This coverage has traced many collisions between technology and regulation. Few are as sharp, or as instructive, as the European Union’s long-running fight over what critics call “Chat Control” — a proposal to combat one of the gravest harms online, the circulation of child sexual abuse material, by a means that would touch one of the foundations of digital privacy: the confidentiality of encrypted communications. It is a case where two legitimate goods point in opposite directions, and where, after years of deadlock, the conflict has not been resolved so much as transformed.
Begin with the proposal, stated precisely, because the entire controversy lives in the mechanism. First proposed by the European Commission in May 2022, the Regulation to Prevent and Combat Child Sexual Abuse — the CSAR — aims to require messaging and hosting platforms to detect and report child sexual abuse material on their services. The goal is unobjectionable; almost no one disputes the importance of fighting CSAM. The problem is implementation. To detect such material in services protected by end-to-end encryption — where, by design, only sender and recipient can read a message — the proposal pointed toward “client-side scanning”: analyzing the content on the user’s own device, before it is encrypted. Cryptographers and security experts argue this fundamentally breaks the security model of encryption: the cryptography may stay intact, but the privacy guarantee is, in one analyst’s phrase, functionally zapped, because it creates exactly the kind of third-party content analysis that encryption exists to prevent.
A timeline of deadlock
The legislative path has been contentious and revealing, and the recent chapter is dramatic. For years — through 2024 and 2025 — negotiations stalled, votes were postponed, and member states could not agree. In October 2025, under the Danish Council presidency, the proposal backed away from mandatory message scanning after intense public protest and firm opposition from key states, Germany among them — the third such retreat, not a formal withdrawal.
Then came the decisive moment this year. A separate, temporary regulation from 2021 had given platforms a legal pass to voluntarily scan unencrypted messages for CSAM, an exception to the EU’s ePrivacy rules. It was always meant as a bridge until the permanent CSAR was settled. The permanent rules were never settled. The Commission asked to extend the voluntary regime to 2028; the European Parliament refused. On March 11, 2026, Parliament voted overwhelmingly for a compromise that would extend scanning only under strict conditions: judicial authorization, and targeted rather than mass surveillance. Council member states rejected those conditions. With no agreement, the temporary derogation expired on April 3, 2026, after Parliament voted 311 to 228 against extending it. As of that date, platforms operating in the EU lost their legal basis for voluntary mass message scanning.
But the story did not end there, and this is the point: the permanent CSAR — “Chat Control 2.0” — is very much alive. The latest Council text, agreed in late 2025, removed the explicit obligation of mandatory scanning and added language stating that nothing in the regulation imposes detection obligations on providers — but it kept the core framework, required providers to assess risks and cooperate with a newly established EU Centre on Child Sexual Abuse, and added a review clause obliging the Commission to reassess “the necessity and feasibility of including detection obligations” within three years. Trilogue negotiations resumed in May 2026, with a political deal targeted for around mid-year. The threat, as privacy advocates put it, has not disappeared — it has changed shape.
Why this reaches beyond Europe
For readers outside the EU, this is not a parochial European quarrel, and that is worth underscoring. Because the major messaging platforms are global, a European scanning mandate would not stay within European borders. Analysts warn that if something like the stricter Council mandate became law, US companies would face conflicting legal obligations they could not simultaneously satisfy, and users far beyond Europe could find their communications subject to systematic analysis — a spillover that recalls the extraterritorial logic seen in data sovereignty and the CLOUD Act, only running in the opposite direction. And the precedent matters globally: if the world’s most influential privacy regulator endorses client-side scanning, other governments — including authoritarian ones — gain a template to demand the same, for purposes far removed from child protection. The encryption debate is, in this sense, indivisible: a backdoor built for one jurisdiction weakens the guarantee for everyone.
Two readings, with comparable weight
The conflict admits two legitimate positions, and both deserve to be stated fully, because this is a case where reasonable people of good faith genuinely disagree.
Those who back strong detection — child-protection organizations, many in law enforcement, the Commission — argue that the scale of CSAM online is staggering and growing, that encrypted platforms have become safe channels for predators, and that the rights of children to safety must weigh against the privacy interests of all users. For them, a targeted, judicially supervised detection capability is a proportionate response to a grave and documented harm, and treating encryption as absolute means abandoning children to abusers who exploit it.
Those who oppose the scanning — cryptographers, privacy and digital-rights groups, several governments, and major encrypted-messaging providers — argue that there is no way to scan encrypted content without breaking the protection that secures everyone’s communications: journalists, dissidents, businesses, ordinary citizens. They warn that detection systems produce false positives at scale, that any backdoor will eventually be abused or exploited, and that the measure normalizes “surveillance by default.” Some providers have said they would withdraw from the European market rather than compromise their encryption. For them, the harm is real but the cure would create a larger one, weakening the security of an entire society to surveil it.
It is not for this outlet to decree the balance. What can be stated is that both sides are defending something genuinely important — the safety of children and the integrity of private communication — and that the tragedy of the debate is that the most intrusive technical solution pits these two goods directly against each other, when both deserve protection.
What this case reveals
What Chat Control adds to the coverage is the clearest example yet of regulation forced to choose between two values it cannot fully reconcile by technical means. Elsewhere the gap was between a fast technology and a slow law; here the law is neither too slow nor absent — it is caught, for years, unable to find a path that protects children without weakening the encryption that protects everyone. The deadlock is not a failure of will but a reflection of a genuine dilemma, and the fact that it keeps “changing shape” rather than resolving is the most honest indicator of how hard it is.
The verifiable fact is that the EU has spent years trying to legislate detection of CSAM in private messages, that the attempt collides with end-to-end encryption, that the voluntary scanning regime expired in April 2026 while the permanent regulation continues in negotiation, and that the outcome will set a precedent reaching far beyond Europe. Whether the EU finds a path that protects children without breaking encryption — or sacrifices one good for the other — will depend on decisions still being negotiated: on whether detection is mandatory or voluntary, targeted or mass, judicially supervised or automatic, and on whether a technical means exists that does not force the choice. As in every story of this kind, what is decisive is not the worthiness of the goal — protecting children is beyond dispute — but whether the means chosen to pursue it leaves intact the protections a free society depends on.