rights organisations.

What happened in March and July 2026?

On 26 March 2026 the European Parliament rejected an extension of the derogation regulation (1.0) and it expired on 3 April. This was widely read as “Chat Control stopped”. But in late June the Parliament's president, Roberta Metsola, reopened the file, and the Council sent it back to the Parliament just before the summer recess, under an urgent procedure.

The point most often misunderstood is the vote on 9 July: 314 MEPs voted against the extension and 276 for. A simple majority was thus against extending Chat Control 1.0. But because this was a second reading, rejecting the measure required an absolute majority of all 720 MEPs, i.e. 361 votes. That fell 47 votes short, so the extension went through, until 3 April 2028. Critics called this — with some justification — a “backdoor adoption”, because the timing just before the summer recess made an absolute majority harder to muster.

In substance, though, the extension changes little: it keeps the voluntary scanning permission that had applied since 2021 and obliges no one to do anything. The reopened text also added amendments that specifically exempt services using end-to-end encryption, though critics doubt how much that exemption changes in practice.

Where does “Chat Control 2.0” stand?

The permanent proposal remains stuck in negotiations between Parliament and Council. Germany declared in the autumn of 2025 that it would vote against mandatory scanning without reasonable suspicion. At that, the Danish presidency dropped detection orders from its proposals, and the Council adopted a softened negotiating position in November 2025. Five trilogue rounds between Parliament, Council and Commission from December 2025 to June 2026 produced no agreement; the fifth, on 29 June 2026, collapsed over whether “voluntary” suspicionless scanning should become permanent. Talks continue under the Irish presidency this autumn.

The European Parliament's position has been consistent throughout: detection orders should only target specific users or groups on the basis of reasonable suspicion, they should only be issued by a judicial authority, and they should never reach end-to-end encryption. The Council's own Legal Service has moreover concluded that general scanning of communications, without suspicion and without a court order, is not compatible with Article 7 of the EU Charter of Fundamental Rights, on respect for private life and communications.

What is true in the criticism?

Two things. First, the procedure in July 2026 was unusual: a law was extended although a majority of the MEPs voting were against it, on the strength of procedural rules and timing. Second, the Commission's original 2.0 proposal did involve mass scanning that would have undermined encryption. Experts also point to the base-rate problem: child sexual abuse material is a tiny fraction of total traffic, so even a scanning system with a 0.01% error rate would wrongly flag millions of messages with nothing wrong in them.

But the criticism has its limits too. The system in force today (Chat Control 1.0) is voluntary, does not touch encrypted communications, and gives governments no direct access to private messages. And the mass surveillance version of 2.0 has precisely not become law, because of democratic opposition within the EU system itself: from the European Parliament, from member states such as Germany, and from the Council's own Legal Service.

Does this matter for the membership question?

Less than one might think. The ePrivacy Directive that the derogation rests on is part of the EEA Agreement, and both Chat Control files are marked as EEA-relevant. Rules of this kind can therefore reach us through the EEA Agreement whether we join the EU or not. The difference membership would make is that we would have a vote in the Council and representatives in the European Parliament when files like these are drafted, debated and decided — precisely the arena where the mass surveillance ideas have been stopped so far.

In short: what was extended in July 2026 is the old, voluntary scanning permission for unencrypted services, controversial above all because of how it was adopted. The mass surveillance people fear — “Chat Control 2.0” with mandatory scanning — has not been adopted and remains stuck, precisely because the European Parliament and several member states reject scanning without reasonable suspicion.


Sources and further reading: