Untargeted mass scanning of your private chats. That's what Big Tech has been allowed to do since 2021 on a voluntary basis — until now.
What's been dubbed Chat Control 1.0 is the interim law that gives the green light for messaging services and social media providers to scan our communications in the lookout for child sexual abuse material (CSAM).
Article continues belowCSAM scanning will now need to be “proportional and targeted”, and end-to-end encrypted communications, such as WhatsApp, Signal, and Telegram, for example, are out of scope
While this is very much a battle won for the digital rights-conscious citizens of Europe, it’s still just an interim measure. With the EU Council, Commission, and Parliament still debating the details of the Child Sexual Abuse Regulation (CSAR) Bill – what critics have labelled Chat Control 2.0 – the privacy war rages on.
What’s wrong with untargeted CSAM scanning
The problem with untargeted CSAM scanning lies in its potential for mass surveillance and the inherent technical and legal flaws.
Prior to the Wednesday vote, Chat Control 1.0 — officially interim ePrivacy derogation 2025/0429(COD) — enabled internet service providers to automatically check all users' private messages in the lookout for illegal material. Chats were scanned, and suspicious images and videos compared with databases of known CSAM.
This practice, however, is legally problematic — the confidentiality of electronic communications is a fundamental principle of the ePrivacy Directive.
🗳️@Europarl_en has endorsed extending a current ePrivacy derogation so that service providers can voluntarily detect child sexual abuse material- support for extension until 3 Aug 2027- MEPs want to keep encrypted communications out of scopeNext: talks w/@EUCouncil 1/2 pic.twitter.com/etUSugWObxMarch 11, 2026
Privacy experts have long warned that mass, untargeted scanning, even when voluntary (i.e. even when the companies are not forced to do it), still harms security and privacy. What’s more, the last five years of open CSAM scanning have uncovered mostly legal shortcomings and false positives, and very little actual prevention of CSAM.
In fact, as digital rights experts at Netzpolitik noted, the latest CSAM scanning evaluation published by the EU Commission in November still "fails to provide sufficient facts and statistics to judge the proportionality of voluntary chat monitoring."
On February 16, the European Data Protection Supervisor (EDPS) — an independent supervisory authority with responsibility for monitoring the processing of personal data by EU bodies — also published its opinion, arguing that the Chat Control 1.0 extension “must address shortcomings and prevent indiscriminate scanning."
Finally, a coalition of 50+ civil society organizations, cryptographers, computer scientists, and other digital rights experts signed an open letter to urge lawmakers to vote against the extension, arguing that the interim law would "allow Big Tech companies to continue to scan billions of private messages (chats), emails and social media posts of people across the EU, and report them to a US center in case they suspect abuse material is being shared."
In the end, it seems, it was enough to make legislators think twice, at least for now.
How the new rules look like
At Wednesday’s plenary vote, lawmakers agreed to limit the scope of the scanning.
They have inserted a new clause which states that data processing must be targeted, specified, and limited to individual users or specific groups (such as subscribers to a specific channel).
Additionally, this targeted processing is only permitted when there are reasonable grounds of suspicion of a link to child sexual abuse material, and the targets must be identified by a competent judicial authority.
The new rules explicitly exclude end-to-end encrypted communications and the scanning of audio messages from the scope of the law.
What's next for our privact chats
After years of campaigning, the EU Parliament’s response to the complaints is heartening for digital rights activists, but the recent concessions may not reflect the final decision.
The EU Council, Commission, and Parliament are currently going through the remaining negotiations on the permanent legislation that will replace the interim CSAM scanning law.
The Council may have reached an agreement at the end of last year, but the proposal going to the trialogue is still "a disaster waiting to happen" according to technologists and privacy experts because "voluntary CSAM scanning" is still a main component with few strong provisions to protect encrypted communications.
Yet, since the November vote on Chat Control, there have been some changes to the discussion. Back in December, the EU Commissioner for Home Affairs, Magnus Brunner, backed the Parliament line on targeted monitoring.
Now, the EU Parliament's strengthened stance on encryption and targeted scanning shows us that some other lawmakers are ready to fight against rules that could inadvertently put Europe into a downward spiral of mass surveillance.
The CSAM bill still includes provisions on age verification that remain problematic for privacy, according to over 400 scientists who are calling for a halt to these measures until a "scientific consensus" regarding the technical feasibility and benefits is reached.
With all this mounting pressure on Chat Control, the digital rights lobby might smell victory, but the matter is far from decided and, how Big Tech might feel about the outcome, well, that’s another story.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.