What is Chat Control? The controversial European law that would scan your private messages
After repeated and unsuccessful attempts by the European Commission to implement a universal surveillance system for private communications, the institution has returned to the fray with a new revision of the legislative initiative. This time, the proposal adopts a seemingly less intrusive approach than previous ones, suggesting the automated scanning and evaluation of private chats in messaging applications.
Nevertheless, the measure has reignited a heated debate about the delicate balance between protecting user privacy and the demands of public safety.
Objectives of the European Commission’s legislative proposal
In May 2022, the European Commission launched the initiative known as “Chat Control”, a regulation whose objective was to prevent and combat child sexual exploitation and abuse of minors on the internet, controlling the distribution of child sexual abuse material (CSMA), as well as any other forms of harmful contact with minors through digital communications.
However, both the European Parliament and several Member States opposed the early versions of the initiative, which resulted in the project being blocked and subjected to a prolonged debate process between 2023 and 2024.
Now, in November 2025, the initiative has been revived with force and, finally, an agreement has been reached in the EU Council for the monitoring to be, in principle, “voluntary” for the platforms.
Proponents of the proposal argue that current tools for reporting illegal materials are insufficient, especially on instant messaging and email platforms. Therefore, they propose creating clear obligations for communication service providers to identify and report illegal content and cooperate with the relevant authorities when required.
What does message scanning involve?
Although the proposed legislation pursues an undeniably important objective, it has not been without controversy. Specifically, the initiative known as Chat Control proposes requiring messaging and email platforms to scan users’ private communications to detect potentially illegal content, not only when there is concrete evidence, but also through a massive and automated scanning system.
In other words, all messages, images, videos, and other files sent via WhatsApp, for example, would be subject to review by automated tools, based on artificial intelligence algorithms or filters based on databases of hashes of previously identified material, without any human intervention, which raises questions about the accuracy of these tools and the risk of false positives.
Technically, this analysis could be performed on the user’s device (known as client-side scanning) before the content is encrypted and sent to the recipient. Although the proposal places particular emphasis on detecting child sexual abuse material, the mass scanning of private communications has led critics to describe it as a form of widespread surveillance.
Is this the end of end-to-end encryption and privacy?
Another frequently raised question is the future of end-to-end encryption (E2EE), the security technology that ensures that only the sender and recipient of a message can see its content, excluding even the platforms that provide it, as is the case with WhatsApp.
Critics argue that implementing the scanning as currently planned makes E2EE encryption incompatible, since it forces the content to leave the encrypted state to be reviewed by the tool, thus eliminating the protection that E2EE encryption provides against unauthorized inspection.
Digital security experts have warned that any mechanism requiring the inspection of encrypted message content can open “backdoors” in encryption systems, degrade the security of communications, and create vulnerabilities that could be exploited by malicious actors, such as hackers or authoritarian governments.
Opening controlled access points to prevent the distribution of illegal content can be used for other, less legitimate purposes.
However, the most recent version of the regulatory text has attempted to mitigate these risks by eliminating the mandatory scanning requirement, so, a priori, no rule has been approved that completely destroys end-to-end encryption.
The debate continues, and future legislative stages will determine the final scope of obligations for platforms and, consequently, the level of protection for citizens’ privacy.
María Barbero es abogada especializada en derecho digital, derecho de las nuevas tecnologías y emprendimiento tecnológico.
Graduada en Derecho y Relaciones Internacionales por la Universidad Europea de Madrid, amplió su formación con un doble máster en acceso a la abogacía, emprendimiento y tecnología en IE University. Enfocada en la actualización constante, aporta una visión jurídica adaptada a la evolución digital. Habla español e inglés.
More from my site
The use of facial recognition surveillance systems: legal limits and privacy risks
The Italian Data Protection Authority has once again reported OpenAI for non-compliance with privacy regulations
Global strategy on minors, digital health and privacy of the AEPD
Minors’ consent regarding privacy: The AEPD publishes an age verification system
X changes its privacy policy: it can now collect your biometric data
New tips from the Spanish Privacy Agency on the use of AI chatbots