What if the only way to keep your messages truly private was to live outside the law?
That’s the question lurking behind Europe’s latest privacy showdown. Last week, the EU Parliament delivered what looked like a knockout punch to the so-called Chat Control proposal, voting down an interim derogation that allowed tech companies to voluntarily scan encrypted messages. Sound like a win? It is—but only if you squint. Because the zombie proposal everyone’s been fighting keeps shambling forward, now wearing a different mask.
Let’s back up. Chat Control, in its original form, was audacious in a way that should terrify anyone who values encryption. EU member states wanted to mandate that platforms scan all encrypted messages for child sexual abuse material (CSAM). Not as an option. As a requirement. Think of it as forcing every messaging app to install a government spy camera, but one that somehow only “sees” illegal content (spoiler: that’s not how technology works).
The Partial Victory Nobody Expected
The good news landed in waves. First, member states quietly abandoned the mandatory scanning requirement—too technically impossible, too legally fragile. Then came last week’s Parliament vote: a formal rejection of the voluntary scanning exception that had temporarily allowed companies to do this anyway without running afoul of the EU’s strict e-Privacy Directive. For a moment, privacy advocates could breathe.
“Whether this indicates continued scanning of our private communication is not entirely clear, but what is clear is that such activity would now risk breaching EU law.”
But here’s where it gets tricky. Google, Meta, Microsoft, and Snap didn’t panic. They issued a joint statement committing to “continue to take voluntary action on our relevant Interpersonal Communication Services.” Read that carefully. It’s technically vague—but it’s also a signal that scanning isn’t going away, it’s just going underground. These companies have done this before: during previous regulatory gaps, they kept scanning anyway, betting (correctly) that enforcement would be slow, fragmented, and ultimately toothless across 27 different EU member states.
Why Voluntary is Now a Dirty Word
Here’s the real insight nobody’s talking about: the distinction between mandatory and voluntary just collapsed. Not legally—the law is clear. But practically? When lawmakers start expecting platforms to voluntarily adopt certain behaviors as part of compliance, those behaviors aren’t voluntary anymore. They’re compliance theater.
The negotiators are still haggling over what they’re calling “risk mitigation measures.” Age verification. Reporting mechanisms. Content flagging systems. Sounds reasonable in isolation. Except once these become standard practice—once regulators nod approvingly at platforms that adopt them—non-compliance becomes the same as admitting you don’t care about child safety. The pressure transforms voluntary action into de facto requirement.
That’s the trap.
And it’s why the Chat Control proposal, even in its neutered form, is still dangerous. It’s like negotiators agreed to ban the nuclear bomb, then quietly began stockpiling the components. The CSAM detection mandate is still on the negotiating table. Age verification requirements are being dusted off. The language has shifted from “must scan” to “should take measures to mitigate risk”—which sounds less sinister until you realize it achieves almost the same outcome through a slower, more durable mechanism.
Can Big Tech Actually Be Trusted to Police Itself?
There’s a reason to be skeptical. Meta’s history with privacy commitments in Europe reads like a comedy of errors: repeated fines for violating GDPR, multiple regulatory investigations, promises to change behavior that get quietly reversed. Google’s scanning systems have repeatedly over-flagged innocuous content. Microsoft’s tech has reportedly misidentified thousands of images. When you’re relying on voluntary action from companies with a proven track record of non-compliance, you’re not regulating—you’re asking nicely.
The Parliament’s move was smart tactically. By rejecting the interim derogation, they forced the issue into the light. Now any scanning activity by platforms operates in a legal gray zone. It’s not explicitly banned (yet), but it’s not protected either. That creates legal risk for the companies—which should make them hesitate.
But should is doing a lot of work there.
What happens next matters enormously. Lawmakers need to do two things simultaneously. First, they must prevent the expired scanning exception from quietly reappearing in a revised directive—this is the “don’t let the zombie come back” part. Second, they need to actively narrow the Chat Control proposal’s remaining teeth: make sure age verification doesn’t become mandatory, ensure that “risk mitigation” doesn’t become a code phrase for mass detection, and establish real enforcement mechanisms with teeth (not the gentle administrative nudges we’ve seen so far).
Without that, Europe’s privacy victory is just temporary theater before the same fight starts again under different branding.
The Bigger Picture: Why Europe Matters
This might feel like insider-baseball European regulation, but it’s not. The EU sets the global standard. When Brussels regulates tech, San Francisco follows. What gets decided in these negotiations will influence how messaging apps, social platforms, and communication services operate worldwide. If Europe allows mass scanning to return through the back door—dressed up as age verification and risk mitigation—it signals to every government everywhere that there’s a playbook for dismantling encryption without saying so.
Conversely, if the EU Parliament holds the line and forces real narrow legislation, it builds a template for privacy that actually works. Not perfect. Not foolproof. But resistant enough to the inevitable regulatory creep that will follow.
The Parliament just won a round. They didn’t win the fight.
🧬 Related Insights
- Read more: Anthropic’s Private Market Momentum Is Real—But SpaceX Could Steal the Show
- Read more: EU AI Act Chapter V: GPAI Providers’ Enforcement Reckoning
Frequently Asked Questions
What is EU Chat Control and why was it controversial?
Chat Control was a proposal to force messaging platforms to scan encrypted messages for child abuse material. It would have required either breaking encryption (technically impossible and security-threatening) or installing mass surveillance systems. Privacy advocates, security experts, and even some tech companies opposed it because there’s no way to scan encrypted messages without fundamentally undermining encryption for everyone.
Will tech companies stop scanning messages now?
Unlikely. Google, Meta, Microsoft, and Snap have already signaled they’ll continue “voluntary” scanning. The difference is it now happens in a legal gray zone—technically riskier for them, but without enforcement mechanisms, many will likely continue anyway. The EU has a track record of slow enforcement against big tech violations.
What’s actually being negotiated now?
The CSAM detection mandate is still alive, but reframed as “risk mitigation measures.” This includes potential age verification requirements and reporting obligations. The real risk is that these voluntary-sounding measures become industry norms and then de facto requirements, achieving the same outcome as the original mandatory scanning proposal without explicitly saying so.
