
European Parliament approves extension of controversial 'Chat Control' until 2028... encrypted services excluded
The European Parliament has decided to extend the 'Chat Control' regulation, which allows tech companies to scan private messages to combat Child Sexual Abuse Material (CSAM), until 2028. This decision revives the surveillance system that expired last April, but with end-to-end encrypted (E2EE) services excluded from scanning, the privacy debate has entered a new phase.
On July 9, 2026, the European Parliament finally passed a proposal to restore and extend the controversial 'Chat Control' regime ahead of the summer recess. Following the results of this vote, tech companies have once again secured a legal basis to scan users' private communications for the purpose of detecting Child Sexual Abuse Material (CSAM) until 2028.
This decision ends the legal vacuum that had persisted for several months since the expiration of the previous voluntary scanning regulations in April 2026. However, the mandatory scanning of end-to-end encrypted (E2EE) messages, which was the subject of the most intense debate, has been temporarily excluded from this extension, finding a compromise with privacy advocates.
The vote held on July 9, 2026, has become a significant turning point in determining the digital privacy landscape in Europe. Through this approval, the European Parliament has granted tech companies the authority to monitor messages for another two years under the guise of child protection, a move seen as ending the legislative deadlock that had lasted for several months.
This decision is a surrender of European values regarding fundamental rights that must guarantee the secrecy of users' communications. The noble goal of child protection must not become an excuse for indiscriminate digital surveillance.
This legislative process has undergone severe growing pains since the previous voluntary scanning system expired on April 3, 2026. On March 26, the extension was once rejected by lawmakers concerned about malfunctions in automated scanning systems and privacy violations, but a revised proposal was reached through trilogue negotiations held between May and June, leading to its final passage yesterday.
Temporary Protection and Technical Scope of Encryption Services
The core of this bill is the application of exceptions for end-to-end encryption (E2EE) services such as WhatsApp and Signal. Regulatory authorities have decided not to impose mandatory scanning obligations on encrypted messages where server-side scanning is technically impossible. This is interpreted as a measure that puts an end to concerns that tech companies would have to weaken encryption technology or install 'backdoors'.
- Allowing text and image scanning of non-encrypted email and messenger services
- Utilization of automatic detection mechanisms through comparison with databases of known child sexual abuse material
- Exemption from scanning obligations for communication services where end-to-end encryption (E2EE) is applied
- Inclusion of a sunset clause that applies temporarily until 2028
Major tech companies such as Google, Meta, and Microsoft have maintained their position to continue voluntary scanning for child protection even after the regulation expired last April. With the passage of this bill, these companies have resolved legal uncertainty and established a basis for stably maintaining their existing detection systems until 2028.
However, privacy advocacy groups warn that this measure will have a 'sliding door' effect. They point out that although encryption services are excluded, the legalization of indiscriminate scanning of non-encrypted communications will lower the overall level of communication secrecy for European citizens and could serve as a stepping stone for future regulatory tightening.
Legal experts are closely monitoring the possibility that this extension will conflict with Europe's General Data Protection Regulation (GDPR) and the Charter of Fundamental Rights. Since measures restricting individual privacy must possess not only legitimacy of purpose but also appropriateness and proportionality of means, analysis suggests there is ample room for legal disputes at the European Court of Justice (ECJ) in the future.
The sunset deadline set for 2028 means that the European Union must complete a more permanent and sophisticated Child Sexual Abuse Regulation (CSAR) before then. Over the next two years, discussions to find a balance between the limits of technical detection capabilities and privacy protection are expected to unfold more intensely across Europe.
In conclusion, this extension of chat control symbolizes a precarious compromise between the public interest of child protection and the fundamental right to individual privacy. How much this authority, granted temporarily until 2028, will actually contribute to the prevention of child crimes, and whether citizens' digital rights can be preserved without being infringed upon in the process, is expected to be the core of future policy evaluation.



This content is for information and commentary only and is not investment advice.
Join the reader conversation
Read reactions to this article and leave your own note.