Chat control survives, encrypted messaging doesn't count
On July 9, 2026, 314 members of the European Parliament voted to reject the revival of Chat Control. Only 276 voted to keep it. By any ordinary reading of a vote, that is a defeat for the proposal. It passed anyway. The mechanism behind that outcome tells you more about how EU surveillance legislation actually survives than any of the substantive arguments about child safety or encryption ever will, and it is worth understanding in detail before the next round starts in September.

I have tracked this proposal through two previous cycles, its withdrawal after public opposition in late 2025 and the shift toward normalized scanning I flagged in December. The pattern I described then, temporary derogations quietly becoming permanent baseline, has now played out almost exactly as predicted, just with an unexpected twist on encrypted messaging.
In brief
- Chat Control 1.0, the voluntary CSAM-scanning derogation from the ePrivacy Directive, expired on April 3, 2026 after Parliament rejected its extension in March by 311 votes to 228.
- The Council adopted a first-reading position on July 2 reinstating the derogation unchanged through April 2028.
- Parliament voted on July 9 under emergency procedure; a rejection motion got more no votes (314) than yes votes (276) but missed the 361-vote absolute majority required in second reading, so the extension stands.
- An amendment adopted the same day excludes communications protected by end-to-end encryption from the scope of voluntary scanning, meaning WhatsApp, Signal, and Telegram are formally out of Chat Control 1.0’s reach.
- This exclusion applies only to the voluntary derogation track. The permanent CSA Regulation (Chat Control 2.0), still in trilogue, remains the venue where client-side scanning obligations could still be imposed on encrypted services.
- The Council now has three months to accept Parliament’s amendments; disagreement triggers a conciliation committee, while CSAR negotiations resume in September.
The procedural mechanic nobody explains clearly
Second-reading procedure under the ordinary legislative procedure (Article 294 TFEU) is where this vote’s outcome actually lives. When the Council adopts a position at first reading, Parliament can approve it, amend it, or reject it outright. Rejecting a Council position outright at second reading requires an absolute majority of Parliament’s component members, currently 361 votes out of 720, not a simple majority of votes cast in the chamber that day.

This is structurally different from a first-reading vote, where a simple majority of votes cast decides the outcome. It means abstentions and absences function, in practice, as votes in favor of whatever the Council already adopted. The rejection motion on July 9 secured 314 votes, comfortably more than the 276 in favor, and still failed by 47 votes against the threshold. MEPs fail to prevent Chat Control snoopfest revival put it plainly:
“Chat Control expired on April 3, 2026, after first being introduced in August 2021. Today, however, MEPs did not reach the required threshold to reject it.”
Anyone assessing the political durability of Chat Control needs to internalize this asymmetry. A proposal that cannot secure a straightforward parliamentary majority in its favor can still survive indefinitely as long as opposition cannot clear the higher bar required to kill a Council position outright. This is precisely the “zombie proposal” dynamic that outlets covering the file since 2022 have repeatedly noted, and the July 9 vote is the clearest procedural demonstration of it to date.
The end-to-end encryption carve-out and its limitations
The same session that failed to reject the Council’s text adopted an amendment explicitly excluding end-to-end encrypted communications from the scope of the voluntary scanning regime. As Euronews reported:
“A law allowing scanning of online communications to detect child sexual abuse material was amended by MEPs to protect users’ privacy.”
Practically, this means providers operating under E2E protocols, WhatsApp’s Signal Protocol implementation, Signal itself, Telegram’s Secret Chats, are outside the scope of the derogation Parliament just extended. That is a genuine, specific boundary, and it directly addresses the architectural concern I raised in December about client-side scanning turning “the user’s phone into a checkpoint.” If a service cannot access plaintext content to begin with, the voluntary scanning regime cannot compel it to scan.
But the boundary is narrower than the headlines suggest, for two reasons that matter to anyone doing compliance or threat-modeling work around this file:
- The exclusion applies to Chat Control 1.0 only. It is an amendment to the ePrivacy derogation, a voluntary, time-limited legal basis for providers who already scan certain content categories (typically metadata and non-E2E services like some cloud storage and unencrypted chat platforms). It does not touch the CSA Regulation still in trilogue.
- CSAR (Chat Control 2.0) is where detection orders live. The permanent regulation under negotiation would introduce mandatory detection orders that courts or authorities could issue against specific services, including, in earlier drafts, an obligation for E2E providers to implement client-side scanning to comply. That mechanism has not been foreclosed by this week’s vote. The trilogue resumes in September, and the encryption carve-out achieved in the derogation vote creates political pressure but no legal precedent binding the CSAR negotiators.
The distinction between these two tracks is the single most consequential technical detail in the entire file, and it is the one most general-audience coverage collapses into a single “Chat Control” narrative. Anyone advising a messaging provider, a CISO at a company running an E2E product, or a policy team tracking exposure needs to treat Chat Control 1.0’s encryption exclusion as a favorable signal, not as closure.
Where the CSAR negotiation actually stands
The permanent regulation has followed its own separate, slower track throughout 2026. Trilogue negotiations between Parliament, Council, and Commission resumed on June 29, running in parallel with the derogation fight that dominated headlines. Double threat to privacy: Chat Control 1.0 and 2.0 are back captured the structural risk of treating these as one fight:
“In March, the European Parliament rejected the extension of the so-called Chat Control 1.0 regulation, which expired in April 2026…”
The risk for observers, and for organizations building compliance timelines, is conflating the derogation’s fate with CSAR’s. A win on one track changes nothing about the substantive obligations still being negotiated on the other. The current CSAR compromise text under discussion reportedly narrows mandatory detection orders to known CSAM hash-matching rather than open-ended AI classification of new content, a meaningful technical distinction from earlier 2022-2023 drafts that proposed broader machine-learning based detection. Whether that narrowing survives the next round of trilogue, expected to conclude discussions by late autumn, is the actual decision point that will determine whether client-side scanning becomes a legal requirement for E2E services operating in the EU.
What happens next
The Council has three months from the July 9 vote to formally respond to Parliament’s amendments, including the encryption exclusion. Two outcomes are procedurally available:
- The Council accepts Parliament’s amended text as-is, in which case the derogation, encryption exclusion included, enters into force through April 2028 without further negotiation.
- The Council rejects or modifies the amendments, triggering a conciliation committee under Article 294(10) TFEU, composed of equal numbers of MEPs and Council representatives, tasked with reaching a joint text within six weeks, extendable by two.
Given that several member states have historically pushed for broader scanning mandates than Parliament has been willing to accept, a conciliation committee is a realistic scenario, not a formality. Meanwhile, CSAR trilogue continues independently, with the next substantive session expected in September. Any organization building a compliance roadmap around this file should treat Q4 2026 as the actual decision window for the regulation that matters most, not this month’s derogation vote, however dramatic its procedural mechanics turned out to be.
FAQ
What is the difference between Chat Control 1.0 and Chat Control 2.0? Chat Control 1.0 is the temporary ePrivacy derogation that lets providers voluntarily scan communications for CSAM, now extended to 2028, while Chat Control 2.0 refers to the permanent CSA Regulation still in trilogue, which would mandate detection orders and potentially client-side scanning as a legal obligation rather than a voluntary derogation.
Does excluding end-to-end encrypted messages from Chat Control 1.0 mean WhatsApp and Signal are now safe? Only from the voluntary scanning regime just extended. The permanent CSAR still under negotiation could reintroduce detection obligations covering encrypted services through client-side scanning, so the exclusion is a tactical win in one legislative track, not a resolution of the underlying architecture debate.
Why did Chat Control pass despite more MEPs voting against it than for it? Under the second-reading procedure, a motion to reject a Council position needs an absolute majority of all Parliament seats (361 votes), not just a simple majority of votes cast; the rejection motion got 314 votes against 276, more no votes than yes votes, but fell short of the 361 threshold, so the Council’s text stood.