Chat Control Retreats: Europe’s Big Privacy Win – But For How Long?

TL;DR

The European Union’s proposed Regulation to Prevent and Combat Child Sexual Abuse (CSAR) (widely known as chat control) has been the single greatest threat to digital privacy in Europe. For two years, the EU chat control proposal aimed to force providers to scan private messages, emails, and files for suspected CSAM  (child sexual abuse material), even if that meant breaking end‑to‑end encryption via client‑side scanning.

On October 31, 2025, Denmark backed away from mandatory message scanning after massive public protest and a firm “no” from key countries like Germany. This is a major victory for privacy, but it’s the third delay – not an official withdrawal. 

With voluntary scanning provisions expiring April 2026 and Poland taking the EU Council Presidency on Jan 1, 2026, the battle over encrypted communications is far from over.

In short: the threat has just changed shape. We at Atomic Mail believe this is a turning point for digital freedom. It’s not privacy vs. safety – that’s a false narrative. The real choice is between targeted, effective investigations and wholesale, automated surveillance of everyone.

What Is “Chat Control”?

On 11 May 2022, the European Commission introduced the official proposal, the 'Regulation to prevent and combat child sexual abuse' (CSAR). Opponents quickly called it 'Chat Control', highlighting its function as a mass surveillance system.

The regulation was designed to replace the temporary measure introduced in 2021 ("Chat Control 1.0"), which only permitted the voluntary scanning of unencrypted services. The new proposal ('Chat Control 2.0') was a significant escalation, as it aimed to make scanning mandatory for all providers, including those using end-to-end encryption (E2EE).

This mandatory proposal is the one that has just been blocked for the third time.

The new "Voluntary" proposal (the current threat)

On October 31, 2025, Danish Justice Minister Peter Hummelgaard announced a new "compromise." This plan would:

1. Strip out mandatory detection orders to achieve Council consensus.
2. Codify voluntary scanning within the future CSAR framework.

This new EU chat control law is a strategic pivot to get something passed before the April 2026 deadline.

Where it applies

The chat control law framework (both the mandatory one we just fought and the "voluntary" one now on the table) targets:

• Messengers (e.g., Signal, WhatsApp, iMessage).
• Email (e.g., Atomic Mail, Proton Mail, Tuta).
• Cloud storage (e.g., iCloud Photos/Drive, Google Drive, Microsoft OneDrive, Dropbox).
• Platforms hosting user content (e.g., Discord, Reddit, X/Twitter, Facebook, Instagram, TikTok).

Why it’s controversial

Even when intended to protect children, content scanning creates a widespread monitoring system. The EDPB/EDPS say that these measures might go against the EU Charter's rights to privacy and data protection, and could be more excessive than necessary.

Why Did It Happen?

The stated problem chat control tries to solve: The internet has made it easier for CSAM and grooming to spread. Reporting volumes have increased significantly over the past decade across major platforms and hotlines. So, policymakers argue that the current voluntary systems aren't enough and are inconsistent across providers and Member States. That's why the EU chat control law was trying to make it mandatory for all providers to detect and report.

The current "Chat Control 1.0" model allowing for voluntary scanning expires in April 2026. Proponents are now manufacturing a false crisis, claiming this will create a "regulatory gap" that leaves children unprotected.

According to Danish Justice Minister Hummelgaard: "Right now we are in a situation where we risk completely losing a central tool in the fight against sexual abuse of children. That's why we have to act no matter what. We owe it to all the children who are subjected to monstrous abuse."

Privacy advocates argue this framing is dishonest. The voluntary system allows Meta to scan, but it doesn't force encrypted services like Atomic Mail and Signal to break their security architecture. This is a political deadline being used to rush through a permanent surveillance framework.

What the Mandatory Chat Control Law Would Have Done

(This is the dangerous proposal we all just successfully paused. Understanding these threats is vital, as proponents will try to bring them back.)

Mandatory detection orders & scope – forcing services to scan

The core of the original EU chat control regulation was the "detection order." This would have legally forced service providers to scan all user communications – messages, images, and even end-to-end encrypted content. These were general, indiscriminate orders, not targeted warrants. Orders may target a service, a user cohort, or a feature (e.g., photo uploads).

Client‑side scanning: technical linchpin for breaking encryption

To scan end-to-end encrypted content in services like Atomic Mail and Signal, these services would have been forced to use Client-Side Scanning (CSS). 

This technology scans users' content on their devices before it is encrypted and sent. It creates a digital fingerprint, or 'hash', of the content and compares it to a government database of known CSAM. If there is a match, an automatic report is sent to the authorities.

Many experts agree that this architecture is essentially spyware, creating a systemic vulnerability (a 'backdoor') that hackers and hostile states can exploit to access the private communications of millions.

Age checks and platform obligations

To "protect" minors, services may be forced to verify the age of every user via ID or facial scan. This would be a huge blow to online anonymity.

And let's be blunt: not every provider is capable of securing that data. We just saw what happens when governments force this: the catastrophic Discord Breach 2025. That leak of 2 million user IDs was a direct result of forced age verification.

Read more in our article, Discord Breach 2025: What You Must Know About 2M Leaked IDs

Data retention, reporting, oversight

When the algorithm flags your message, it's sent to law enforcement.

This EU chat control proposal would have created a massive, automated pipeline for funneling millions of private messages and information (most of which will be false positives) from citizens' phones to a government database. The risk of leaks, misuse, and human error is enormous in such a case.

Quick Q: “Isn’t this only about criminals?”
Quick A: chat control doesn’t know who’s a criminal. It scans everyone to find someone.

Why Chat Control Failed: Privacy, Encryption, and Fundamental Rights at Risk

The entire fight chat control movement exists because this proposal was seen by experts, businesses, and regular users as an existential threat to digital freedom.

The mandatory proposal didn't just "have problems"; it was fundamentally broken. It was legally toxic, technically unworkable, and humanly catastrophic. This is why it was blocked three times, and why the 'blocking minority' (led by Germany, Poland, and others) refused to sign it.

Here are the core failures that stopped the law in its tracks.

The legal challenge: violation of the EU Charter of Fundamental Rights

The EU's own legal bodies have warned that the chat control law violates its highest laws.

• Article 7 of the EU Charter: Guarantees "respect for his or her private and family life, home and communications."
• Article 8 of the EU Charter: Guarantees "the protection of personal data."

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS), the EU's top privacy watchdogs, have said that the proposal would be "a form of generalised and indiscriminate surveillance" and that it "will lead to the end of confidentiality of communications."

Breaking encryption: the security catastrophe

This was the technical argument that united the entire security world against the proposal. Proponents claimed they could scan before encryption without "breaking" it. This was a cynical lie.

• It creates a systemic weakness: A backdoor for chat control is a backdoor for everyone. It's a "bug" mandated by law.
• It creates feature atrophy: Most likely, many providers will disable E2EE features in the EU rather than ship scanning builds. Others may pull out entirely. Users will move to riskier channels.
• It's an unmanageable target: The database of "bad" content that the scanner checks against? A hacker who compromises that database could add anything to it. They could add the "hash" (digital fingerprint) of a competitor's trade secret, a confidential document, or just a random family photo.

The inaccuracy of algorithms: the human cost of false positives

Beyond the legal and technical, the proposal failed the basic human test. Algorithms are stupid. They have no context. They cannot tell the difference between a crime and an innocent, private moments (like family photos, medical images, art, typos, and other cases).

• The 80-90% error rate: With billions of daily messages, even a 0.01% error means millions of misflags a month. Those aren’t statistics – they’re people. In reality, errors would definitely be much bigger than 0.01%. The Swiss Federal Police noted that as many as 80-90% of reports generated by automated systems are not illegal CSAM.

Just imagine: for every legitimate case, up to nine innocent people could have their most private moments flagged and viewed by a stranger in a review centre. They could also be forced to prove their innocence.

Security trade‑offs for businesses and critical sectors

Finally, the law was a direct assault on the European economy and professional confidentiality. This wasn't just about personal chats.

• Businesses: How can a company discuss a pending patent, a sensitive deal, or a critical financial report if they know the content is being scanned?
• Critical sectors: How can lawyers guarantee client privilege? How can doctors protect patient confidentiality (HIPAA/GDPR)? How can journalists protect their sources?

They can't. The EU chat control law makes a joke of all other privacy regulations, like GDPR. It creates a catastrophic point of failure that will chill free speech, cripple journalism, and hand a powerful new weapon to industrial spies and hostile states.

The Political Battlefield: Who’s For, Who’s Against?

Supporters: arguments & promised safeguards

Who they are: The main supporter is the European Commission (specifically Home Affairs Commissioner Ylva Johansson). They're supported by a changing group of member states, including countries like Spain, Hungary, Portugal, Cyprus, France, and others.

Typical arguments: "We must do something." Now that the mandatory plan failed, they are pushing the "voluntary" plan as a "reasonable compromise" to get something passed before the April 2026 deadline.

Opponents: the coalition that won the battle

Core critique: Generalised scanning of private communications is incompatible with E2EE and the EU Charter. It creates systemic risk and invites mission creep.

Who they are: This is the group that stopped the mandatory proposal. Countries firmly opposed include: Germany, Poland, Austria, Estonia, Slovenia, Luxembourg, the Netherlands, Finland, and the Czech Republic. Their firm opposition is what forced Denmark to back down.

The citizen movement stopped chat control as well

This victory wasn't just politicians and experts. The Fight Chat Control movement became the central hub for what may be the most successful digital rights campaign in European history.

Key success factors:

• Grassroots pressure: Citizens flooded government offices with calls and emails.
• Technical expertise: 500+ cryptographers provided credible, expert opposition.
• Industry alignment: Secure companies united against the proposal.
• Cross-border coordination: A pan-European campaign prevented divide-and-conquer tactics.

Current State: The "Poland Factor"

As of November 2025, the mandatory chat control proposal is on hold, but NOT dead. This is the third time it has been blocked since May 2022, after failing under the Hungarian, Belgian, and Swedish presidencies.

Denmark's retreat is tactical. The new battle is to pass a law codifying voluntary scanning before the April 2026 cliff.

What happens in January 2026?

Poland will adopt the rotating EU Council presidency on 1 January 2026, just three months before the voluntary scanning provisions expire. This creates a perfect storm:

• Timeline alignment: The April 2026 expiration creates natural urgency.
• "Child safety" narrative: Poland can position itself as protecting children from a "regulatory gap."
• Fresh negotiating mandate: Poland can learn from Denmark's mistakes.

Likely Polish Strategy: Poland won't make the same frontal assault. They will likely try a "smarter" mandatory proposal:

• Narrower scope: Target only "known" CSAM using hash-matching (not AI for "unknown" material).
• Risk-based approach: Limit scanning to "high-risk" services (though E2EE would still classify as high-risk).
• Voluntary-to-mandatory pipeline: Start with a "voluntary" framework and transition to mandatory later.

Ripple Effects on Privacy-First Apps

With mandatory scan is paused (for now) – the entire privacy ecosystem just swerved away from a cliff. The original EU chat control law would have basically banned secure apps by default, forcing a choice between breaking encryption or leaving Europe.

But the new "voluntary" proposal is just a different kind of trap. It creates a "two-tiered" internet: insecure "cooperative" apps that scan, and secure "uncooperative" apps that don't.

What would happen if this "voluntary" scanning became de-facto compulsory? What if Apple and Google get pressured to use App Store rules or new "safety labels" to punish apps that don't "voluntarily" scan? What if secure apps get de-ranked in search, or hit with warning labels?

We can only guess what could happen later, but the original, impossible dilemma returns: ship a spyware scanner or leave.

This isn't just some theoretical problem. The maths of end-to-end encryption is a tough nut to crack. Providers of really secure apps – ones that mathematically can't read your encrypted messages – have drawn a hard line.

The Signal precedent: "We will leave".

Signal's president has been very clear: if they're forced to scan, they'll stop operating in the EU. The mandatory proposal failed, in part, because of such principled stands from secure providers.

Post-April 2026 scenarios

This leaves us with three possible futures:

1. Scenario 1: Voluntary Framework Codified. The current system continues. E2EE services remain intact, but face political pressure to "voluntarily" scan.
2. Scenario 2: No Agreement Reached. The voluntary scanning rules expire in April 2026. This creates legal uncertainty for Meta and Google.
3. Scenario 3: Mandatory Framework Returns Under Poland. A new push begins, and secure services must choose: implement scanning, exit the EU, or challenge the law in court.

Your Options: How to Protect Your Privacy and Take Action

The "pause" in October 2025 proves that public backlash works. The Fight Chat Control movement forced the Council to back down. Now we must use that voice again.

Political action

• Join campaigns to fight chat control: The fight chat control movement is a powerful coalition of citizens, privacy groups, and experts. Their resources are your best weapon:‍
  
  • EDRi’s "Stop Scanning Me" Campaign: The central hub for European Digital Rights. They have petitions, resources, and legal analysis.‍
  • Fight Chat Control: A fantastic resource with clear arguments and tools.‍
    
• Write your representatives (Again!): This is critical. Tell them you oppose the new "voluntary" proposal just as much as the mandatory one. Tell them to let the temporary scanning rule expire in April 2026. Where to find contacts:
  
  • Use easy tools like DearMEP.eu or Fight Chat Control page to find your representatives and send a message.‍
• Spread awareness: People think the fight is over. It is not. They need to know about the "voluntary" Trojan horse and the "zombie" threat from Poland. What to do:
  
  • Share this article.
  • Follow the primary sources for real-time updates, like Patrick Breyer’s Blog and EDRi (European Digital Rights).

Technological choices

Support privacy-first services.‍

This "voluntary" proposal makes your choice of provider the most critical defense. It creates a two-tiered internet: "free" services (like Meta and Google) that "voluntarily" scan you, and secure services (like us) that physically can't.

You must now assume that anything you send over services like Gmail, Facebook Messenger, or Instagram DMs may be scanned. Their business models are already built on scanning your data for ads; "voluntarily" scanning for the government is an easy next step. Do not use them for anything private.

Your only defense is to choose privacy-first providers that use zero-access encryption and don't apply voluntary scanning – like Atomic Mail. We've built our service so we cannot read your encrypted emails. We can't scan what we can't see. Your choice of provider is now your best line of defence.

Consider self‑hosting (and its limits).

For the tech-savvy users, running your own cloud or mail server reduces platform risk, as you aren't subject to a provider's policies and own your infrastructure. But you also take on all the duties, like security patching, logging, and legal duties. Moreover, this only secures your server. The moment you interact with other services (e.g., send an email to a Gmail user), your message lands on their server, where it can be scanned. Self-hosting doesn't make your messages immune once they leave your control.

Why This Matters Now

The EU's chat control proposal is a zombie. It has been blocked three times, and it keeps coming back. The "pause" in October 2025 isn't a victory; it's a ceasefire.

This chat control law is a Pandora's Box. If we allow the government to build an infrastructure that can scan every private message – even "voluntarily" – the debate is over. The only thing left to argue about is what they scan for next. New categories will creep in, such as terrorism, copyright, “harmful” speech, and suddenly the baseline expectation for private life will be inspection first, encryption later. This would completely change the internet’s trust model.

Our commitment to secure, private communication

Atomic Mail follows strict data minimization, uses end-to-end encryption, and keeps zero-access to your encrypted emails. We don’t keep the keys. We don’t scan your inbox. Privacy is not a feature tier – it’s our foundation.

Create your Atomic Mail account and join our updates – because the best time to protect your privacy was yesterday; the second‑best time is now.

Quick FAQs (People Also Ask)

What is Chat Control?

"Chat Control" is the common name for the EU's proposed "Regulation to Prevent and Combat Child Sexual Abuse" (CSAR). Its goal is to fight the spread of Child Sexual Abuse Material (CSAM) by making it mandatory for all email, messaging, and cloud service providers to indiscriminately scan all private user communications for suspicious content.

Is Chat Control dead? I heard it was rejected.

No. The mandatory proposal is on hold, but not officially withdrawn. On October 31, 2025, after Germany led a "blocking minority" of countries, the Danish EU Presidency was forced to pull the mandatory plan from the vote. This is the third time it's been blocked, but proponents have not given up.

Which countries formed the blocking minority?

Based on current positions: Germany, Poland, Austria, Estonia, Slovenia, Luxembourg, the Netherlands, Finland, and the Czech Republic opposing mandatory encryption-breaking provisions.

Does this mean online platforms will not scan for CSAM anymore?

No, platforms and messaging apps will continue voluntary and existing temporary measures to detect illegal child sexual abuse material, but there will be no mandatory scanning requirements imposed by the EU under this rejected regulation.

What is this new "voluntary" Chat Control proposal?

Right now, a temporary law (the ePrivacy derogation) allows services like Meta and Google to scan their unencrypted platforms. This temporary law expires in April 2026. The new "compromise" is a desperate push to make this "voluntary" scanning permanent.

Does this proposal break end-to-end encryption?

The original mandatory proposal forced "client-side scanning" – scanning content before encryption. Experts agree this destroys confidentiality and creates a 'backdoor'. The new voluntary proposal discourages services from using E2EE in the first place.

Could scanning be used beyond CSAM?

Yes. Once the pipeline exists, expanding hash lists and classifiers is a policy switch, not a technical lift. History says categories grow, not shrink.

What is the current status of the Chat Control proposal?

The mandatory scanning proposal is on hold as of October 31, 2025, after Germany led a blocking minority. This is its third delay. Proponents are now pushing a new proposal to make voluntary scanning permanent before the current rules expire in April 2026. The mandatory proposal is not officially withdrawn and could return under the Polish presidency in 2026.

What changes if I use a privacy-first email like Atomic Mail?

Everything. The new "voluntary" proposal creates a two-tiered internet: "free" services (like Gmail) that scan you, and secure services that can't. Atomic Mail uses a zero-access encryption. We cannot scan your encrypted emails because we do not have your encryption keys. The EU chat control law, in all its forms, is an attempt to push mass surveillance. Our message is simple: Do not use services that accept "voluntary" scanning.