The European Parliament has once again stepped into one of tech policy’s most divisive fights. EU chat control — the controversial legislation that compels tech companies to scan private messages for child sexual abuse material — has been extended until 2028. The vote was close, messy, and politically charged. And privacy advocates are calling the outcome, at best, a draw.
- The EU chat control law passed, allowing tech firms to voluntarily scan messages for abuse material until 2028.
- EU chat control was amended to exempt end-to-end encrypted messages, a partial win for privacy advocates.
- Only 314 MEPs voted to block the extension — short of the 361 needed to stop it from advancing.
- Negotiations for a permanent Chat Control 2.0 framework are set to resume in September.
Table of Contents
How the Vote Actually Went Down
Here’s the thing about Thursday’s result: more MEPs wanted to block EU chat control than wanted to keep it. The problem was the math. Stopping the extension required an absolute majority of 361 votes. Only 314 lawmakers voted against, while 276 voted in favour. The law passed not because it commanded strong support, but because the opposition fell short of a fairly high bar. That’s a meaningfully different story than a decisive mandate for surveillance.
This vote came after the European Parliament triggered a rarely used urgent procedure on Tuesday, fast-tracking a debate on whether to revive rules that had quietly expired in April. Since that expiry, platforms like WhatsApp had been left to manage the situation themselves, taking voluntary measures to detect and report abuse material without any binding legal obligation. The urgency procedure — pushed through primarily by the European People’s Party (EPP), the Parliament’s largest political group — brought the issue back to the floor in a matter of days.

The EPP’s role here deserves scrutiny. Back in March, the party had actually voted against a temporary extension of EU chat control, because the version on the table included amendments that narrowed the scope of permitted scanning. EPP leader Manfred Weber has reportedly been hunting for a version of the law he can push through without those restrictions. Thursday’s vote gave him a partial opening.
The Encryption Exemption: A Win, But a Qualified One
The clearest win for privacy advocates came in the form of an amendment that explicitly excludes end-to-end encrypted communications from the scanning requirement. The amendment was put forward by the Pirate Party — not a major player in the Parliament, but one with a consistent and principled position on digital rights — and it passed with an absolute majority.
Pirate Party MEP Markéta Gregorová described it as ‘a bittersweet victory.’ Her full statement captures the tension well: ‘Protecting encryption was one of our priorities, and I am therefore glad that we managed to secure an absolute majority for an amendment that at least preserves encryption. At the same time, however, voluntary mass scanning unfortunately passed.’
That framing is important. The encryption carve-out isn’t nothing — forcing companies to break end-to-end encryption would have been a far more catastrophic outcome for digital security broadly. Security researchers and cryptographers have spent years explaining why backdoors in encryption don’t stay exclusive to the ‘good guys’ — they create vulnerabilities that criminals and authoritarian states can exploit just as easily. The Parliament acknowledging this, even implicitly, matters.
But the voluntary mass scanning provision within EU chat control is still a serious problem. ‘Voluntary’ sounds benign, but when platforms are operating under a legal framework that encourages scanning and could face pressure or liability if they don’t act, the practical reality tends to drift toward compliance. We’ve seen this pattern before across other content moderation regimes.

EU Chat Control 2.0: The Bigger Battle Ahead
Thursday’s vote was essentially a stopgap. The real fight — over a permanent, binding version of EU chat control — hasn’t started in earnest yet. That’s the legislation advocates have been calling ‘Chat Control 2.0,’ and it’s where the stakes get considerably higher.
Patrick Breyer, a former MEP who has been one of the loudest critics of surveillance legislation in Brussels, didn’t pull punches after the vote. ‘The political battle over the permanent Chat Control 2.0 is just getting started,’ he said, adding that ‘the resistance we saw in Parliament today was so strong that finding a majority for permanent, suspicionless mass scanning in future negotiations is a complete pipe dream.’
That’s an optimistic read, and Breyer has skin in the game. But he’s not entirely wrong. The narrow margin in Thursday’s vote — and the fact that it only passed because opponents failed to clear a threshold, not because supporters commanded a majority — does suggest the political coalition for aggressive, blanket scanning is fragile at best.
Negotiations on Chat Control 2.0 are scheduled to resume in September. The central point of contention will be whether message scanning, if mandated, should be narrowly targeted (based on specific suspicion) or applied broadly across platforms as a matter of routine. That’s not a technical question — it’s a deeply political and philosophical one about what kind of digital society Europe wants to be.

Why This Matters Beyond Europe
It would be easy to file EU chat control under ‘European policy drama’ and move on. That would be a mistake. The EU has a well-documented track record of setting global standards in tech regulation — the GDPR is the clearest example, but there are others. Rules that originate in Brussels have a habit of shaping how global platforms operate, simply because companies find it easier to build one compliance framework than separate ones for each market.
If a permanent version of EU chat control passes without a strong encryption exemption, the pressure on platforms to build scanning capabilities into their products globally becomes real. And once those capabilities exist in an architecture, the question of who else gets access — other governments, other legal systems, other definitions of ‘harmful content’ — becomes urgent.
The child protection argument that supporters of EU chat control deploy is genuinely important. Nobody serious argues that combating the spread of child sexual abuse material isn’t a priority. The disagreement is about whether mass message scanning is an effective, proportionate, and safe way to do it — and whether the collateral damage to privacy and security is worth the trade-off. Those are hard questions, and the European Parliament’s current answer is: ‘sort of, until 2028, but not for encrypted messages.’
That’s not a settled answer. It’s a holding position. And with Chat Control 2.0 negotiations looming in the autumn, the pressure on both sides is only going to build. The encryption exemption has bought privacy advocates some breathing room — but the structural push toward broader digital surveillance in Europe hasn’t gone anywhere. If anything, Thursday’s vote confirmed that the political appetite for EU chat control remains alive, even if the majority for it isn’t quite there yet.
Source: Cointelegraph

