The EU Chat Control Proposal: Child Protection or Generalised Surveillance?

Governments have historically sought to expand their capacity to monitor communications and public activity, particularly during periods of perceived security threats. These periods are times where privacy and freedom of expression are most frequently compromised and threats to democratic government emerge. The digital age has made this project far more feasible. We now live in societies under multiple forms of surveillance, with online / digital monitoring and recording playing a central role in this development, in a synergy between the business model of so-called “surveillance capitalism” and the ever-growing desire of authorities, governments, and organisations for increasingly total ownership and control over the flows of information and their citizens’ speech.

The European Union — or, to be more precise, the majority of the governments of its member states — with the support of the European Commission (and, naturally, the Council), has repeatedly attempted to expand the scope of surveillance under various pretexts. This admittedly follows a worldwide rush to police private communications. Throughout the past two decades, proposals expanding surveillance powers have repeatedly been justified using four broad policy objectives:

  • Combating terrorism
  • Dismantling organised crime
  • Protecting intellectual property, most commonly the rights of creators
  • Protecting children

The latest episode in the effort to control speech concerns the last of these: the protection of children and the detection of the distribution of child pornography (CSAM). So? What could be more legitimate, one might ask. The problem, of course, is that by invoking child protection, access to a fundamental right of all citizens is lost: all messages, belonging to everyone, will be scanned indiscriminately, effectively eliminating the remaining confidentiality of communications completely and with the certainty that, as happened with all previous invocations of exceptional dangers, this process will expand far beyond the boundaries of combating child pornography, with no visible limit to where it will end.

Once this gateway is breached, it will remain wide open. This is what experience so far has shown. It should be noted that the process of message surveillance will, in practice, introduce software performing functions that resemble one aspect of commercial spyware—namely inspection of communications on the user’s own device before encryption—even though it is deployed through operating systems or messaging applications rather than covert compromise.

Beyond this, even the effect these will have on the action’s objective is in doubt: Experienced technologists and security experts have expressed serious doubts, unconvinced that this measure will contribute in any meaningful way to the actual fight against the dissemination of child pornography.

As Carmela Troncoso of the Max Planck Institute for Security and Privacy points out, research shows that the use of this type of software to compare content against known images of child exploitation and pornography is not effective. The detection mechanism can easily be bypassed by changing a few pixels in an image.

At the same time, when artificial intelligence is used to search for unknown but potentially suspicious images, the likelihood of “false positive results” will be so high that, on the one hand, it will involve very large numbers of people who have no connection whatsoever to such networks, while on the other hand it will block any meaningful investigation because of the enormous volume of alerts generated.

The same applies to the intention of the legislation to monitor written messages as well, where again the number of false positive findings would be so large that they would “drown out” any genuine signal (which, of course, can easily be hidden), on such a scale that any form of effective control would become impossible.

The Background

Since at least 2021, the European Commission has pursued a legislative agenda to expand the scanning of private electronic communications for child sexual abuse material. This started with temporary legislation permitting voluntary detection by providers and followed by proposals for a permanent regulatory framework. The scope of the detection activities would include even those protected by “end-to-end encryption” (E2EE), in order to identify material involving the sexual exploitation and abuse of minors.

The stated goal is unquestionably noble. The mechanism for achieving it, however, requires something unprecedented: scanning the content on the user’s device before the message is even encrypted (already an improvement over an earlier proposal that would have effectively abolished encryption altogether). This is why it became known as “Chat Control”.

In November 2023, the European Parliament’s LIBE Committee rejected the Commission’s proposal for indiscriminate mandatory message scanning in its negotiating position and called for stronger protection of end-to-end encryption. Following intense negotiations, the European Parliament voted in March 2026 not to extend the temporary message-scanning regime, with the decisive motion succeeding by a margin of one vote (307–306). It was a rare victory for digital rights, achieved through the mobilisation of hundreds of thousands of citizens.

However, the Council and the EPP did not accept this defeat: they reintroduced the exact same text as a “new” proposal, through an urgent procedure, deliberately timed for the final day before the summer recess — when the presence of Members of the European Parliament is historically more limited.

The result, as we saw on 9 July 2026, was the reinstatement of this regime despite the clear majority against it, because of the technical threshold of 361 votes required (see below).

The core danger is not only the circumvention of procedure. It is the precedent it creates: a member state or an EU institution could impose generalised, unjustified surveillance of the private communications of hundreds of millions of citizens — something that the Council’s own Legal Service acknowledged in June may violate Article 7 of the Charter of Fundamental Rights.

According to a report by the Commission itself, the rate of false positive findings from artificial intelligence tools can reach up to 20% — meaning that one in five “suspicious” private conversations would be forwarded for human review despite not actually containing illegal material.

The Commission may be underestimating the scale of false positives: former Commissioner Ylva Johansson estimates that around 75% of reports do not establish any criminal offence whatsoever.

Across the millions of messages that would be checked every day, this creates a machine for manufacturing suspects and makes the investigation of genuine cases practically impossible.

It is worth noting here a second, converging front in the restriction of speech. On 2 July — just five days before the vote to reinstate Chat Control — the Court of Justice of the European Union issued a ruling (Case C-67/25) that dramatically expanded the ban on republishing content from Russia Today and Sputnik — that is, from Russian media outlets.

The Court ruled that even private individuals operating non-profit websites funded through donations can face criminal prosecution — with a prison sentence of up to five years in Germany — simply because they republished videos, regardless of whether there was a profit motive, the duration of the material, or the extent of dissemination of the message.

It should be noted that the restriction is also independent of the content itself and of whether the content is true or false: a reproduction concerning the weather in Moscow or the description of a football match would, formally speaking, violate the ruling.

Connect this with the intended ability to deploy horizontal, EU-wide spyware installation along the lines of Chat Control, and the direction in which all of this is leading becomes menacing.

Critics — including Patrick Breyer and organisations such as European Digital Rights (EDRi) — point out that the logic in both cases is the same: the “exceptional circumstance” (child protection, information warfare) is used to justify continuously expanding tools for controlling content and communications, through mechanisms that are not easily withdrawn once the “exceptional circumstance” has ended.

The comparison with authoritarian regimes, which is often made by critics, does not concern the scale of repression — it is clearly not comparable to, say, the persecution of journalists in authoritarian states — but rather the legal architecture.

The argument is that many authoritarian regimes selectively apply laws against “disinformation” or “extremism” according to political expediency, whereas the EU is creating a permanent, technological, horizontal mechanism of control that is automatically applied to everyone — something which, critics argue, is structurally much harder to reverse once it becomes established, regardless of intentions.

The authoritarianism being built is horizontal and permanent.

The Recent History of Digital Policing in the EU Under Other Pretexts

Chat Control is not an isolated incident, but the latest chapter in a long tradition of data surveillance and automated content flagging and removal, the “automated” part being a real issue here because it pre-empts court decision and even police scrutiny.

Examples:
  • In 2006, the Data Retention Directive obliged telecommunications providers across the EU to store metadata relating to calls, messages, and internet usage of all citizens – not only suspects – in the name of counterterrorism, following the attacks in Madrid and London. In 2014, the Court of Justice of the EU annulled this Directive in its entirety, ruling that it constituted disproportionate generalised interference with fundamental privacy rights: essentially the same legal argument now being used against Chat Control.

Despite this annulment, several member states continued to maintain the national data retention legal regime derived from this directive, and the debate over a Europe-wide reinstatement remains open to this day.

For example, Greek Law 3917/2011 remains in force, obliging telecommunications providers in Greece to retain traffic and location metadata for reasons of national security and criminal investigations.

  • In the field of intellectual property, Article 17 of the Directive on Copyright in the Digital Single Market (2019) effectively obliged large-scale platforms to install automated upload filters that inspect content before it is even published — a technology structurally related to what is now being proposed for CSAM, but with a different detection target. The ECJ allowed the directive to stand, emphasizing safeguards to protect freedom of expression.
  • This was followed by the Terrorist Content Online Regulation (2021), which gives authorities the ability to demand the removal of content within one hour, with minimal judicial oversight before the order is issued. Interestingly we cannot fully assess whether this regulation has been applied legitimately, because the published public data is aggregated. We know the mechanism has been used, but we do not have enough case-level transparency to independently evaluate proportionality, accuracy, or possible overreach. This is perhaps, not a bug, but a feature.

More recently, the Digital Services Act (DSA, 2022) and negotiations on e-evidence (access by authorities to data stored in another member state without full judicial assistance) have continued along the same pattern: Each time, a specific, legitimate, and reasonable social objective – terrorism, piracy, child abuse, disinformation – is used to justify surveillance or content-control tools with a broader and more permanent application than the original objective alone would justify.

Usually, these measures produce only small or negligible results compared with the original pretexts used to introduce them. Data Retention showed marginal to no effect; article 17 IP protections probably didn’t close any “value gap” for creators and are now seen as a joke given the extent that IP rights have been utterly disregarded in training AI systems which then produce content plagiarized in one or the other form from unwitting and unwilling creators;  and as for terrorism it seems that the risk to privacy, freedom of expression are per a relevant OECD report, much higher and the “anti-terrorist” effects unmeasurable.

But regardless of their current use (or non-use) the problem is that this whole legal framework being built, directive to directive, as EDRi, an association of civil and human rights organisations from across Europe, suggests, is creating an infrastructure of surveillance, control and exclusion. A legal nexus is emerging through which it is and will be possible, for any EU government, indeed for the EU as a whole, to ignore democratic protections and guarantees, in fact with minimal transparency.

The Latest Developments

Chat Control 1.0 ultimately passed through the European Parliament on Thursday, 9 July, remaining in force until 3 April 2028, providing a “window” of time while negotiations continue for the permanent Chat Control 2.0.

After its rejection in March, President Metsola brought the file back at the end of June, warning of a “dangerous gap” in child protection. The Council forwarded it to Parliament precisely at the beginning of the summer period, when, due to the holiday recess, it was more difficult to gather the necessary majority for rejection.

The backbone of this renewed effort was the European People’s Party (EPP) and a majority of Social Democratic MEPs, while opposition came from a very broad spectrum: From almost the entire European Left (see below), to the majority of the liberal Renew group, and even to a majority segment of the three-headed far-right formations, all rejected the EPP/Metsola proposal.

In Thursday’s vote, a simple majority (314–276) initially supported rejecting the Council’s position.

However, because rejection at second reading required an absolute majority of the European Parliament (361 of 720 MEPs), an attempt to block the extension failed despite a majority of MEPs present voting against it (314 votes to reject, 276 to retain, and 17 abstentions). Parliament’s second reading was therefore concluded, and the text was passed on back to the Council for final approval. An amendment by the liberals (Renew) that explicitly excludes encrypted communications from the scope of application is considered by some to be “a ray of hope”, although it remains unclear how extensive this exemption will be in practice — and the Council will most likely reject it.

The truly critical battle over encryption is expected in September, with Chat Control 2.0.

At the level of member states, the file is handled primarily by Interior Ministries, with minimal substantive national debate on the implications for data protection and cybersecurity.

What is being built

Although this minor coup was accomplished through the collaboration of the European Commission with the European Parliament Chair, the real culprits were a majority of European governments, eager to show they “mean business” in fighting CSAM.

At the same time the path of greatest surveillance seems to be the “safe path” for a series of government and corporate actors in and around the EU.

Conclusion: intergovernmentalism launders accountability yet again

None of what we have listed and described above is accidental, and none of it required a single villain. It happened because the EU’s current constitutional architecture makes this kind of outcome structurally easy, and democratic reversal structurally hard. Chat Control was not imposed on national governments by a remote Brussels bureaucracy. It was driven through Brussels by a majority of national governments, using the Council as the vehicle precisely because the Council allows them enact collectively, and with untraceable accountability, what most would find hard to justify to their own electorates. When the measure is unpopular, ministers can point to “Brussels.” When it passes anyway, no single national government carries the political cost of having caused it. This is the defining feature of intergovernmentalism: it launders accountability across twenty-seven capitals and a rotating presidency until no one is left holding it.

The mechanics of 9 July illustrate this point splendidly. It was a procedural threshold that decided the outcome, not a substantive vote. A parliamentary majority voted to reject the measure; it lost anyway, because abstentions and absences functioned as votes for the Council’s position under second-reading rules. Also, because the timing of the vote (the last sitting day before recess) was chosen with the Parliament’s own President’s active participation, so as to maximize exactly that asymmetry. We are not seeing here an incidental democratic malfunction. In fact we see the system working as designed: an architecture where the executive (the Council, with the Commission’s cover) can out-manoeuvre by design the legislature it nominally answers to.

A genuinely federal Union would not eliminate disagreement over child protection, encryption, or privacy. Reasonable people will keep disagreeing about where that line sits. But it would force the disagreement into the public sphere, and allow it to be settled through a traceable chain of accountability. A directly empowered European Parliament, without a Council acting as an alternative, opaque legislature with its own procedural loopholes, would not allow a minority position to prevail by procedural default. A single, electorally accountable European executive – rather than 27 governments each free to blame “Brussels” for what a majority of them voted for behind closed doors – would mean that when a measure like this passes, voters know who to hold responsible, and can do so at the next election, the way they can with any national government. Transparency, legitimacy, and reversibility are not incidental virtues of federal structures; they are what those structures are for. The lesson of Chat Control is not that the EU overreached, but that intergovernmental Europe is currently designed to make overreach cheap, and accountability nearly impossible to locate.

Finally, it would be much more difficult, if complicity could not be occluded in opaque intergovernmental haze, to gradually build up this Panopticon, which was erected over the past decades, utilizing surveillance and tracking technology to create an infrastructure that would delight any would be tyrant.

  • Mihalis Panayiotakis, Dimitris Tsingos

The EU Chat Control Proposal: Child Protection or Generalised Surveillance? was last modified: July 14th, 2026 by Mihalis Panayiotakis