EU encryption policy

The EU's Chat Control Scanning Rule Survives to 2028 on a Procedural Threshold, Not a Parliamentary Majority

314 MEPs voted to end warrantless CSAM scanning of private messages, but a fast-tracked vote needed 360 to actually stop it.

Chat Control's Threshold Problem People of Internet Research · EU 314 Votes to scrap the rule MEPs who voted to end warrantless … 360 Absolute majority needed The supermajority required to bloc… 2028 Extension now runs through The Council's adopted text permits… 2021 Original derogation created Regulation (EU) 2021/1232 first au… peopleofinternet.com
Chat Control's Threshold Problem People of Internet Research · EU 314 Votes to scrap the rule 360 Absolute majority needed 2028 Extension now runs through 2021 Original derogation creat… peopleofinternet.com

Key Takeaways

A Majority Voted No — And Lost Anyway

On July 9, 2026, the European Parliament held a vote that, on its face, looks like a defeat for the EU's controversial private-message-scanning regime. A total of 314 MEPs voted to scrap the reinstated "Chat Control 1.0" interim rule; only 276 voted to keep it (The Register). By any normal reading, that's a clear majority against. But because the vote was structured as a second-reading rejection of the Council's position, blocking it required an absolute majority of 360 MEPs — a threshold the opposition missed by 46 votes (European Parliament). The rule survives, extended to 2028, despite more lawmakers voting to kill it than to keep it.

What the Interim Rule Actually Does

The measure at issue is a narrow derogation from the ePrivacy Directive, first created by Regulation (EU) 2021/1232 and commonly nicknamed "Chat Control 1.0." It permits — but does not require — messaging and webmail providers to voluntarily scan communications for known child sexual abuse material and grooming behavior, subject to conditions: least-intrusive technology, mandatory data protection impact assessments, prompt reporting to law enforcement, and deletion of retained data within 12 months (EUR-Lex). It is not the more sweeping "Chat Control 2.0" proposal, which would mandate detection orders and remains separately under negotiation. This interim rule lapsed on April 3, 2026 after Parliament rejected an extension in March, and it is this lapse the European Commission and Council moved to reverse.

The Case for Reviving It

The strongest argument for the rule is straightforward: platforms that had been voluntarily scanning for CSAM under the derogation lost the legal basis to do so the moment it expired, and child-safety hotlines reported a real detection gap in the interim. Proponents, led by the European People's Party, argued that a further lapse pending the slower "Chat Control 2.0" negotiations would leave known, hash-matched abuse material undetected on mainstream platforms for months or years. That is a genuine cost, not a hypothetical one, and it deserves to be weighed rather than dismissed by critics who reflexively label any scanning provision "mass surveillance."

The Procedural Problem

What should trouble anyone who cares about how the EU legislates, however, is the mechanism used to get here. On July 7, the EPP invoked a rarely used urgent procedure — requested from Parliament President Roberta Metsola on June 17 — to fast-track a fresh vote, passing that motion 331–304 with 11 abstentions (EU Perspectives). That procedural switch is what converted Thursday's vote from an ordinary majority question into one requiring 360 votes to reject. Greens/EFA negotiator Markéta Gregorová warned on the floor that the maneuver violated Parliament's own rules of procedure — and she turned out to be right about the practical effect: a policy a majority of voting MEPs opposed became law anyway. That is a legitimacy problem independent of what one thinks of chat scanning itself. Rules that can only be blocked by supermajority, invoked selectively to push through contested surveillance-adjacent measures, invite exactly the kind of backlash that has dogged the Chat Control saga since 2021.

The Substantive Problem

On the merits, the extension is narrower than the loudest "Chat Control" headlines suggest — it remains voluntary, targets known CSAM rather than open-ended content, and carries a nominal carve-out for end-to-end encrypted platforms. But that carve-out is close to meaningless in practice. As MEP Patrick Breyer noted after the vote, providers using genuine E2EE cannot scan message content in the first place, so exempting them changes nothing operationally (Patrick Breyer). The carve-out functions as political cover, not a substantive limit — and it tells us nothing about how the permanent Chat Control 2.0 regime, still being negotiated, will treat encrypted services. That is where the real fight over client-side scanning and encryption backdoors will happen, and Thursday's vote does not resolve it either way.

The Bottom Line

A voluntary, non-mandatory scanning regime for known CSAM, bounded by data protection safeguards, is a proportionate stopgap that reasonable people can support — that is the steelman, and it has real force. What isn't proportionate is reviving it through a procedural maneuver that required a supermajority to stop a policy most present MEPs voted against. The EU's credibility on any future encryption or content-scanning rule — especially the more consequential Chat Control 2.0 — depends on those rules being adopted through processes the public can trust were fair. Thursday's vote, whatever one thinks of the underlying policy, was not that.

Sources & Citations

  1. European Parliament plenary agenda
  2. Regulation (EU) 2021/1232, EUR-Lex
  3. The Register: MEPs fail to prevent Chat Control revival
  4. EU Perspectives: Parliament forced back to chat control question
  5. Patrick Breyer MEP statement