EU Chat Control 1.0 and 2.0: Timeline, Political Deadlock, and Controversy

EU Chat Control 1.0 and 2.0: Timeline, Political Deadlock, and Controversy

Quick Take

Chat Control 1.0’s voluntary scanning exemption expired in April 2026, but the European Council is pushing a new law that would resurrect the same powers, while the permanent “Chat Control 2.0” regulation remains stalled after years of failed trilogues.


What is “Chat Control”?

  • Chat Control 1.0 – Regulation (EU) 2021/1232 created a temporary derogation from the ePrivacy Directive, allowing providers to voluntarily scan private messages for child sexual abuse material (CSAM). It was set to expire on 3 August 2024.
  • Chat Control 2.0 – The Commission’s 2022‑2023 proposal for a permanent CSA Regulation that would make CSAM detection and reporting a legal obligation for platforms, including a requirement to bypass end‑to‑end encryption.

Both versions aim to protect children, but they differ dramatically in scope and legal force.


Timeline of Key Events (2021‑2026)

Date Event Outcome
Jul 14 2021 Temporary derogation adopted (Chat Control 1.0) Legal basis for voluntary scanning of private messages.
Apr 29 2024 First extension Derogation extended to 3 April 2026 because the permanent regulation was still unresolved.
Mar 2 2026 Commission proposes second extension to April 2028.
Mar 11 2026 LIBE (civil liberties) committee rejects extension (38‑28).
Mid‑Mar 2026 Parliament votes 458‑103 for a compromise: extend to 2027 only with targeted, proportionate detection, no scanning of end‑to‑end encrypted services, and judicial oversight.
Mar 26 2026 Trilogue on the extension collapses – Council refuses Parliament’s conditions.
Apr 4 2026 Parliament rejects any extension (311 MEPs against). Amendment 34, which bans automated assessment of unknown content, passes by a single vote (307‑306).
Jun 26 2026 Chat Control 1.0 expires – the legal ground for indiscriminate scanning ends. Major platforms (Google, Meta, Microsoft, Snap) announce they will continue scanning regardless of the expiry.
Jun 26‑29 2026 Council’s legal service warns the proposed “voluntary” scanning still amounts to generalized surveillance, violating Article 7 of the EU Charter.
Jun 29 2026 Council decides to resurrect the expired law by drafting a new regulation with identical content, using an expedited procedure.
Jul 2 2026 Council adopts its position on the “new” regulation via written procedure.
Jul 7 2026 (expected) Urgency vote in Parliament – if approved, the draft bypasses the normal committee stage and requires an absolute majority of all MEPs to stop or amend it.
May 11 2022 – Oct 2025 Parallel track: Commission proposes permanent CSA Regulation (Chat Control 2.0); Parliament adopts a protective mandate limiting scanning to visual material, banning encryption bypass, and rejecting mandatory age verification.
Nov 26 2025 Germany votes against mandatory suspicion‑less scanning, breaking the Council deadlock; the Danish presidency shifts to risk‑assessment obligations and proposes making the temporary scanning regime permanent.
Dec 2025 – May 2026 Four trilogue rounds (Dec 9, Feb 26, Apr 16, May 11) fail to resolve core disagreements on suspicion‑less scanning and age verification.
Jun 10 2026 Council’s own lawyers raise alarm about the legality of “voluntary” scanning.
Jul 14 2026 “Final” trilogue fails – no agreement on making suspicion‑less scanning permanent; talks continue under the Irish presidency.

Why the Revival Is Unprecedented

  • Parliament’s rejection was considered final. EU law does not allow an expired regulation to be simply extended; the Council’s plan to draft a new law with identical text sidesteps that rule.
  • Urgency procedure would let the proposal skip the standard committee review, requiring only an absolute majority of all MEPs to block it – a far higher hurdle than the usual simple majority.
  • Legal conflict: The Council’s legal service itself warned that the “voluntary” scanning proposal still constitutes generalized surveillance, potentially breaching the EU Charter.

Core Points of Contention

  1. Scope of Scanning – Whether platforms can scan all private communications (suspicion‑less) or only targeted content identified by a judicial authority.
  2. Encryption Bypass – Chat Control 2.0 originally demanded the ability to bypass end‑to‑end encryption; Parliament’s protective mandate explicitly rejected this.
  3. Age Verification – Some drafts propose mandatory age checks for app stores or services, which Parliament has repeatedly opposed.
  4. Legal Basis – The distinction between voluntary scanning (which providers can choose) and mandatory scanning (which would impose a legal duty) is crucial for compliance with the EU Charter’s privacy protections.

Community Reactions (Hacker News Comments)

“Most everyone would love to see more work on stopping child sexual abuse. But this is the ultimate ‘grant me dictatorial powers so I can do good’ play.” – mikaeluman

“They claim to protect consumers and privacy and then push this creepy surveillance state.” – Zufriedenheit

“I don’t understand. How does it affect encrypted messages? It seems like either you need: 1. allow MITM decryption by a privileged authority 2. require all devices doing E2EE have a non‑user‑modifiable piece of functionality to scan on‑device.” – arjie

“Chat control 1.0 … does that imply it’s currently not allowed? Apparently not enforced at least: ‘Google, Meta, Microsoft, and Snap state they will continue scanning private messages regardless.’” – olejorgenb

“EU politicians spend more time on chat control than on the reopening of Hormuz or EU energy security. It is a complete joke.” – rwq-askh

These comments highlight three recurring concerns:

  • Over‑broad surveillance that could affect all users, not just a tiny fraction of offenders.
  • Potential erosion of encryption and the technical feasibility of implementing on‑device scanning without compromising security.
  • Perceived political priorities, with many observers questioning why the EU devotes extensive legislative energy to this issue.

What Happens Next?

  • Parliament’s urgency vote (scheduled for early July 2026) will determine whether the revived law proceeds without the usual committee scrutiny.
  • If approved, the proposal will face a full‑chamber vote where an absolute majority of all 705 MEPs (i.e., at least 353 votes) is required to reject or amend it.
  • Meanwhile, the permanent Chat Control 2.0 regulation remains stuck in trilogue deadlock, with no consensus on encryption bypass or mandatory age verification.

Bottom Line

The EU is attempting to resurrect a temporary child‑protection scanning regime after it legally expired, using a fast‑track legislative shortcut that sidesteps Parliament’s earlier rejection. The move reignites a broader debate over privacy, encryption, and the balance between child‑safety objectives and fundamental rights, while the permanent Chat Control 2.0 framework remains unresolved after years of negotiations.

Sources