When we wrote about Chat Control’s endgame two weeks ago, we noted a Brussels axiom: no surveillance proposal is ever fully dead. Today the axiom collected its proof. Chat Control 1.0 — the interim regime the European Parliament rejected in March, the one that expired in April, the one digital rights groups celebrated burying — is back in force until April 3, 2028. And the mechanics of its resurrection are, if anything, more corrosive than the regime itself.

Losing by winning: the arithmetic of a procedural ambush

Here is what happened in Strasbourg on July 9. The Parliament voted on a motion to reject the Council’s extension of the ePrivacy derogation — the legal carve-out that lets platforms “voluntarily” scan private messages, photos, and files for known child sexual abuse material. The motion to reject won the floor: 314 MEPs voted to kill the extension, 276 voted to keep it, 17 abstained.

The extension passed anyway.

Under the second-reading rules of this procedure, rejection required an absolute majority of all MEPs — 361 votes — not a majority of those voting. Roughly 112 members were absent, many reportedly already gone for the summer recess. Every empty seat counted, functionally, as a vote for mass scanning. The rejection fell 47 votes short, and the extension slid through by default.

Compare the two votes side by side. In March 2026, MEPs rejected extending this exact regime 311 to 228. In July 2026, MEPs opposed it 314 to 276 — a larger number against — and it passed. Same Parliament, same file, same majority sentiment, opposite outcome. The difference was scheduling and procedure, not democracy.

Patrick Breyer, the former MEP who has fought this file longer than anyone, put it plainly: “The fact that Chat Control is moving forward against the will of the majority of voting MEPs is a farce and damages democracy.” On the policy itself, his metaphor is the one worth keeping: “Trying to protect children with suspicionless mass surveillance is like frantically mopping the floor while the faucet is still running.”

What is actually back in force

Precision matters here, because the revived regime is real but bounded. The extension restores the temporary derogation from EU ePrivacy rules that permits — does not mandate — providers of unencrypted communication services to scan private messages against hash databases of known CSAM. In practice that means the messages, photos, and files flowing through Instagram and Facebook Messenger, Snapchat, Discord, Xbox chat, Gmail, and iCloud email are once again eligible for suspicionless scanning, warrant-free, until April 3, 2028.

What it does not do: it does not compel scanning, does not break end-to-end encryption, and does not touch Signal or WhatsApp’s default encrypted chats. Your properly encrypted conversations remain outside its reach — mathematically, not just legally.

But recall what we said in June about the word “voluntary”: it is a legal fiction wearing a consent costume. When the regulatory environment is built so that scanning is the safe-harbor behavior, platforms scan everyone, governments receive the results, and no one technically ordered anything. That machine, switched off in April, has been switched back on — and every scan of an innocent person’s private photos between now and 2028 will happen without suspicion, without a warrant, and now, without even a parliamentary majority behind it.

Meanwhile, the permanent version waits in the wings

The July political deal on Chat Control 2.0 — the permanent Child Sexual Abuse Regulation that the June 29 trilogue was supposed to lock in — did not materialize. Negotiations continue, with talks now expected to resume in September 2026 under the Irish Council presidency. We counted delay as a win for privacy in June, and it still is: compromises on this file have historically unraveled under scrutiny.

But today’s vote changes the strategic geometry, and not favorably. The interim regime’s expiry in April was the ticking clock that pressured all sides — the “do something or scanning ends entirely” urgency belonged to the surveillance camp. With the derogation now safe until 2028, that pressure inverts. Negotiators can take their time building the permanent architecture while the “temporary” one — temporary since 2021, now scheduled to reach its seventh birthday — quietly does the work. There is nothing so permanent as a temporary government program, and Chat Control 1.0 is becoming the EU’s proof of concept.

The lesson for everyone outside Brussels

If you take one thing from today, take this: the fight over your private communications was not lost on the merits. A majority of Europe’s elected representatives, voting on the record, opposed this. It passed through an attendance gap in a summer week — which tells you the surveillance side’s most reliable ally is not argument but process: the second reading, the recess-week calendar, the absolute-majority threshold that converts absence into assent.

The practical response is the same as it was in June, only more so. End-to-end encryption remains the line. The revived regime cannot touch Signal or encrypted WhatsApp chats, and that boundary — the one drawn by mathematics rather than by votes that can be rescheduled — is the one that held. Use encrypted messengers for anything you’d call private. Move group chats off platform DMs. And if you’re in Europe, remember the 47-vote margin and the 112 empty seats the next time your MEP asks for your support — attendance, it turns out, is a privacy policy.

The interim regime has its extension. The permanent fight resumes in September. We’ll be watching both.