All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
The European Parliament has approved an extension of one of the European Union's most controversial digital privacy measures, allowing certain online platforms to resume voluntarily scanning some private communications for child sexual abuse material (CSAM) while lawmakers negotiate a permanent replacement.[1]
The measure, often referred to by critics as "Chat Control 1.0," passed Thursday under unusual parliamentary rules after opponents failed to secure the absolute majority needed to block it, despite more lawmakers voting against the proposal than in favor (314 against, 276 in favor, 17 abstentions).[2] The extension will take effect once EU governments (the Council) formally sign off.
Privacy advocates argue the extension enables warrantless surveillance of private conversations, while supporters say it preserves an important tool for identifying child exploitation online until permanent legislation can be agreed upon.
Why is the law so controversial?
Which apps could be affected?
Does this include encrypted apps like WhatsApp?
What happens next?
What is Chat Control?
Chat Control includes legislation that extends a temporary exemption to the EU's ePrivacy rules that allows providers of certain communications services to voluntarily detect and report known child sexual abuse material shared through their platforms.
The original exemption was introduced in 2021 after changes to EU privacy law created uncertainty about whether companies could legally continue to use automated detection systems for child safety purposes.
Rather than requiring companies to scan messages, the law permits providers that choose to do so to continue using automated technologies to identify known CSAM while a permanent legal framework is negotiated.
Why is the law so controversial?
The debate centers on a fundamental privacy question: Should technology companies be allowed to automatically analyze private communications in an effort to detect child abuse?
While the technology could help identify abusive material and report it to authorities, critics counter that scanning private messages — even for a legitimate purpose — creates a form of mass surveillance that undermines digital privacy and could set a precedent for broader monitoring.
The extension also lands as the EU broadens monitoring in other areas: as of July 2026, every new car sold in the bloc must include a camera that monitors the driver's face.
Former European Parliament member and digital rights advocate Patrick Breyer called Thursday's vote "a farce," arguing the outcome ignored the wishes of a majority of voting lawmakers because of the parliamentary procedure used.
"The real losers are our children," Breyer said in a statement, arguing that extending the temporary system could delay negotiations over what he believes would be a more targeted, permanent child protection framework.
Which apps could be affected?
According to opponents of the legislation, the temporary rules primarily affect companies that voluntarily scan unencrypted private communications.
Examples frequently cited in the debate include:
- Instagram direct messages
- Discord
- Snapchat
- Skype
- Xbox messaging
- Gmail
- Apple's iCloud Mail
Exactly which services use automated detection technologies remains up to individual providers.
Does this include encrypted apps like WhatsApp?
Not necessarily.
One of the amendments approved during Thursday's vote was designed to keep end-to-end encrypted (E2EE) communications outside the scope of the temporary scanning framework. Services where providers cannot access message contents — such as WhatsApp or Signal — are generally not subject to these voluntary scanning practices.
That issue remains one of the biggest sticking points in negotiations over the EU's proposed permanent Child Sexual Abuse Regulation, often dubbed "Chat Control 2.0."
How to keep your messages private
The rules permit scanning only of unencrypted private messages, and only on platforms that choose to do so — all of them U.S.-based services. If you want your conversations out of scope, the fix is encryption, not a workaround. It's the same protection privacy advocates point to against warrantless U.S. surveillance of communications — the core concern driving the Chat Control fight, too.
- Move sensitive conversations to end-to-end encrypted apps. Messages on Signal and WhatsApp are encrypted by default with E2EE, which keeps them outside the scanning framework. Apple's iMessage is also encrypted between Apple devices.
- Know which services are exposed. The scanning applies to unencrypted private messages on U.S. platforms, including Instagram DMs, Discord, Snapchat, Skype, Xbox messaging, Gmail, and Apple's iCloud Mail. Assume anything sent through those can be scanned for known CSAM.
- Use encrypted email for anything sensitive. Standard Gmail and iCloud Mail are in scope; an encrypted email service (such as Proton Mail) keeps the contents unreadable to the provider.
- Don't count on a VPN for this. A VPN hides your location and network traffic, but it can't stop a platform from scanning a message you send inside its own app. Encryption is what protects the content.
What happens next?
The temporary rules are expected to remain in place while negotiations continue over a permanent child protection law.
EU institutions are expected to resume talks in September, with lawmakers still divided over whether future rules should permit broader automated scanning of private communications or instead limit detection measures to targeted investigations involving judicial oversight.
Chat Control isn't the only EU rule reshaping the apps Europeans use every day. Reddit is now asking EU users to verify their age with a selfie to comply with the bloc's tightening platform rules.
[1] EU-Parlament winkt Chatkontrolle 1.0 durch – Breyer: “Wahrer Verlierer sind unsere Kinder”
[2] Temporary derogation from the ePrivacy Directive — roll-call vote results, European Parliament