Mar 29, 2026 · 6 min read
The EU Just Killed Chat Control by a Single Vote
After years of debate, the European Parliament voted 307 to 306 to end the mass scanning of private messages. Starting April 4, tech companies must stop monitoring European citizens' chats.
What Just Happened
On March 26, 2026, the European Parliament voted to reject the extension of temporary rules that had allowed tech companies to scan private messages for child sexual abuse material. The vote was 307 in favor of ending mass scanning, 306 against, and 24 abstentions. One vote decided the outcome.
This followed an earlier vote on March 11, when MEPs endorsed a broader proposal to restrict surveillance by 458 votes to 103. Together, these votes represent the most significant privacy victory in Europe since the GDPR.
The current interim regulation expires on April 4, 2026. After that date, companies like Meta, Google, and Microsoft will be prohibited from indiscriminately scanning private messages within the EU.
What Was Being Scanned
Under the temporary "Chat Control" framework first adopted in 2021, tech platforms were permitted to voluntarily scan private messages, including encrypted ones, for known child sexual abuse imagery. In practice, approximately 99% of the reports sent to European law enforcement came from a single company: Meta.
The system flagged around 300,000 chats annually across the EU. But effectiveness was questionable. German authorities found that 48% of all flagged content was either a false positive or criminally irrelevant. That means nearly half the private conversations reported to police involved innocent people whose messages were flagged by automated scanning.
Privacy advocates had long argued that the system amounted to mass surveillance of European citizens with no court oversight and poor accuracy, all conducted by private companies on behalf of governments.
The Amendment That Changed Everything
The decisive moment came with Amendment 5, introduced by Pirate Party MEP Marketa Gregorova. The amendment demands that any future scanning of private communications must be "strictly limited to individual users or groups of users suspected by a competent judicial authority of being linked to child sexual abuse."
In plain terms: no more dragnet scanning. If governments want to monitor someone's messages, they need a judge to approve it first, just like a traditional wiretap. This aligns with the European Parliament's 2023 mandate and with the European Court of Human Rights' consistent position that mass surveillance violates fundamental rights.
Why This Almost Failed
The single vote margin reflects how contentious this issue remains. Child safety advocates, law enforcement agencies, and several EU governments pushed hard to maintain or even expand scanning capabilities. The European Commission had proposed a permanent Chat Control regulation that would have required all messaging platforms to scan content, including in encrypted messages.
Most EU Council members opposed the Parliament's restrictions, with only Italy breaking ranks. The trilogue negotiations between Parliament, the Commission, and the Council began on March 12 under what officials described as "extreme time pressure" to reach agreement before the April 4 expiration.
If no agreement is reached, the temporary rules simply expire, and companies lose their legal basis for scanning entirely.
What This Means for Encrypted Messaging
The vote has major implications for end to end encryption. The Commission's original proposal would have effectively required platforms to break encryption or implement client side scanning to comply. Security researchers and privacy organizations, including the Electronic Frontier Foundation and European Digital Rights, had warned that this would create surveillance infrastructure that any government could eventually abuse.
With the Parliament's position now established, any permanent regulation must respect the targeted, court authorized approach. This makes it far less likely that the EU will mandate the breaking of encryption, at least through this particular legislative pathway.
Companies can still scan public posts and hosted files without restriction. The limitation applies specifically to private, person to person communications.
The Broader Pattern
This vote fits into a larger global struggle over private communications. The EU's earlier attempt to withdraw ePrivacy protections demonstrated how fragile privacy safeguards can be. Meanwhile, the UK, Australia, and other countries continue to push for backdoors in encrypted services.
The Parliament's decision sends a clear signal: mass surveillance of private messages is not an acceptable approach to law enforcement, even when the stated goal is protecting children. Targeted, judicially authorized surveillance remains the legal standard in Europe.
But one vote is a razor thin margin. The battle over encryption and private communications is far from over. The next legislative proposal could tip the balance the other way.