What happened on 9 July 2026
On 9 July 2026, the European Parliament voted on whether to block the reinstatement of a temporary EU rule that lets online platforms voluntarily scan private communications for child sexual abuse material (CSAM). The rule is widely known by its critics' label, Chat Control 1.0.
The outcome was unusual. A majority of the Members of the European Parliament who voted wanted to reject the rule: 314 voted to reject it, 276 voted against rejection, and 17 abstained. Despite more votes to reject than to keep, the rule was reinstated.
The reason lies in the procedure. This was a second-reading vote under the EU's ordinary legislative procedure, where rejecting the Council's position requires an absolute majority of all Members of Parliament, currently 361 of 720, not just a majority of those present. The rejection reached 314, falling 47 votes short of that threshold, so the Council's text stood.
The practical effect is that the voluntary scanning framework, which had lapsed on 3 April 2026, is set to run again until 3 April 2028, subject to a final step involving the Council. This article explains precisely what that means, and separates the reliable facts from the considerable amount of exaggeration that has surrounded the story.
What Chat Control 1.0 actually is
Chat Control 1.0 is not a mass-surveillance mandate, and understanding what it is prevents most of the confusion around it. It is a temporary derogation, a legal exception, formally Regulation (EU) 2021/1232, from parts of the EU's ePrivacy Directive.
Voluntary, not mandatory
The derogation permits, but does not require, providers of certain communication services to scan for known CSAM and to report matches to authorities. Platforms may opt in; they are not compelled to scan. In practice, mainly large US-based services such as Gmail, Meta's messengers, Skype, and Xbox have used it.
Known material, unencrypted channels
In its core form the derogation targets already-identified images and videos on services that can read the content, meaning unencrypted or server-side-readable communications. It has never applied to end-to-end encrypted traffic, because a provider that cannot read a message has nothing to scan.
Why it exists at all
The derogation was introduced in 2021 to give platforms a clear legal basis under EU privacy law to continue existing voluntary detection while a permanent framework was negotiated. It was always framed as a temporary bridge, not a permanent regime.
The vote that passed by failing
The July 2026 outcome is best understood as a procedural result rather than a fresh political endorsement of scanning. Three steps produced it.
March 2026: Parliament said no
On 26 March 2026, Parliament rejected extending the derogation by 311 votes to 228, with 92 abstentions. As a result, the rule lapsed on 3 April 2026, and for three months there was no EU legal basis for this voluntary scanning.
July 2026: the Council revived the text
On 2 July 2026, the Council adopted its own first-reading position that largely restored the original text, sending the file to Parliament for a second reading. On 7 July, a fast-track urgency procedure was approved by 331 votes to 304, scheduling the decisive vote for 9 July, just before the summer recess.
The threshold did the work
Because a second-reading rejection needs an absolute majority of all seats, absences and abstentions effectively counted in favour of the Council's text. More Members wanted to reject the rule than to keep it, but the rejection did not clear 361 votes, so it failed and the text was reinstated.
Why critics call it undemocratic
Several Members and digital-rights groups objected to reopening a file Parliament had already rejected, and to scheduling the vote for the last day before recess. Supporters countered that the lapse had left a gap in child-protection tools and that a legal basis was needed while permanent rules are negotiated. Both framings appear across the coverage; the procedural facts above are not in dispute.
The end-to-end encryption carve-out
Alongside the main text, Parliament adopted an amendment stating that communications protected by end-to-end encryption should be excluded from the scope of the voluntary scanning. On its face this protects services such as WhatsApp, Signal, and Telegram's encrypted chats.
Why some call it symbolic
Critics, including former MEP and jurist Patrick Breyer, note that providers do not scan end-to-end encrypted content anyway, because they cannot read it. On that view the amendment confirms existing reality rather than adding a new protection.
Why it still matters
Even a declaratory carve-out has value: it puts Parliament on record against extending scanning into encrypted channels, which becomes relevant to the far more consequential permanent regulation still under negotiation.
The catch
The exclusion applies only to this temporary, voluntary track. It does not bind the separate permanent proposal, where the question of scanning encrypted messages, potentially through client-side scanning on the device before encryption, remains open.
What is not affected: Chat Control 2.0
The single most important thing to understand is that the July 2026 vote concerned only the temporary 1.0 derogation. The permanent regulation is a separate file with a very different reach.
A different, mandatory instrument
The permanent Child Sexual Abuse Regulation (CSAR), labelled Chat Control 2.0 by critics, would, in its most contested forms, create detection obligations rather than a voluntary option, and could reach encrypted services. It has not been adopted.
Still stuck in negotiation
Five rounds of three-way trilogue negotiations between Parliament, Council, and Commission have not produced a deal. The fifth round, on 29 June 2026, ended without agreement, specifically over suspicionless scanning. Talks are expected to resume in September 2026.
The core dispute
The unresolved question is whether scanning should be broad and provider-driven, as parts of the Council prefer, or narrow and ordered by a judge against identified suspects, as Parliament has insisted. That disagreement, not the July 2026 vote, is where the future of private messaging in the EU will actually be decided.
Timeline of the derogation
The path from 2021 to today is easy to lose in the headlines. Here is the sequence in plain terms.
2021 to 2024: introduction and extension
Regulation (EU) 2021/1232 entered into force in 2021, giving platforms a voluntary legal basis to scan unencrypted messages for CSAM. In 2024 it was extended to 3 April 2026.
March to April 2026: rejection and lapse
On 26 March 2026 Parliament rejected a further extension, and the derogation expired on 3 April 2026. For three months there was no legal basis for this scanning under EU law, though some providers stated they would continue regardless.
July 2026: revival
The Council revived the text on 2 July, the urgency procedure passed on 7 July, and the rejection failed to reach the threshold on 9 July, reinstating the derogation pending the Council's final step, with an intended end date of 3 April 2028.
What it means for private messages
For everyday users, the concrete effect is narrower than many headlines suggest, but it is not nothing.
If you use unencrypted services
On services that voluntarily opt in and can read your content, such as certain webmail and social messengers, providers may continue scanning for known CSAM and reporting matches. This has been the situation, on and off, since 2021.
If you use encrypted messengers
End-to-end encrypted messages remain outside the scope of this derogation, reinforced by the July amendment. Providers that cannot read your messages cannot scan their content.
What has not changed
This derogation does not create device-level scanning, does not require identity verification of every user, and does not mandate any provider to scan. Those more far-reaching ideas live in the permanent proposal, which has not passed.
What it means for digital evidence
For anyone who preserves online content as evidence, the Chat Control debate is a useful reminder of a deeper principle: how content is captured and authenticated matters as much as what the content is.
Scanning is not evidence
Automated CSAM detection produces a report to authorities; it does not produce court-ready, tamper-evident evidence with a verifiable chain of custody. The two are different activities with different legal standards.
Provenance and integrity still decide admissibility
Whether online material stands up in a legal or regulatory proceeding depends on provenance, integrity, and reproducibility: a cryptographic hash of what was captured, a qualified timestamp proving when, and a method that a third party can independently verify.
Why independent verification matters more, not less
As the legal environment around online communication grows more contested and fast-moving, evidence that can be verified without trusting any single vendor or platform becomes more valuable. A sealed evidence package anchored by an eIDAS-qualified timestamp and independently checkable hashes does not depend on who scanned what, or on any provider's cooperation.
The Council's three-month window
The July 2026 vote did not fully close the file. Because Parliament amended the Council's position rather than simply approving it, the amended text returns to the Council.
Accept or reject
The Council has roughly three months, until approximately 9 October 2026, to accept Parliament's amendments, including the encryption carve-out, or to reject them.
If the Council accepts
If the Council accepts all amendments, the regulation, including the end-to-end encryption exclusion, is formally adopted and runs to 3 April 2028.
If the Council rejects
If the Council rejects any amendment, a conciliation procedure begins, in which equal numbers of Parliament and Council representatives try to agree a joint text. That would extend the process by months, and is a realistic scenario given past disagreements.
What to watch next
The July vote generated dramatic headlines, but the decisions that will actually shape private communication in the EU are still ahead.
The Council's October decision
Whether the Council accepts or rejects the encryption amendment will signal how seriously the institutions treat encrypted-channel protection, and whether a conciliation fight is coming.
The September trilogues on 2.0
The permanent regulation resumes negotiation in September 2026. The unresolved core, suspicionless versus judicially targeted scanning, and the treatment of encryption, is the file that carries the real long-term stakes.
A likely legal challenge
The Council's own Legal Service has questioned whether generalised voluntary scanning is compatible with Article 7 of the EU Charter of Fundamental Rights absent reasonable suspicion and prior judicial authorisation. A challenge before the Court of Justice of the EU remains possible, whichever way the permanent file lands.
Frequently asked questions
Clear answers to the questions people are asking about the July 2026 Chat Control vote, based on official procedure and reliable reporting.
Did the EU just legalise mass surveillance of all messages?
What is the difference between Chat Control 1.0 and 2.0?
How did it pass if more MEPs voted against it?
Are WhatsApp, Signal, and Telegram affected?
Is scanning happening right now?
What happens in the Council's three-month window?
Does this kill end-to-end encryption in Europe?
Is automated scanning the same as legal evidence?
How does this affect businesses that preserve online evidence?
When will the permanent Chat Control 2.0 be decided?
Where can I read the primary sources?
What is the single most important takeaway?
Related reading
-
DSA Article 16: notice-and-action evidenceHow to preserve defensible evidence for platform takedown requests.
-
EU AI Act Article 50: transparency and disclosureWhat the AI Act requires for synthetic and manipulated content.
-
eIDAS qualified timestamps: complete guideWhy a qualified timestamp is the backbone of court-ready evidence.
-
How to secure internet evidence for EU courtsA practical workflow for admissible online evidence in 2026.
-
NIS2 cybersecurity incident evidencePreserving incident evidence under the EU's NIS2 regime.
Preserve online evidence that stands on its own
Whatever happens with EU communication rules, admissibility depends on integrity you can prove. Capture any web page as a tamper-evident package with an eIDAS-qualified timestamp and hashes anyone can verify independently.
No account needed to verify. Independent verification with open-source tools.