EU Approves Chat Control: Warrantless Data Scanning Authorized
The EU Parliament has passed Chat Control 1.0, allowing companies to scan user data without a warrant. Encrypted communication remains exempt, with discussions on version 2.0 slated for September.
On July 9, 2026, the EU Parliament approved Chat Control 1.0. According to a report by Bruno Ferreira on Tom’s Hardware, the bill had been rejected several times previously. However, this time, a parliamentary maneuver requiring an absolute majority (50% + 1) to actively block the bill was employed. Consequently, the legislation was passed and, once published in the EU Official Journal, will remain in effect until 2028.
The law allows companies to perform warrantless mass scanning of user data. However, this is ostensibly limited to the detection of child sexual abuse material (CSAM). The scanning is not mandatory and is left to the discretion of individual companies. Ferreira points out, however, that this formalizes a legal mechanism enabling large tech companies to inspect user data.
The platforms affected are those defined as “interpersonal communication services,” including Gmail, iCloud, Hotmail, Discord, Instagram, Slack, Teams, Snapchat, Xbox, and Google Chat. Both one-on-one and group chats are covered, though public or non-targeted communications are excluded. It remains unclear whether activities like sharing files via Google Drive links fall under the law’s scope.
End-to-end encrypted (E2EE) communications are exempt, thanks to two amendments passed during yesterday’s vote. For now, E2EE services like WhatsApp are not subject to scanning. Although calls to weaken encryption have been repeatedly proposed by lawmakers worldwide, Chat Control 1.0 does not mandate such measures.
It is also important to note that EU law enforcement agencies must still adhere to warrant requirements, meaning Chat Control 1.0 does not grant authorities unlimited scanning capabilities.
This approval is seen as a precursor to the discussions on Chat Control 2.0 scheduled for September. The next version of the legislation is expected to propose broader surveillance powers, and the passage of version 1.0 is likely to alter the framework of those debates. This represents the latest chapter in the long-running battle over digital privacy in Europe. While the GDPR (General Data Protection Regulation) champions robust privacy protections, the expansion of surveillance under the guise of CSAM prevention raises renewed questions about balancing privacy and safety.
Technology companies operating in the EU are now faced with immediate legal risk assessments and compliance challenges. European startups that prioritize privacy, in particular, must decide whether to implement the new scanning mechanisms while maintaining user trust. Although encrypted communications are currently exempt, many companies will need to revise their transparency reports and data management policies.
Japanese tech companies offering services in the EU may also be affected by the legislation. Historically, Japanese platform providers have been relatively passive in responding to European privacy regulations. However, implementing the surveillance mechanisms required by Chat Control 1.0 will be a significant business decision. For instance, refusing to scan user data could invite criticism for failing to cooperate on CSAM prevention, while adopting the scanning mechanisms may provoke privacy concerns from Japanese users.
If discussions on Chat Control 2.0 lead to the removal of exemptions for E2EE, the broader business model of encryption-based services could be at risk. Messaging apps that have marketed themselves on encryption could even face an existential challenge.
The legislative process surrounding this law has also drawn criticism for its lack of transparency. A bill previously rejected in conventional deliberations was passed during the final days of the parliamentary session via procedural tactics, raising questions about democratic legitimacy. Civil society and digital rights groups in Europe are calling for an urgent re-evaluation of the law.
Moreover, whether surveillance genuinely contributes to CSAM prevention remains unproven. Mass data scanning is known to result in a significant number of false positives, increasing the likelihood that innocent users’ communications will be scrutinized. The balance between the risks of privacy violations and the social benefits of surveillance will remain a contentious issue.
Some technology companies are already considering relocating servers outside the EU or ceasing services in the region. For smaller startups, the cost of implementing scanning mechanisms could be a significant burden, potentially altering the competitive landscape within the EU and leading to further monopolization by major platforms.
Editorial Opinion
In the short term, technology companies within the EU will be forced to decide whether to implement scanning mechanisms and adapt to compliance requirements. While encrypted communications are exempt, non-encrypted service providers face immediate pressure to comply. For privacy-focused European startups, this creates a dilemma between risking user attrition and navigating legal risks. Publishing transparency reports and revising data management policies will be unavoidable. This period of adjustment is expected to last at least six months.
In the long term, the focus will shift to whether the exemptions for E2EE can be maintained during the September discussions on Chat Control 2.0. If exemptions are removed, services like WhatsApp and Signal that rely on encryption could face significant challenges. Japanese platform providers serving EU markets may also fall under the scope of the legislation. Additionally, this could set a precedent for similar surveillance legislation discussions in Japan. Over a one- to two-year time frame, the global fragmentation of privacy standards could accelerate.
As an editorial team, we question the legitimacy of the procedural tactics used to pass this legislation.
References
- ” Chat Control 1.0 sneaks through the EU Parliament, letting companies scan user data without warrants — legal tactic used to force a majority-required re-vote on eve of Parliament break ”, by Bruno Ferreira — Tom’s Hardware, 2026-07-10T11:00:00.000Z (ARR)
- Source URL: https://www.tomshardware.com/tech-industry/cyber-security/chat-control-1-0-sneaks-through-the-eu-parliament-letting-companies-scan-user-data-without-warrants-legal-tactic-used-to-force-a-majority-required-re-vote-on-eve-of-parliament-break
Frequently Asked Questions
- What services are affected by Chat Control 1.0?
- Platforms offering interpersonal communication services, such as Gmail, iCloud, Hotmail, Discord, Instagram, Slack, Teams, Snapchat, Xbox, and Google Chat, are affected. Both one-on-one and group chats are included, but public communications are excluded. File-sharing services like Google Drive fall into a gray area.
- Are end-to-end encrypted (E2EE) communications protected?
- For now, they are protected. Two amendments passed during the vote ensure that E2EE services like WhatsApp remain exempt from scanning. However, whether this exemption will persist in the September discussions on Chat Control 2.0 remains uncertain.
- Will this affect Japanese companies or users?
- Japanese companies providing services in the EU may be subject to this law. Additionally, it could serve as a precedent for similar surveillance legislation in Japan. While there is no direct impact on Japanese laws at present, the global shift in privacy standards warrants close attention.
Comments