“Chat Control” is a draft EU regulation (proposed by the Commission on 11 May 2022) that would set a legal framework to detect, report and remove online child sexual abuse material (CSAM). In its most controversial form, it would require messaging apps and online services to automatically scan what users send — texts, images, videos — including conversations meant to remain private and end-to-end encrypted. Technically, it shifts surveillance to the source: on your device itself, before encryption protects your messages (“client-side scanning”, or CSS). Data-protection authorities and the Council’s Legal Service have flagged this approach as problematic because it amounts to generalized searches without prior individualized suspicion.

In practice, the messaging app embeds a module that computes a “fingerprint” (perceptual hash) for each image or analyzes each message before sending, then compares the result against reference databases (CSAM hash catalogs, pattern lists, ML models). If the algorithm “believes” it matches prohibited content, it creates a report and triggers an alert chain to a designated center or the authorities. The issue is both principled and practical: in principle, you’re scanned constantly without a connection to an investigation; in practice, these systems are neither perfect nor neutral. Research shows structural vulnerabilities: attackers can mass-produce false positives, poison hash sets, or hide a “secondary objective” (e.g., targeted face recognition) inside a hashing scheme ostensibly limited to CSAM. Errors do happen and have human consequences (account closures, unwarranted investigations). We saw this as early as 2022: Google reported fathers who had taken medical photos of their children at a doctor’s request; accounts were closed and suspicion lingered despite cases being dismissed.

The core problem concerns the secrecy of correspondence and data protection. The EU Charter of Fundamental Rights (Arts. 7 and 8) and the ECHR (Art. 8) protect privacy and the integrity of communications. The CJEU has repeatedly struck down generalized, indiscriminate surveillance mechanisms — even for legitimate aims — because they are not targeted or proportionate (Digital Rights Ireland, Tele2 Sverige). In short: you cannot screen an entire population “just in case”. The EDPB and EDPS have explicitly warned that the proposal, as drafted, would effectively sweep up almost all communications, chilling free expression (journalists, NGOs, protected professions).

Several strong signals suggest it is not, if it mandates indiscriminate detection. The Council’s Legal Service has underlined the impact on fundamental rights of scanning inter-personal content without targeting. Parliament (via the LIBE committee) voted in November 2023 to reject mass scanning and explicitly protect end-to-end encryption. That doesn’t mean scanning is impossible, but it must be strictly targeted, proportionate, and subject to robust judicial oversight. Any solution that circumvents encryption by systematic client-side scanning collides with those principles.

A regulation is an EU legislative act (Art. 288 TFEU) that is general in scope, binding in all its elements, and directly applicable in every Member State. Unlike a directive, it does not need national transposition to take effect: it applies as-is, at the same time and in the same way everywhere. The EU uses it when it wants a uniform rule for the whole market and all citizens.

The Commission proposes the text. It is then co-decided by the European Parliament (elected MEPs) and the Council of the EU (ministers of the Member States) under the ordinary legislative procedure. In practice this means successive readings, amendments and, often, “trilogues” between Commission–Council–Parliament. If Parliament and Council don’t adopt the same text, it doesn’t pass. The final outcome is therefore a political compromise between governments and elected representatives.

After the 2022 proposal, the file hit several political roadblocks in 2024. Since July 2025, under the Danish Council presidency, it has picked up speed again: specialist media report a political aim to wrap up a deal in the autumn, with a date mentioned for a vote around 14 October 2025 and positions hardening in September. Nothing is settled: Parliament’s position protects E2EE, and in the Council the balance shifts with national coalitions; some capitals have already formed “blocking minorities” in the past. The calendar is accelerating, and technical trade-offs (opt-in scanning? limit to known images? exclude grooming?) remain contentious.

The balance of power in the Council has shifted since July 2025. Under the Danish presidency, a new text — largely inspired by the 2024 Belgian and Hungarian compromises — puts back on the table mandatory scanning (including before encryption) and a risk categorization by service. An internal read-out of the “law enforcement” working party meeting of 11 July 2025, leaked by netzpolitik.org, sums it up: a majority of countries “can live” with the Danish proposal, a blocking minority remains, and a few key undecideds (Germany, France, Belgium, Finland, Luxembourg, Estonia, Czechia, etc.) carry a lot of weight.

Visually, the July 2025 map published by MEP Patrick Breyer shows at a glance which governments are “supportive”, “opposed/neutral”, or “undecided”. It’s an activist snapshot but useful to locate your country.

Countries explicitly “supportive” on 11/07 (or positive about the Danish text) … Italy, Spain, Hungary, Latvia, Lithuania, Cyprus, Croatia, Sweden (government support, parliamentary green light required), Denmark (author of the text). France said it was ready to “support in principle” the text, notably renewal of the transitional regime, which currently places it among the rather supportive. Portugal is “very positive” but keeps reservations about the encryption part.
“Opposed” countries (or formally critical on key points) … Poland (rejects mandatory scanning and inclusion of E2EE, flags cybersecurity risks and the invalidity of forced “consent”), Austria (bound by a firm parliamentary stance against CSS and weakening encryption), Netherlands (strong concerns over “detection orders” and CSS). Slovenia and Luxembourg express serious doubts about proportionality and client-side scanning.
“Undecided / under review” (or internally split) … Germany (new coalition still arbitrating, historically opposed to E2EE scanning), Belgium (“difficult” domestic politics on encryption after its 2024 compromise), Estonia (internal split security vs. data protection on CSS), Finland (text “rather problematic”, under review), Czechia (election season, position pending), Ireland (welcomes cybersecurity safeguards but remains cautious), Slovakia (positive on ambition but open to counter-arguments), Romania (not cited in that specific read-out). These nuances matter: the Council Legal Service still considers CSS contrary to fundamental rights, which weighs on the fence-sitters.

Bottom line: adoption hinges on a handful of capitals (Paris, Berlin, Brussels, Helsinki, Luxembourg, Prague, Dublin). And even among the “supportive”, several national parliaments could impose safeguards. For a broad overview, see the July 2025 map (indicative).

Apple. Dropped in 2022 its CSAM detection plan for iCloud Photos (on-device scanning), welcomed by encryption advocates. Since then Apple has emphasized strengthening E2EE (Advanced Data Protection). This remains incompatible with generalized CSS; the company focuses on systemic security rather than AI scanning on devices.

Meta / WhatsApp. Consistent public stance: no backdoors and no imposed scanning that weakens E2EE. Will Cathcart has reiterated the app won’t “break” encryption — similar messages during UK/EU debates. Tech media note that client-side scanning undermines WhatsApp’s confidentiality claims.

Google. Defends E2EE (notably on Messages/RCS) and, more broadly, server-side hashing where lawful and proportionate, without damaging universal E2EE. European analyses recall the limits of technologies like PhotoDNA (useful for known content, not “unknown” nor grooming), which underpins arguments against generalized CSS.

Microsoft. Long-time promoter of PhotoDNA (detection via hashes of already-known content, not CSS). In the EU it argues for proportionate rules and provenance/traceability tools, not real-time scanning of all encrypted chats. PhotoDNA’s scope is not equivalent to CSS for “unknowns”.

Signal. Hard line: would rather exit a market than weaken E2EE. Meredith Whittaker has said Signal will not integrate mandatory CSS or any “exception” to E2EE.

Threema. Firmly opposes the “Chat Control” proposal, warning of system-wide insecurity introduced by any CSS.

Element / Matrix. Warns against a return of mass scanning and the damage to the open-source ecosystem (self-hosted servers, federation), where imposing client/server scanners would be unrealistic and dangerous.

Proton (Mail/Drive/Pass/VPN). Welcomes Parliament’s 2023 stance excluding E2EE from detection and deems CSS technically and legally untenable.

Telegram. No clear EU-level position on CSS; its encryption isn’t enabled by default for all chats, making it a hybrid case in the debate.

Overall trend: services that are truly E2EE reject mandatory CSS. Among “Big Tech”, the public line is to protect E2EE and avoid a generalized client-side scanning mechanism.

If generalized client-side scanning were introduced, every device would become a permanent inspection post. Your messages and photos would be sifted before encryption, and errors could trigger reports — account closures, blocking of essential services (mail, cloud), even police investigations. Documented cases show how such errors can wreck a digital life within hours. Beyond that, weakening the E2EE ecosystem opens attack surfaces: more code, more access points, more risk. For protected professions (lawyers, doctors, journalists), it directly undermines professional secrecy; for victims of violence or activists, it removes safe spaces. At industry scale, trust in European digital services would suffer if the EU became the first democratic region to impose such mass scanning.

No, not unilaterally. If adopted, a regulation overrides any conflicting national rule (primacy of EU law) and applies directly. A State cannot carve out a national exception without facing infringement proceedings by the Commission and, ultimately, a CJEU ruling. Before adoption, however, France can weigh in at the Council, build coalitions to amend or block; after adoption, it can challenge before the CJEU (annulment action), or, if the text leaves room, implement maximum safeguards within the permitted flexibility (strong judicial oversight, public audits, exclusion of CSS, etc.). But a frontal national ban on an obligation laid down by a regulation would run counter to EU law.

Yes. Under European law the secrecy of communications and the confidentiality of attorney-client exchanges are at the core of the right to privacy (Charter, ECHR Art. 8). The ECtHR affords “enhanced” protection to legal professional privilege: without confidentiality, the right to defense and investigative journalism are illusory. Likewise, ePrivacy requires confidentiality of electronic communications. Client-side scanning inserts a mechanism that inspects messages before encryption, mechanically weakening that confidentiality — including for protected professions. The EDPB/EDPS have warned that imposing detection tech on messengers may lead to near-generalized sweeping of communications with worrying error rates. In other words, even with on-paper “exemptions”, a generalized on-device scanner is hard to reconcile with professional secrecy as protected in Europe.

Because a fundamental right doesn’t depend on what you have to hide, but on the power the State or companies can wield over your life. Pre-emptive surveillance of everyone dilutes the presumption of innocence, chills speech, and multiplies errors. Detection technologies also “find” innocents: false positives trigger reports, account closures, investigations — with very real harm. Even for policing effectiveness, flooding services with dubious alerts diverts resources from genuine cases. European data-protection authorities note that error rates for detecting “new” content remain concerning. And confidentiality also protects others: victims of abuse, activists, medical and legal professionals, whistleblowers, journalists. Weaken one, weaken all.

Everyone shares the goal of protecting children. The question is real-world effectiveness and societal cost. Technical analyses indicate that CSS dramatically widens the net, generates heavy false positives, and can be bypassed by determined offenders (closed networks, tools outside the EU, adversarial ML). Each false positive consumes investigative time and delays genuine cases. More targeted approaches exist and work: more human and judicial resources, targeted infiltration and surveillance, focused international cooperation, stronger action at the source, education, and prioritizing truly actionable reports. In short, favor effective, proportionate tools over indiscriminate population-wide scanning.

In June 2025, the Commission published a “roadmap” to ensure “lawful and effective access to data” for law enforcement. It includes a technology roadmap on encryption from 2026 and funding for decryption capabilities by 2030 (e.g., Europol). This strategic backdrop keeps political pressure on end-to-end encryption and helps explain the push to pass a text like CSAR in the short term. It’s crucial to remember strong encryption also protects hospitals, businesses, administrations and citizens against crime and espionage. Weakening it in the name of “lawful access” creates holes usable by malicious actors too.

At this stage, development and operation would largely rely on private actors: big firms (Apple, Meta, Microsoft, Google) and specialist companies (e.g., PhotoDNA/MS). Three major concerns follow. First, transparency: models, thresholds and training data are trade secrets, hence hard to audit. Second, dependency: the EU would outsource a sovereign function (detection) to mostly extra-EU providers, with unilateral updates and imported biases. Third, function creep: once the infrastructure exists, expanding the scope (terrorism, “disinformation”, fraud…) is tempting unless strict, enforceable safeguards are in place. Apple’s 2021 episode illustrates the risks: it announced an on-device CSAM scan, then backed down after backlash from cryptographers and regulators, precisely due to potential drift and the difficulty of guaranteeing a tightly bounded use.

Governments and data-protection authorities — notably in Germany, the Netherlands and elsewhere — have raised fundamental objections: incompatibility with fundamental rights, technical insecurity, operational ineffectiveness (too many alerts and false positives). Germany’s Justice Minister, for instance, has said “chat control” has no place in a rule-of-law state, and the Dutch chamber publicly slowed earlier versions. The landscape is fluid, though: some countries that stalled in 2024 now support compromises re-introducing client-side scanning. Hence the importance of tracking your government’s stance in real time.

Parliament’s reference position remains the one adopted in November 2023 (LIBE + negotiation mandate): no mass surveillance, exclusion of E2EE from detection, targeted measures based on reasonable suspicion. This line was supported by a broad majority across groups (Greens/EFA, The Left, S&D and much of Renew). It contradicts generalized CSS.

After the 2024 elections, the 2024–2029 legislature renewed the French delegations (RN/Patriots for Europe, LR/EPP, Renaissance–MoDem–Horizons/Renew, PS–Place Publique/S&D, LFI/The Left, Ecologists/Greens). To date, most public positions follow group lines:
• Greens/EFA and The Left (LFI): outright opposition to CSS and any weakening of E2EE; they backed the 2023 LIBE line.
• S&D (PS/Place Publique) and Renew (Renaissance/Modem/Horizons): broadly aligned with LIBE 2023 (protect E2EE, targeted approach), though some MEPs may be “open” to very narrow measures on known content under judicial control.
• EPP (Les Républicains): split between “security” advocates (in favor of detection obligations) and “rule-of-law/technical” concerns (proportionality and encryption security).
• Patriots for Europe / ID lineage (RN, allies): heterogeneous depending on security/privacy files; no single French line in favor of mandatory CSS at time of writing.
• ECR: generally supportive of stronger investigative tools, but not at the price of a generalized E2EE backdoor (internal nuances).

Start by explaining the mechanism without jargon: “They want to install software on our phones that reads our messages before they’re encrypted, to compare what we send against image databases and automated models. If the machine is wrong, it can report us by mistake.” Then the issue: “This isn’t a debate for or against protecting children; it’s about the method: scanning everyone all the time is disproportionate and ineffective. Offenders adapt; meanwhile, everyone’s security and privacy are weakened.” Finally the solution: “Fund people and courts, target investigations, cooperate across borders, take content down at the source, educate and prevent — without breaking encryption.” For a 30-second pitch:
“‘Chat Control’ is a scanner on our phones that reads messages before sending. It can be wrong and flag innocents. It breaks the secrecy of exchanges (doctors, lawyers, journalists) and creates holes for attackers. Let’s protect children with effective, targeted means — not by surveilling 450 million Europeans.”
In longer conversations, use concrete analogies: “Would you accept an agent opening all your letters ‘just in case’?” Remind people that, in Europe, confidentiality of communications and professional secrecy are protected rights — and that data-protection authorities have warned about errors and drift. Offer a clear action: sign the petition, write to your MEPs, discuss it at work and at school, and favor messengers that publicly oppose mandatory CSS.