9 July 2026 – The European Parliament today cleared the way for the re-enactment of the so-called “voluntary chat control”. Behind the technical term lies a question that concerns everyone who uses a smartphone: may private messages be searched automatically, without any concrete suspicion? In this article, we explain the legal substance of the decision and what it means for fundamental rights, companies and citizens.

The Decision
Parliament allowed the re-enactment of the interim regime to pass. Providers of messaging, e-mail and hosting services may therefore once again voluntarily scan private, unencrypted communications for child sexual abuse material (CSAM) on an automated basis – by way of derogation from the ePrivacy Directive, which otherwise strictly protects the confidentiality of electronic communications. The regime applies until 2028, or until agreement is reached on the permanent CSA Regulation.
One notable point: end-to-end encrypted communications were expressly excluded from the scope of the regulation. In practice this changes little – providers could never read encrypted content anyway – but as a matter of law, the clarification is an important signal for the protection of encryption, one that Europe’s data protection authorities have been demanding for years.
What Is This Actually About? “Chat Control 1.0” and “2.0”
The term “chat control” covers two distinct legislative projects that must be kept legally separate:
“Chat Control 1.0” is the temporary Regulation (EU) 2021/1232 (Interim Regulation). It allowed providers such as Meta, Google or Microsoft to scan unencrypted messages and files for known abuse material voluntarily, in derogation from the ePrivacy Directive. That exemption expired in early April 2026. Parliament today allowed its re-enactment, limited until 2028, to pass.
“Chat Control 2.0” is the far more sweeping CSA Regulation proposed by the European Commission in May 2022. It would oblige providers to scan on the basis of administrative “detection orders” – under the original draft even on end-to-end encrypted services, using client-side scanning, i.e. inspecting content directly on the user’s device before encryption. Parliament, Council and Commission are still negotiating this regulation in trilogue. Today’s decision does not directly concern it – but it shows the direction in which the European debate on the confidentiality of digital communications is heading.
One point is essential to understand: “voluntary” does not mean that users consent to the scanning. The choice is voluntary only for the provider – whose messages are searched is decided neither by the person concerned nor by any independent body.
The Fundamental Rights Dimension: Why Scanning Private Communications Is So Sensitive
Protecting children from sexual violence is an objective of the highest order – no serious data protection critique questions that goal. The legal question is a different one: is the suspicionless screening of everyone’s communications a proportionate means?
Core fundamental rights are at stake:
The confidentiality of communications forms part of the right to respect for private life under Article 7 of the EU Charter of Fundamental Rights, complemented by the right to the protection of personal data under Article 8 of the Charter. In Germany, Article 10 of the Basic Law additionally protects the secrecy of telecommunications – the digital counterpart of the secrecy of correspondence.
The Court of Justice of the European Union has, in settled case law (including Digital Rights Ireland, Tele2 Sverige/Watson and La Quadrature du Net), drawn tight limits around suspicionless surveillance. Particularly relevant here: measures granting authorities generalised access to the content of communications are, under this case law, liable to affect the essence of the rights guaranteed by Articles 7 and 8 of the Charter – the inviolable core that even legitimate objectives may not touch.
This is precisely where the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) direct their criticism. In their Joint Opinion 04/2022 on the CSA Regulation, both institutions conclude that the detection of previously unknown material and of “grooming” in particular – given its intrusiveness, its probabilistic nature and the error rates of the technologies involved – goes beyond what is necessary and proportionate. On encryption, the EDPB and EDPS expressly call for a statutory clarification that nothing in the regulation may be interpreted as prohibiting or weakening encryption (Joint Opinion 04/2022). End-to-end encryption technically guarantees that only sender and recipient can read content – any scanning infrastructure, whether server-side or on the device, structurally breaks that promise and creates security gaps that criminals and foreign states can exploit as well.
What Does the German Data Protection Authority Say? The BfDI’s Position
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has taken a repeated and unambiguous stance: while the objective of fighting abuse deserves full support, the EU legislator’s proposal clearly overshoots the mark. In the BfDI’s assessment, chat control would offer children little protection but would mark Europe’s entry into suspicionless, blanket surveillance of private communications, respecting neither the requirements of proportionality nor the fundamental rights guaranteed by the EU Charter and the German Basic Law.
Three points of the BfDI’s analysis deserve particular attention:
No protection for professional secrecy: The scanning obligations envisaged in the CSA Regulation provide for no exemptions – not even for communications between lawyer and client or doctor and patient. Legally protected professional secrecy (Section 203 of the German Criminal Code, Section 43a of the Federal Lawyers’ Act) would effectively be hollowed out.
Untenable error rates: According to the BfDI, some of the detection technologies still show error rates of up to 12%. On a service like WhatsApp, with roughly two billion users worldwide, up to 240 million people could be wrongly accused of distributing abuse material. The EDPB and EDPS make the same point: given the sheer volume of communications, even a very low false-positive rate translates into an enormous absolute number of wrongful suspicions – with severe consequences for those affected.
A weak role for supervisory authorities: Data protection authorities would merely be consulted through non-binding opinions before a technology is deployed, with no ongoing oversight afterwards. For interferences of this gravity, the BfDI considers that plainly insufficient.
Consequences for Tech Companies
For providers of communication and hosting services, today’s decision has immediate compliance relevance:
Legal basis restored: Providers regain an EU-law basis for voluntarily scanning unencrypted content – subject to the conditions and reporting duties of the interim regulation. “Voluntary” means: the decision whether and how to scan lies with the provider, not with an authority and not with the user. Companies that scan must observe transparency obligations (Articles 13 and 14 GDPR), data subject rights and the principle of data minimisation; the false-positive risk remains a substantial liability and reputational issue.
The April-to-July gap remains sensitive: Providers that continued scanning after the old regime lapsed in April did so without an EU-law derogation – for that period, data protection risks persist and are not retroactively cured by today’s decision.
For end-to-end encrypted services, the decision changes nothing – the interim regime now even expressly excludes encrypted communications. The real strategic decision will be taken in the trilogue on the CSA Regulation. Companies should use this moment to review which of their communication channels are genuinely end-to-end encrypted, which data sits with providers that scan voluntarily, and whether confidential internal and external communications (for instance with legal counsel) run through appropriate channels.
Consequences for Citizens
For the roughly 450 million people in the EU, suspicionless scanning means that private messages, family photos and intimate conversations are algorithmically searched without any concrete suspicion – as if every letter were opened before delivery. Anyone wrongly flagged risks having their data forwarded to reporting bodies and law enforcement, with all the burdens such a suspicion entails. The EDPB and EDPS also warn of a chilling effect on free communication: people who must expect to be read along with communicate differently – a burden that falls hardest on journalists, whistleblowers and people in sensitive situations.
Outlook
Today’s vote is only one stage. The decisive battle over mandatory chat control – including the question of whether end-to-end encryption may be touched at all – will be fought in the trilogue on the CSA Regulation; negotiations resume in September. The CJEU’s case law sets the legislator narrow limits here; should a suspicionless scanning obligation be enacted, litigation up to the CJEU is a near certainty. Effective child protection and the protection of confidential communications are not opposites – targeted, suspicion-based and proportionate measures can achieve both. That is exactly what Europe’s data protection authorities have been urging since 2022.
Wondering what the new legal situation means for your communication services, internal processes or data protection compliance? The Legal Living Hub team is happy to advise – practical, accessible and up to date with the latest European legislation.
Sources: Regulation (EU) 2021/1232; Proposal COM(2022) 209 final (CSA Regulation); EDPB-EDPS Joint Opinion 04/2022 of 28 July 2022; BfDI, briefing on the planned EU Regulation to prevent and combat child sexual abuse; European Parliament voting results of 11 March, 26 March and 7 July 2026.




