TL;DR: It's April 3, 2026. Chat Control 1.0 is dead. The temporary EU regulation that let Google, Meta, Microsoft, and TikTok voluntarily scan your private messages for child abuse material expired today after the European Parliament voted 311-228 to reject extending it. Platforms operating in the EU no longer have a legal basis for mass message scanning. But the permanent replacement (CSAR, or Chat Control 2.0) is very much alive. Trilogue negotiations resume in May, with a political deal targeted for July. The Commission still wants mandatory scanning. The encryption fight is just getting started.
What Actually Changed Today
At midnight, EU Regulation 2021/1232 stopped being law. That's the temporary ePrivacy derogation that since 2021 gave tech companies a legal pass to scan private messages, even though doing so technically violates the EU's ePrivacy Directive.[1]
The companies affected:
- Google: Gmail, Google Chat
- Meta: Facebook Messenger, Instagram DMs
- Microsoft: Outlook, Xbox messages
- TikTok: Direct messages
These platforms were running three types of automated scanning on unencrypted messages in the EU:
- Hash scanning: Matching images against databases of known child sexual abuse material (PhotoDNA-style)
- AI image classification: Algorithms flagging new images as potential CSAM
- Text analysis: Algorithms scanning conversations for grooming patterns
As of today, none of that has a legal basis under EU law. If these platforms continue scanning, they're violating the ePrivacy Directive, and they know it.[2]
End-to-end encrypted platforms like Signal and WhatsApp? Nothing changes for them. They weren't doing this scanning anyway.
How Parliament Killed It
We covered the full political drama last week. Here's the short version.
The European Commission wanted a two-year extension to April 2028. The Council (EU member state governments) backed the Commission. Parliament said no, twice.
On March 11, Parliament passed a compromise: extend scanning, but require judicial authorization and limit it to targeted cases. The Council rejected the compromise. They wanted mass scanning without judicial gatekeeping.
On March 26, the Commission's clean extension went to a plenary vote. Parliament killed it 311-228, with 92 abstentions.[3]
The EU's Center for Democracy and Technology called it "a strong message that the European Parliament takes privacy seriously." CDT Europe added that the vote "sends an unambiguous signal that indiscriminate surveillance of private communications is incompatible with European fundamental rights."[4]
Patrick Breyer, the Pirate Party MEP who's been the sharpest critic of Chat Control, put it more bluntly: Parliament chose privacy over "error-prone mass surveillance by US corporations."[5]
The Scanning They Lost Was Bad at Its Job
Let's not mourn this system. The numbers speak for themselves:
- According to the Swiss Federal Police, around 80% of machine-flagged content turns out not to be illegal, and in Ireland only about 20% of reports were confirmed as actual abuse material[5]
- Germany's federal police (BKA) found nearly 50% of reports were criminally irrelevant[5]
- Among German suspects flagged: roughly 40% were minors, often sexting without criminal intent[5]
That's the system EU governments wanted to extend. An error-prone dragnet that mostly caught teenagers and innocent people, while actual abusers used platforms the scanning couldn't touch.
What Platforms Will Actually Do
This is the question everyone's watching. Will Google, Meta, and Microsoft actually stop scanning EU messages today? Or will they quietly continue and dare regulators to enforce?
The honest answer: we don't know yet. Platforms have three options:
- Comply and stop scanning: The legally clean choice. Remove the automated scanning systems for EU users.
- Find an alternative legal basis: Tricky. The Digital Services Act's general monitoring prohibition makes this hard. Companies could argue "legitimate interest" under GDPR, but that's legally shaky for mass surveillance.
- Keep scanning and fight the enforcement action: Risky but possible. EU enforcement is slow. It could take years before a regulator actually forces compliance.
Watch the next few weeks. If platforms issue transparency reports showing EU scanning numbers dropping to zero, the law worked. If the numbers stay the same, we'll know they're gambling on enforcement delays.
Chat Control 2.0: The Permanent Danger
Here's where the celebration stops.
Chat Control 1.0 was the appetizer. The main course is CSAR (the Child Sexual Abuse Regulation) which would make scanning mandatory and extend it to encrypted platforms. We've covered the full scope.
The trilogue negotiations (three-way talks between Parliament, Council, and Commission) are on a tight schedule:
- May 2026 (expected): Next trilogue session
- June 29, 2026 (expected): Fifth and final trilogue session
- July 2026: Target date for a political deal
The Council wants broad scanning powers. The Commission is on their side. Four EU Commissioners signed a statement insisting "the protection of children, not that of perpetrators, must remain the guiding principle."[6]
Parliament is the only institution pushing back. Their November 2023 negotiating mandate excludes end-to-end encrypted services, rejects mandatory age verification, and demands judicial warrants for any scanning. But the Council's position still allows "voluntary" mass scanning, mandatory age verification (killing anonymous communication), and AI analysis of unknown content.
Signal has already said it'll leave Europe before implementing client-side scanning. If CSAR passes in anything close to the Council's version, encrypted messaging in the EU faces an existential threat.
What You Can Do
If You're in the EU
Contact your MEPs before the next trilogue. Tell them you support Parliament's position: targeted surveillance with judicial warrants, not mass scanning. The EDRi campaign page makes this easy.
Switch to Encrypted Messaging
Use Signal, not Messenger. The more people depend on real end-to-end encryption, the harder it becomes for any government to justify breaking it. Our comparison guide can help you choose.
Watch Platform Behavior
If you use Gmail, Messenger, or Outlook in the EU, watch for transparency reports or policy changes in the coming weeks. Platforms that keep scanning after today are breaking EU law.
Support Digital Rights Groups
EDRi, Patrick Breyer's office, and CDT Europe have been fighting Chat Control for years. They need support for the CSAR battle ahead.
Today Is a Win. Tomorrow Is a Fight.
Chat Control 1.0 is dead. Voluntary mass scanning of private messages in the EU lost its legal basis today. The European Parliament defended privacy when the Commission and Council wouldn't.
But the permanent regulation that could mandate scanning, including on encrypted platforms, is three months from a potential deal. The Commission hasn't given up. The Council hasn't given up. The lobbying from Thorn and the ECLAG coalition hasn't slowed down.
The fight just moved from "should we extend the temporary system" to "should we build a permanent one." And the permanent one is worse.
Celebrate today. Organize for the next trilogue.
References
- EUR-Lex: Regulation 2021/1232 (temporary ePrivacy derogation for voluntary CSAM detection)
- CADE: European Parliament Rejects Extension of Chat Control Rules on Message Scanning (March 2026)
- Computer Weekly: EU Parliament Rejects Chat Control Message Scanning (March 2026)
- CDT Europe: Response to European Parliament Rejection of Chat Control 1.0 Extension
- Patrick Breyer MEP: Chat Control Tracker (comprehensive timeline and fact-check)
- Daily Sabah: EU Lawmakers Reject Extension of Child Abuse Detection Rules (March 2026)
Published: April 3, 2026