EU revives message scanning rules, shifting policing to tech firms
The European Parliament has extended temporary rules allowing tech companies to scan private messages for abuse material, handing US firms an expanded law enforcement role ahead of a broader regulatory showdown.
The European Parliament has voted to keep temporary rules in place that allow technology companies to voluntarily scan private messages for child sexual abuse material. The measures, approved in Strasbourg on July 9, will remain in force until 2028. The rules do not apply to end-to-end encrypted messaging apps like WhatsApp or Signal.
The outcome relied on a procedural technicality. Although more Members of the European Parliament opposed the extension than supported it, opponents failed to secure the absolute majority required to reject it. This revived a derogation to e-Privacy rules that lawmakers had previously struck down in March.
For the predominantly American tech platforms operating in Europe, the vote means a continuation of the legal mandate to act as proxies for law enforcement. Companies are now authorised to scan emails, photos, and videos sent on their networks and report findings to authorities. This creates a complex compliance environment, as firms must maintain scanning infrastructure without absolute clarity on the final shape of EU law.
Digital rights groups have labelled the framework "Chat Control 1.0" and warn it fundamentally alters the relationship between citizens and corporations. Simeon de Brouwer of the European Digital Rights association argued the policy gives companies unchecked power. "It’s a big breach of our digital rights and goes against basic EU values," he said. "It’s a blank cheque to companies, mostly American ones, to look through all our emails and every photo and video we send to each other and then report it to an American centre that then reports it to EU law enforcement."
The centre-right European People's Party, the parliament's largest political group, strongly rejects the mass surveillance label. Dutch MEP Jeroen Lenaers said the goal was simply to close a legal loophole that had removed the basis for detecting abuse material. "Neither the member states nor the European Parliament is interested in a system of general surveillance," he said.
These temporary measures will eventually be replaced by a permanent regulation first proposed by the European Commission in 2022. Negotiations, which had stalled amid heavy lobbying, are reportedly back on track and set to resume after the summer recess.
Crucially for the technology sector, the upcoming permanent framework is not currently expected to mandate the scanning of encrypted messages. De Brouwer noted this distinction is vital for journalists and human rights defenders who rely on secure communications.
Children's rights advocates are pushing lawmakers to finalise a long-term solution that also addresses AI-generated abuse material. Scharliina Eräpuro, a survivor of child sexual abuse, highlighted the urgency of the issue. "Every single second, it's estimated that 10 children are being sexually abused online," she said, noting that around 60% of known material is hosted in Europe.