Chat Control hits the wall – what’s next?
The European Union has proposed the Child Sexual Abuse Regulation (CSAR), also known as “Chat Control,” to combat the sexual abuse of children. This controversial regulation, which involves scanning private messages, is intended to protect children from exploitation. As opposition mounts from several member states and the public, the EU is refining the proposal, with a final decision expected in 2026.
Author: Amelia Ochlanek
The mass-surveillance under the disguise of protecting children and unlimited access to the messages, photos, videos, and even private files, borders on a paradigm shift in digital privacy, challenging the very essence of confidential communication. No matter how extreme it may sound, this is a project proposed by the European Union, commonly known as Chat Control. On the 11th of March the European Parliament supported extending the “voluntary” Chat Control regulation. Digital rights advocacy groups and privacy-conscious citizens have voiced significant opposition. What does this mean for the users of telecommunication services? And what does the regulation imply according to European law?
The Chat Control 1.0 – where it all began
In 2021 the European Union accepted the first draft of the Child Sexual Abuse Regulation (CSAR). It allowed telecommunication service providers to scan messages and e-mails to search for illegal Child Sexual Abuse Material (CSAM). The EU Commission justified its decision arguing that the end-to-end encryption makes it impossible for police to find predators. The critics of this project called it Chat Control 1.0. due to its impact on private messaging. Initially, the procedure conducted by telecommunication service providers was not mandatory and excluded encrypted messages. However, it allowed tech giants such as Meta, Google, Microsoft to scan private messages, which created serious concerns regarding users privacy.
Chat control 2.0
Nevertheless, in 2022 a full, permanent version of the regulation was proposed. It suggested a shift from voluntary to mandatory scanning of all messages (included the encrypted ones). What is more, it included mandatory age verification (proven by providing an ID or a face scan), scanning of private storage, and network blocking. This met with an enormous disapproval from public opinion, both citizens as well as the LIBE committee, which opted for protecting encryption and limit scanning.
After such this significant backlash, further changes were made in 2024. This time, only files, URL addresses and multimedia were supposed to be scanned, nonetheless the project got rejected once more. Even though the measures were less drastic, they still violated privacy. These concerns led Poland to propose another draft, which excluded scanning encrypted messages. In 2025 a compromise was reached – the mandatory part of the scanning was removed but the project used vague language, such as “risk mitigation”, which provided a backdoor for tech companies.
The legal basis for these acts are expiring on April 3, 2026. The EU Commission requested an extension of the Chat Control 1.0 but the LIBE Committee rejected the demand. Currently there are four countries, which are opposing Chat Control: the Czech Republic, Italy, the Netherlands, and Poland.
Has Chat Control ever been a lawful project?
Considering project’s enormous impact on privacy, questions concerning its lawfulness are inevitable. Currently, the practice of voluntary scanning (Chat Control 1.0) is technically lawful because the EU enacted a temporary derogation from the ePrivacy Directive. This exemption allows online platforms to use specific tools to search for CSAM without violating any law.
However ePrivacy Directive is not the only regulation concerning online data protection. Under the General Data Protection Regulation (GDPR), advocates for data protection as well as the European Data Protection Supervisor argue that current voluntary scanning, without necessary safeguards, violates fundamental rights. According to the EDPS EU regulations should guarantee that scanning is not used as a mass-surveillance tool and that data processing has a legal foundation.
It comes as no surprise that if the „lighter” version of the projects caused such arguments, the Chat Control 2.0 turned out to be even more controversial. The European Court of Justice has set a precedent, often cited by critics of CSAR as an analogy: permanent, general, and indiscriminate automated analysis of private communications violates fundamental rights and is prohibited.
The right to privacy and the rights of children at stake
The „fundamental rights” usually cited by critics include the right to privacy and protection of personal data that can be found in e.g. Charter of Fundamental Right of the EU. However, the opponents argue that article 17 of the European Social Charter states „The right of children and young persons to social, legal and economic protection”.
Groups such as Eurochild and IWF believe that Chat Control will help protect children more effectively. As one of the examples they point that in 2020, when companies were unsure whether scanning was lawful, the number of CSAM reports drooped by 58% over 18 weeks. Moreover, they see scanning as a necessary response to the AI revolution, with an increasing number of CSAM generated by AI.
Nevertheless, it is important to note that scanning user’s devices completely destroys end-to-end encryption. In order to be able to scan encrypted messages companies must create „backdoors”, which creates safety gaps. Furthermore, according to German and Swiss law enforcement agencies, up to 80% of reports are false positives, including teenagers sexting or family vacation picture. Automated AI algorithms used to scan messages fail to understand jokes, right context and nuance, leading to frequent mistakes.
What’s next?
On 11th of March a decisive plenary vote was held in the European Parliament. MEP’s supported the extension of Chat Control 1.0 but they also implemented the LIBE’s committee recommendations, from now on scanning should concern only suspected individuals. Furthermore, the current mandate explicitly excludes the breaking of end-to-end encryption. However, it is not the end of the battle, the negotiations for the permanent law (Chat Control 2.0) are ongoing. Two more rounds of negotiations are scheduled to be held in 2026, if the political agreement is reached, the formal adoption of the Chat Control 2.0 regulation is expected in July 2026. There is no doubt that in the era defined by the ubiquity of AI, the early digital immersion of children and where data has become a primary global currency, establishing clear regulations is a crucial step for democratic societies. However, this legislative process should not compromise the right to privacy, it should include a balance between public opinion and experts testimony. Reconciling privacy with child safeguarding constitutes a formidable challenge, which requires consensus-driven solutions. That is the only way to ensure the effectiveness and resilience of such regulations.
Bibliography:
[1] Breyer, Patrick. “Historic Chat Control Vote in the EU Parliament: MEPs Vote to End Untargeted Mass Scanning of Private Chats.” Patrick Breyer (blog), March 11, 2026. https://www.patrick-breyer.de/en/historic-chat-control-vote-in-the-eu-parliament-meps-vote-to-end-untargeted-mass-scanning-of-private-chats/
[2] Fight Chat Control. “Fight Chat Control.” Accessed March 8, 2026. https://fightchatcontrol.eu/.
[3] Electronic Frontier Foundation. “Chat Control Is Back on the Menu in the EU—and It Still Must Be Stopped.” September 29, 2025. Accessed March 9, 2026. https://www.eff.org/deeplinks/2025/09/chat-control-back-menu-eu-it-still-must-be-stopped-0.
[4] European Data Protection Supervisor. “Extension of Interim Rules to Combat Child Sexual Abuse Online Must Address Shortcomings and Prevent Indiscriminate Scanning.” Press release, February 8, 2024. Accessed March 10, 2026. https://www.edps.europa.eu/press-publications/press-news/press-releases/2026/extension-interim-rules-combat-child-sexual-abuse-online-must-address-shortcomings-and-prevent-indiscriminate-scanning_en
[5] Heise Online. “Setback for the Commission: EU MEPs Let Chat Control Fail.” March 3, 2026. Accessed March 11, 2026. https://www.heise.de/en/news/Setback-for-the-Commission-EU-MEPs-let-chat-control-fail-11197237.html.
[6] Internet Watch Foundation. “Why the EU’s Temporary Law Allowing Companies to Detect Child Sexual Abuse Online Must Be Extended.” IWF Blog, February 22, 2024. Accessed March 8, 2026. https://www.iwf.org.uk/news-media/blogs/why-the-eu-s-temporary-law-allowing-companies-to-detect-child-sexual-abuse-online-must-be-extended/