1. What is Chat Control?
“Chat Control” is not the official title of a single law. It is a term used by journalists, digital rights organisations, researchers and political critics to describe EU measures aimed at detecting child sexual abuse material in digital platforms and communication services.
The main permanent legislative file is the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse, presented by the European Commission on 11 May 2022 under reference COM(2022) 209 and legislative procedure 2022/0155(COD). The proposal is commonly referred to in English as the Child Sexual Abuse Regulation, hence the acronym CSAR.3
The phrase Chat Control is effective because it highlights the prospect of monitoring private communications. It can also be misleading when it collapses different instruments into one label. A sound analysis must separate two distinct layers:
- Chat Control 1.0: Regulation (EU) 2021/1232, a temporary derogation from the ePrivacy framework.
- Chat Control 2.0: the permanent regulatory proposal introduced in 2022.
The distinction is not cosmetic. The first instrument operates as an exceptional legal permission for certain voluntary practices. The second was designed to create permanent obligations, national supervisory structures, regulatory orders and a new EU Centre.
2. What problem is the European Union trying to solve?
The European Union seeks to combat the production, distribution and repeated victimisation associated with child sexual abuse material, usually abbreviated as CSAM. The expression is preferable to “child pornography” because it makes clear that the material records or depicts abuse, exploitation and rights violations rather than a legitimate category of sexual content.3
The problem is inherently cross-border. Content may be produced in one country, hosted in another, shared through a service established in a third jurisdiction and viewed worldwide within seconds. Victims may continue to suffer exposure for years after the original abuse, with each new circulation compounding the harm.
The proposal also covers grooming, meaning the process by which an adult builds trust with, manipulates or coerces a child for sexual purposes. Unlike matching a file against a known image database, detecting grooming requires interpretation of context, chronology, age, intent, the relationship between the parties, coercion, language and cultural codes. It is therefore significantly more complex and far more prone to error.
A related concern is sextortion, in which real or manipulated intimate images are used to demand money, additional material, in-person contact or compliance. Generative AI has added deepfakes and synthetic sexual content capable of causing serious harm even when no original image of the victim exists.3
The Commission argues that voluntary platform action is uneven, concentrated among a limited number of companies and insufficient to provide consistent protection across services. The proposal aims to harmonise rules and reduce Europe’s dependence on foreign reporting systems.38
3. Core concepts you need to understand
3.1 Known and previously unknown CSAM
Known CSAM is material that has already been identified and validated by competent authorities or specialised organisations. Systems can detect copies through digital fingerprints, including where an image has been resized, recompressed or slightly altered.
Previously unknown CSAM is material that has not yet been catalogued. Detecting it requires AI classifiers that estimate whether an image or video falls within a prohibited category. The uncertainty is greater, as is the risk of misclassifying medical, family, artistic or educational material.
That difference is fundamental. Matching a file against a validated database is not the same as asking an algorithm to decide, without a known reference, whether an unseen item depicts abuse.
3.2 Grooming
Grooming is the process of approaching and manipulating a child for sexual purposes. It may involve building trust, isolating the child, emotional blackmail, gradual sexualisation, promises of benefits or threats.
Automated detection is difficult because individual words rarely establish the offence. The same sentence may mean very different things depending on who says it, the ages involved and the wider conversation. Automated tools may assist triage, but they cannot replace contextual investigation and human review.
3.3 NI-ICS
Number-independent interpersonal communications services, or NI-ICS, include messaging apps, webmail and other services that allow interpersonal communication without relying on the traditional telephone numbering system. Their inclusion within the European electronic communications framework was one of the developments used to justify the temporary derogation.910
3.4 End-to-end encryption
With end-to-end encryption, or E2EE, a message is encrypted on the sender’s device and decrypted only on the recipient’s device. Under normal conditions, the service provider does not hold the keys required to read the content in transit.
E2EE protects personal conversations, business transactions, medical records, journalistic sources, legal strategy, victims of abuse, political dissidents and government operations. It is not a luxury privacy feature; it is a core security infrastructure.
3.5 Client-side scanning
Client-side scanning means analysing content on the user’s device before encryption or after decryption. The cryptographic protocol may remain mathematically intact, yet the practical confidentiality of the communication is bypassed because the content is inspected at one of the endpoints.
Critics compare this architecture to placing an inspection mechanism inside every user’s device. Supporters respond that it may permit detection without intercepting data in transit. The real dispute is therefore not merely whether encryption is technically “broken”, but whether the system still deserves to be called confidential.
4. How did Chat Control develop? A legal and political history
4.1 The ePrivacy framework
Directive 2002/58/EC, commonly known as the ePrivacy Directive, protects the confidentiality of electronic communications and related traffic data. Article 5 limits interception, listening, storage and other forms of surveillance by parties other than the users themselves, unless legally authorised.9
For years, internet-based messaging and webmail services did not sit neatly within the same framework as traditional telecoms operators. The European Electronic Communications Code broadened the regulatory definition of electronic communications services and brought NI-ICS more clearly within the scope of European communications law.10
That change created a legal problem for companies already scanning non-encrypted communications on a voluntary basis. Practices developed largely within the United States reporting ecosystem could now conflict with the stricter European confidentiality framework.
4.2 The North American reporting model
Major US technology companies had long used automated tools to detect known abuse imagery and report apparent matches to the National Center for Missing & Exploited Children (NCMEC) through its CyberTipline.
US law imposes reporting duties on providers once they become aware of certain illegal material. The European system, by contrast, had to reconcile voluntary provider detection with the confidentiality obligations of ePrivacy.
That tension led to the 2021 temporary derogation.
4.3 Chat Control 1.0: Regulation (EU) 2021/1232
Regulation (EU) 2021/1232 was adopted on 14 July 2021. It created a temporary derogation from specific provisions of the ePrivacy Directive so that number-independent communication providers could continue voluntarily processing data to detect and report online child sexual abuse.2
The regulation permitted the use of technologies aimed at identifying:
- known CSAM;
- previously unknown CSAM;
- solicitation or grooming of children.
Its defining feature was voluntariness. It did not impose a universal scanning duty on every service. Instead, it created a legal safe harbour for certain practices already used by some companies.
4.4 Chat Control 2.0: the 2022 permanent proposal
On 11 May 2022, then Home Affairs Commissioner Ylva Johansson presented the proposed permanent regulation. It moved well beyond a temporary derogation. The Commission’s model combined risk assessments, mitigation duties, detection orders, reporting, removal, blocking and a new institutional framework.3
The proposal also envisaged an EU Centre to Prevent and Combat Child Sexual Abuse. Its functions would include maintaining indicators, supporting providers and public authorities, receiving reports, filtering clearly erroneous submissions, assisting victims and facilitating operational cooperation.
The Commission framed the proposal as a move away from uneven voluntary action towards a coherent European system. Critics saw it as a shift from targeted law enforcement to preventive, infrastructure-level monitoring.
4.5 The EDPB–EDPS warning in 2022
In Joint Opinion 04/2022, the European Data Protection Board and the European Data Protection Supervisor warned that the proposal could become the basis for general and indiscriminate scanning of the content of virtually all forms of electronic communication.5
They did not argue that every anti-CSAM measure would be unlawful. Their criticism focused on the breadth of the system, vague thresholds, the risks posed to encryption, false positives and the lack of adequate safeguards against population-wide monitoring.
4.6 The technical and legal debate in 2023
Institutional resistance grew during 2023. A complementary impact assessment by the European Parliamentary Research Service examined proportionality and implementation concerns. The Council Legal Service also raised fundamental-rights concerns, particularly where detection orders might affect users with no objective link to criminal activity.1112
Security researchers warned that client-side scanning creates an inspection capability within personal devices that can be repurposed for other objectives. The concern is not confined to the current list of prohibited content; it lies in the existence of an infrastructure that can later be expanded.13
4.7 Parliament’s November 2023 position
In November 2023, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs adopted a more restrictive negotiating mandate. Parliament favoured targeted measures based on reasonable suspicion, narrowed detection orders and excluded end-to-end encrypted communications.4
The Parliament did not abandon child protection. It attempted to move the proposal away from service-wide risk-based scanning and towards interventions closer to individualised investigation.
4.8 The 2024 temporary extension
Because the permanent regulation had not been agreed, the Chat Control 1.0 derogation was extended in 2024 until 3 April 2026.14
Successive Council presidencies attempted to build support for the permanent CSAR. A Belgian compromise in 2024, associated with so-called upload moderation, failed to secure sufficient political backing. Germany, Austria, the Netherlands and several other countries raised concerns about encryption, legality and cybersecurity.15
4.9 The Council’s shift in 2025
In November 2025, the Council reached a common position after reworking central elements of the proposal. Its text reduced the emphasis on mandatory detection orders and moved parts of the system towards voluntary mitigation and risk-management measures.16
Supporters described the change as a pragmatic compromise capable of restarting negotiations. Critics argued that the regulatory infrastructure remained in place and that scanning could continue through other legal pathways.17
The Council’s agreement allowed interinstitutional negotiations with the European Parliament to begin.
5. Chat Control timeline
| Date | Development | Why it matters |
|---|---|---|
| 2002 | Adoption of the ePrivacy Directive | Establishes strong confidentiality rules for electronic communications.9 |
| 2018–2020 | The European Electronic Communications Code broadens the framework to cover NI-ICS more clearly | Messaging and webmail services become more firmly embedded in EU communications law.10 |
| 14 July 2021 | Regulation (EU) 2021/1232 is adopted | Creates the temporary voluntary derogation known as Chat Control 1.0.2 |
| 11 May 2022 | Commission presents COM(2022) 209 | Launches the permanent proposal known as Chat Control 2.0 or the CSAR.3 |
| 28 July 2022 | Joint EDPB–EDPS Opinion | Warns of general and indiscriminate scanning risks.5 |
| April–June 2023 | Legal and technical assessments in Parliament and Council | Concerns grow over proportionality, E2EE and legality.1112 |
| 14 November 2023 | Parliament adopts its negotiating mandate | Favours targeted orders and protection for E2EE.4 |
| 2024 | Temporary derogation extended until 3 April 2026 | Keeps the transitional regime alive while the permanent CSAR remains blocked.14 |
| 2024 | Belgian Council compromise fails | Member States remain divided.15 |
| 26 November 2025 | Council adopts a common position | Opens the way to interinstitutional negotiations.1617 |
| 26 March 2026 | Parliament closes first reading of the new extension without agreement | Temporary regime expires on 3 April 2026.6 |
| 2 July 2026 | Council sends its position to Parliament at second reading | Parliament gains a limited period to reject or amend the text.6 |
| 7–9 July 2026 | Urgency procedure and vote | Rejection wins a simple majority but not the required absolute majority; an E2EE safeguard is adopted.6718 |
6. Chat Control 1.0 and Chat Control 2.0: what is the difference?
| Issue | Chat Control 1.0 | Chat Control 2.0 / CSAR |
|---|---|---|
| Legal basis | Regulation (EU) 2021/1232 | Proposal COM(2022) 209 |
| Character | Temporary derogation from ePrivacy | Permanent regulatory framework |
| Basic logic | Allow voluntary practices under defined conditions | Risk assessment, mitigation, enforcement and, in the original proposal, detection orders |
| Services covered | Primarily NI-ICS | Messaging, hosting, app stores and other defined services |
| Detection | Voluntary | The design changed during negotiations; the original proposal provided for mandatory detection orders |
| E2EE | Contested; Parliament adopted an exclusion in July 2026 | Parliament’s 2023 position protected E2EE; Council positions evolved over time |
| Institutions | Providers and existing authorities | EU Centre, national coordinating authorities and permanent enforcement mechanisms |
| Main risk | Normalisation of a supposedly temporary exception | Creation of a durable infrastructure for preventive inspection |
This comparison explains why it is inaccurate to say simply that “the EU approved Chat Control”. At different stages, the label refers to different texts and procedures. The legal position must always be tied to a date, a specific instrument and the institution acting on it.
7. How do the detection technologies work?
7.1 Cryptographic and perceptual hashing
A traditional hash is a mathematical representation of a file. A minor alteration normally generates an entirely different value. To identify visually similar images, systems use perceptual hashes, which aim to recognise visual characteristics even after compression, cropping or resizing.
PhotoDNA, developed by Microsoft, is one of the best-known tools for identifying copies of previously confirmed abuse imagery.19
Detection of known material is the least technically controversial use case because it relies on a validated reference. Even here, however, database quality, false matches, indicator governance and procedures for removing wrongly included content remain crucial.
7.2 AI classification
For previously unknown material, a system must classify images or video according to statistical patterns. That necessarily introduces uncertainty. Models may misclassify medical images, family photographs, art, educational content or material from unfamiliar cultural contexts.
The EU AI Act lays down rules for artificial intelligence systems, but it does not automatically resolve the CSAR’s constitutional problems. A system may satisfy formal risk-management requirements and still be deployed disproportionately against private communications.20
7.3 Grooming detection
Grooming detection is even more delicate. There is no simple digital fingerprint that proves solicitation. The system looks for combinations of language, behaviour and progression over time.
Error rates may be significant because the same vocabulary appears in legitimate exchanges among family members, healthcare professionals, educators and teenagers. Automated classification should therefore be treated as a triage signal, never as sufficient proof of a criminal offence.
7.4 The base-rate problem
Even a system marketed as 99.9% accurate may generate a very large number of false alerts when applied to billions of messages. Where the event being detected is rare, a small error rate can still outnumber genuine cases.
This is the base-rate problem. It means effectiveness cannot be established through a single headline accuracy figure. Regulators need data on:
- sensitivity and specificity;
- positive predictive value;
- confirmed matches;
- duplicate reports;
- impact on investigations;
- victims identified;
- false positives by technology and content category.
Without those metrics, policy is built on vendor claims rather than independent evidence.
8. Does Chat Control break encryption?
The technically accurate answer is: not necessarily at the level of the cryptographic algorithm, but it may bypass the confidentiality that encryption is meant to provide.
Where a service uses genuine E2EE, the server cannot read message content. To detect images or text, the material would have to be analysed before encryption, after decryption or through a redesign of the service architecture.
Client-side scanning leaves the message encrypted while it travels across the network, but introduces an inspection mechanism on the user’s device. That is why many experts regard the distinction between “breaking” and “bypassing” encryption as inadequate from a fundamental-rights perspective.
In Podchasov v Russia, the European Court of Human Rights recognised that generalised access obligations affecting encrypted communications can weaken security for all users and create systemic risk.21
Security experts also warn of function creep. A scanning architecture introduced for CSAM could later be adapted to terrorism, copyright infringement, extremism, leaked documents or political content. That does not mean the EU intends those uses today. It means the technical capability would exist.
9. Is Chat Control compatible with European fundamental rights?
9.1 The EU Charter of Fundamental Rights
The Charter protects:
- private and family life under Article 7;
- personal data under Article 8;
- freedom of expression under Article 11;
- freedom to conduct a business under Article 16;
- the rights of the child under Article 24;
- effective judicial protection under Article 47.1
Article 52 allows limitations on fundamental rights only where they are provided by law, respect the essence of those rights, are necessary and proportionate, and pursue a legitimate objective.
Protecting children is unquestionably a legitimate objective. The dispute is whether inspecting communications belonging to non-suspects is necessary and whether less intrusive means could achieve comparable results.
9.2 Digital Rights Ireland
In Digital Rights Ireland, the Court of Justice of the European Union invalidated the Data Retention Directive because it interfered broadly with privacy and data protection without sufficient safeguards.22
The judgment did not concern CSAM or content scanning. Its relevance lies in the principles it articulated: scope, absence of a connection to suspicion, duration, access, security and independent oversight.
9.3 Tele2 Sverige and Watson
In Tele2 Sverige and Watson, the CJEU held that national legislation could not impose general and indiscriminate retention of traffic and location data for the generic purpose of fighting crime.23
The decision reinforces the idea that the seriousness of an objective does not remove the need for targeting and proportionality.
9.4 Privacy International and La Quadrature du Net
In Privacy International and La Quadrature du Net, the Court considered national security and data-retention regimes. It accepted that serious threats may justify exceptional measures, while maintaining firm limits on permanent, generalised surveillance.2425
Chat Control involves different technologies and private actors, but the constitutional question is similar: at what point does a measure stop being targeted and begin treating the entire population as a source of preventive intelligence?
9.5 SpaceNet
In SpaceNet and Telekom Deutschland, the CJEU again rejected general retention for broad public-security purposes, reaffirming the importance of targeting and safeguards.26
9.6 Scarlet Extended and Netlog
In Scarlet Extended and SABAM v Netlog, the Court rejected injunctions requiring intermediaries to install general filtering systems monitoring all users for copyright enforcement.2728
The protection of children is far more compelling than copyright enforcement. Even so, these judgments reveal the EU legal order’s deep suspicion of general monitoring duties imposed on private intermediaries.
10. Are child protection and privacy competing rights?
Not in any absolute sense.
States have positive obligations to protect children from abuse, exploitation and violence. Those obligations justify investigation, content removal, police cooperation, platform accountability and prevention.
Children also possess privacy rights and may depend on confidential communication to report abuse, seek counselling or speak to trusted professionals. Scanning systems may also capture teenagers sharing their own images, victims preserving evidence or families exchanging lawful photographs.
Public policy must protect children both from exploitation and from unnecessary state or corporate intrusion. A child cannot be reduced to an abstract justification for suspending rights that belong to children as well.
11. The impact on legal and professional privilege
One of the least discussed consequences concerns communications protected by professional secrecy or privilege.
Lawyers receive admissions, evidence, litigation strategy and sensitive personal information. Doctors receive images and medical records. Journalists speak to confidential sources. Psychologists receive deeply personal disclosures. Businesses discuss trade secrets.
Automated analysis is already an interference, even where no employee reads the message. To determine that content does not match an indicator, the system must still process it.
For legal practice, the issue reaches the right of defence and access to justice. A client must be able to disclose damaging facts to their lawyer without fearing that an external classifier may generate an erroneous report.
Any constitutionally sound regime should include enhanced safeguards for privileged communications, judicial control, data minimisation, rapid deletion and effective redress.
12. Where the EU institutions stand
12.1 European Commission
The Commission argues that the current system is fragmented, overly dependent on voluntary practices and unable to guarantee consistent protection. It says the proposal creates proportionate obligations, improves victim identification and establishes an EU Centre to support companies and public authorities.8
The strength of the Commission’s position lies in recognising that platforms cannot remain indifferent when their infrastructure is used to facilitate crimes against children.
Its weakness lies in assuming that detection technologies can be deployed at scale without sliding into general monitoring.
12.2 European Parliament
Parliament’s 2023 position was more protective of privacy. It favoured targeted orders, reasonable suspicion, tighter limits on detection and protection for E2EE.4
In 2026, the Parliament divided again. A simple majority of those voting supported rejection of the extension, but the second-reading rules required an absolute majority of all members.67
12.3 Council of the European Union
The Council reflected deep divisions among Member States. Some delegations called for broader detection powers; others warned of constitutional and cybersecurity risks.
The 2025 Council position softened coercive aspects of the Commission’s original proposal, but did not remove every controversy.1617
12.4 EDPB and EDPS
The European data protection authorities have been the most consistent institutional critics. Their opinions emphasise the risk of general scanning, the uncertainty of automated tools, the impact on E2EE and the need for strictly targeted measures.529
12.5 Child protection organisations
Child protection organisations argue that encryption and reduced provider visibility can prevent victims from being found. They support mechanisms capable of preserving reporting channels and limiting the continued spread of abusive material.
That argument deserves serious engagement. It is a mistake to suggest that every critic of scanning is indifferent to victims. The disagreement concerns design, scale, safeguards and evidence of effectiveness.
12.6 Technology companies and security experts
Services such as Signal, Proton, Matrix and other encryption advocates argue that there is no exceptional access mechanism that can be made safe only for legitimate authorities. An inspection capability installed on user devices expands the attack surface and can be abused by governments or criminals.
Researchers have described client-side scanning as a surveillance mechanism capable of altering the relationship between users and their own devices.13
13. Political backchannels: lobbying, technology and access to the Commission
The legislative process involved intense advocacy by child protection organisations, technology companies, law-enforcement bodies, academics and digital rights groups.
Investigative reporting highlighted the privileged access enjoyed by the US-based organisation Thorn and its representatives during the Commission’s preparation of the proposal. Thorn works in child protection and also develops detection technologies. Critics questioned the overlap between public-interest advocacy, technology supply and the expansion of a compliance market.30
The existence of lobbying does not prove corruption. Civil-society organisations and companies legitimately take part in the regulatory process. The concern begins where meetings, documents, technical assumptions and conflicts of interest are not sufficiently transparent.
A law capable of creating mandatory demand for detection tools also creates a market. Providers of scanning, age assurance, digital identity and automated moderation may all gain commercially. That makes it essential to distinguish scientific evidence from commercial interest.
14. The Commission’s advertising campaign and microtargeting controversy
In 2023, the European Commission ran online advertisements in support of the proposal. Reporting and a complaint to the EDPS questioned the use of targeting criteria capable of inferring or exploiting political and religious views.31
In a 2024 decision, the EDPS found that the Commission had breached data protection rules applicable to EU institutions in connection with the campaign.32
The episode is symbolically powerful. The institution advocating broader analysis of communications was itself criticised for using advertising practices inconsistent with the data protection standards it was bound to uphold.
That does not automatically invalidate the CSAR. It does, however, show that even measures pursued in the name of a compelling cause require scrutiny of the methods used to build political support.
15. What happened in the July 2026 vote?
15.1 The end of first reading and expiry of the temporary regime
In March 2026, Parliament and Council failed to agree a further extension of Regulation (EU) 2021/1232. The derogation expired on 3 April 2026.6
On 2 July, the Council adopted its position and returned the file to Parliament at second reading. At that stage, rejecting or amending the Council position required an absolute majority of Parliament’s component members, not merely a majority of those present.6
15.2 The vote
The proposal to reject received 314 votes in favour, 276 against and 17 abstentions. Rejection therefore won among participating voters, but failed to reach the threshold required to have legal effect.718
It is inaccurate to say that absent MEPs “voted in favour”. They did not vote. Their absence nonetheless had the practical effect of benefiting the Council position because rejection depended on an absolute majority.
15.3 The encryption amendments
Parliament adopted amendments intended to exclude end-to-end encrypted communications from the temporary regime.618
Because Parliament changed the text, it did not automatically become final law. As of 10 July 2026, the Council still had to accept the amendments or enter conciliation.
15.4 Was it a “procedural coup”?
Critics accused the parliamentary majority of using an urgency procedure and the pre-recess timetable to reduce scrutiny. The political criticism is substantial, particularly because the expiry date had been known for years.
Legally, however, describing the episode as a “coup” requires proof of a concrete breach of Parliament’s Rules of Procedure. The absolute-majority rule at second reading was not invented for this file; it is part of the EU legislative process.
My assessment is that the process may have been formally defensible yet democratically poor. Minimum procedural legality and deliberative legitimacy are not the same thing.
16. What was the legal status of Chat Control in July 2026?
As of 10 July 2026, two processes were running in parallel:
- Temporary extension of Chat Control 1.0: Parliament did not reject the Council position and adopted amendments, including an E2EE exclusion. The Council still had to decide whether to accept those changes.
- Permanent Chat Control 2.0/CSAR: interinstitutional negotiations continued following the Council’s 2025 common position.
It is therefore misleading to say simply that “Chat Control was approved” or “Chat Control was rejected”. The answer depends on the instrument, the procedural stage and the wording under discussion.
17. Effects on users, companies and Europe’s digital economy
17.1 Ordinary users
Users may have messages, images and files processed by automated systems even where they are not individually suspected. False positives can lead to account suspension, data preservation and referral to law-enforcement authorities.
The risk is not evenly distributed. Minority communities, teenagers, families, healthcare professionals and people exchanging sensitive material may be particularly exposed to mistaken classification.
17.2 Messaging services
Platforms may have to redesign products, create channels for complying with orders, implement risk assessments and document regulatory compliance.
Smaller companies will face proportionally higher costs. Large platforms have legal teams, datasets and infrastructure capable of absorbing complex obligations. A law designed to constrain digital giants may inadvertently strengthen their competitive advantage.
17.3 Encryption and cybersecurity
Any functional duty to access content can undermine the promise of E2EE. Even where the mathematics of encryption remains intact, endpoint scanning introduces new components, permissions and attack surfaces.
European security depends on strong communications. Weakening endpoints to fight one category of crime may expose citizens, governments and businesses to espionage, ransomware and hostile-state operations.
17.4 Age assurance
Protecting minors may lead services to verify the age of every user. That can involve identity documents, biometrics, facial-age estimation or digital identity systems.
Sound solutions should verify only the necessary attribute—for example, “over 18”—without revealing a person’s full identity. Data minimisation is essential if child protection is not to become universal identification on the internet.
17.5 Anonymity
Anonymity can shield criminals, but it also protects victims, whistleblowers, dissidents, LGBTQIA+ people in hostile environments and individuals facing persecution.
Eliminating anonymity to improve traceability could have political and social consequences far beyond the original objective.
18. The paradox: could the law harm children themselves?
Automated systems may treat as criminal images created or shared by teenagers, family photographs, medical consultations or evidence preserved by victims.
In cases of consensual sexting between adolescents, criminal law and platform policy already struggle to distinguish exploitation, coercion, age differences and evolving autonomy.
A policy designed to protect children may expose them to investigation, loss of privacy and renewed victimisation if automated systems cannot understand context.
Success should therefore not be measured solely by the number of reports generated. Relevant indicators include victims identified, networks disrupted, time-to-removal, report quality and harms caused by mistaken intervention.
19. My legal assessment: where is the real line?
The European Union should impose robust duties on platforms. Digital services cannot invoke neutrality while their infrastructure is used to store, distribute or monetise crimes against children.
Risk assessment, safety by design, rapid response to reports, removal of confirmed material, evidence preservation, transparency and international cooperation are all legitimate obligations.
Targeted investigation orders directed at identified people, accounts, groups or transaction flows can also be legitimate where they are based on objective grounds, time-limited and subject to judicial or genuinely independent control.
The line is crossed when investigation no longer begins with suspicion and instead examines everyone in order to discover who should become a suspect.
That is the quiet constitutional shift Chat Control may produce:
- from individualised suspicion to abstract risk;
- from warrant to infrastructure;
- from investigation after the fact to inspection before the event;
- from public investigator to private intermediary;
- from exceptional surveillance to permanent capability.
Child protection should not depend on a technological presumption of universal suspicion.
20. What would a constitutionally sustainable alternative look like?
A European model compatible with the rule of law should combine technology, human investigation and institutional safeguards.
20.1 Targeted orders
Detection orders should apply to accounts, users, groups or situations linked to objective indicators. The fact that a service can be abused does not make all of its users legitimate targets.
20.2 Prior independent authorisation
Intrusive measures should require approval by a court or a genuinely independent authority, with review and appeal rights.
20.3 Unequivocal protection for E2EE
The legislation should prohibit duties requiring general access to encrypted communications, including scanning at the endpoint.
20.4 Independent scientific auditing
Detection technologies should be tested by independent institutions. Error rates, datasets, inclusion criteria and real-world performance should be transparent.
20.5 Professional secrecy and privilege
Communications between lawyers and clients, doctors and patients, journalists and sources, and other protected relationships require specific safeguards.
20.6 A ban on function creep
Databases and systems built for CSAM must not be repurposed for other categories of content without a new legislative process, a fresh necessity assessment and constitutional review.
20.7 Investigation and prevention
The EU should invest in specialised police units, cross-border cooperation, financial tracing, authorised undercover work, victim identification, trauma support, digital education and forensic capacity.
The volume of alerts cannot substitute for the quality of investigation.
21. What could it mean for WhatsApp, Signal, Telegram and email?
WhatsApp and Signal
Services using E2EE by default sit at the centre of the controversy. Parliament’s position sought to exclude them from temporary voluntary scanning. The final impact depends on whether the Council accepts that wording and on the future text of the permanent CSAR.
Telegram
Telegram offers different communication modes. Not all chats use E2EE. The legal analysis depends on the type of chat and the service architecture actually used.
Gmail, Outlook and other email services
Conventional email is generally not protected by E2EE between end users. Providers may retain technical access to content and may therefore be more directly exposed to voluntary detection regimes.
Instagram, Discord and gaming platforms
Messages not protected by E2EE may remain within the scope of scanning and risk-management obligations. Services heavily used by minors are likely to face especially strong regulatory pressure.
23. Conclusion
Chat Control is one of the defining tests of European digital constitutionalism. It begins with a legitimate and urgent aim: protecting children from crimes that cross borders and remain online long after the original abuse.
The danger does not lie in regulation itself. It lies in turning a duty of targeted investigation into a privately operated, preventive infrastructure for inspecting communications.
Europe has built its legal identity around dignity, privacy, data protection and limits on public power. Abandoning those guarantees in the name of protection may produce a more intrusive system without necessarily producing a more effective one.
The answer is not passivity. It is precision: investigate better, act faster, remove confirmed material, identify victims, cooperate across borders and confine every intrusion to what is demonstrably necessary.
The rule of law is not a refusal to fight evil. It is the refusal to become unrecognisable while doing so.
References and primary sources
- [1] EUROPEAN UNION. Charter of Fundamental Rights of the European Union. Official Journal of the European Union, C 202, 7 June 2016. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12016P/TXT. ↩
- [2] EUROPEAN PARLIAMENT; COUNCIL OF THE EUROPEAN UNION. Regulation (EU) 2021/1232 of 14 July 2021 on a temporary derogation from certain provisions of Directive 2002/58/EC. Available at: https://eur-lex.europa.eu/eli/reg/2021/1232/oj/eng. ↩
- [3] EUROPEAN COMMISSION. Proposal for a Regulation laying down rules to prevent and combat child sexual abuse. COM(2022) 209 final, 11 May 2022. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022PC0209. ↩
- [4] EUROPEAN PARLIAMENT. Child sexual abuse online: effective measures, no mass surveillance. 14 November 2023. Available at: https://www.europarl.europa.eu/news/en/press-room/20231110IPR10118/child-sexual-abuse-online-effective-measures-no-mass-surveillance. ↩
- [5] EUROPEAN DATA PROTECTION BOARD; EUROPEAN DATA PROTECTION SUPERVISOR. Joint Opinion 04/2022 on the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse. 28 July 2022. Available at: https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-042022-proposal_en. ↩
- [6] EUROPEAN PARLIAMENT. Combating child sexual abuse online: vote to reinstate ePrivacy derogation. 6 July 2026. Available at: https://www.europarl.europa.eu/news/en/agenda/plenary-news/2026-07-06/13/combating-child-sexual-abuse-online-vote-to-reinstate-eprivacy-derogation. ↩
- [7] EUROPEAN PARLIAMENT. Final voting list: C10-0178/2026. Strasbourg, 9 July 2026. Available at: https://www.europarl.europa.eu/sedcms/votingList/C10-0178_Regulation-EU.pdf. ↩
- [8] EUROPEAN COMMISSION. Fighting child sexual abuse: Commission proposes new rules to protect children. 11 May 2022. Available at: https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2976. ↩
- [9] EUROPEAN UNION. Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058. ↩
- [10] EUROPEAN UNION. Directive (EU) 2018/1972 establishing the European Electronic Communications Code. Available at: https://eur-lex.europa.eu/eli/dir/2018/1972/oj/eng. ↩
- [11] EUROPEAN PARLIAMENTARY RESEARCH SERVICE. Proposal for a Regulation laying down rules to prevent and combat child sexual abuse: complementary impact assessment. April 2023. ↩
- [12] COUNCIL OF THE EUROPEAN UNION. Opinion of the Legal Service: Proposal for a Regulation laying down rules to prevent and combat child sexual abuse. Document 8787/23, 26 April 2023. ↩
- [13] LUDVIGSEN, Kaspar Rosager; NAGARAJA, Shishir; DALY, Angela. YASM (Yet Another Surveillance Mechanism). 2022. Available at: https://arxiv.org/abs/2205.14601. ↩
- [14] EUROPEAN UNION. Consolidated version of Regulation (EU) 2021/1232, valid until 3 April 2026. Available at: https://eur-lex.europa.eu/eli/reg/2021/1232/2024-05-15/eng. ↩
- [15] LE MONDE. “Chat control”: setback for the European messaging-surveillance proposal in the fight against child sexual abuse material. 20 June 2024. Available at: https://www.lemonde.fr/pixels/article/2024/06/20/chat-control-dans-la-lutte-contre-la-pedopornographie-revers-pour-le-projet-de-reglement-europeen-de-surveillance-des-messageries_6241853_4408996.html. ↩
- [16] COUNCIL OF THE EUROPEAN UNION. Proposal for a Regulation laying down rules to prevent and combat child sexual abuse: partial mandate for negotiations with the European Parliament. Document ST 15318/2025, 13 November 2025. Available at: https://data.consilium.europa.eu/doc/document/ST-15318-2025-INIT/en/pdf. ↩
- [17] REUTERS. EU states back away from forcing Big Tech to detect and remove child pornography. 26 November 2025. Available at: https://www.reuters.com/sustainability/society-equity/eu-states-back-away-forcing-big-tech-detect-remove-child-pornography-2025-11-26/. ↩
- [18] REUTERS. EU lawmakers back reinstating interim rules to allow Big Tech to tackle child pornography. 9 July 2026. Available at: https://www.reuters.com/legal/litigation/eu-lawmakers-back-reinstating-interim-rules-allow-big-tech-tackle-child-2026-07-09/. ↩
- [19] MICROSOFT. PhotoDNA: technology to help fight child exploitation. Available at: https://www.microsoft.com/en-us/photodna. ↩
- [20] EUROPEAN UNION. Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence. Available at: https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng. ↩
- [21] EUROPEAN COURT OF HUMAN RIGHTS. Podchasov v Russia, Application no. 33696/19, 13 February 2024. Available at: https://hudoc.echr.coe.int/eng?i=001-230854. ↩
- [22] COURT OF JUSTICE OF THE EUROPEAN UNION. Digital Rights Ireland Ltd and Seitlinger and Others, Joined Cases C-293/12 and C-594/12, 8 April 2014. Available at: https://curia.europa.eu/juris/liste.jsf?num=C-293/12. ↩
- [23] COURT OF JUSTICE OF THE EUROPEAN UNION. Tele2 Sverige AB and Watson and Others, Joined Cases C-203/15 and C-698/15, 21 December 2016. Available at: https://curia.europa.eu/juris/liste.jsf?num=C-203/15. ↩
- [24] COURT OF JUSTICE OF THE EUROPEAN UNION. Privacy International, Case C-623/17, 6 October 2020. Available at: https://curia.europa.eu/juris/liste.jsf?num=C-623/17. ↩
- [25] COURT OF JUSTICE OF THE EUROPEAN UNION. La Quadrature du Net and Others, Joined Cases C-511/18, C-512/18 and C-520/18, 6 October 2020. Available at: https://curia.europa.eu/juris/liste.jsf?num=C-511/18. ↩
- [26] COURT OF JUSTICE OF THE EUROPEAN UNION. SpaceNet AG and Telekom Deutschland GmbH, Joined Cases C-793/19 and C-794/19, 20 September 2022. Available at: https://curia.europa.eu/juris/liste.jsf?num=C-793/19. ↩
- [27] COURT OF JUSTICE OF THE EUROPEAN UNION. Scarlet Extended SA v SABAM, Case C-70/10, 24 November 2011. Available at: https://curia.europa.eu/juris/liste.jsf?num=C-70/10. ↩
- [28] COURT OF JUSTICE OF THE EUROPEAN UNION. SABAM v Netlog NV, Case C-360/10, 16 February 2012. Available at: https://curia.europa.eu/juris/liste.jsf?num=C-360/10. ↩
- [29] EUROPEAN DATA PROTECTION SUPERVISOR. Opinion 7/2026 on the Proposal for a Regulation extending the application of Regulation (EU) 2021/1232. February 2026. Available at: https://www.edps.europa.eu/system/files/2026-02/26-02-16_opinion-extending-application-regulation-2021-1232_en.pdf. ↩
- [30] NETZPOLITIK. Dude, where’s my privacy? How a Hollywood star lobbies the EU for more surveillance. 2022. Available at: https://netzpolitik.org/2022/dude-wheres-my-privacy-how-a-hollywood-star-lobbies-the-eu-for-more-surveillance/. ↩
- [31] WIRED. A controversial plan to scan private messages for child abuse meets fresh scandal. 24 October 2023. Available at: https://www.wired.com/story/csar-chat-scan-proposal-european-commission-ads/. ↩
- [32] EUROPEAN DATA PROTECTION SUPERVISOR. Decision concerning investigation in complaint case 2023-1205 against the European Commission. 2024. Available at: https://noyb.eu/sites/default/files/2024-12/EDPSDecision_printed_Redacted.pdf. ↩
