The European Parliament has voted to curb untargeted mass scanning of private communications in the EU, signaling a major shift in the ongoing debate over “Chat Control” legislation.
Lawmakers backed amendments that would restrict automated scanning of private messages to cases involving users or groups specifically suspected of child sexual abuse and authorized by a judicial authority.
The decision came during a plenary vote on March 11, 2026, as part of discussions on extending the temporary exemption to EU privacy rules that currently allows online service providers to voluntarily detect and report child sexual abuse material (CSAM). The exemption, originally set to expire in early April 2026, was extended by Members of the European Parliament (MEPs) until August 3, 2027, to allow more time for negotiations on a permanent regulatory framework.
At the same time, lawmakers adopted amendments tightening how such detection measures can be used. One of the key provisions, Amendment 5, introduced by Pirate Party MEP Markéta Gregorová of the Greens/EFA group, requires that any scanning of private communications be strictly targeted. Under the amendment, providers could only scan messages belonging to users or groups identified by a competent judicial authority as being reasonably suspected of involvement in child sexual abuse offenses.
The move effectively rejects proposals for broad, untargeted scanning of private chats, an approach that had been advocated by some EU governments during negotiations over the proposed Child Sexual Abuse Regulation (CSAR), often referred to as “Chat Control.” Cryptography experts previously warned that the law would threaten all private communications, while Signal President Meredith Whittaker warned that the company would exit the European Union if the law mandating client-side scanning were ever adopted.
Although countries like Germany and the Netherlands previously took a clear stance against the proposal, other EU member states continued to push it under “lighter,” but still dangerous forms.
Rapporteur Birgit Sippel (S&D, Germany), who oversaw the legislative file, said the extension is meant to maintain existing voluntary detection capabilities while protecting fundamental rights.
“We have a responsibility to address the horrific crime of child sexual abuse while safeguarding everyone’s fundamental rights,” Sippel said after the vote. She added that limiting detection technologies to previously identified CSAM and user-reported material creates a “proportionate framework” that can withstand judicial scrutiny while preserving end-to-end encryption.
Digital rights advocates welcomed the decision as a major setback for proposals to blanket-scan private communications. Patrick Breyer, a digital rights campaigner and former Pirate Party MEP who has long opposed Chat Control, described the vote as a “sensational victory” for privacy protections in Europe.
According to Breyer, evidence cited in EU Commission evaluations suggests that large-scale automated scanning generates substantial volumes of false positives. Data referenced by critics indicates that roughly half of reported chats can be non-criminal or misidentified, potentially diverting law enforcement resources away from targeted investigations into actual abuse networks.
Another concern raised by critics is the heavy reliance on a small number of technology companies. Reports indicate that the vast majority of automated CSAM reports submitted to European authorities originate from a single US-based platform operator, raising questions about oversight and the role of private companies in policing online communications.
Under the Parliament’s mandate, scanning technologies should be applied only to previously identified and hashed CSAM or to material flagged by users, trusted organizations, or law enforcement. The use of traffic data analysis alongside message content scanning was also rejected.
Negotiations with EU member states will now determine the final shape of the legislation. Until then, the Parliament’s vote signals that automated scanning of private communications in the EU should not be applied indiscriminately.
Leave a Reply