Europe’s Encryption Wars: The EU Parliament Blocked Chat Surveillance, But the Fight Is Far From Over

="">

The European Parliament just drew a line in the sand on digital privacy. It said no to mass scanning of private messages. No to breaking encryption. No to what critics called the most sweeping surveillance proposal ever floated in a Western democracy.

But the forces behind that proposal haven’t gone away. And the legislative machinery that produced it is already grinding toward a compromise that could revive the most controversial elements in a different form.

The proposal in question — formally known as the Child Sexual Abuse Material regulation, or CSAR, but widely dubbed “Chat Control” by its opponents — would have required messaging platforms to scan the contents of users’ private communications, including those protected by end-to-end encryption. The stated goal was to detect and prevent the distribution of child sexual abuse material (CSAM). The mechanism, however, would have effectively mandated a backdoor into encrypted services used by hundreds of millions of Europeans.

On October 2024, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) adopted its negotiating position, explicitly rejecting the indiscriminate scanning of encrypted messages. As TechRadar reported, the Parliament’s stance was unambiguous: mass surveillance of private chats was incompatible with fundamental rights. The vote represented a significant rebuke to the European Commission, which had originally proposed the regulation in May 2022, and to several EU member states that had pushed aggressively for client-side scanning mandates.

The Parliament didn’t reject the fight against CSAM. It rejected the method.

The Technical Impossibility of “Safe” Backdoors

At the heart of this debate sits a question that cryptographers have answered repeatedly, and that policymakers keep asking again: Can you build a system that scans encrypted messages for illegal content without compromising the encryption itself?

The answer, according to virtually every independent technical authority that has weighed in, is no.

End-to-end encryption works because only the sender and recipient can read a message. No intermediary — not the platform operator, not a government, not a hacker — can access the plaintext. Client-side scanning, the technique proposed under Chat Control, would require software on the user’s device to analyze message content before encryption or after decryption. This means the content is exposed to algorithmic inspection at the endpoint, which is functionally equivalent to breaking the encryption guarantee.

Signal Foundation president Meredith Whittaker has been among the most vocal critics. She has repeatedly stated that Signal would rather exit the European market than comply with a mandate to weaken its encryption. “There is no way to implement these proposals that is compatible with end-to-end encryption,” Whittaker said in public remarks throughout 2024. Apple, which briefly experimented with client-side CSAM scanning in 2021 before abandoning the effort under pressure from security researchers, reached the same conclusion.

The technical community’s objections aren’t abstract. Client-side scanning systems are vulnerable to false positives, function creep, and adversarial exploitation. A scanning system designed to detect CSAM could be repurposed — by governments or by attackers — to detect political speech, journalistic sources, or any other category of content. Once the scanning infrastructure exists, the scope of what it scans becomes a policy decision, not a technical constraint.

And that’s precisely what privacy advocates feared.

The European Commission’s original proposal gave a new EU Centre the authority to issue “detection orders” compelling platforms to scan messages. The orders could cover known CSAM, new CSAM, and — most controversially — grooming behavior, which would require AI-based analysis of text conversations. The breadth of this mandate alarmed not only privacy organizations but also the EU’s own legal advisors. The European Data Protection Supervisor called the proposal incompatible with the EU Charter of Fundamental Rights.

Yet the proposal kept moving.

The Council of the European Union — representing member state governments — proved to be the regulation’s strongest champion. Belgium, which held the Council presidency in the first half of 2024, pushed hard for a version that preserved mandatory scanning. Spain’s position, revealed in leaked Council documents published by Wired in 2023, was even more stark: Spanish representatives argued that it would be “desirable” to legislatively prevent EU-based providers from implementing end-to-end encryption at all.

Hungary, which took over the Council presidency in July 2024, continued pressing for a deal. But a blocking minority of member states — led by Germany, joined by Austria, Poland, and others — prevented the Council from reaching a unified position. Germany’s coalition government had explicitly committed in its coalition agreement to a “right to encryption” and opposed any measures that would undermine it.

So the trilogue negotiations between Parliament, Council, and Commission that would normally finalize the legislation stalled. The Parliament’s firm stance against mass scanning, combined with the Council’s inability to agree internally, pushed the regulation into legislative limbo as 2024 drew to a close.

What Comes Next — and Why Privacy Advocates Aren’t Celebrating

The failure to pass Chat Control in its original form doesn’t mean the idea is dead. EU legislative processes are long, iterative, and resistant to clean endings. The Commission has not withdrawn the proposal. The Council continues to negotiate among member states. And a new European Parliament, seated after the June 2024 elections, could theoretically adopt a different posture — though early signals suggest the new body’s privacy commitments remain intact.

Poland assumed the Council presidency in January 2025 and has indicated it will continue working on the file. The question is what form a compromise might take. Several proposals have circulated that attempt to thread the needle: applying scanning only to unencrypted messages, exempting end-to-end encrypted platforms, or limiting detection orders to known CSAM using hash-matching rather than AI-based content analysis.

Privacy advocates view these compromises with deep skepticism. Patrick Breyer, a former European Parliament member and one of Chat Control’s most prominent opponents, has argued that any form of mandatory scanning creates a surveillance infrastructure that will inevitably expand. “Once you build the machine, the machine will be used,” Breyer has said in multiple public statements. His concern is shared by organizations including the Electronic Frontier Foundation, European Digital Rights (EDRi), and the Center for Democracy & Technology.

There’s a broader geopolitical dimension too. The EU’s approach to encrypted communications is being watched closely by governments worldwide. The United Kingdom’s Online Safety Act, passed in 2023, contains provisions that could theoretically compel platforms to scan encrypted messages, though the UK government has acknowledged that the technology to do so safely doesn’t currently exist. Australia has had similar laws on the books since 2018. India’s IT rules have imposed traceability requirements that effectively pressure platforms to weaken encryption.

If the EU — the world’s most influential digital regulator, architect of the GDPR — were to mandate encryption backdoors, it would provide cover and precedent for every government seeking to do the same. That’s why the stakes extend far beyond Europe’s borders.

The technology industry’s response has been largely unified in opposition, though not without nuance. Meta, which completed the rollout of end-to-end encryption across Messenger and Instagram DMs in late 2023, has pushed back against scanning mandates while simultaneously investing in non-encryption-breaking detection methods — behavioral signals, metadata analysis, and user reporting tools. Google and Apple have taken similar positions. The argument from industry is that effective child safety measures exist that don’t require breaking the fundamental security architecture of the internet.

But there’s an uncomfortable tension here. The same companies opposing Chat Control have faced years of criticism for not doing enough to combat CSAM on their platforms. The National Center for Missing & Exploited Children (NCMEC) in the United States reported over 36 million CSAM reports in 2023, the vast majority originating from tech platforms. Law enforcement agencies across Europe argue, with some justification, that the shift toward encryption is making it harder to detect and prosecute child exploitation.

This isn’t a manufactured concern. It’s real. The question is whether the proposed remedy — mass surveillance of private communications — is proportionate, effective, and consistent with the rights that democratic societies claim to protect.

The European Parliament, for now, has answered that question clearly. The remedy is worse than the disease. Targeted, warrant-based surveillance of specific suspects remains legal and technically feasible. Metadata analysis can identify suspicious patterns without reading message contents. Investment in law enforcement capacity, international cooperation, and victim support can address the problem without building a panopticon.

Whether that answer holds depends on what happens in the coming months. The trilogue process could resume at any time. A single shift in the Council’s internal balance — one government changing its position, one election altering a national coalition — could break the current deadlock. And the Commission, which has invested significant political capital in this proposal, shows no sign of abandoning it.

The encryption wars are not new. They’ve been fought in various forms since the 1990s, when the U.S. government tried to mandate the Clipper Chip and restrict the export of strong cryptography. Every generation of policymakers rediscovers the same temptation: if only we could read the messages, we could stop the bad actors. And every generation of technologists explains, again, that you cannot build a door that only the good guys can walk through.

Europe’s Parliament understood that in 2024. The question now is whether Europe’s governments will accept it — or whether they’ll keep searching for a technical miracle that doesn’t exist, and in the process, dismantle the privacy protections that distinguish democratic societies from authoritarian ones.

The battle isn’t over. It’s just quieter. And in EU politics, quiet is often when the most consequential decisions get made.