The European Parliament voted Thursday to revive a temporary rule that gives large technology companies legal cover to scan users’ communications for child sexual abuse material, or CSAM. The decision matters because companies including Google, Microsoft and Meta had been left in a gray zone after the earlier authority expired in April.
The rule, first adopted in 2021, permits voluntary scanning by online service providers. It does not authorize scanning on encrypted messaging services such as Signal, according to The Record. Privacy advocates have branded the policy “Chat Control,” arguing that it normalizes surveillance of private communications without adequate limits.
The vote came one day before Parliament’s summer recess and turned on a procedural feature that critics say changed the outcome. The provision could be blocked only by an absolute majority. Under that system, absent lawmakers effectively count against rejection, so the measure survived even though more members present voted against it than for it, The Record reported.
That procedural route has become part of the fight. Rand Hammoud of the Center for Democracy and Technology Europe wrote in a blog post that the “highly politicised procedural efforts” were driven by Parliament President Roberta Metsola and amounted to an unprecedented tactic. Hammoud accused lawmakers of “overstepping Parliament’s own mandate and previous vote.”
Parliament had rejected the same measure three months earlier under ordinary voting conditions, according to critics cited by The Record. Some lawmakers and officials, including Metsola, had pushed for renewal after the April lapse, saying companies needed a clear legal basis to continue detecting suspected abuse material.
Companies continued scanning after the rule expired, The Record reported, but European officials warned that doing so without legal protection carried risk. The new vote gives firms a clearer path to keep voluntary CSAM detection running until 2028.
A temporary fight inside a larger one
The revived authority is separate from a broader proposal that privacy advocates often call “Chat Control 2.0.” Lawmakers have been negotiating that permanent framework since November 2023, but The Record reported that talks have produced little progress.
Simeon de Brouwer, a policy adviser at European Digital Rights, told The Record by email that the more expansive version could, in its strongest form, require service providers to scan conversations and hosted content, including end-to-end encrypted communications.
Law enforcement officials have argued that scanning is needed to find and report abuse material online. When the earlier authority lapsed in April, Europol Executive Director Catherine De Bolle said in a statement that “enabling online service providers to continue detecting and reporting suspected CSAM to the competent authorities is vital for the protection of children.”
De Brouwer argued the cost is too high. He told The Record that Chat Control lets technology companies “snoop without a warrant, with little to no oversight, and with no legal basis, on millions of conversations.”
The result is a familiar European policy collision: child-protection enforcement on one side, communications privacy on the other, and a legislature using procedural machinery that has now become part of the controversy. For users, the immediate effect is narrower than the most aggressive proposals. The current rule permits voluntary scanning and leaves encrypted platforms like Signal outside its scope. The larger fight over whether Europe can compel broader scanning remains unresolved.
This story draws on original reporting from The Record.