EU interpersonal communications · Regulation (EU) 2021/1232 · second reading, 9 July 2026
314 MEPs voted to kill Chat Control. It passed anyway.
A plurality of the European Parliament voted to reject message scanning. Under EU second-reading rules that wasn't enough. Here is what actually changed, which apps opt in to scanning your messages, and how to move to services that refuse — without the myths going around.
Rejection required an absolute majority of all 720 members. The motion failed 47 votes short. Absences counted for the law.
Section — the record
What actually happened, in 60 seconds
Two different things get called “Chat Control.” Most of what you read this week confuses them.
What passed on 9 July is the revival of “Chat Control 1.0” — a voluntary scheme that lets providers scan messages and mail for known child sexual abuse material. Google, Meta and Microsoft have used it for years, across Gmail, Facebook Messenger, Instagram DMs, Skype and Outlook. It lapsed in April 2026 after Parliament rejected it; the Council brought it back, and this week's rejection vote fell 47 short. It is on track to run to 3 April 2028.
What did not pass is “Chat Control 2.0” — the mandatory client-side scanning of everyone's messages, including encrypted apps, that Signal has said it would leave the EU over. That regulation remains stuck in negotiations, which collapsed again on 29 June. It comes back in September 2026.
Parliament also did something almost nobody reported: it passed an amendment (369 votes, clearing the same threshold the rejection missed) explicitly excluding end-to-end encrypted services from the revived scheme's scope.
- 26 MAR 2026
Parliament votes against extending the scanning scheme. It expires in early April.
- 02 JUL 2026
The Council of the EU moves to reinstate it until April 2028.
- 07 JUL 2026
An urgency procedure (Rule 170) passes 331–304, forcing a snap vote on the last sitting day before summer recess — the maneuver critics call the real procedural trick.
- 09 JUL 2026
The rejection motion gets 314 of the 361 votes required. The scheme survives. The E2EE carve-out amendment passes with 369.
- SEP 2026
Negotiations on the mandatory version — Chat Control 2.0 — resume. This is the fight that decides whether encrypted apps get scanned.
One procedural step remains: because Parliament amended the text, it returns to the Council, which can accept the amendments or force further negotiation. The voluntary scanning regime is in motion either way.
Section — the tracker
Who scans, and who refuses?
Scanning under the scheme is voluntary — these providers chose it, and used it for years before the April lapse. Statuses reflect each service's participation record and public commitments — updated as they change.
| Service | Status | Basis |
|---|---|---|
| Gmail | OPTS IN | One of the Google services in scope. Google reported hash-matching images and video in EU accounts under the scheme, and says it does not scan text for solicitation. |
| Instagram DM | OPTS IN | Meta runs media-matching on images and video across Instagram Direct and Messenger, on “surfaces that are not end-to-end encrypted”. It actioned about 1.5 million pieces of media in EU threads in 2024. |
| Snapchat | OPTS IN | Snap signed the April 2026 industry pledge to keep taking “voluntary action” against CSAM on its interpersonal communications services. It has never filed a transparency report under the scheme. No end-to-end encryption for text. |
| Skype / Outlook | OPTS IN | Microsoft invoked the derogation and names Skype, Outlook, GroupMe and Teams as its services in scope. It creates digital signatures of images and video. Xbox is not among them. |
| iCloud Mail | SCANS | Apple confirmed in 2021 that it scans incoming and outgoing iCloud Mail attachments for CSAM, and has done since 2019. Mail is not encrypted. Apple has never reported under the scheme — this is its own policy, not the EU’s. |
| Facebook Messenger | MIXED | Personal chats have been E2EE by default since late 2023, and Meta scans only surfaces that are not end-to-end encrypted. It was still reporting media-matching in Messenger threads through 2024. |
| Telegram | NOT E2EE BY DEFAULT | Default chats — including every group and channel — are encrypted to Telegram’s servers, not end to end, so the 9 July carve-out does not reach them. Telegram has never appeared among the providers reporting use of the scheme. Secret Chats are genuine end-to-end encryption, but they are opt-in and one-to-one only. |
| EXEMPT — E2EE | End-to-end encrypted; covered by the 9 July carve-out. Meta has warned it cannot keep meaningful encryption under a scanning mandate. | |
| iMessage | EXEMPT — E2EE | E2EE in transit; note iCloud backups without Advanced Data Protection weaken this. |
| Signal | WOULD EXIT EU | President Meredith Whittaker: Signal leaves the EU market before it weakens encryption. Restated through 2026. |
| Threema | WOULD RESIST | Swiss; calls the plans incompatible with its convictions, “all options” examined. |
| Tuta Mail | SUING THE EU | German, E2EE; publicly preparing litigation against Chat Control. |
| Proton Mail | OPPOSES | Swiss, E2EE, campaigning against; no exit commitment found. |
| SimpleX Chat | NO IDENTIFIERS | No phone number, no username, no user IDs — no account that ties messages to you. |
Every row verified 2026-07-10 against the sources below. A status changes → subscribers get one email.
Section — the honest part
What works, and what is theater
Client-side scanning is code inside the provider's own app, running before your message is encrypted. Anything that only changes what happens to your traffic after it leaves the app cannot help, by construction. Half the advice going around fails this test.
| Measure | Verdict | Why |
|---|---|---|
| Leave the services that opt in | WORKS | Opted-in services scanned content for years under this scheme. Moving off them is the single biggest step. |
| Signal | WORKS | Real E2EE, no scanning participation, and a credible public commitment to exit rather than comply. |
| SimpleX Chat | WORKS | The strongest architecture: no identifiers of any kind, so targeting individual users is technically much harder. |
| Telegram | PARTIAL | Not a scanning participant, so it is a real step up from Gmail or Instagram DM. But default chats are not end-to-end encrypted: Telegram holds the keys and stores the messages, so the 9 July carve-out does not protect them. Only Secret Chats fall under it, and they are opt-in and one-to-one only. |
| Proton Mail / Tuta | PARTIAL | A real upgrade over scanned mail today. Future-proofing rests on their stated willingness to fight, not on legal exemption. |
| Threema / Session | PARTIAL | Swiss-based helps enforcement-wise; EU law is written to reach any service “offered to EU users.” |
| Self-hosted Matrix / XMPP | PARTIAL | Personal, non-commercial servers plausibly fall outside the rules — plausibly. Untested. Metadata still leaks between servers. |
| VPNs | THEATER | Scanning happens on your device before encryption. A VPN never sees the content being scanned. Useful for other things; useless for this. |
| Tor | THEATER | Same layer problem. Network anonymity does not remove scanning code from an app. |
| Sideloading your apps | THEATER | Orders bind the provider, not the app store. A sideloaded WhatsApp is the same code. |
| GrapheneOS / de-Googled Android | DIFFERENT THREAT | Genuinely valuable against OS-level telemetry. Does not strip scanning code out of a compliant app. Do it for the right reason. |
Section — the escape ladder
Five steps, easiest first
Bring your people with you
An afternoon · free
An encrypted messenger you use alone is useless. Move your three most important group chats. For anything genuinely sensitive, use SimpleX — no phone number, no username, no account tied to you.
Shrink the surveillance you already carry
A weekend · a supported Pixel
GrapheneOS removes Google's telemetry layer. Be clear-eyed: this does not defeat in-app scanning — it removes a bigger, already-active layer underneath it.
Practice metadata discipline
Ongoing · free
Who you talk to and when leaks even from encrypted apps. Separate identities per context. Verify safety numbers in person for anyone sensitive. Treat access to any centrally-run app as revocable.
Run your own infrastructure
Weeks · sysadmin skills
A self-hosted Matrix or XMPP server for a small trusted circle is the only rung that doesn't rest on some company's promise to resist. You become the provider — plausibly outside the rules' commercial scope, though that reading is untested.
Section — September
The real fight is in September.
Chat Control 2.0 — the mandatory version, the one that reaches encrypted apps — returns to negotiation in September 2026. One email when that moves, and when any app's status in the tracker changes. Nothing else, ever.
Section — receipts
Sources
Every claim above traces to one of these. If you find an error, tell us and it gets fixed with a changelog entry.
- Council of the EU — press release, 2 July 2026
- European Commission — COM(2025) 740 final, implementation of Regulation (EU) 2021/1232: “Google, LinkedIn, Meta, Microsoft and Yubo submitted reports.”
- European Commission — COM(2023) 797 final: “Google, LinkedIn, Meta, Microsoft, and X (former Twitter) submitted reports for 2021 and 2022.”
- Google Ireland — transparency report under Regulation (EU) 2021/1232 (Google Chat, Hangouts and Gmail; hash-matching; no text scanning for solicitation)
- Microsoft — jurisdictional transparency reports: services in scope of the EU CSAM interim regulation (Skype, Outlook, GroupMe, Teams)
- Meta Ireland — EU CSAM derogation report: media-matching “across Messenger and Instagram Direct on surfaces that are not end-to-end encrypted”, ~1.5m items actioned in EU threads in 2024
- Google, Meta, Microsoft and Snap — April 2026 joint statement pledging continued voluntary detection
- 9to5Mac — Apple confirms it has scanned iCloud Mail for CSAM attachments since 2019
- The Register — vote report, 9 July 2026
- Euronews — the E2EE carve-out amendment
- netzpolitik.org — the urgency-procedure maneuver
- Greens/EFA — Rule 170 urgency vote, 7 July 2026
- Patrick Breyer — Chat Control dossier
- EFF — background on the April 2026 rejection
- The Record — Signal's EU exit warning
- Threema — public position
- TechRadar — Tuta's planned lawsuit
- Telegram FAQ — Cloud Chats (private and group) use client-server encryption; only Secret Chats are end-to-end encrypted
- Telegram protocol docs — “Secret Chats are one-on-one chats” and are device-specific
- fightchatcontrol.eu — contact your MEP (advocacy)
- EDRi — Stop Scanning Me coalition