
EU Parliament votes to extend chat scanning rules until 2028 with end-to-end encryption exemption after chaotic session
MEPs approved a temporary extension of the controversial 'chat control 1.0' regulation on 9 July, continuing voluntary scanning for child abuse material on services like Facebook and Google while WhatsApp and Signal remain off-limits.
Background: A temporary patch for a stalled permanent law
Since 2021, a temporary derogation from the EU's ePrivacy Directive has allowed online platforms to voluntarily scan private messages for child sexual abuse material (CSAM). The original arrangement was extended in 2024 but expired in April 2026 after the European Parliament initially refused to prolong it. Meanwhile, the permanent regulation known as CSAR, or "chat control 2.0", has been caught in trilogue negotiations since 2022. The European Commission's proposal initially included scanning of end-to-end encrypted chats, a provision fiercely opposed by digital rights groups.
The 9 July vote and the chaotic session
On Thursday, the Parliament voted on an urgent motion to extend the temporary regime for a further period. The measure was approved because the required absolute majority of 360 votes to reject it was not reached in a chamber where only 607 MEPs were present, many had already left Strasbourg ahead of the summer recess. Several lawmakers described a disorderly atmosphere.
A considerable part of the deputies did not have the faintest idea what it was about. There were tumultuous scenes, and a decisive vote was kept open unusually long before the devices were finally closed. The results are long decided.
He called the EU's procedures "highly undemocratic" and the Parliament a "sham parliament".
What the extension covers, and what it excludes
Under the renewed derogation, services like Facebook, Google, Microsoft and Snapchat may continue to automatically scan private messages for known CSAM using hash-matching technology. If a match is flagged, a human reviewer checks it before law enforcement is notified. End-to-end encrypted messengers such as WhatsApp, Signal, Telegram and Threema are explicitly excluded from the scanning obligation. The extension is set to run until 2028, though it still requires approval from the EU Commission and the Council of member states.
- Temporary derogation adopted allowing voluntary scanning of private messages for CSAM.
- Extension granted.
- Parliament votes to restrict scanning to concrete suspicion and exclude AI analysis.
- Council walks out of trilogue talks, negotiations collapse.
- Metsola writes to Council urging reintroduction of scanning measure.
- Parliament approves extension of temporary regime until 2028 with end-to-end encryption exclusion.
Political and institutional tensions
The vote has deepened divisions. Parliament President Roberta Metsola sent a letter to the Council on 22 June, revealed by Politico, urging it to reintroduce the measure after an earlier rejection. In March, the Parliament had adopted a position limiting automated scans to concrete suspicion cases and ruling out AI-based analysis of unknown material or private chats. The Council walked out of the trilogue on 16 March, arguing that such restrictions would render the system ineffective. The outcome left the interim regulation in limbo, with many platforms simply continuing their voluntary practices.
Child protection vs. privacy
An appeal signed by 247 child protection organizations condemned the failure to reach a long-term European agreement, insisting that platforms must retain the ability to scan chats for CSAM. Privacy activists, however, warn that the expansion of scanning infrastructure creates systemic risks. The permanent CSAR proposal includes client-side scanning, a technology that would analyse content directly on the user's device before encryption, a move cybersecurity experts say would hollow out digital safeguarding. For now, the temporary fix papers over the rift, but the battle over chat control 2.0 is far from resolved.


