The EU debate over end-to-end encrypted messaging has reached a new flashpoint, just days before the European Parliament’s summer recess. After Chat Control 2.0 — the proposal that would require mandatory, suspicionless scanning of all encrypted communications — stalled due to sustained parliamentary resistance, the Council of the EU has now moved with a procedural maneuver.
What happened
The original Chat Control 1.0 regulation expired on 3 April 2026. That regulation temporarily allowed tech companies to voluntarily scan private messages for known child sexual abuse material (CSAM) using AI and hash-matching, despite the EU’s strict e-Privacy rules. Parliament and Council couldn’t agree on an extension, so it lapsed.
The Council’s problem: an expired regulation cannot simply be extended. So rather than extending it, the Council drafted a new regulation — with largely identical content — and adopted it via written procedure on Thursday.
The new text is now being pushed into Parliament’s agenda as an emergency item for Tuesday, aiming for a vote on the last session day before summer recess, when many Members of Parliament have already travelled home.
Why timing matters
The proposal is in its second reading. At this stage, stopping or amending it requires an absolute majority of all MEPs — not just a majority of those present. That threshold is extremely difficult to reach in the final days before a summer break, when attendance is lowest.
Critics are calling this deliberate: force a vote when as many opponents as possible are absent.
What the regulation actually does
Despite the Council’s assurances that scans would be “limited to what is strictly necessary,” the regulation is broad:
- Voluntary scanning by email and messaging providers for CSAM using AI and hash-matching
- Traffic and content data may be retained for up to 12 months after a detection, unless a concrete suspicion emerges
- No general mass surveillance — officially — but the infrastructure for it would be built and operational
Once this infrastructure exists, extending its scope becomes a political decision, not a technical one.
What this means for you
This version is about voluntary scanning — providers opt in. But if Chat Control 2.0 eventually passes, scanning would become mandatory, including for end-to-end encrypted services like WhatsApp, Signal, and iMessage.
What most people don’t realise is that significant exposure already exists right now, before any new law:
- WhatsApp backups stored on Google Drive are not end-to-end encrypted by default
- Gmail and Google Photos scan your content for policy violations and advertising
- Most cloud storage (Dropbox, iCloud) can read your files unless you use client-side encryption
Chat Control would add one more layer on top of surveillance infrastructure that is already largely in place.
What you can do
The practical answer isn’t panic — it’s preparation. Encrypting your files before uploading them, knowing which services read your content, and understanding where your data is actually stored gives you meaningful control regardless of what legislation passes.
I’m putting together a practical privacy guide for Belgian IT professionals covering exactly this: what’s at risk, what to encrypt, and how to do it step by step.