Did the EU Just Pass Chat Control? What the July Vote Means for Your Messages
By Scott, Clearfront founder
Not quite, and the truth is stranger than the headline. On 9 July 2026 a majority of MEPs present, 314 against 276, voted to reject the EU's revived message-scanning rules, known as Chat Control 1.0. The rules advanced anyway, because killing a law at second reading takes an absolute majority of all 720 seats, 361 votes, and the rejection fell 47 short. But nothing new became legal that day: the text now sits with the Council, which has until roughly 9 October to decide. Here is what was actually voted on, whether your messages are being scanned right now, and what the encryption carve-out means.
What is Chat Control?
Chat Control is the nickname for two different EU proposals, and the difference matters. Chat Control 1.0 is Regulation 2021/1232 ↗, a temporary derogation from the EU's ePrivacy rules that lets providers voluntarily scan unencrypted private messages for child sexual abuse material and grooming. Chat Control 2.0, the CSA Regulation still under negotiation, would go much further and make detection mandatory.
The July vote was about 1.0, the voluntary version. Services like Gmail, Facebook Messenger, Snapchat, and Skype used the original derogation to scan for known abuse material until it expired on 3 April 2026. The Council wants it revived and extended to 3 April 2028, as a bridge while the fight over the mandatory version continues.
What did the European Parliament actually vote on 9 July?
Parliament held a second-reading vote on the Council's position to revive the derogation. The attempt to reject it outright won more votes than it lost, 314 to 276 with 17 abstentions, and still failed, because a second-reading rejection needs an absolute majority of Parliament's 720 members, 361 votes, regardless of how many turn up. The rejection fell 47 votes short.
Three votes from the day tell the story:
- -Reject the Council position: 314 for rejection, 276 against. Failed, 47 short of the 361 needed.
- -Amendment excluding end-to-end encrypted services: 369 in favour. Passed.
- -A second encryption-exclusion amendment: 362 in favour. Passed.
Notice the irony. The only votes that cleared the 361-vote bar were the ones protecting encryption.
How does a law advance when a majority voted against it?
Through procedure, used aggressively. Under the EU's ordinary legislative process, once the Council adopts a position, Parliament must muster an absolute majority to throw it out at second reading. Two days before the vote, on 7 July, the European People's Party invoked Rule 170, an urgency procedure, passing 331 to 304, which skipped the usual committee review and pushed the vote to the last sitting day before summer recess.
Around 112 MEPs were absent, many already gone for the break. With 720 seats and 361 votes needed to reject, every absent member effectively counted for the proposal. Former MEP Patrick Breyer, Chat Control's most persistent critic, called the move a procedural trick, and EU diplomats quoted in the press described the fast-tracking as unprecedented. Whatever you think of the policy, the timing did the work the argument could not.
Are your messages being scanned right now?
The 9 July vote gave no provider any new permission to scan anything. The old derogation expired on 3 April 2026, and its replacement is not in force. Between those two points sits a legal grey zone: reporting indicates some providers simply kept their voluntary scanning running after expiry, now without a clear legal basis under the ePrivacy rules.
So the honest answer is: possibly, but not because of this vote. If a service scanned your unencrypted messages in March, it likely still does. What the vote changed is what happens next: if the Council accepts Parliament's amendments, voluntary scanning of unencrypted services regains its legal basis until 3 April 2028, with end-to-end encrypted services excluded. It stays voluntary, per provider, and scoped to child sexual abuse detection, not a general licence to read everything.
What about WhatsApp, Signal, and other encrypted apps?
End-to-end encrypted messages were never covered by the original derogation, and Parliament's newly adopted amendments would write that exclusion into the revived one explicitly, covering services where end-to-end encryption is, has been, or will be applied. For users of Signal, WhatsApp, or iMessage, the content of your chats stays out of this regime's reach.
Two caveats keep that from being a full stop. The Council still has to accept the amendment for it to become law. And encryption protects the content of a message, not the fact of it: who you message, when, and from where is metadata, and metadata sits outside this regulation entirely. The scanning debate is also far from over, because negotiations on the mandatory Chat Control 2.0 resume in September 2026.
What happens next?
- 1.The amended text is now with the Council, which has three months, until roughly 9 October 2026, to respond.
- 2.If the Council accepts the amendments, the derogation enters into force with the encryption carve-out and runs until 3 April 2028.
- 3.If the Council rejects them, the file goes to a conciliation committee, and the grey zone continues in the meantime.
- 4.Separately, talks on the mandatory Chat Control 2.0 regulation resume in September 2026. That is the bigger fight.
What can you actually do about it?
You do not get a vote in the Council this October, and you cannot control which scanning regime Brussels lands on. What you can control is how much of your life is exposed if any message, account, or platform you use leaks or is read: the addresses, usernames, breaches, and forgotten accounts already tied to your name in public data. That exposure exists whether or not Chat Control ever comes into force.
Clearfront scans that digital footprint in one sweep on your own machine, no cloud, no third party reading anything, and an AI security analyst reports what is publicly exposed and what to fix first. Install Clearfront free and run it on yourself, or get the free removal guide to start shrinking the part of your exposure no parliament controls.
Frequently asked questions
- Did Chat Control pass the EU Parliament?
- Parliament failed to reject it, which is not the same as passing it into law. The rejection won 314 votes to 276 but needed an absolute majority of 361. The amended text now goes to the Council, which has until about 9 October 2026 to accept or reject Parliament's changes.
- Does Chat Control mean all my messages will be scanned?
- No. Chat Control 1.0 permits voluntary scanning of unencrypted services for child sexual abuse material and grooming. It does not compel any provider to scan, and Parliament's amendments exclude end-to-end encrypted services like Signal and WhatsApp.
- Is Chat Control in force right now?
- No. The old derogation expired on 3 April 2026 and the replacement has not entered into force. Some providers reportedly continued scanning voluntarily in the gap, without a clear legal basis, but the 9 July vote itself made nothing newly legal.
- Does Chat Control affect the UK or US?
- Not directly, it is EU law. But large platforms often apply one policy across regions, the UK's Online Safety Act creates its own scanning powers, and US providers like Gmail and Facebook Messenger already scan for abuse material under US reporting rules. The EU decision shapes the global default.
Sources and further reading
I believe your personal data is yours to own and protect. I built Clearfront, a free, open-source tool for scanning and scrubbing your own digital footprint from public data, and I write here about OSINT, breach exposure, and personal privacy.
Scott
Clearfront founder
Related posts
- Is the UK Actually Banning VPNs? What Is True and What Is Not
No, the UK is not banning VPNs and using one is legal. Here is what is actually happening, why the confusion started, and what it means if you use a VPN.
- Is UK Age Verification Safe? What Happens to Your ID and Face Scan
UK age checks often mean uploading ID or a face scan to a third party. Here is how age verification works, the real privacy risks, and how to spot a safe check.
- What Google Knows About You (and How to See and Delete It)
Google records what you search, watch, and where you go, and gives you the tools to see, delete, and stop most of it. Here is exactly where to look and what to switch off.