The longest-running fight over encryption in the democratic world comes down to a conference room in Brussels. On June 29, negotiators from the European Parliament, the Council of the EU, and the Commission convene for the fifth and final scheduled trilogue on the Child Sexual Abuse Regulation — the file everyone outside the institutions calls Chat Control 2.0. The Cyprus Council Presidency, in its final days before handing over to Ireland on July 1, wants a political agreement locked in by July. Four years of proposals, rejections, and resurrections have funneled into this single session.
How we got to the final room
A quick recap for anyone who has tuned out the acronyms. Chat Control 1.0 was the interim regime — a temporary derogation from EU privacy rules that allowed platforms to “voluntarily” scan private messages for child sexual abuse material. In March 2026, the European Parliament refused to extend it, and in April it expired. That was a genuine victory for private communication, and digital rights groups treated it as one — though Parliament President Roberta Metsola has since floated reviving the expired regime, a reminder that in Brussels no surveillance proposal is ever fully dead.
Chat Control 2.0 — formally the CSAR — is the permanent replacement, and it has always been the more dangerous file. The original Commission proposal would have empowered authorities to issue “detection orders” compelling services, including end-to-end encrypted ones, to scan the content of private messages. There is no way to comply with such an order without breaking encryption or installing scanning software on every user’s device. Client-side scanning is not a compromise with end-to-end encryption; it is the abolition of it with extra steps.
What’s actually on the table
After years of deadlock, the member states converged around a compromise that removes explicit detection orders mandating the scanning of private communications. That sounds like retreat, and partially it is — sustained public pressure, hostile legal opinions, and the technical community’s unanimous verdict forced the maximalist version off the table.
But former MEP Patrick Breyer, the proposal’s most persistent adversary, has warned precisely about what remains: a Council position that, in his words, cements “voluntary” mass scanning and legitimizes “the warrantless, error-prone mass surveillance of millions of Europeans.” The word “voluntary” is doing heroic work in that framing. When a regulation is built on the expectation that platforms scan, when risk-mitigation duties are written so that scanning is the obvious safe-harbor behavior, the voluntariness is a legal fiction. The platforms scan everyone; the government gets the results; nobody technically ordered anything.
The GDPR contradiction nobody wants to litigate
There is a deep incoherence at the heart of this project that European institutions have spent four years declining to confront. The EU’s own crown jewel, the GDPR, is built on data minimization, purpose limitation, and the principle that processing must be necessary and proportionate. Blanket scanning of private correspondence — processing the most sensitive categories of data imaginable, of every user, without individualized suspicion — fails those tests on their face. The EU Court of Justice has repeatedly struck down indiscriminate data retention on exactly this reasoning.
Europe cannot permanently be both the continent of the GDPR and the continent of suspicionless message scanning. At some point, one principle eats the other. Tomorrow’s trilogue is, among other things, a bet on which.
The stakes beyond Europe
It would be a mistake for Americans to file this under foreign news. Encryption is a global architecture: WhatsApp, Signal, and iMessage do not maintain separate cryptographic realities per jurisdiction. If the EU normalizes scanning infrastructure inside encrypted services — even “voluntary” scanning — that infrastructure exists for every government that subsequently demands access to it, democratic or otherwise. Signal has said repeatedly it would leave markets that mandate scanning rather than compromise its protocol. The precedent set in Brussels becomes the ask in Washington, London, and Delhi within the year.
And the timing matters. The UK has just enacted an under-16 social media ban, the US House is moving mandatory age verification, and the EU is cracking down on VPN loopholes. Chat Control belongs to the same family: each proposal, justified by child safety, conditions private digital life on inspection.
What to watch
Three things will tell us how this ends. First, whether a political agreement is actually announced in July, or whether the file slips to the Irish presidency — delay has historically favored privacy, as compromises unravel under scrutiny. Second, the fine print on “voluntary” detection: who defines the risk categories, and whether encrypted services face obligations that only scanning can satisfy. Third, whether age-verification requirements ride along in the final text, quietly attaching identity checks to communication platforms.
The negotiators will emerge with language about balance — they always do. Read past it. The question on the table tomorrow is binary in a way the communiqués will refuse to be: either private correspondence in Europe remains private by mathematical guarantee, or it becomes private by permission, subject to a scanner whose scope will only ever grow. Four years of resistance have kept the worst version at bay. Tomorrow we find out what the sustained pressure actually bought.



