BRUSSELS — By a margin so slim it required a recount, the European Parliament voted Thursday to strip mandatory chat scanning provisions from a landmark child protection regulation, ending a three-year political war that pitted law enforcement ambitions against the privacy rights of nearly 450 million Europeans. The final tally: 362 to 345.
Seventeen votes. That’s all that separated the European Union from adopting what critics had branded the most sweeping digital surveillance apparatus ever proposed in a Western democracy.
The regulation, formally known as the Child Sexual Abuse Regulation or CSAR, had been the subject of ferocious lobbying since the European Commission first introduced it in May 2022. Its most controversial element — a provision that would have compelled messaging platforms like WhatsApp, Signal, and iMessage to scan every user’s private messages, photos, and videos for suspected child sexual abuse material — is now dead. What remains is a fundamentally different piece of legislation, one that its architects in the Commission barely recognize and its opponents in Parliament claim as a historic victory for digital rights.
Patrick Breyer, the former Pirate Party MEP who became the regulation’s most visible antagonist, called the vote “a milestone for the preservation of digital privacy of correspondence” on his official website. Breyer, who lost his parliamentary seat in the 2024 elections but continued campaigning against the measure, framed the outcome in stark terms: the Parliament had rejected “Orwellian surveillance” and chosen instead to pursue child protection through means that don’t require breaking encryption.
The story of how this vote came together — and nearly didn’t — reveals the increasingly volatile politics of digital surveillance in Europe, where post-Snowden privacy sensibilities collide with genuine and growing concerns about online child exploitation.
To understand the magnitude of what happened in Strasbourg, you have to go back to the Commission’s original proposal. Drafted under then-Commissioner Ylva Johansson, the regulation would have established a system of “detection orders” allowing national authorities to compel any messaging service to scan user communications for known child sexual abuse material, new abuse material, and even grooming behavior. The scanning would apply to encrypted and unencrypted messages alike. Every chat. Every photo. Every video call. No warrant required for the scanning itself — only for accessing flagged content afterward.
The technical mechanism was never fully specified, which was part of the problem. For end-to-end encrypted services like Signal, compliance would have required some form of client-side scanning — analyzing content on the user’s device before encryption. Cryptographers and security researchers across the globe warned this would fundamentally undermine encryption, creating vulnerabilities that authoritarian governments and criminal hackers could exploit. Signal’s president, Meredith Whittaker, had repeatedly said the app would rather withdraw from European markets than comply.
And yet the proposal persisted. For years.
The European Council, representing national governments, proved a stubborn advocate for broad scanning powers. Belgium, during its Council presidency in 2024, pushed a compromise that would have exempted text-only messages but still required scanning of images, videos, and URLs shared via encrypted platforms. Privacy advocates dismissed this as cosmetic. The underlying architecture of mass surveillance, they argued, remained intact regardless of which content types were targeted.
Spain, Ireland, and several Eastern European member states pushed for the strongest possible scanning mandates. Germany, Austria, and the Netherlands resisted. The Council couldn’t reach a qualified majority for any version of the proposal through most of 2024, as Breyer documented on his site, noting that blocking minorities formed repeatedly to prevent the most invasive versions from advancing.
Poland’s reversal proved pivotal. After its change in government, Warsaw shifted from supporting mandatory scanning to opposing it, tipping the balance in the Council. By late 2024 and into 2025, the Council’s position had softened considerably, though not enough for privacy hardliners.
The Parliament, meanwhile, had staked out a dramatically different position. Its Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted in November 2023 to reject indiscriminate scanning entirely, proposing instead that detection orders be limited and targeted — applicable only to specific suspects with judicial authorization, not to entire user bases. The committee also insisted on preserving end-to-end encryption without backdoors or client-side scanning workarounds.
But committee votes and plenary votes are different animals. The full Parliament vote on June 19, 2025, was the real test. And it was brutal.
The session played out like a parliamentary thriller. According to Breyer’s account, the vote on the critical amendments — those removing mass scanning provisions and protecting encryption — passed by just 17 votes. Some amendments scraped through by even less. The political groups were deeply split internally, with members of the center-right European People’s Party (EPP) breaking ranks to vote with Greens, Liberals, and the Left against their own group’s leadership, which had broadly supported scanning mandates.
The EPP’s internal fracture deserves attention. As the Parliament’s largest political group, the EPP had generally aligned with the Commission’s position, arguing that encryption protections shouldn’t become a shield for child abusers. But a significant faction within the group — particularly members from Germany and the Nordic countries — viewed mandatory scanning as a constitutional red line. Their defection made the difference.
So what does the regulation actually look like now?
The Parliament’s adopted position preserves several significant child protection measures while gutting the surveillance architecture. Platforms will face new obligations to conduct risk assessments and implement age verification for services likely to be accessed by minors. Detection orders can still be issued, but only on a targeted basis — directed at specific individuals or accounts where there is reasonable suspicion, subject to judicial review. Crucially, end-to-end encryption cannot be weakened, bypassed, or reverse-engineered to comply with detection orders. If a message is encrypted, it stays encrypted.
The regulation also establishes a new EU Centre to coordinate the fight against child sexual abuse, serving as a clearinghouse for reports from platforms, a resource for law enforcement, and a body to evaluate detection technologies. But the Centre’s role has been circumscribed compared to the Commission’s original vision, which would have given it broad authority to request detection orders.
Breyer and other privacy advocates have argued that these targeted measures will actually prove more effective than mass scanning. Their reasoning: indiscriminate scanning of billions of messages generates enormous volumes of false positives — flagging innocent family photos, consensual adult content, and memes as potential abuse material — overwhelming law enforcement and diverting resources from actual investigations. The German Federal Police’s own statistics, which Breyer cited repeatedly during the campaign, showed that the vast majority of flagged content in existing voluntary scanning programs turned out to be legally irrelevant.
Not everyone is celebrating. Europol and national law enforcement agencies across the EU had lobbied hard for broad scanning powers, arguing they were essential to combating the exponential growth of online child sexual abuse material. The National Center for Missing & Exploited Children in the United States, which operates the primary global database of known abuse material, had also supported the Commission’s approach. Child protection organizations like the Internet Watch Foundation expressed disappointment that stronger detection mandates weren’t preserved.
Their concern isn’t abstract. The scale of online child exploitation is staggering and growing. In 2023, the NCMEC received over 36 million reports of suspected child sexual exploitation, the vast majority from U.S.-based platforms conducting voluntary scanning. European law enforcement officials fear that without mandatory detection, platforms — particularly smaller ones — will simply stop looking.
But the Parliament’s position reflects a calculation that the cure proposed by the Commission was worse than the disease. Mass scanning of private communications, applied to every citizen regardless of suspicion, would have set a precedent with implications far beyond child protection. If the infrastructure exists to scan for abuse material, it can be repurposed — for copyright enforcement, for political dissent, for whatever a future government deems threatening. This slippery-slope argument, once dismissed as alarmist, gained traction as authoritarian tendencies surfaced in several EU member states.
The vote also carries significant implications for the global encryption debate. In the United Kingdom, the Online Safety Act passed in 2023 contains provisions that could theoretically compel platforms to scan encrypted messages, though the government has so far declined to activate those powers after Apple and Signal threatened to pull their services from the UK market. Australia has pursued similar legislation. The EU’s rejection of mass scanning sends a powerful counter-signal: the world’s largest single market for digital services has decided that encryption is non-negotiable.
The legislative process isn’t over. The Parliament’s position now forms the basis for trilogue negotiations with the Council and the Commission — the closed-door talks where the final text of EU legislation is hammered out. The Council will push back on some of the Parliament’s red lines, particularly around the scope of detection orders and the treatment of encrypted services. The Commission, which has invested enormous political capital in the original proposal, will try to salvage what it can.
But the Parliament’s position is strong. A plenary vote carries democratic weight that’s difficult to override in trilogue, and the 362-vote majority — while narrow — is a clear mandate. Council negotiators know that any deal that reintroduces mass scanning provisions will likely be rejected when it returns to Parliament for final approval.
The timing matters too. The new Parliament, elected in June 2024, is more fragmented and politically diverse than its predecessor, with stronger representation from parties on both the right and left that are skeptical of surveillance. The political conditions that enabled this vote are unlikely to shift dramatically before trilogue concludes.
For the tech industry, the immediate practical impact is limited — the current interim regulation allowing voluntary scanning by platforms remains in effect and has been extended while the permanent regulation is finalized. But the strategic signal is clear. Companies that have invested in end-to-end encryption as a core product feature — Apple, Meta, Signal — won’t be forced to dismantle it in Europe. That’s a massive commercial and engineering relief.
Meta’s decision to roll out end-to-end encryption across Messenger and Instagram DMs by default in late 2023 was made partly in anticipation of this fight. Had the Commission’s original proposal survived, Meta would have faced an impossible choice: break encryption for European users or exit the market. That scenario is now off the table.
The broader lesson from this three-year saga is about the limits of techno-solutionism in policymaking. The Commission’s original proposal was built on the premise that technology could thread an impossible needle — scanning every private message for illegal content while somehow preserving privacy and security. Cryptographers said it couldn’t be done without creating systemic vulnerabilities. The Parliament ultimately agreed.
What replaces it is less dramatic but arguably more honest: targeted surveillance of suspects with judicial oversight, better reporting mechanisms, mandatory risk assessments, and investment in law enforcement capacity. These are the boring, resource-intensive tools of traditional policing, adapted for the digital age. They don’t promise to catch every offender. But they don’t require treating every citizen as a suspect, either.
Breyer, reflecting on the vote, noted that the fight had consumed the better part of four years and involved an unprecedented coalition of digital rights organizations, cryptographers, tech companies, journalists, and ordinary citizens who flooded MEPs with messages in the days before the vote. “This proves that the basic right to digital privacy of correspondence can be defended successfully against attempts of those in power to undermine it,” he wrote on his site.
Seventeen votes. In a parliament of 720 members, that’s a margin of 2.4%. The architects of chat control came that close to winning. And the defenders of encryption came that close to losing.
The trilogue negotiations will determine whether this victory holds. But for now, the principle is established: in the European Union, the right to private communication extends to digital spaces, and no policy objective — however legitimate — justifies the mass surveillance of an entire population’s private messages. That’s not a small thing. In the global struggle over encryption and state access to private communications, it might be the most consequential legislative decision of the decade.


WebProNews is an iEntry Publication