The EU Council of Ministers has pushed through a reactivation of the expired “Chat Control 1.0” regulation via an expedited procedure, catching the European Parliament off guard days before the summer recess. The move reopens a scanning framework that would let technology providers use AI to scan private, encrypted messages — the same surveillance apparatus privacy advocates thought they had defeated.
The Council adopted the position on Thursday via written procedure, according to Heise’s reporting. The regulation would reinstate the transitional measure that allowed technology providers to voluntarily scan private chats using AI and hash matching for known child abuse material. That exemption expired on April 3, 2026, after the Council and Parliament couldn’t agree on an extension.
🔍 THE BOTTOM LINE
The EU Council is using a procedural maneuver to force through a regulation that would let AI scan your private messages. By fast-tracking the vote to the last session before summer break — when attendance is historically low — the Council is betting that fewer MEPs means less resistance. The scans are framed as voluntary, but the structural pressure on providers to comply makes them anything but. And the AI detection method at the heart of this requires processing the content of every message to classify it — which means the scanning system sees everything, even if it only flags a fraction. That’s not targeted surveillance. That’s mass interception with a filter.
What Chat Control 1.0 Actually Does
Since the end of 2020, internet-based communication services — messenger apps, webmail, and VoIP — have been protected by the EU’s E-Privacy Directive, which prohibits unauthorized interception of private communications. To allow technology providers to voluntarily scan for child sexual abuse material (CSAM), the EU created a temporary exemption in 2021. That exemption expired in April 2026.
The reactivated regulation would close what the Council calls a “legal loophole” — the period between the expiry of the old exemption and the stalled negotiations on the permanent “Chat Control 2.0” framework. Providers would again be permitted, under the interim measure, to scan private chats using AI detection and hash matching. Scanned content and traffic data must be irrevocably deleted within twelve months unless a concrete suspicion is confirmed.
The Procedural Trick
The Council can’t simply “extend” an expired regulation. Instead, it has put forward a legislative proposal that is largely identical in content but different in form — technically a “new” regulation, not an extension. This allows it to enter the parliamentary process at second reading, where the Council’s position can only be stopped or modified by an absolute majority of MEPs.
That hurdle is significant at any time. It becomes nearly insurmountable when the vote is scheduled for the last plenary session before the summer break, when many MEPs have already departed. The draft is set to be placed on Parliament’s agenda as early as Tuesday under an urgent procedure.
Critics see the timing as deliberate. The Council is exploiting the gap between political attention and procedural reality — the same gap that lets controversial legislation pass when nobody is watching.
The AI Scanning Problem
The regulation doesn’t specify which scanning technologies providers must use, but the two methods in practice are hash matching and AI-based detection. Hash matching compares files against databases of known illegal content. AI detection attempts to identify new, previously unseen material — and it’s this method that raises the sharpest privacy concerns.
AI-based CSAM scanning has a well-documented false positive problem. The technology must process the content of private messages to classify them, which means the scanning system sees everything — even if it only flags a small fraction. For end-to-end encrypted services, the technical challenge is even more fundamental: scanning requires either breaking encryption at the client level or scanning on-device before encryption occurs. Both approaches undermine the security model that encrypted messaging is built on.
The Council emphasizes that scans will be “limited to the absolutely necessary extent” and that no general surveillance will take place. Privacy advocates note that the difference between “targeted scanning” and “mass surveillance” is largely semantic when the scanning infrastructure processes every message.
NZ Angle
New Zealand isn’t subject to EU regulation, but the precedent matters. The NZ government has been quietly expanding surveillance powers through the Search and Surveillance Act review and the Telecommunications (Interception Capability and Security) Act. The EU’s move normalizes the idea that encrypted messaging can and should be scanned at scale — and that norm-setting travels.
For NZ-based encrypted communication providers — and there are several — the EU regulation creates a compliance fork. If they serve EU users, they may need to implement scanning capabilities they wouldn’t otherwise build. Those capabilities, once built, exist. The question of whether they’re used only for CSAM or expanded to other content categories is a policy decision, not a technical one.
The Australia AI scribes privacy warning and the broader pattern of governments pushing AI-mediated surveillance into private communications suggest the EU’s move is part of a global trend, not an isolated European debate.
What Happens Next
If Parliament approves the urgent procedure, a vote could happen on the last day of session before the holidays. If MEPs reject the fast-track, the regulation returns to normal negotiation — where it has been stalled for months.
The longer-term fight over Chat Control 2.0 — the permanent framework — remains unresolved. The Council’s fast-track maneuver doesn’t resolve that debate. It buys time for the surveillance framework while putting pressure on Parliament to either accept the interim measure or be seen as blocking child protection measures.
❓ FAQ
Does this mean my WhatsApp messages will be scanned? If you’re in the EU and your provider participates in the voluntary scanning framework, yes — your messages would be processed by scanning systems, even if no human reads them. The scans target known CSAM hashes and AI-detected patterns. Providers that don’t participate face no direct penalty under the interim measure, but the Council’s framing makes non-participation politically difficult.
What’s the difference between Chat Control 1.0 and 2.0? Chat Control 1.0 is the temporary, voluntary framework that expired in April. Chat Control 2.0 is the proposed permanent framework with mandatory scanning requirements. The Council is reactivating 1.0 because 2.0 is stalled in negotiations.
Why is this happening now? The exemption expired in April. The Council is moving now because Parliament goes on summer break, and a fast-track vote during the last session — when attendance is low — is easier to pass than a normal vote with full attendance.
Is this about AI surveillance? The scanning framework uses both hash matching (comparing against known illegal content databases) and AI detection (identifying new material). The AI detection component is what privacy advocates are most concerned about, because it requires processing the content of all messages to classify them.
🔍 THE BOTTOM LINE
The EU Council just taught a masterclass in legislative timing. Push a surveillance regulation through when Parliament is half-empty, call it “voluntary,” and frame opposition as blocking child protection. The technical reality — that scanning encrypted messages requires breaking the encryption model — gets buried under the political framing. Whether Parliament fights back or lets it slide will set the precedent for every future debate about encrypted communication in Europe.