Chat Control 1.0 Revived in the EU: The Scanning Loophole Returns

Published by

The European Parliament has extended Chat Control 1.0 through a contentious procedural vote, keeping a controversial scanning loophole active until 2028. While the rule permits tech companies to voluntarily scan private communications for abuse material, it has reignited fierce debates over encryption standards and legislative transparency.



Chat Control 1.0 Revived in the EU After Controversial July Vote

The temporary scanning loophole that was supposed to expire in April has been extended until 2028, and the procedural trick Brussels used to get there is already sparking backlash from tech lobbyists and privacy advocates.

Chat Control 1.0 isn’t actually new software. It’s the public nickname for Regulation (EU) 2021/1232, a temporary derogation from the ePrivacy Directive adopted back in September 2021. The original deal was straightforward. It let online service providers voluntarily scan private communications for known child sexual abuse material while the EU figured out how to build a permanent framework. It was supposed to be a stopgap. It was supposed to die on April 3, 2026, when its clock ran out.

Instead, it came back.

Chatcontrol

On July 9 and 10, European Parliament President Roberta Metsola invoked Rule 163, an urgent procedure clause, to force a second reading of the expired regulation. The real twist came with how the vote was structured. Rather than voting on whether to pass the extension, MEPs were asked to reject it. Under parliamentary rules for a second reading, killing the law requires an absolute majority of the full 720-seat chamber. That means 360 votes.

Only 607 lawmakers showed up to vote that Thursday. When the ballots were counted, 315 had voted to scrap the derogation. It was enough to show majority opposition, but it fell short of the threshold. Chat Control 1.0 was effectively resurrected.

What the Revived Rule Actually Means for Tech

The revived derogation doesn’t force companies to scan user data. It just hands them a legal umbrella to do so without warrants. Service providers can now conduct voluntary scans for CSAM while remaining compliant with EU privacy law. The catch is that "voluntary" in Brussels tends to mean market pressure will eventually make it mandatory anyway.

If you run an email or messaging service operating in the EU, you’re looking at a gray zone. The rule applies to interpersonal communications services, which covers Gmail, iCloud Mail, Hotmail, Discord (which already had issues with Minecraft images), Slack, Microsoft Teams, Snapchat, and Xbox messaging. End-to-end encrypted platforms got a separate vote last week and remain exempt, but that shield is fragile. The regulation’s scope also spills into cloud file-sharing. Google Drive links or shared folders could theoretically fall under the scanning net once the Council finalizes the amendments.

The European Council has three months to approve or reject the extended derogation. If the member states push back, a conciliation committee will be convened. The timeline keeps shifting because the permanent legislation, officially the CSAR regulation or Chat Control 2.0, is still stuck in trilogue negotiations. Five rounds of talks, including one on June 29, ended without agreement. The proposed EU Centre on Child Sexual Abuse never materialized. Client-side scanning requirements remain theoretical.

The Backlash and the Broader Context

Patrick Breyer, the German MEP who has tracked this file since 2021, called the July maneuver a farce that damages democracy. He’s not wrong about the procedural optics. Scheduling a vote on the eve of the summer recess, flipping the threshold, and forcing a second reading on an expired law reads like a legislative backdoor.

Privacy groups have been screaming about this for months. Signal’s Meredith Whittaker and Tuta Mail’s Matthias Pfau both threatened to exit the EU market if the permanent CSAR proposal passes. The technical concerns are just as loud. Independent studies from the European Parliament’s research service point to the base rate problem. CSAM is an infinitesimally small fraction of total network traffic. Even a 0.01% false positive rate in a system scanning billions of messages will flag millions of innocent files. Teenagers already report feeling anxious when consensually shared images get caught in these dragnets.

Public opinion here is fractured. A 2026 CEDMO survey across nine EU member states found that 60% of respondents think Chat Control 2.0 will improve online safety. Roughly one in five is willing to protest. The rest are just watching to see how it plays out.

Keep in mind that the revived derogation remains valid until 2028, or until the EU finally passes a permanent solution. Tech compliance teams are currently auditing their scanning infrastructure. If you manage a platform or work in policy, you need to track the Council’s three-month window closely. The final amendments will dictate whether voluntary scanning stays theoretical or becomes de facto mandatory across the digital single market.