"A disaster waiting to happen" – The privacy tech world reacts to the new Chat Control bill

After three years of back-and-forth, the EU Council finally agreed on the controversial Child Sexual Abuse Regulation (CSAR) bill on November 26, 2025. The bill – which has gained the nickname, Chat Control – is now likely to become law.

Despite winning the majority, the compromise on voluntary chat scanning did not garner support from all states, with Italy, the Czech Republic, Poland, and the Netherlands still in opposition to the current text. And privacy experts aren't ready to celebrate, either.

"A very sad day for privacy and a missed opportunity to invest in efforts to effectively protect children," commented Belgian cryptographer Bart Preneel on LinkedIn. Preneel was among the scientists who signed an open letter a few days before the vote to warn that the compromise still "brings high risks to society."

According to former MEP for the German Pirate Party and digital rights jurist, Patrick Breyer, the EU Council has endorsed a Trojan Horse rather than fixing previous issues with the bill.

"By cementing 'voluntary' mass scanning, they are legitimizing the warrantless, error-prone mass surveillance of millions of Europeans by US corporations," he said. "This is not a victory for privacy; it is a disaster waiting to happen."

Despite the privacy backlash, the November 26 agreement means that the Danish proposal will continue to the final step of the legislative process. The EU Council, Parliament, and Commission are set to begin the trialogue negotiations to confirm the final text, with adoption expected by April 2026.

"Voluntary mass surveillance"

The biggest change with the new Danish Chat Control text is in its approach to chat scanning. From forcing messaging services – including those using end-to-end encryption – to perform indiscriminate scanning on the lookout for child sexual abuse material (CSAM), providers will now have the option to choose whether to scan all users' chats or not.

This has been considered a victory by many, as it saves encryption from being undermined with a backdoor. Director of Government Affairs and Advocacy at the Internet Society, Callum Voge, told TechRadar it was "a positive step forward for the security of communications of European residents."

But the devil may be in the details. The text does include a provision that could force companies to scan messages if their services are deemed to be "high-risk." The bill also includes the possibility for the European Commission to review the law every three years, so widespread scanning could be implemented at a later date.

And while Recital 17a says that "Nothing in this Regulation should be understood as imposing any detection obligations on providers," it's yet to be seen how this wording is interpreted at the trialogue negotiations.

What's certain is that, for Breyer, "voluntary" scanning still fails short in protecting EU citizens from mass surveillance. He said: "Calling this ‘voluntary’ does not make the violation of the digital secrecy of correspondence any less severe. We must stop pretending that 'voluntary' mass surveillance is acceptable in a democracy."

This stance is also shared by one of the best VPNs on the market, Mullvad VPN. "The EU Council failed to implement mandatory mass surveillance. However, in its proposal, they are laying the groundwork for mass surveillance in the future."

Beyond scanning and encryption

While the new Chat Control has tried to fix existing privacy and security issues around mandatory encryption backdoors, it has also added other provisions that experts fear could jeopardize EU citizens' digital rights.

Under the November 13 proposal, messaging service providers must take all necessary measures to protect children, including performing age verification checks to "reliably identify child users."

While the Council stressed that age verification methods must be "privacy-preserving," many think this will be impossible to achieve in practice.

"Even if age verification is done in a privacy-friendly way (unclear that this is how it will work), it is easy to bypass (just check what happened in the UK)," Preneel wrote on LinkedIn. He was likely referring to the spike in VPN usage linked to age verification laws.

All in all, Preneel says: "Age assessment is highly problematic for privacy. There is no scientific study demonstrating that these technologies are effective."

The bill's new text also contains provisions on website blocking obligations that worry the team at Mullvad. "Once this infrastructure is in place, it also opens the door to a slippery slope when it comes to censorship," said the Swedish VPN firm.

What's next?

Despite the controversy, the Danish Presidency managed to convince the majority of EU members to support its compromise, paving the way for the trialogue negotiations to finally kick off.

This means that the EU Parliament, Council, and Commission are now set to work together to agree on a final, binding text.

"My expectation is that there will be strong pressure to conclude these negotiations quickly," Voge told TechRadar. However, he said the April deadline may be too soon to finalize the bill.

As discussions are set to start soon, Mullvad is urging the Parliament to stand firm and not deviate from previous positions, urging MEPs to say "no to mass surveillance whatsoever without suspicion and a court order, no ID-verification requirements, and no censorship of legal content."

According to Voge, however, the EU Commission is most likely to put its foot down if needed. He said: "The Commission is the one that has an opposing view when it comes to encryption. We will need to watch the trilogue closely to see what trade-off the three parties might agree to."

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!