A majority lost, and the law survived anyway
On July 9, 2026, 314 members of the European Parliament voted to reject the Council's revived rules allowing platforms to scan private messages for child sexual abuse material (CSAM). Only 276 voted to keep them. By any ordinary parliamentary math, the rejection wins. But the EU's second-reading procedure for this file does not count votes cast — it counts votes as a share of the full 720-seat chamber. Rejecting a Council position requires an absolute majority of all MEPs, 361 votes. The rejection landed at 314, forty-seven short, so abstentions and absences functioned as votes to keep the scanning regime alive (The Register; Euronews).
The rules at issue are not new. Regulation (EU) 2021/1232 created a temporary derogation from Articles 5(1) and 6(1) of the ePrivacy Directive, letting webmail and messaging providers voluntarily scan content and traffic data to detect, report, and remove CSAM, subject to proportionality and human-review safeguards (EUR-Lex). It was meant to be a three-year bridge to a permanent CSA Regulation. That permanent framework never arrived, the derogation expired on April 3, 2026, and Parliament has now spent 2026 oscillating over whether to revive it again.
The case the scanning regime's defenders make
Before dismissing this outcome, it's worth stating the strongest version of the case for the derogation. Voluntary scanning is currently the primary mechanism by which platforms detect and report CSAM circulating on services like Gmail, pre-2023 Facebook Messenger, and iCloud Mail — services that are not end-to-end encrypted and where scanning is technically straightforward. Child-safety advocates argue that letting this authority lapse, even briefly, removes a detection layer without a substitute in place, and that Parliament's own March 2026 vote to let the prior extension lapse created exactly that gap. The European Parliament's own press materials frame the July 9 vote as preserving continuity while adding constraints, not as a fresh mandate for surveillance (European Parliament press release).
That framing is doing real work, though. Parliament didn't simply extend the status quo — it attached an amendment excluding "communications to which end-to-end encryption is, has been or will be applied" from the derogation's scope, which the same source confirms. That single clause is the substantive story here, more than the procedural drama of the vote count.
Why the encryption carve-out matters more than the vote count
An amendment that formally excludes end-to-end encrypted services from voluntary scanning is, in practice, an amendment that keeps WhatsApp, Signal, and Telegram outside the regime's reach while leaving Gmail, iCloud Mail, and Meta's post-2023 unencrypted surfaces inside it. That is close to the outcome privacy advocates and encryption engineers have argued for since the original 2021 derogation: scan what can be scanned without breaking cryptography, and don't build scanning infrastructure that only functions by weakening or bypassing encryption on services that don't have exploitable server-side access.
This is also, not coincidentally, the position this publication has taken consistently: proportionate, targeted detection on unencrypted surfaces is defensible; client-side scanning mandates that functionally defeat end-to-end encryption are not, because the same detection infrastructure that flags CSAM can flag anything a government later decides to add to the list, and there is no way to build a scanning backdoor that only bad actors can't find.
The catch is that the amendment is not yet law. Under the ordinary legislative procedure, Parliament's amended position now goes back to the Council of the EU, which has three months — into early October 2026 — to accept it, reject it, or send the file to a conciliation committee. The Council's prior positions on this file have consistently favored broader scanning mandates than Parliament, including proposals that would have covered encrypted services through client-side detection before message content is encrypted. Given that history, expecting the Council to simply accept an amendment that carves encrypted services out of scope is optimistic. Former MEP Patrick Breyer, a longtime opponent of the scanning mandate, called the outcome a "farce" that "damages democracy" precisely because it lets a minority position prevail through parliamentary math rather than persuasion.
What to actually watch
Three things determine whether this ends well for both child safety and digital security: whether the Council accepts the encryption exclusion rather than stripping it in conciliation; whether the interim regime, once it resumes, applies only to services that have opted in rather than becoming a template for mandatory scanning; and whether the long-delayed permanent CSA Regulation — the actual replacement for this three-year-old "temporary" derogation — gets resolved before this cycle repeats again in 2028. The vote count made headlines. The Council's response to one amendment will decide the substance.