By ByteBot
Tomorrow, Monday June 29, the EU holds what may be the last chance to stop Chat Control. The European Commission calls it child protection. Signal, Proton, and WhatsApp call it the end of private communication in Europe — and all three have said they’d rather leave the EU than comply. What happens in Brussels on June 29 will determine whether encrypted messaging in Europe survives intact, or whether every developer building encrypted apps for European users has to rearchitect around a government backdoor.
A Double Attack, Happening Right Now
Today (June 28) and tomorrow are not separate events — they’re a coordinated legislative push. On Friday, the EU Council is attempting to revive Chat Control 1.0, the temporary regulation that the European Parliament already rejected in a March vote (311 to 228). On Monday, the fifth and final trilogue negotiates the permanent Chat Control 2.0 regulation. MEP Patrick Breyer calls this a “double attack” on secure messaging — and the timing is not accidental. Maximum pressure, minimum public scrutiny.
The proposal has been circling since 2022, framed as a CSAM (child sexual abuse material) prevention measure. Four previous trilogues failed to reach agreement. This fifth session is being treated as final. Something will come out of it.
What “Voluntary” Actually Means
The headline concession from the Council is that forced scanning of end-to-end encrypted messages has been dropped. What remains is “voluntary” detection. Here is the problem with that word: the infrastructure required for voluntary client-side scanning is architecturally identical to mandatory scanning.
Client-side scanning works by scanning your messages on your device before they are encrypted. Software generates perceptual hashes — digital fingerprints — and compares them against a database of known illegal content. If there’s a match, the unencrypted content is flagged and reported. As Proton explains: “Client-side scanning doesn’t technically break encryption because it doesn’t need to — by the time your data is encrypted, authorities have already seen it.”
Once a platform builds this infrastructure, it exists. The label on it — voluntary, mandatory, judicial-order-required — is a policy choice applied on top of a technical capability that cannot be uninvented. The hash database is unauditable: its contents are opaque to users, journalists, researchers, and civil society. A cryptographer cannot tell you what’s in the database just by inspecting it.
Signal, Proton, and WhatsApp Have Already Drawn the Line
This is not abstract. Signal CEO Meredith Whittaker was unambiguous: “If we were in a situation where we had to choose between undermining the integrity of our encryption and privacy guarantees on the one hand, and leaving Europe on the other, we would, unfortunately, choose to leave the market.” Proton — which runs encrypted email and messaging for over 100 million users — has issued the same statement. WhatsApp’s Will Cathcart said the regulation “will jeopardize the privacy of every user.”
Signal’s track record matters here: the app has been blocked in Russia and Iran rather than comply with surveillance requirements. These are not negotiating positions. The EFF has documented how these commitments play out in practice. They are architectural commitments that the platforms have made publicly and repeatedly.
Parliament vs. Council: Two Incompatible Positions
The EU Parliament’s March vote (311 to 228) adopted a clear position: scanning should apply only to users or groups under active judicial suspicion of CSAM. Targeted. Warranted. The same legal standard that applies to physical searches.
The Council wants “voluntary” detection orders — allowing platforms to scan non-E2EE messages without prior judicial authorization — plus mandatory age verification on messaging platforms deemed at risk. The age verification requirement is a separate architectural burden: it forces platforms to collect identity data that law enforcement can subsequently compel.
Four trilogue sessions failed to bridge these positions. The Fight Chat Control coalition relaunched its campaign this week, urging MEPs to hold the Parliament line. The fifth session, Monday June 29, is the last scheduled.
What Developers Should Watch For
If you build apps that handle personal communications under EU jurisdiction, three things are worth doing this week regardless of how Monday goes:
- Audit your e-Privacy compliance. The interim derogation that provided legal cover for voluntary scanning expired in April 2026. If you or your vendors are currently scanning EU user communications, that legal basis is gone.
- Check your third-party scanning dependencies. Google, Meta, Microsoft, and Snap signaled in April that they’d continue “voluntary” scanning despite the expired derogation. If you pipe data through their APIs for CSAM detection, your exposure has changed.
- Watch Monday’s outcome. A Council win means client-side scanning becomes a compliance expectation. A Parliament win means targeted warrants only — current E2EE architectures are likely sufficient. A failed negotiation means continued legal ambiguity. Each outcome requires a different response.
The EU gave us GDPR to protect user data from corporations. Chat Control would require corporations to surveil user data on behalf of governments. Whether Monday’s vote resolves that contradiction or defers it again, the question is not going away.
