EU Chat Control 1.0 passed on July 9, 2026 — and the strangest part is that a majority of MEPs voted against it. Of the 607 Members of European Parliament who voted, 314 opposed the mass-messaging scanning regulation while only 276 supported it. However, under the EU’s second-reading procedure, blocking a Council position requires an absolute majority of all 720 MEPs — 361 votes. The opposition fell 47 short. So more people voted against than for it, and it passed anyway. We covered the Council’s procedural revival last week — this is what that set in motion.
How a Majority No Vote Still Loses
The EU Council revived Chat Control 1.0 on July 2 using Rule 170 urgent procedure — a fast-track mechanism designed for emergencies that triggered a plenary vote within one week. The timing was deliberate: the last Parliament session before summer recess, when many MEPs had already departed for home. Under second-reading rules, the denominator is fixed at 720 regardless of attendance. Low attendance doesn’t help opponents — it actively hurts them, because absent MEPs effectively count as abstentions against the blocking majority threshold.
This is a pattern worth recognizing. Any time the Council wants to push through a contested position, scheduling the critical vote during a recess period structurally disadvantages opposition. Former MEP Patrick Breyer, who has tracked Chat Control since its 2021 introduction, called the process “a blatant disregard for democratic processes.” The procedural mechanics are now documented. Expect them again.
What EU Chat Control 1.0 Actually Permits
The regulation is a temporary derogation from the EU ePrivacy Directive — it permits, but does not mandate, platforms to voluntarily scan unencrypted messages for known child sexual abuse material (CSAM). It runs until April 3, 2028. The platforms in scope are those using unencrypted or server-side encrypted messaging: Gmail, Instagram DMs (after Meta removed end-to-end encryption in May 2026), Discord direct messages, Snapchat, Skype, Xbox messaging, and iCloud Mail.
WhatsApp, Signal, and iMessage remain outside scope. An end-to-end encryption exemption amendment was adopted alongside the main vote. That amendment now returns to the Council, which has until approximately October 9 to accept or reject it.
The primary detection mechanism is hash matching — tools like Microsoft’s PhotoDNA generate a cryptographic fingerprint of confirmed abuse images and compare new content against that database. It cannot detect AI-generated CSAM or newly created material with no prior database entry. Notably, according to data Breyer cited from Brussels Signal’s coverage, 99 percent of Meta’s EU Chat Control reports involve previously known material. The regulation primarily recycles known findings rather than uncovering new abuse.
The False Positive Problem
The child protection argument for Chat Control is straightforward. The evidence against it is equally concrete. Forty-eight percent of Meta’s Chat Control alerts were flagged as “not criminally relevant.” Forty percent of the resulting investigations targeted minors themselves — the children the system exists to protect. For detection of unknown material beyond the hash-matching database, the EU Commission’s own implementation report found false positive rates between 13 and 20 percent. One in five flagged conversations was not CSAM.
Moreover, the volume math does not favor the regulation. At even a 1 percent error rate across billions of daily messages, investigators receive millions of false positives. The blunter the detection instrument, the less useful it becomes — and hash matching is blunt by design. Sophisticated actors who produce new abuse material use end-to-end encrypted platforms the regulation does not touch.
Chat Control 2.0 and What Comes Next
The permanent version of the regulation — Chat Control 2.0 — is still in trilogue negotiations and would be mandatory rather than voluntary. It would potentially extend to end-to-end encrypted services through client-side scanning: content analyzed on the sender’s device before encryption is applied. Five trilogue rounds have completed without agreement. Negotiations resume under the Irish EU Council Presidency in September 2026. The EU Council’s own Legal Service warned in June that the current Chat Control 2.0 proposal likely violates Article 7 of the EU Charter — the right to privacy — and would face successful court challenge.
Signal has stated it will withdraw from the EU market before implementing client-side scanning. WhatsApp has characterized mandatory scanning of encrypted services as “the end of end-to-end encryption as we know it.” The Register’s coverage of the July 9 vote details how the industry response has shifted from resistance to contingency planning.
What Developers Need to Know Now
If you build communication platforms serving EU users, Chat Control 1.0 means voluntary CSAM scanning on unencrypted message surfaces is legally permitted again through April 2028. End-to-end encrypted services remain outside scope for now. The more consequential deadline is September: if Chat Control 2.0 negotiations produce a mandatory framework covering E2EE services, the architecture decisions you make today could carry legal weight. Scanning infrastructure, once built, also becomes a high-value target — security researchers have consistently noted that detection systems can be repurposed by attackers or government actors beyond their original specifications.
Third-party CSAM detection APIs are available for platforms choosing to comply voluntarily: Microsoft PhotoDNA, Meta PDQ, and commercial services like alternatives discussed at Fight Chat Control. But the regulation you should be watching is not the one that just passed — it’s the one being negotiated for September. Chat Control 1.0 is the mild version.













