Jul 10, 2026 · 6 min read
EU Revives Chat Control, Gmail Scanning Returns
On July 9, 2026, MEPs voted 314 to 276 against extending the EU's Chat Control scanning exemption, but fell short of the absolute majority needed to block it, so Gmail and iCloud Mail can keep scanning private messages until 2028.
In March, the European Parliament rejected extending "Chat Control 1.0" twice. The measure lapsed in April. By most readings, the fight looked over. Then on July 9, 2026, MEPs voted 314 against the extension to 276 in favor, and the extension survived anyway. A clear majority opposed it. It passed regardless.
Key Takeaways
- On July 9, 2026, MEPs voted 314 against extending "Chat Control 1.0" to 276 in favor with 17 abstentions, a result The Register reports fell 47 votes short of the 361-vote absolute majority needed to block it.
- Chat Control 1.0 is a voluntary exemption to the EU's ePrivacy Directive, not a scanning mandate. It shields providers like Gmail, iCloud Mail, and Instagram DMs from confidentiality lawsuits if they choose to scan for child sexual abuse material (CSAM).
- Genuinely end to end encrypted services, including WhatsApp, Signal, and iMessage, sit outside the exemption's scope entirely.
- The extension is expected to run until April 2028, unless a permanent "Chat Control 2.0" regulation, with negotiations resuming in September 2026, replaces it sooner.
- Digital rights advocate and former MEP Patrick Breyer called the outcome "a farce" that "damages democracy," arguing mass scanning substitutes for targeted investigation rather than supporting it.
How Did a Losing Vote Win?
The math looks backward at first glance, but the procedure explains it. Chat Control 1.0 was in its second reading, and EU rules for second readings don't ask whether more MEPs voted yes or no. They ask whether an absolute majority of all 720 sitting members, 361 votes, actively rejects the Council's position. Anything short of that threshold means the Council's text stands, regardless of how the room actually voted.
Opponents hit 314. They needed 361. The 276 in favor, the 17 who abstained, and the roughly 113 MEPs who didn't show up all functionally counted as support for the status quo. A competing amendment that would have narrowed scanning to cases identified by judicial authorities, targeted, suspicion based scanning rather than blanket scanning, fared slightly better at 322 votes, and still fell short of the same 361-vote wall. Under this procedure, an absent MEP votes the same way as one who actively supports extending mass scanning.
What Is Chat Control 1.0?
Chat Control 1.0 is the nickname critics gave to a temporary derogation from the ePrivacy Directive, originally adopted as Regulation (EU) 2021/1232. Normally, EU confidentiality law would expose a messaging or email provider to legal liability for scanning the contents of private communications. This derogation carves out an exception specifically for CSAM detection.
The distinction that gets lost in headlines: this is permission, not a mandate. No provider is legally required to scan anything under Chat Control 1.0. What the exemption does is remove the legal risk for providers that choose to scan voluntarily, using tools like hash matching against known CSAM databases. That's different from the pending "Chat Control 2.0" proposal, which has floated mandatory scanning obligations that could extend to encrypted messaging through client side scanning before messages are ever encrypted.
Which Services Are Affected?
Because the exemption only covers services that aren't fully end to end encrypted, its practical reach depends entirely on how a given platform handles encryption. Per Breyer's post vote breakdown, providers that can continue scanning under this exemption include:
- Gmail
- iCloud Mail
- Facebook Messenger (the pre 2023, non encrypted version)
- Instagram DMs, newly in scope after Meta removed end to end encryption from Instagram messaging in May 2026
- Skype
- Snapchat
- Xbox messaging
WhatsApp, Signal, and iMessage remain outside the exemption's scope because their encryption architecture means the provider itself technically cannot read message content, scan or not. Instagram's move to drop encrypted DMs is a useful case study here: a platform's own architecture choices, not the law, ultimately decide whether it falls under the exemption at all.
Why Did the Exemption Almost Die in April?
The current fight is actually round three. MEPs first voted down the extension on March 26, 2026, by 311 to 228 with 92 abstentions. Because that vote also fell under the absolute majority rule and produced a mixed signal about Parliament's next move, the derogation was allowed to lapse on April 3, 2026, when no replacement was in force.
What happened during that roughly three month gap is itself informative. The National Center for Missing & Exploited Children, which operates the CyberTipline that most providers report CSAM to, recorded a "measurable decline" in European referrals in the weeks following the lapse, consistent with providers pausing voluntary scanning once their legal cover disappeared. NCMEC's broader 2025 numbers give a sense of scale: 21.3 million CyberTipline reports containing more than 61.8 million images, videos, and other files, plus 1.4 million online enticement reports, up 156% from 2024.
The Council then pushed a near identical proposal back to Parliament under an "urgent procedure," which MEPs narrowly approved on July 7 by 331 votes to 304 with 11 abstentions, clearing the way for the July 9 vote that let the exemption resume.
Why Email Users Should Care
Gmail and iCloud Mail sit squarely inside this exemption because standard email, unlike WhatsApp or Signal, was never built with end to end encryption by default. Messages typically sit on the provider's servers in a form the provider can technically read, which is exactly the condition that makes voluntary CSAM scanning legally possible under Chat Control 1.0 and technically possible in the first place.
That's a different mechanism than the read receipt and click tracking pixels marketers embed in newsletters, and this exemption says nothing about advertisers or senders monitoring when you open a message. But the underlying pattern, a law justified by child protection quietly expanding the scope of what platforms can inspect, is one email users have seen before in other contexts. Illinois HB 5511 and the UK's under 16 social media rules both use child safety framing to justify identity checks and monitoring that extend well past their stated target. Chat Control 1.0 fits the same pattern applied to inbox content instead of device access or social accounts.
For now, the exemption remains opt in for providers, and there's no indication Google or Apple plans to change existing scanning practices because of this vote. The bigger question is what the permanent successor regulation looks like.
What Happens Next?
Talks on "Chat Control 2.0," the permanent regulation meant to replace this recurring temporary patch, resume in September 2026. The core dispute hasn't moved: whether scanning should stay targeted at specific suspects under judicial oversight, or apply indiscriminately across all users, including, per earlier drafts, through client side scanning that would apply even to encrypted apps like WhatsApp and Signal before messages are encrypted.
Breyer, for his part, is skeptical anyone can assemble 361 votes for a permanent mass scanning regime, calling that outcome "a complete pipe dream." Whether he's right gets tested starting this fall. Until then, Chat Control 1.0's current extension runs through April 3, 2028, assuming nothing forces Parliament back to this question a fourth time before then.