Democracy has a rounding error, and on July 9 the European Parliament found it. A majority of voting MEPs — 314 against, 276 in favor, 17 abstentions — cast their ballots to end the EU’s temporary regime for scanning private messages. The regime survived anyway.
Not because it won. Because the “no” camp didn’t lose by enough.
If you follow this file, you already know the shorthand: Chat Control. But that word now covers two very different legal instruments moving on two different tracks, and the confusion between them is doing real work for the people who want the scanning to continue. So before the outrage, the plumbing.
Two laws, one nickname
Chat Control 1.0 is the temporary one — technically the ePrivacy derogation, Regulation (EU) 2021/1232. It doesn’t force anyone to do anything. It permits messaging providers to voluntarily scan communications for already-known child sexual abuse material (CSAM), carving an exception out of the confidentiality rules that would otherwise make that scanning illegal under EU law. This is the law the Parliament voted on July 9.
Chat Control 2.0 is the permanent one — the CSA Regulation (CSAR), the Commission’s May 2022 proposal. It would go much further: mandatory detection orders that could compel providers to scan everyone’s messages, including the client-side scanning that would gut end-to-end encryption. This is the law civil-society groups have spent three years fighting. It was not on the ballot July 9. It is still stuck in negotiation, and it comes back in the autumn.
Keep those two straight, because officials are counting on you not to.
What actually happened on July 9
The temporary derogation was set to expire. What follows is the sequence that flipped a losing vote into a win:
- In the spring of 2026, the Parliament rejected extending the derogation at first reading. The law then lapsed on April 3, 2026. For a few months, the voluntary-scanning exception was simply dead.
- On July 2, 2026, the Council of the EU adopted the Commission’s extension text as its formal second-reading position — and that changed the math entirely.
- At second reading, the Parliament cannot kill the Council’s position with a simple majority. It needs an absolute majority of all MEPs — 361 votes — to reject. Not a majority of those present. A majority of the entire chamber.
- On July 7, the Parliament fast-tracked the file under an urgent procedure by 331–304. Then, on July 9, the rejection vote drew 314 — a clear plurality against, and 47 votes short of the 361 needed to stop it.
The result: the derogation is extended to April 3, 2028 (or until the permanent regulation is agreed, whichever comes first). More MEPs voted to end mass scanning than to keep it, and mass scanning won. Brussels Signal dubbed the outcome “mini-chat control.” Former MEP Patrick Breyer, the file’s most dogged opponent, was blunter: “The fact that Chat Control is moving forward against the will of the majority of voting MEPs is a farce and damages democracy.”
The mechanism isn’t a scandal in itself — the absolute-majority threshold at second reading is a normal feature of EU codecision, designed to stop a thin, distracted plenary from undoing a painstakingly negotiated compromise. The scandal is watching it deployed to preserve mass surveillance over the stated objection of most of the members who showed up to vote.
The encryption “carve-out” is thinner than the headline
Here’s the part that got the reassuring press coverage: the Parliament also adopted an amendment exempting end-to-end encrypted services from the derogation’s scope. Signal and WhatsApp, safe. Crisis averted.
Read the fine print. As Breyer pointed out, the carve-out is largely symbolic — providers offering genuine end-to-end encryption “do not scan such traffic in any case,” because they can’t without breaking the encryption. Exempting them from a voluntary scanning permission changes nothing about what they were already doing. It’s a wall built around an empty room.
Meanwhile, the amendment that would have done real work — restricting scanning to communications tied to judicially identified suspects, rather than everyone — drew 322 votes in favor. That’s more than the 314 who voted to reject the whole thing. It still failed, because it too needed 361. The genuinely protective change fell to the same threshold that saved the surveillance.
The permanent version — the one that actually matters — is not dead
Chat Control 1.0 is the sideshow. Chat Control 2.0, the mandatory CSAR, is the main event, and its history over the last year is a story of narrow escapes:
- In autumn 2025, the Danish Council presidency made the CSAR a priority and scheduled a vote for October 14 to lock in a mandate for final negotiations. Days before, a blocking minority of nine member states representing more than 35% of the EU population — including Germany and Luxembourg — refused, and the vote was pulled for lack of a qualified majority.
- On October 31, 2025, Denmark retreated: it dropped the mandatory detection orders from its compromise, falling back to a “voluntary” framework.
- On December 19, 2025, the Commission proposed simply extending the temporary derogation for two more years while CSAR talks dragged on — the move that led directly to July’s vote.
- A fifth trilogue — billed as the last — was held June 29, 2026 under the Cyprus presidency. The core disagreement is unchanged: the Council now favors a permanent voluntary scheme with no mandatory detection; the Parliament wants scanning only on something like reasonable suspicion; and the Commission still fights for its original mandatory proposal. Both the Commission and Council are also pushing mandatory age verification for “risky” services — a surveillance expansion in its own right.
As of July 1, 2026, the presidency passed to Ireland, and negotiations on the permanent regulation are expected to resume in September. Breyer’s assessment of the odds of a mandatory-scanning majority: “a complete pipe dream.” Maybe. But this file has been declared dead more than once and keeps getting up.
Why the technical objection never goes away
Every version of Chat Control eventually collides with the same wall, and no amount of political redrafting moves it: you cannot scan the contents of an end-to-end encrypted message without breaking the guarantee that makes it end-to-end encrypted. The proposed workaround — client-side scanning, which inspects your message on your own device before it’s encrypted — doesn’t dodge that problem. It relocates it.
More than 500 scientists and cryptographers have signed an open letter calling client-side scanning “technically unfeasible” for its stated purpose and warning that it would manufacture new vulnerabilities for criminals and hostile states to exploit. The false-positive problem alone is damning: scan billions of messages a day, and even a microscopic error rate generates millions of wrongful reports — burying investigators in noise while genuine abuse slips through, and dragging innocent family photos and medical images into law-enforcement pipelines.
The cleanest framing of the core danger comes from the privacy trackers watching this file: a scanning mechanism “isn’t a backdoor. It’s a front door that’s wired to stay open.” A tool built to inspect content before encryption can be repointed at other content later — different keywords, different targets, a different government. The architecture doesn’t care what it’s looking for. That decision lives in a policy document that can be rewritten after the infrastructure is already installed on two billion phones.
EDRi’s head of policy, Ella Jakubowska, put the human cost plainly: “The risk of a chilling effect on adults and children seeking to communicate or seek information legitimately is enormous.”
What this means for you
Practically, in July 2026: nothing about your messaging changed overnight. Genuine end-to-end encrypted apps — Signal first among them — still work exactly as before, and the encryption carve-out, symbolic as it is, at least confirms the Parliament isn’t (yet) ordering them broken. Use them. If you’re relying on the default SMS app or an unencrypted chat service, this is the moment to move.
Politically, the file is not settled, it’s scheduled. The temporary regime runs to 2028. The permanent one reopens in September under a new presidency. The pattern of the last four years is unmistakable: mass-scanning proposals in the EU don’t get defeated, they get paused, renamed, and reintroduced — each time with a fresh reassurance about encryption bolted to the front.
The vote on July 9 is the whole story in miniature. A majority said no. The machinery said it didn’t matter. Watch the autumn.



