EU Chat Control Expires, But Big Tech Keeps Scanning Your Messages Anyway
On April 3, 2026, the legal basis for scanning chat messages in the European Union quietly expired. The European Parliament had voted against renewing the temporary exception to the ePrivacy Directive that allowed tech companies to scan communications for child sexual abuse material (CSAM). Democracy had spoken: no mass surveillance of private messages.
One day later, Google, Meta, Microsoft, and Snap issued a joint statement announcing they would continue scanning anyway. They called the Parliament's decision an "irresponsible failure" and declared they would take "voluntary action" on their messaging services, legal basis or not.
Meanwhile, a coalition of 247 child rights organizations from over 40 countries published an open letter condemning the expiry, calling it "sadly no April Fool's joke" and warning that "children must not continue to pay the price of political deadlock."
Why this matters: This is one of the most consequential privacy battles in Europe. On one side: protecting children from horrific abuse. On the other: protecting everyone's right to private communication. The EU Parliament tried to find a middle ground. The member states refused it. And now Big Tech is operating in a legal gray zone, scanning messages without a clear legal basis. Whatever your position, the outcome affects every person who uses WhatsApp, Gmail, or Messenger in Europe.
How Did We Get Here?
The story starts in 2021. Under the EU's ePrivacy Directive, scanning the content of private communications is illegal. But the EU created a temporary exception (derogation) specifically for CSAM detection. This allowed companies like Google, Meta, and Microsoft to voluntarily scan messages and cloud storage for known child abuse images using hash-matching technology.
This exception was always meant to be temporary, a bridge until permanent legislation was agreed. But the permanent legislation, known as the CSAM Regulation or "Chat Control," became one of the most controversial tech proposals in EU history.
What the European Commission Wanted
The Commission's original proposal (2022) was sweeping: all messaging services, including end-to-end encrypted ones like Signal and WhatsApp, would be required to scan every message for CSAM. This would mean either breaking encryption or implementing "client-side scanning" that analyzes content on your device before it's encrypted.
What the European Parliament Wanted
The Parliament pushed back hard. In early 2026, it agreed to a shorter extension of the temporary derogation, but with crucial amendments:
- Targeted, not mass surveillance. Scanning only for individuals where a judge has reasonable suspicion of involvement with CSAM, not blanket scanning of all users
- Encryption exception. End-to-end encrypted messages would be explicitly exempt, protecting the integrity of encryption technology
- Judicial oversight. A court order required before any scanning could begin on a specific person's communications
What the Member States Wanted
The EU Council (representing the 27 member states) rejected the Parliament's amendments. They wanted broader scanning powers without the encryption exception. The member states argued that exempting encrypted messages would create a "safe haven" for abusers.
No compromise was reached. The Parliament voted against extending the derogation without its amendments. And on April 3, 2026, the legal basis expired.
Big Tech's "Voluntary" Response
The joint statement from Google, Meta, Microsoft, and Snap is remarkable for what it implies. The companies express "disappointment" at the Parliament's democratic decision and announce they will continue scanning regardless:
"As EU institutions continue to negotiate an immediate, interim solution and durable framework, signatory companies reaffirm their continued commitment to protecting children and preserving privacy, and will continue to take voluntary action on our relevant Interpersonal Communication Services."
The statement frames the Parliament's vote as an "irresponsible failure," despite the fact that the Parliament didn't reject child protection. It rejected mass surveillance as the method and proposed a targeted alternative that the member states refused.
The legal question: With the ePrivacy derogation expired, what legal basis do these companies have for scanning private communications in the EU? The ePrivacy Directive prohibits it. GDPR requires a lawful basis for processing personal data. "Voluntary action" by a company is not a recognized legal basis under either regulation. Privacy advocates argue that continuing to scan without the derogation may now be illegal under EU law.
The 247 Organizations Who Disagree
On April 1, 2026, a coalition of 247 organizations working on children's rights and ending sexual abuse published a joint statement titled "This is sadly no April Fool's joke: Europe is switching its detection of child sexual abuse online off."
The coalition, coordinated by ECPAT, includes organizations from over 40 countries: from Save the Children (Denmark, Italy, Finland, Romania) to the Internet Watch Foundation, Missing Children Europe, the National Center for Missing & Exploited Children (USA), and Dutch organizations including Defence for Children - ECPAT Netherlands, Stichting Misbruikt, Terre des Hommes Netherlands, and Offlimits.
Their argument is straightforward and powerful:
"This failure creates a deeply alarming and irresponsible gap in child protection. The consequences will be devastating -- in Europe and beyond. To tackle the millions of images and videos of child sexual abuse circulating online, detection at scale is indispensable and foundational."
They point to the 2021 precedent: when a similar legal framework lapsed that year, reports of child abuse material dropped dramatically. Law enforcement lost critical leads. Children remained trapped in abusive situations. The coalition warns the same will happen again.
"Behind every image and video is a child, forced to endure the repeated violation of their fundamental rights, including their right to privacy."
That last line is crucial. The 247 organizations frame child protection itself as a privacy right: the child's right to not have their abuse images circulated endlessly online.
The Encryption Debate: Why It's Not Black and White
The Chat Control debate is often framed as "privacy vs child safety." The reality is more nuanced. The question isn't whether to protect children, but how.
What Is Hash-Matching?
The technology currently used by Google, Meta, Microsoft, and Snap is called hash-matching (Microsoft's implementation is called PhotoDNA). It works like this:
- Known CSAM images are converted into unique digital fingerprints (hashes) by organizations like the National Center for Missing & Exploited Children (NCMEC)
- When a user uploads or sends an image, the platform generates a hash of that image
- The hash is compared against the database of known CSAM hashes
- If there's a match, the content is flagged for human review and reported to law enforcement
Hash-matching only detects previously identified abuse material. It cannot detect new, unknown content. And importantly, it works on unencrypted content -- images uploaded to cloud storage, sent via unencrypted email, or shared on social media.
Why Encryption Makes It Complicated
End-to-end encrypted (E2EE) services like Signal, WhatsApp, and iMessage encrypt messages on the sender's device so that only the recipient can decrypt them. The service provider cannot read the content in transit. This means server-side hash-matching doesn't work on E2EE messages.
To scan E2EE messages, you would need client-side scanning: software on your phone that analyzes images before they're encrypted. This is what the Commission's original Chat Control proposal effectively required.
Privacy and security experts overwhelmingly oppose client-side scanning because:
- It's a backdoor. Once you build infrastructure to scan messages before encryption, that infrastructure can be repurposed for any kind of surveillance
- False positives. Hash-matching isn't perfect. Innocent images can match, leading to wrongful accusations
- Mission creep. Today it's CSAM. Tomorrow it could be political dissent, copyrighted content, or anything a government deems undesirable
- Authoritarian exploit. If the EU mandates client-side scanning, authoritarian regimes will use the same precedent to justify surveillance of their citizens
Signal CEO Meredith Whittaker has been crystal clear on this point: "We'd rather shut down than build a backdoor."
| Approach | How It Works | Breaks Encryption? | Privacy Impact |
|---|---|---|---|
| Server-side hash-matching | Compares image hashes on the server against known CSAM database | No (only works on unencrypted content) | Low -- only known images flagged |
| Client-side scanning | Scans images on your device before encryption | Yes (effectively a backdoor) | High -- all images analyzed locally |
| Targeted surveillance | Court-ordered scanning of specific suspects only | Depends on implementation | Low -- judicial oversight, narrow scope |
| Metadata analysis | Analyzes patterns (who talks to whom, when, how often) without reading content | No | Medium -- reveals communication patterns |
Where Things Stand Now
The current situation is a mess:
- The legal basis has expired. The ePrivacy derogation ended April 3, 2026
- Big Tech keeps scanning. Google, Meta, Microsoft, and Snap announced voluntary continuation
- Legal uncertainty. It's unclear if "voluntary" scanning without the derogation is legal under the ePrivacy Directive
- No compromise in sight. Parliament wants targeted scanning with encryption protection. Member states want broad scanning powers
- Children at risk. 247 organizations warn that detection capabilities are now impaired
- Negotiations continue. EU institutions are working on an "interim solution" and a permanent framework
The European Parliament's position was not anti-child safety. It was anti-mass surveillance. The Parliament proposed targeted scanning of specific suspects with judicial oversight and an encryption carve-out. That proposal would have preserved both child protection and privacy rights. The member states killed it because they wanted broader powers.
What Does This Mean for Your Messages?
If You Use End-to-End Encrypted Apps (Signal, WhatsApp, iMessage)
Your message content is not being scanned in transit. End-to-end encryption means only you and the recipient can read the messages. However, metadata (who you message, when, how often, your IP address) is still visible to the service provider. WhatsApp shares metadata with Meta. Signal collects almost no metadata.
If You Use Gmail, Facebook Messenger (web), or SMS
These services are not end-to-end encrypted by default. Google and Meta have been scanning content on these platforms using hash-matching technology and will continue to do so "voluntarily." Your images and attachments sent through these services are subject to automated scanning.
If You Use Cloud Storage (Google Photos, OneDrive, iCloud)
Cloud storage services have been scanning uploaded images for CSAM using hash-matching. This is separate from the chat scanning debate but uses the same technology. Google, Microsoft, and Apple all perform this scanning on their cloud platforms.
How Can You Protect Your Privacy?
Use End-to-End Encrypted Messaging
Signal is the gold standard for private messaging. It's open-source, collects minimal metadata, and its CEO has pledged to never implement backdoors. WhatsApp uses the Signal protocol for encryption but shares metadata with Meta. For maximum privacy, use Signal.
Understand What's Encrypted and What's Not
Encryption only protects message content in transit. Metadata (who, when, where, how often) is often still visible. Cloud backups of encrypted chats may not be encrypted themselves (check your WhatsApp backup settings). And images you upload to cloud storage are scanned regardless of chat encryption.
Use a VPN to Protect Your IP Address
Even encrypted messaging services can see your IP address when you connect. A VPN masks your real IP, adding an additional layer of metadata protection. This prevents your messaging app from linking your communications to your physical location.
Review Your Cloud Storage Settings
If you store photos in Google Photos, OneDrive, or iCloud, those images are subject to CSAM hash-matching. Consider using encrypted cloud storage like Tresorit or Cryptomator for sensitive files.
Privacy tip: Check what your IP address reveals at myip.foo and test for DNS leaks that expose your browsing to your ISP. Even with encrypted messaging, your IP address and DNS queries reveal your online activity. Consider a VPN like NordVPN to encrypt all your internet traffic, not just your messages.
Common Questions
What is EU Chat Control?
EU Chat Control is proposed legislation requiring messaging services to scan communications for child sexual abuse material. Since 2021, a temporary ePrivacy exception allowed voluntary scanning. This expired April 3, 2026, after the Parliament voted against renewal because member states refused targeted scanning with encryption protection.
Did the EU ban chat scanning?
No. The Parliament voted against renewing the temporary legal exception, but didn't explicitly ban scanning. This creates a legal gray zone. Google, Meta, Microsoft, and Snap announced they'll continue scanning "voluntarily" despite the expired legal basis. Whether this is legal under the ePrivacy Directive is disputed.
Are my WhatsApp messages being scanned?
WhatsApp uses end-to-end encryption, so message content cannot be scanned in transit. However, metadata (who you message, when, from where) is visible to Meta. Unencrypted cloud backups of WhatsApp chats may be subject to scanning. For non-E2EE services like Gmail, content scanning continues.
What is hash-matching technology?
Hash-matching creates unique digital fingerprints of known child abuse images. When users upload images, the hash is compared against a database of known CSAM. It only detects previously identified material, works on unencrypted content, and doesn't require breaking encryption. Microsoft's PhotoDNA is the most widely used implementation.
Does chat scanning break end-to-end encryption?
Hash-matching on unencrypted platforms doesn't affect encryption. But scanning encrypted messages requires client-side scanning (analyzing images on your device before encryption), which security experts say is effectively a backdoor. Signal CEO Meredith Whittaker has stated Signal would shut down rather than implement this. The Parliament tried to exempt encrypted messages; member states refused.
Conclusion
The EU Chat Control saga reveals a fundamental tension in digital governance. The European Parliament made a democratic choice: no mass surveillance, even for a worthy cause. It offered a targeted alternative with judicial oversight that would have protected both children and encryption. The member states rejected it. And Big Tech, claiming to act in children's interests, continues scanning in a legal vacuum.
Key takeaways:
- The ePrivacy derogation for CSAM scanning expired April 3, 2026
- The European Parliament voted against renewal because member states refused to limit scanning to suspects or exempt encrypted messages
- Google, Meta, Microsoft, and Snap will continue "voluntary" scanning despite the expired legal basis
- 247 child rights organizations from 40+ countries warn of devastating consequences for child protection
- The Parliament's proposal (targeted scanning, judicial oversight, encryption exception) was the compromise -- the member states killed it
- Hash-matching technology on unencrypted platforms doesn't break encryption, but client-side scanning effectively would
- Signal's position is clear: "We'd rather shut down than build a backdoor"
- The legal status of continued "voluntary" scanning without the derogation is disputed
- For maximum privacy: use Signal, understand what metadata is visible, use a VPN, encrypt cloud storage
Both sides of this debate are right about something. Children deserve protection from horrific abuse. And citizens deserve the right to private communication. The EU Parliament tried to honor both. The failure here isn't the Parliament's vote. It's the member states' refusal to accept any limits on surveillance power.
Protect your communications:
- Use Signal for private messaging (not just WhatsApp)
- Check what your IP reveals at myip.foo
- Test for DNS leaks exposing your browsing
- Test for WebRTC leaks bypassing VPN protection
- Encrypt your traffic with a VPN like NordVPN
Related Articles
- Signal CEO: "We'd Rather Shut Down Than Build a Backdoor"
- Ireland Wants Police Access to ALL Encrypted Messages
- UK Considers Social Media Ban for Under-16s: Why Age Verification Is a Privacy Nightmare
- Tinder Requires Mandatory AI Face Scan: Your Biometrics Sent to US Servers
- How Police Used Google Cookies to Unmask an Anonymous Gmail User