More members of the European Parliament voted to kill EU message scanning than voted to keep it. It survived anyway. On 9 July 2026 the motion to reject drew 314 votes against the scheme and 276 in favour of it, with 17 abstentions, and it still failed, because at second reading, rejecting the Council's position needs an absolute majority of the whole Parliament, at least 361 votes, not a majority of those in the room. So the scanning regime known as EU Chat Control 1.0 is back on track to run to 2028. It is not law yet: Parliament's amended text now goes back to the Council.
Here is what most of the coverage gets wrong. The arithmetic was the headline; the consequential part barely registered. On the same day, Parliament amended the text to push end-to-end encrypted communications out of scope. That quietly defines what is still in scope. Everything that is not end-to-end encrypted.
What EU Chat Control 1.0 actually is
Chat Control 1.0 is a nickname, and a misleading one. The real thing is Regulation (EU) 2021/1232, usually called the ePrivacy derogation. It was introduced in 2021 as a temporary carve-out from the EU's ePrivacy rules on communications confidentiality. It applies to what the law calls number-independent interpersonal communications services: messaging apps, webmail, DMs. The apps you talk to people in, rather than the phone network.
One word carries almost all the weight. The regulation is voluntary: it permits providers to run detection, and does not order them to. What it permits detection of is narrow but not as narrow as the shorthand suggests. It covers child sexual abuse material and the solicitation of children, which is grooming, with anti-grooming technology allowed only under extra safeguards. In practice the great bulk of what providers detect and report is a hash match against images and video already catalogued as abuse material. The European Parliament's own summary of the extension describes providers as able to continue voluntarily using specific technologies to detect and report child sexual abuse online.
The regime is narrower than the nickname suggests and broader than its defenders imply: a permission slip rather than a mandate, confined to abuse material and the solicitation of children, but not confined to matching catalogued images alone.
The vote that lost and passed at the same time
The sequence over sixteen weeks explains the strangeness better than any single vote does. In March 2026, Parliament rejected an extension of the derogation by 311 votes to 228, with 92 abstentions. Nothing replaced it, and on 3 April 2026 the derogation simply expired. Voluntary scanning lost its legal cover in the EU.
It came back through the front door. On 2 July 2026 the Council adopted a first-reading position reinstating the derogation. That flipped the burden of proof. In an ordinary legislative procedure at second reading, the Council's text stands unless Parliament musters an absolute majority to strike it down, which means every absent MEP effectively counts as acquiescence. On 9 July, 314 MEPs wanted it gone. They needed 361.
The same threshold cut both ways on the same afternoon. Amendments that did clear 361 went through, including the encryption carve-out, which passed alongside a second amendment on votes of 369 and 362. And an amendment that would have restricted scanning to accounts of people already identified by the judiciary won a clear plurality, 322 to 255, and still died because it fell short of the absolute majority. Two separate majorities were overridden by the same arithmetic.
The carve-out is encryption-shaped
The amendment MEPs adopted excludes communications to which end-to-end encryption is, has been or will be applied. In plain terms, under the text Parliament adopted, services where the provider cannot read the message are formally outside the reach of Chat Control 1.0. That is why Signal, WhatsApp and other end-to-end encrypted messengers are being written up as out of scope.
Be honest about how much that changes. Critics on both sides have pointed out that the practical effect is limited, because a provider who genuinely cannot see message content was never able to scan it anyway. The amendment mostly writes an engineering fact into law. Its real significance is the shape it leaves behind. Once you carve out everything end-to-end encrypted, the remaining surface is defined by a single property: services where the provider can read your content.
So what is actually in scope
The in-scope surface is the ordinary, unencrypted middle of the consumer internet, the places where a company holds your content in a form it can inspect.
- Ordinary email. Standard webmail is not end-to-end encrypted. The provider can read the message body and attachments, which is exactly what makes hash matching possible.
- Unencrypted direct messages. DMs on mainstream social platforms are typically stored in a readable form on the platform's servers, whatever the padlock in your browser bar suggests about the connection.
- Content sitting on consumer platforms. Reporting on the vote has named services such as Instagram, Discord, Snapchat, Skype, Xbox, Gmail and iCloud as the kind of platforms the regime covers.
- Anything you upload to a service that can decrypt it. Encryption in transit protects the pipe. Encryption at rest protects the disk. Neither means the provider is blind to the content.
What it does not allow
Precision matters here, because the nickname invites people to imagine a system that does not exist. Chat Control 1.0 does not do the following.
- It does not compel anyone to scan. It removes a legal obstacle for providers who choose to. A provider that runs no detection at all remains compliant.
- It does not order the breaking of end-to-end encryption. As amended, it explicitly steps back from encrypted communications rather than demanding a way in.
- It is not a general-purpose reading machine. It reaches child sexual abuse material and the solicitation of children, and nothing else. Most detection in practice is hash matching against catalogued images and video, though grooming detection in text is permitted under additional safeguards.
- It is not a court-ordered, per-suspect regime either. The amendment that would have narrowed scanning to judicially identified suspects won more votes than it lost, 322 to 255, and still failed, so the voluntary permission remains broad rather than warrant-based.
This is a genuinely hard policy area, and reasonable people land in different places on it. Detection of catalogued abuse material has a real protective purpose, and the MEPs who voted to keep the derogation were not voting for surveillance for its own sake. The disagreement is about who gets scanned to find it, and on what authority.
The timeline, and where it goes next
- 2021: Regulation (EU) 2021/1232 introduced as a temporary ePrivacy derogation. Voluntary detection of online child sexual abuse becomes lawful
- March 2026: Parliament rejects an extension, 311 to 228 with 92 abstentions. No replacement is agreed
- 3 April 2026: The derogation expires. Voluntary scanning loses its legal cover
- 2 July 2026: Council adopts a first-reading position reinstating it. Burden shifts to Parliament to reject
- 9 July 2026: Rejection motion falls: 314 to reject, 276 to keep, 17 abstentions, 361 needed. The file survives; encryption carve-out adopted. The regulation is still not adopted law at this point
- Next: Parliament's amended text returns to the Council, which has three months to accept or reject it. If they disagree, a conciliation committee convenes
- 3 April 2028: The extension's proposed end date. Or earlier, if a permanent framework arrives first
Two caveats keep this accurate. The 9 July vote was not the last word: Parliament's amended position now goes back to the Council, which has three months to accept or reject it, with a conciliation committee if the two sides cannot agree. And the extension is explicitly a stopgap, running to 3 April 2028 or until the permanent framework is in place, described in the Parliament's own paperwork as a period limited to what is strictly necessary for the adoption of the long-term legal framework.
Chat Control 1.0 is not Chat Control 2.0
Most of the confusion online comes from collapsing two different laws into one nickname. The derogation above is the temporary, voluntary one. The other is the proposed CSAM Regulation, the permanent framework the Commission tabled in May 2022 and lawmakers have been negotiating since November 2023, and it is a substantially more far-reaching instrument.
| Dimension | Chat Control 1.0 (reinstatement, to run to 2028) | Chat Control 2.0 (proposed, unresolved) |
|---|---|---|
| Legal status | Regulation (EU) 2021/1232, expired and being reinstated. Not yet adopted | Draft CSAM Regulation, still in negotiation |
| Scanning | Voluntary. Providers may, need not | Detection orders could compel providers |
| Material targeted | CSAM and solicitation of children. In practice mostly known images and video | Debated: mandatory detection, including of new material and grooming |
| Encryption | End-to-end encrypted comms amended out of scope | The core fight; drafts have reached into encrypted content |
| Coverage | Interpersonal communications services | Broader, including hosted content |
| Status now | Amended text back with the Council | Talks resume in September 2026 |
If a post you are reading says Chat Control forces Signal to hand over your messages, it is describing neither of these laws accurately. 1.0 is voluntary, and as amended by Parliament it excludes end-to-end encrypted services. 2.0 is not law either, and the encryption question in it is still unsettled.
What an ordinary person should take from this
Not panic. Chat Control 1.0 is not a machine that reads your chats for meaning, and your encrypted messenger did not just become a wiretap. The realistic takeaway is duller and more useful, and it is about where your content sits rather than what any single vote decided.
- The rules governing a surface can change faster than your habits do. This derogation expired, stayed dead for three months, and came back through a procedural door in under a week.
- The scanned surface is defined by readability, not by intent. Whether your content is in scope depends on whether the provider can read it, not on whether you have anything to hide.
- A vote you would have won can still go against you. Two majorities on 9 July lost to an absolute-majority threshold. Do not assume the politics will protect a surface you depend on.
- Storage location is a choice you can actually make. You cannot vote in the European Parliament. You can decide which of your documents live in an inbox and which do not.
Your documents do not have to live in an inbox
Here is the pattern worth noticing. An enormous amount of what people call their records is not really stored anywhere. It is stranded: a lease in a Gmail thread, a diagnosis in a DM, a contract in a chat attachment. Those artefacts ended up in a consumer communications surface because it was the pipe they arrived through, not because anyone chose it as a filing system. And that surface is precisely the one whose scanning rules get rewritten by legislation.
The useful move is to stop treating the pipe as the archive. A memory layer you control is a different kind of place, one where the point is retrieval rather than delivery. That is the job MemX is built for: your documents and records live in a private memory layer instead of scattered across a mailbox and a dozen chat threads, and you can ask questions across them without going hunting.
Be clear about what that does and does not mean, because plenty of privacy marketing is not. MemX is private by architecture: per-user isolation, encryption at rest, with your memory belonging to you rather than being pooled into someone else's training corpus. That is a design posture about who can reach your data and under what conditions. It is not a claim that MemX is end-to-end encrypted or zero-knowledge, and it is not a legal exemption from anything. The honest argument is smaller and more durable: the fewer of your important records that are sitting in a consumer inbox or a chat thread, the less of your life is parked on a surface whose rules get renegotiated in Brussels every couple of years.
01Did the EU just make message scanning mandatory?
No. Regulation (EU) 2021/1232 permits voluntary detection and does not require any provider to scan. The 9 July 2026 vote kept the reinstatement of that permission moving rather than converting it into an obligation, and the text still has to clear the Council. The proposal that could mandate detection is the separate CSAM Regulation, often called Chat Control 2.0, which is still under negotiation.
02How did it pass if more MEPs voted against it?
Because of the second-reading threshold. Rejecting the Council's first-reading position requires an absolute majority of all MEPs, at least 361 votes. The rejection motion drew 314 votes to reject and 276 to keep, with 17 abstentions. A plurality was not enough, so the file survived.
03Is WhatsApp or Signal being scanned?
Not under this regime. MEPs adopted an amendment excluding communications to which end-to-end encryption is, has been or will be applied, which would place end-to-end encrypted services outside the scope of Chat Control 1.0, assuming the Council accepts the amendment. Several commentators note the practical effect is limited either way, since a provider that cannot read message content could not scan it in the first place.
04What is actually in scope, then?
The services where the provider can read your content: ordinary email, unencrypted direct messages, and content held on mainstream consumer platforms. Encryption in transit and encryption at rest do not remove content from that category, because in both cases the provider can still access it.
05How long does this last?
The extension runs until 3 April 2028, or until a permanent long-term framework replaces it. It is not finished business either: Parliament's amended text now returns to the Council, which has three months to accept or reject it, with a conciliation committee if they cannot agree.
The 9 July vote will be remembered for its arithmetic. It should be remembered for its shape. When a legislature draws a line around end-to-end encrypted communications and says these are out of reach, it is also saying something about everything on the other side of that line. Most people's documents are on the other side of the line, and most of them did not choose to put them there.
