On July 9, 2026, the European Parliament held a vote that, by the numbers, went against mass scanning of private messages. 314 MEPs voted to kill it. Only 276 voted to keep it. And yet, when the sitting ended, the measure was still alive — not because it won, but because it didn’t lose by enough.

That same day, in a separate vote, Parliament did something that gets far less attention in the headlines: it passed amendments to wall off end-to-end encrypted apps from the whole scheme. That vote actually cleared its threshold. The result is a regulation that is neither dead nor in force — bounced back to the Council of the EU, which now has three months to decide what happens next.

If you read only the headlines from July 9 and 10, you’d think this was settled. It isn’t.

TL;DR

  • Parliament voted 314–276 (17 abstaining) to reject the Council’s plan to revive private-message scanning for CSAM detection — rejection needed an absolute majority of 361, so it failed by 47 votes
  • The old scanning exemption had already expired on April 3, 2026; that expiry has not been reversed
  • In a separate vote, Parliament also adopted two amendments (369 and 362 votes) explicitly excluding end-to-end encrypted services — these did clear the 361-vote threshold
  • Because Parliament amended rather than simply failing to reject, the file goes back to the Council, which has three months (roughly until October 9, 2026) to accept or reject the changes
  • The regulation is not currently in force. Nothing is being scanned under it today that wasn’t already being scanned yesterday
  • The Council’s own Legal Service is reported to have warned, around June 10, 2026, that the scheme sits uneasily with Article 7 of the EU Charter of Fundamental Rights
  • A survivor of child sexual abuse, Alexander Hanff, testified that his own disclosure — which convicted multiple offenders — was only possible because of confidential, encrypted communication

Why This Should Matter to You

Whether or not you live in the EU, this fight determines the default privacy posture of apps used by billions of people, because platforms rarely build one version of their backend for Europe and another for everyone else. And whether or not this particular round of the law survives, the pattern is now clear: a small number of MEPs can keep a rejected policy alive indefinitely, just by making sure the rejection vote — not the policy itself — fails to reach a supermajority.

That’s worth understanding on its own, independent of how you feel about CSAM detection.


How We Got to July 9

Since 2011, EU platforms have been allowed — not required — to scan unencrypted messages for child sexual abuse material (CSAM) and grooming, and report matches to authorities. This has never applied to end-to-end encrypted (E2EE) traffic like WhatsApp: if the platform can’t read a message, there’s nothing to scan.

The current legal basis, Regulation (EU) 2021/1232, entered into force in August 2021 and was extended once, by Regulation (EU) 2024/1307, to April 3, 2026.

The expiry nobody reversed

The European Commission proposed extending the derogation again, until April 3, 2028. Parliament pushed back in two separate steps. On March 11, 2026, it adopted a set of narrower amendments — a shorter end date of August 2027 and tighter limits on scanning for previously unknown material and grooming — and referred the file back to committee. Then, on March 26, in its actual first-reading decision, Parliament voted 311–228 to reject the Commission’s extension outright and called on it to withdraw the proposal. Talks collapsed. On April 3, 2026, the exemption lapsed. For the following three months, “voluntary” scanning under this legal basis was not permitted in the EU at all.

The Council tries again

On July 2, 2026, the Council adopted its position at first reading — largely reviving the Commission’s original, broader proposal — which sent the file to Parliament for a second reading. On July 7, the European People’s Party invoked an urgency procedure (Rule 170) to fast-track that second reading straight to a plenary vote, skipping committee review, before the summer recess. It passed, 331–304.

That set up the vote two days later.


July 9: Two Votes, One Confusing Outcome

Under Article 294 of the Treaty on the Functioning of the European Union — the EU’s “ordinary legislative procedure” — a second-reading Parliament can only reject a Council position with an absolute majority of all 720 seats: 361 votes, regardless of turnout. The same threshold applies to amending it.

VoteForAgainstAbstainThresholdResult
Reject the Council’s position31427617361Failed — fell 47 short
Amendment excluding E2EE services (1)369361Passed
Amendment excluding E2EE services (2)362361Passed

More MEPs wanted to kill the regulation outright than wanted to keep it — but killing it required a supermajority that rejection never reached. Former MEP and digital rights campaigner Patrick Breyer called it bluntly: “The fact that Chat Control is moving forward against the will of the majority of voting MEPs is a farce and damages democracy.”

But “moving forward” needs a caveat. The same afternoon, MEPs passed encryption-carve-out amendments by 369 and 362 votes — comfortably over the same 361-vote bar that rejection missed. Rapporteur Birgit Sippel said a clear majority wanted to narrow the regulation further, but procedural rules limited how much could be changed in a single sitting.


So Is It Law or Not?

Not yet. This is the part most coverage skipped.

Under Article 294(7)–(9), a Council position is only “deemed adopted” automatically if Parliament neither rejects nor amends it. Parliament did neither cleanly — the rejection failed, but the amendments succeeded. That means the amended text goes back to the Council, which now has three months to:

  • accept all of Parliament’s amendments — in which case the regulation, including the E2EE carve-out, is formally adopted; or
  • reject any part of them — which triggers a Conciliation Committee, adding months more negotiation.

Practically: as of July 10, 2026, the pre-April derogation remains expired, and its replacement has not entered into force. No provider gained new scanning permission on July 9. If the Council eventually signs off, the earlier Commission timetable suggests the derogation would run until April 3, 2028 — but the final scope and date depend on what the Council accepts, including whether the E2EE exclusion survives.


What the Regulation Would Actually Allow — and What It Wouldn’t

It’s worth being precise here, because “Chat Control” has become political shorthand that often overstates the text itself.

The regulation is permissive, not mandatory. It creates a narrow exception to the ePrivacy Directive so that qualifying providers may — not must — use specified technologies to detect and report CSAM and grooming, under conditions:

  • processing must be strictly necessary and proportionate;
  • providers must use the least privacy-intrusive technology available;
  • automated text scanning may only flag patterns, not interpret the substance of a conversation;
  • previously unidentified material requires human review before it’s reported;
  • users must be told when a provider invokes the exemption.

It also does not name specific apps. Lists circulating online that claim “Gmail, Instagram, Discord, Snapchat, and Xbox are scanned” conflate a legal category — “number-independent interpersonal communications services” — with a roster of consumer products. Whether a given app is actually affected depends on whether its operator chooses to invoke the exemption, and on what portion of its traffic is even technically scannable. That changes faster than the law does: Meta rolled out default end-to-end encryption for personal Messenger chats in December 2023, and Microsoft retired consumer Skype entirely in May 2025 — both regularly still appear in recycled “scanned apps” lists from years ago.

Encrypted email sits in its own category, though it’s not identical to a messenger like WhatsApp. Proton Mail and Tuta (Tutanota) apply zero-access encryption to mail once it’s stored, so the provider can’t read what’s sitting in your inbox — but that’s a narrower guarantee than WhatsApp’s protocol, where the server never handles readable content at all, even transiently. An email arriving at Proton Mail from a non-Proton sender travels over standard mail protocols and briefly exists in a form Proton’s systems could technically inspect before it’s encrypted for storage; a message between two Proton Mail users, by contrast, is genuinely end-to-end encrypted throughout. In practice this distinction hasn’t mattered in the disclosed cases below — Proton has never handed over message content — but it’s a real architectural difference worth naming rather than papering over. Gmail and iCloud Mail don’t offer either version of this protection, which is why they’re the ones actually named in most coverage.

That said, “the provider can’t read your content” is a different guarantee from “the provider can never be compelled to hand anything over.” Both Proton and Tuta have complied with targeted, individual court orders — a completely separate legal mechanism from Chat Control, available against any communications provider, encrypted or not:

  • Proton, 2021: a Swiss court order, relayed via Europol from French police, forced Proton to start logging one activist’s login IP address. Proton could not and did not hand over message content — only the IP, going forward from the order.
  • Proton, 2024: in a Spanish investigation into the Catalan “Democratic Tsunami” movement, a similar order compelled Proton to disclose the only piece of data it held: a recovery email address, which investigators then traced through Apple to identify the account holder.
  • Tuta, 2020: a regional court in Cologne ordered Tuta to begin capturing one specific suspect’s incoming and outgoing mail in plaintext, before encryption, in a blackmail investigation — a materially more invasive order than a metadata request. Tuta appealed, citing a conflicting ruling from a Hanover court that it isn’t a “telecommunications service” under German law and can’t be compelled this way.

None of that is Chat Control. It’s the ordinary reach of judicial process, and it applies regardless of what happens to the regulation this article is about. Encryption limits what a provider has to give up; it doesn’t put anyone beyond the reach of a valid court order.


The Council’s Own Lawyers Don’t Like This Either

Here’s what most July 9 headlines missed entirely: multiple reports say that around June 10, 2026, the Council of the EU’s own Legal Service — its internal legal advisors — assessed this same proposal and found that it still amounts to generalized, suspicionless scanning of private communications, warning that accessing people’s messages without prior suspicion or judicial authorization sits uneasily with Article 7 of the EU Charter of Fundamental Rights — the right to respect for private life and communications. We haven’t been able to locate the underlying Council document itself, only secondary reporting on its contents, so treat the exact date and wording as reported rather than verbatim.

If accurate, it means the body pushing this text through was warned by its own lawyers that the approach may not survive a challenge at the Court of Justice of the EU — and proceeded regardless.


The People This Is Supposed to Protect Are Pushing Back

The sharpest pushback didn’t come from privacy lobbyists. It came from Alexander Hanff, a survivor of child sexual abuse and a privacy technologist who has worked on detection efforts since 1992. In his own words, published before the vote:

“I have fought this law as Chat Control I and again as Chat Control II, and I have fought it as a survivor of child sexual abuse who told his story nearly fifteen years ago, testimony that put my abusers, and the abusers of more than twenty other boys from my school, in prison. I would never have found the courage to tell that story without private, confidential, encrypted communication, and the convictions that followed would never have happened.”

Hanff’s argument isn’t that CSAM detection doesn’t matter — it’s that mass scanning is a poor substitute for it, and actively harms the people it claims to protect:

“Chat Control was not created to protect children. It was about Big Tech companies like Meta or Google wanting access to our data for profiteering, and states attempting to expand mass surveillance. The EU Commission has wasted five years and millions of euros on algorithms that cannot protect children and were never meant to. This money should have been diverted to real policing, causal research, and support for survivors.”

That reframes the usual “child safety vs. privacy” narrative. It isn’t privacy advocates against child protection — it’s a CSA survivor arguing that suspicionless mass surveillance and genuine child protection are different, and often opposing, things.


What’s Actually at Stake Next

This July 9 outcome — whichever way the Council eventually rules — is still only the temporary track. The bigger fight is the permanent CSA Regulation (“Chat Control 2.0”), first proposed by the Commission in 2022. It sat without a Council negotiating position for three years; member states only agreed one on November 26, 2025, which is what finally allowed three-way trilogue talks with Parliament and the Commission to begin in December 2025. A fifth round of trilogues was held June 29, 2026, with no resolution; negotiations resume in September.

PositionHeld byWhat it broadly means
Broader, less-targeted scanningCouncil, CommissionProviders could be required or permitted to scan communications without requiring individual, prior suspicion
Targeted scanning onlyParliament majority, Greens, RenewScanning should be limited to accounts already under judicial suspicion, with a warrant

That’s a characterization of where each side has been arguing from, not a quote from either side’s legal text — the exact wording is still being negotiated. The disagreement hasn’t moved much since 2022, and July 9 didn’t resolve it — if anything, a majority of voting MEPs trying (and narrowly failing) to reject even the temporary version suggests the broader, suspicionless approach has an uphill fight in September. But procedural quirks are exactly what let a minority position survive on July 9. Nothing here is decided until it’s decided.


What You Can Do Today

  1. Move sensitive conversations to end-to-end encrypted apps. Signal and similar services stay outside this regulation because there’s nothing on the wire for a provider to scan.
  2. Check what’s actually encrypted, conversation by conversation. Some apps mix encrypted and unencrypted chats by default — don’t assume uniform protection across a single platform.
  3. Remember encryption ≠ immunity from courts. Proton Mail and Tuta protect content from bulk scanning, not from a targeted, valid legal order in a specific investigation. Plan your threat model accordingly.
  4. Watch the Council, not just Parliament. The regulation only takes effect if the Council accepts Parliament’s amendments — or after a Conciliation Committee resolves the difference.
  5. Follow the September trilogue. The permanent CSA Regulation will shape EU communications privacy for years; this July vote is a placeholder next to it.


Sources