EU Chat Control Was Just Extended Until 2028. Here's What That Means For Your Privacy

A failed EU vote just revived mass scanning of private messages on Gmail, iCloud, and Instagram, here's what EU chat control actually changes for everyday users, everywhere.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

The European Parliament has approved an extension of one of the European Union's most controversial digital privacy measures, allowing certain online platforms to resume voluntarily scanning some private communications for child sexual abuse material (CSAM) while lawmakers negotiate a permanent replacement.[1]

The measure, often referred to by critics as "Chat Control 1.0," passed Thursday under unusual parliamentary rules after opponents failed to secure the absolute majority needed to block it, despite more lawmakers voting against the proposal than in favor (314 against, 276 in favor, 17 abstentions).[2] The extension will take effect once EU governments (the Council) formally sign off.

Privacy advocates argue the extension enables warrantless surveillance of private conversations, while supporters say it preserves an important tool for identifying child exploitation online until permanent legislation can be agreed upon.

In this article
What is Chat Control?
Why is the law so controversial?
Which apps could be affected?
Does this include encrypted apps like WhatsApp?
What happens next?

What is Chat Control?

Chat Control includes legislation that extends a temporary exemption to the EU's ePrivacy rules that allows providers of certain communications services to voluntarily detect and report known child sexual abuse material shared through their platforms.

The original exemption was introduced in 2021 after changes to EU privacy law created uncertainty about whether companies could legally continue to use automated detection systems for child safety purposes.

Rather than requiring companies to scan messages, the law permits providers that choose to do so to continue using automated technologies to identify known CSAM while a permanent legal framework is negotiated.

Why is the law so controversial?

The debate centers on a fundamental privacy question: Should technology companies be allowed to automatically analyze private communications in an effort to detect child abuse?

While the technology could help identify abusive material and report it to authorities, critics counter that scanning private messages — even for a legitimate purpose — creates a form of mass surveillance that undermines digital privacy and could set a precedent for broader monitoring.

The extension also lands as the EU broadens monitoring in other areas: as of July 2026, every new car sold in the bloc must include a camera that monitors the driver's face.

Former European Parliament member and digital rights advocate Patrick Breyer called Thursday's vote "a farce," arguing the outcome ignored the wishes of a majority of voting lawmakers because of the parliamentary procedure used.

"The real losers are our children," Breyer said in a statement, arguing that extending the temporary system could delay negotiations over what he believes would be a more targeted, permanent child protection framework.

Which apps could be affected?

According to opponents of the legislation, the temporary rules primarily affect companies that voluntarily scan unencrypted private communications.

Examples frequently cited in the debate include:

  • Instagram direct messages
  • Discord
  • Snapchat
  • Skype
  • Xbox messaging
  • Gmail
  • Apple's iCloud Mail

Exactly which services use automated detection technologies remains up to individual providers.

Does this include encrypted apps like WhatsApp?

Not necessarily.

One of the amendments approved during Thursday's vote was designed to keep end-to-end encrypted (E2EE) communications outside the scope of the temporary scanning framework. Services where providers cannot access message contents — such as WhatsApp or Signal — are generally not subject to these voluntary scanning practices.

That issue remains one of the biggest sticking points in negotiations over the EU's proposed permanent Child Sexual Abuse Regulation, often dubbed "Chat Control 2.0."

Outside the EU, the U.K. is facing the same fight — the U.K. government is weighing a crackdown on VPNs as part of its online safety agenda.

How to keep your messages private

The rules permit scanning only of unencrypted private messages, and only on platforms that choose to do so  — all of them U.S.-based services. If you want your conversations out of scope, the fix is encryption, not a workaround. It's the same protection privacy advocates point to against warrantless U.S. surveillance of communications — the core concern driving the Chat Control fight, too.

  1. Move sensitive conversations to end-to-end encrypted apps. Messages on Signal and WhatsApp are encrypted by default with E2EE, which keeps them outside the scanning framework. Apple's iMessage is also encrypted between Apple devices.
  2. Know which services are exposed. The scanning applies to unencrypted private messages on U.S. platforms, including Instagram DMs, Discord, Snapchat, Skype, Xbox messaging, Gmail, and Apple's iCloud Mail. Assume anything sent through those can be scanned for known CSAM.
  3. Use encrypted email for anything sensitive. Standard Gmail and iCloud Mail are in scope; an encrypted email service (such as Proton Mail) keeps the contents unreadable to the provider.
  4. Don't count on a VPN for this. A VPN hides your location and network traffic, but it can't stop a platform from scanning a message you send inside its own app. Encryption is what protects the content.

What happens next?

The temporary rules are expected to remain in place while negotiations continue over a permanent child protection law.

EU institutions are expected to resume talks in September, with lawmakers still divided over whether future rules should permit broader automated scanning of private communications or instead limit detection measures to targeted investigations involving judicial oversight.

Chat Control isn't the only EU rule reshaping the apps Europeans use every day. Reddit is now asking EU users to verify their age with a selfie to comply with the bloc's tightening platform rules.

Learn More
On Proton Unlimited's website
All-In-One
Proton Unlimited
PROMOTION: Get 30% Off
  • Comprehensive security bundle with VPN, email, cloud storage, and password manager
  • Includes Proton VPN, our top privacy VPN, which offers 20,000+ servers high-speed servers
  • Backed by Proton's Swiss privacy protection and end-to end encryption
Author Details
Thomas Kent is a multi-disciplined reporter with over a decade of experience covering online platforms, digital trends, and consumer-facing tech. Tom focuses on digital privacy, data tracking, and user behavior, with a particular interest in how cookies, online surveillance, and platform design shape the modern internet experience. His reporting takes a research-driven, news-focused approach, translating complex technical topics into clear, accessible insights.

Citations

[1] EU-Parlament winkt Chatkontrolle 1.0 durch – Breyer: “Wahrer Verlierer sind unsere Kinder”

[2] Temporary derogation from the ePrivacy Directive — roll-call vote results, European Parliament