The European Parliament has extended a temporary legal carve-out that lets technology companies voluntarily scan private communications for child sexual abuse material, even though more lawmakers voted against the measure than supported it.
The vote keeps permissions in place for companies including Meta, Google and Microsoft to scan private texts, emails and social media messages. The measure does not apply to end-to-end encrypted chats, according to WIRED, leaving services such as WhatsApp and Signal outside the current scanning regime.
The strange bit, and there is one, is the math. The measure moved under an “urgent procedure” used by the European People’s Party, the Parliament’s largest political group, after negotiations over the law collapsed in March. Under that procedure, the extension passed unless an absolute majority of 361 members of the European Parliament voted it down. Opponents had more votes than supporters on Thursday, but missed that threshold by 47 votes.
The result is that companies retain the legal basis to keep scanning eligible private messages until 2028, or until a permanent replacement is adopted. Critics have already given both the temporary and permanent versions the same blunt nickname: “Chat Control.”
What the extension actually permits
The law does not force companies to scan all messages. It allows them to do so voluntarily for child sexual abuse detection. That distinction matters legally, but it will feel thin to users whose messages are checked by a private platform before any police officer or court gets involved.
Simeon de Brouwer, a policy adviser at Brussels-based advocacy group European Digital Rights, told WIRED the extension means private companies can decide whether confidential digital conversations stay confidential. He said firms could read users’ messages, emails and shared images if they choose to do so.
Supporters framed the extension as a child protection measure. The European People’s Party has argued that voluntary detection by companies has helped identify and rescue children abused online, and that removing the legal basis for scanning would leave children exposed. The previous law expired in April, according to WIRED, creating pressure among supporters to restore the permissions before Parliament’s summer break at the end of the month.
“We cannot go to the summer recess knowing that our children are not protected,” Tomas Tobé, vice-chair of the European People’s Party, told lawmakers earlier in the week.
Privacy groups call the process anti-democratic
Opponents objected both to the scanning and to the route used to pass it. The urgent procedure bypasses preliminary committee debates, where lawmakers would typically argue over amendments. That is not a small procedural footnote. In privacy law, the messy committee stage is often where the difference between targeted enforcement and broad surveillance gets fought out in public.
Patrick Breyer, a civil rights activist and former member of the European Parliament, called the outcome a “farce” that “damages democracy” in a blog post after the vote.
Breyer argued that broad scanning is the wrong way to protect children, comparing it to opening everyone’s physical mail without suspicion. His criticism goes to the central trade-off in the measure: the extension preserves a detection system that supporters say has produced real child safety benefits, while giving private companies permission to inspect personal communications at scale.
The next fight is already queued up. A permanent version of the legislation remains under discussion. Until then, the temporary permission stands, regardless of the awkward fact that a larger bloc of lawmakers voted against it than for it.
This story draws on original reporting from WIRED.