On July 9, 2026, the European Parliament voted on reinstating a regulation permitting platforms to scan private messages without warrants. A majority of voting MEPs opposed it. It passed. The event was not a surprise to anyone tracking EU legislative procedure, but it clarifies what thresholds mean when applied against majorities.
What Happened on July 9
Chat Control 1.0 – a temporary derogation from ePrivacy rules allowing platforms to voluntarily scan messages for child sexual abuse material – required an absolute majority of 361 votes to reject. 314 MEPs voted against it, 276 in favor, and 17 abstained. Mass scanning is now permitted again until 2028.
The derogation, formally Regulation (EU) 2021/1232, had first been introduced in August 2021. On March 26, 2026, the European Parliament voted to reject any further extensions of the derogation, and it expired on April 3, 2026. On July 2, the EU Council adopted the Commission’s original text as its official second-reading position. That single procedural step transformed the entire legislative arithmetic.
In late June, European Parliament President Roberta Metsola reopened the file, sending it to the Council, warning that the expired rules left a dangerous gap in online child protection. The Council then sent the file back to Parliament at the beginning of the vacation season, where it was difficult to secure the necessary majority to dismiss it again.
The procedural mechanism is precise. In second-reading votes, Parliament does not vote to adopt; it votes to reject or amend. Opponents of Chat Control 1.0 would need 361 votes to block or amend it. 314 is a majority of those voting. 361 is a majority of all 720 MEPs, whether or not they attended.
What the Regulation Permits
The interim rule acts as a derogation from the ePrivacy Directive, allowing online communications platforms to voluntarily detect, report, and remove child sexual abuse material. Tech companies are not required to scan messages, but may do so if they wish.
In practice used mainly by unencrypted US services such as Gmail, Facebook/Instagram Messenger, Skype, Snapchat, iCloud Mail, and Xbox. A symbolic exemption was adopted for encrypted communications – though in practice, service providers do not scan these anyway.
According to EU Commission figures, mass scanning of private chats accounted for only 36 percent of all abuse reports in 2024 (the majority came from public posts and cloud storage). The German Federal Criminal Police Office reports that 48 percent of all incoming alerts are not criminally relevant in the first place. Crime statistics reveal that 40 percent of the resulting investigations actually target minors themselves. Under the chat control system, an estimated 99 percent of reports generated by Meta consist of previously known material, which generally does little to stop ongoing, active abuse.
Those are European Commission and German law enforcement figures, not activist estimates. The detection system flags previously-identified content with high volume and low investigative yield.
The Procedural Architecture That Enabled This
Parliament rejected Chat Control 1.0 in March. EU ambassadors agreed to push a temporary revival. Because an expired regulation cannot be extended, the Council proposed a formally new law with identical content via an expedited procedure.
The urgent procedure vote passed narrowly: 331 votes in favor, 304 against, and 11 abstentions. It signals the anger of many MEPs, who see the move as an attempt to bypass Parliament’s normal rules of procedure.
The timing is material. The Council sent the file back to Parliament at the beginning of the vacation season. The July 9 vote was the last plenary session before summer recess. Reaching 361 votes requires sustained coordination; the threshold becomes harder to meet when members are traveling, when the calendar is compressed, and when the text returns under an urgent procedure that skips committee review.
This is not a loophole. It is legislative design. Second-reading thresholds exist to prevent Parliament from rejecting Council positions lightly. The threshold can also be weaponized through timing.
The European Parliament voted against it twice, but Roberta Metsola decided to push it through using an urgent procedure. If a vote does not please her or her political group, she cannot simply decide to hold the vote again and again until it passes. Marketa Gregorova accused the European People’s Party of abusing its position as the largest political group to bring back a proposal that Parliament had already rejected.
The criticism focuses on process, not just outcome. When a body votes to end a regulation and the regulation returns three months later in new packaging with a higher threshold to reject it, the question becomes whether procedure serves deliberation or circumvents it.
What This Reveals About Legislative Control
This revival comes barely a week after the final trilogue on the Child Sexual Abuse Material Regulation concluded on June 29 without agreement, with talks set to resume after the summer. There are two legislative tracks: Chat Control 1.0 (the temporary, voluntary derogation) and Chat Control 2.0 (the permanent Child Sexual Abuse Regulation). This is why the news can seem contradictory: one Chat Control was stopped in March 2026, yet another is still being negotiated, and the first is now being revived.
Chat Control 2.0, or the CSAR, is still being discussed in trilogue negotiations between the European Parliament, the Council, and member states. Five rounds of negotiations, including what was supposed to be the final round on June 29, have passed without agreement on the legislation’s shape.
By reinstating the temporary regime until 2028, the Council removes pressure to reach a compromise on the permanent regulation. Patrick Breyer warned that the Council will never agree to a desperately needed paradigm shift as long as they can simply stick to the old approach of suspicionless scanning at the whim of the tech industry.
The structural observation is straightforward: when an interim arrangement favors one party’s position, that party has an incentive to extend the interim rather than negotiate toward the opposing position. The permanent regulation under negotiation would require agreement between Parliament (which wants judicial warrants and targeted detection) and the Council (which has accepted voluntary scanning). If the Council already has voluntary scanning until 2028, the negotiating dynamic shifts.
The immediate priority is to make sure the expired exception for mass scanning is not revived. At the same time, lawmakers need to pull the teeth from the currently negotiated Chat Control proposal by narrowing risk mitigation measures. This means ensuring that age verification does not become a default requirement and voluntary activities are not turned into an expectation to scan our communications.
Implications for Email Architecture
Chat Control 1.0 applies to services where the provider can access message content server-side. Gmail is explicitly named in the regulation, but any email service operating within the EU’s jurisdiction is potentially affected. Chat Control 1.0 applies to messaging and email services that are not end-to-end encrypted, or where the platform can access message content server-side. WhatsApp uses end-to-end encryption by default; Signal is fully E2EE; iMessage is E2EE when not backed up to iCloud.
According to European Commission figures, mass scanning accounted for only 36% of abuse reports in 2024, with 99% of Meta’s automated alerts consisting of previously known material. The detection of new material – the stated policy goal – is vanishingly rare through automated scanning. For development teams, this means building content moderation pipelines that handle enormous volumes of false positives without overwhelming human review teams or violating user trust.
The regulation creates compliance pressure even where it does not mandate action. If large US-based providers opt into scanning and smaller European providers do not, the difference becomes visible to regulators and to users who do not distinguish between voluntary and mandatory. The risk is convergence toward scanning as a de facto norm, not because the law requires it but because the competitive and political environment makes non-scanning costly to explain.
For services built on different architectural principles – where the provider cannot access message content, where encryption is applied before any content leaves the user’s device, where there is no server-side decryption key – Chat Control 1.0 does not directly apply. The concern is Chat Control 2.0, still under negotiation, which proposes client-side scanning even for end-to-end encrypted services. The more significant threat to encrypted messaging comes from the permanent Chat Control 2.0 regulation, still under negotiation, which proposes to require scanning even on E2EE platforms via client-side scanning technology.
Email providers operating under US jurisdiction, accepting cryptocurrency, and designed to prevent server-side access to user content occupy a distinct position. Services that apply PGP encryption for user-controlled key management do not fall under the voluntary scanning framework because there is no server-side plaintext to scan. The question for such services is not Chat Control 1.0 but whether the permanent regulation, if adopted in a strong form, attempts to impose technical mandates that conflict with architectural commitments. If client-side scanning becomes a legal requirement, the choice is between exiting the EU market or breaking the encryption model. Signal has already stated it would choose the former.
Open-source post-quantum cryptography platforms – such as PQCServer, released under AGPL-3.0 – demonstrate one response: make the server-side architecture incapable of accessing user content by design, then publish the code so the claim is verifiable. That does not insulate a service from legal pressure, but it removes the technical capability to comply with a scanning mandate without fundamentally rewriting the system.
Thresholds, Not Majorities
On July 9, 2026, more Members of the European Parliament voted against Chat Control 1.0 than voted for it. The regulation passed because the threshold to reject it was set higher than a simple majority, and opponents could not reach it during a compressed vote before recess.
The outcome is procedurally legitimate and democratically troubling. Procedure is part of democratic design, but when procedure allows a text rejected in March to return in July with identical content and pass despite majority opposition, the question is whether the rules are being used or gamed.
If you’re in the EU: today proved that MEPs respond to pressure, because 314 of them didn’t get there by accident. The single variable that decides it remains what it has always been – whether Germany holds the line in the Council. Four member states representing more than 35% of the EU population can block this. Berlin is 19% of that on its own.
Trilogue negotiations on the permanent regulation resume in September 2026. The temporary regulation now runs until 2028. The Council has its interim status quo. Parliament has demonstrated that 314 votes can be assembled against suspicionless scanning, but also that 314 votes are not always enough. Whether that number grows or shrinks by September will determine whether Chat Control 2.0 can pass, or whether the threshold defeats it as well.