Summary
The European Union’s proposed Regulation to Prevent and Combat Child Sexual Abuse, commonly known as “Chat Control,” is a highly controversial legislative initiative aimed at curbing the spread of child sexual abuse material (CSAM) online by mandating the detection and removal of such content across digital communication platforms, including those employing end-to-end encryption. Introduced by the European Commission in 2022, the proposal requires service providers to scan private messages and files, potentially through client-side scanning technology that analyzes content directly on users’ devices before encryption, raising significant concerns about privacy, data security, and the integrity of encrypted communications.
The proposal has ignited widespread opposition from privacy advocates, civil society organizations, legal experts, and over 40 European technology companies, who argue that it constitutes mass surveillance violating fundamental rights protected under the EU Charter of Fundamental Rights, particularly Articles 7 and 8. Critics contend that mandatory scanning risks weakening encryption, exposing users to cyber threats, and undermining trust in digital services, potentially driving businesses out of the European market. Furthermore, doubts about the technical accuracy of automated detection tools and the lawfulness of the regulation have been raised by independent auditors, the European Data Protection Supervisor, and the Council of Europe’s legal advisers.
Member states remain divided, with countries like Luxembourg, Austria, Germany, and Poland opposing the measure, while others, including Denmark in its rotating Council presidency, have pushed for votes on the regulation despite persistent resistance. The debate reflects broader tensions between child protection objectives and the safeguarding of digital privacy and security within the EU, with public consultations and media coverage revealing widespread public skepticism and mobilization against what many see as an intrusive surveillance mechanism disguised as child safety legislation.
As the legislative process approaches critical votes scheduled for late 2025, advocacy coalitions continue to call for the unequivocal exclusion of end-to-end encryption from scanning mandates and for alternative, targeted approaches to combating online child sexual abuse. The outcome of this legislation will have far-reaching implications not only for digital rights and cybersecurity in Europe but also for global standards on encryption and online privacy.
Background
The European Union Council has been actively debating a highly controversial proposal commonly referred to as “Chat Control,” formally known as the Regulation to Prevent and Combat Child Sexual Abuse (CSAR). Introduced by the European Commission in May 2022, this legislation aims to combat the spread of child sexual abuse material (CSAM) online by mandating the detection, reporting, and removal of such content across all digital communication platforms, including those employing end-to-end encryption.
The proposal has sparked intense debate due to its requirement for mandatory scanning of private communications on a massive scale. A particularly contentious aspect is the potential use of client-side scanning technology, where messages are analyzed directly on users’ devices before encryption, effectively circumventing traditional end-to-end encryption protections. This approach raises significant concerns about user privacy, data security, and the integrity of encrypted communications.
Since its introduction, the proposal has undergone several amendments, including explicit exclusions of end-to-end encryption from detection orders and the introduction of independent audits for detection technologies. However, these adjustments have not assuaged critics who argue that the legislation fundamentally undermines privacy rights and could create systemic vulnerabilities in digital communications infrastructure. The European Data Protection Supervisor and various civil society organizations have voiced strong opposition, emphasizing the risks posed by such intrusive measures.
Despite widespread resistance, including from multiple EU Member States such as Luxembourg, Austria, Germany, Poland, the Netherlands, and others, the European Commission and the Danish Presidency of the Council have continued to push the proposal forward, scheduling critical votes in late 2025. Public consultations conducted prior to the proposal revealed broad opposition from both citizens and stakeholders against imposing mandatory chat control.
Critics highlight that the regulation could set a dangerous precedent, enabling authoritarian governments worldwide to demand similar access to private communications under the guise of child protection. There are also concerns about the technical feasibility and accuracy of AI-driven scanning technologies, as evidenced by high rates of false positives in existing systems, such as those reported by Irish police forces. Moreover, leaked legal advice from the Council of Europe has raised serious doubts about the lawfulness of these measures.
On the industry side, over 40 European technology companies have publicly opposed the legislation, warning that weakening encryption would erode trust in digital services, harm European businesses, and threaten democratic freedoms. Law enforcement representatives acknowledge the importance of combating child abuse but remain skeptical about outsourcing investigative responsibilities to private companies, which traditionally fall under state sovereignty.
The ongoing debate around Chat Control reflects a broader struggle within the EU to balance child protection, privacy rights, and digital security, with the legislative process now entering a decisive phase.
Formation of the Coalition
The coalition against the European Union’s “Chat Control” proposal was formed as a broad alliance of European technology companies, privacy-focused enterprises, and industry associations united to oppose the legislation on grounds of privacy, security, and digital sovereignty. This coalition includes over 40 European privacy-first companies alongside the European DIGITAL SME Alliance, which represents more than 45,000 digital small and medium-sized enterprises across Europe.
The impetus for the coalition arose from widespread concerns about the proposal’s mandate to implement client-side scanning, which would require analyzing private communications on users’ devices before encryption. This measure threatens end-to-end encryption and could enable mass surveillance, undermining digital security and the trust that European businesses have built internationally. The coalition contends that weakening encryption would not increase safety but instead harm European tech companies and force many to consider leaving the EU market.
The coalition’s formation was also motivated by the legislative process itself, as the proposal had not yet reached final trilogue negotiations, leaving room for public and political influence. Several EU Member States, including Luxembourg, Austria, Germany, and Poland, had already voiced opposition or abstention regarding Chat Control, and the coalition sought to amplify these positions while countering intense lobbying efforts by the European Commission’s Home Affairs Unit in favor of the proposal.
Through joint statements, open letters, and coordinated advocacy, the coalition called on EU Member States’ ministers and members of the European Parliament to reject the proposal, protect encryption, and defend Europe’s digital sovereignty. Leading companies like Tutanota publicly declared their commitment to fight any measures that would backdoor or weaken encryption, emphasizing the fundamental role of strong encryption in securing communications and supporting democratic society.
The coalition represents a unified industry front emphasizing the risks that Chat Control poses not only to individual privacy but also to the competitiveness and innovation of the European digital economy. Their collective action reflects a strategic effort to ensure democratic scrutiny of the proposal and prevent the normalization of mass surveillance in the EU.
Arguments Against the Proposal
The proposed legislation, often referred to as “Chat Control,” has faced widespread criticism from civil society organizations, technology companies, and privacy advocates who argue that it fundamentally infringes on the right to privacy and other fundamental rights guaranteed by the EU Charter of Fundamental Rights, particularly Articles 7 and 8. Opponents highlight that the proposal mandates the scanning of all private digital communications, including encrypted messages, photos, and files, effectively imposing mass surveillance on all 450 million EU citizens without consent or suspicion. This level of mandatory chat control raises serious concerns about privacy violations and the erosion of digital security.
One of the central technical criticisms of the proposal is its reliance on client-side scanning, a process where messages are analyzed on the user’s device before encryption. This method bypasses end-to-end encryption protections, exposing private communications at their source and creating systemic vulnerabilities in digital security. Critics warn that such measures would not only weaken encryption but also damage trust in European businesses and the broader digital ecosystem, potentially pushing tech companies out of the EU market and stifling innovation.
Furthermore, the technical feasibility of the automated scanning tools proposed is questioned due to high rates of false positives, as illustrated by data from Ireland where 11.2% of reports were false alarms, causing risks of innocent users being wrongly accused and legal or social harm. Child protection experts, including the United Nations, argue that mass surveillance approaches do not effectively prevent abuse and may, in fact, make children less safe by diverting resources from proven protective measures.
Legal experts, including the Council of the European Union’s Legal Service and the Council of Europe’s lawyers, have expressed serious doubts about the lawfulness of the proposal, suggesting it could lead to the de facto permanent surveillance of all interpersonal communications and contravene fundamental EU privacy rights. There is also concern that once mass scanning is implemented for child protection, political pressure would inevitably expand its use to other areas such as counterterrorism or organized crime, creating a slippery slope towards authoritarian surveillance practices.
Opposition voices emphasize that the proposal risks undermining the EU’s own cybersecurity and digital sovereignty goals, contradicting frameworks such as NIS2, eIDAS 2.0, and the European Digital Identity Wallet. The long legislative process, with persistent divisions within the Council, reflects deep unease about the proportionality, legality, and potential consequences of the measure.
Actions Taken by the Coalition
A broad coalition of over 40 European technology companies and digital rights organizations has actively mobilized against the European Union’s proposed “Chat Control” legislation, emphasizing its threats to privacy, security, and free speech. This coalition has engaged in multiple coordinated efforts to raise awareness and pressure policymakers to reject the proposal.
The coalition has issued open letters and public statements signed by hundreds of researchers and industry leaders, warning that the proposed measures would fundamentally undermine digital security by enabling mass scanning of private communications—even those protected by end-to-end encryption—which they describe as effectively instituting permanent surveillance of interpersonal communications. They have underscored the risk that the technology mandated by the proposal could be exploited by authoritarian regimes to suppress political dissent, and highlighted legal concerns regarding compliance with the EU Charter of Fundamental Rights and existing human rights frameworks.
To influence democratic scrutiny processes within the EU, the coalition has actively encouraged citizens across Member States to contact their national governments, Members of the European Parliament, and permanent EU representations, urging them to oppose Chat Control. They have promoted calls to action that recommend personal outreach methods such as phone calls, letters, and attending local political events, citing these as more impactful than emails. Specific campaigns and petitions, including change.org initiatives in countries like France, have been launched to broaden public engagement and political pressure.
In addition, the coalition continues to provide technical and legal briefings, and hosts stakeholder sessions to inform policymakers and the public about the risks associated with the proposal. Their advocacy explicitly calls for the unequivocal exclusion of end-to-end encrypted services from detection mandates and for the rejection of any regulatory provisions that would introduce backdoors or weaken encryption.
This multi-faceted approach combines grassroots mobilization, expert legal and technical analysis, and direct engagement with EU institutions to counteract the lobbying efforts by the European Commission’s Home Affairs Unit, which has persistently pushed for the adoption of the proposal despite opposition from numerous Member States, including Luxembourg, Austria, Germany, Poland, the Netherlands, Slovenia, Finland, Belgium, the Czech Republic, and Estonia. The coalition’s ongoing efforts seek to safeguard fundamental rights enshrined in EU law while promoting effective child protection strategies that do not compromise digital privacy or security.
Responses from the European Union
The European Union’s proposed Regulation to Prevent and Combat Child Sexual Abuse, often referred to as “Chat Control,” has elicited a wide range of responses across EU institutions, member states, and civil society actors. While the regulation aims to curb the spread of child sexual abuse material (CSAM) online, its method—mandating the scanning of private communications including those protected by end-to-end encryption—has sparked significant controversy due to concerns over privacy, fundamental rights, and cybersecurity.
Positions within EU Institutions
The European Parliament has taken a firm stance on the proposal, agreeing on a position in 2023 that reflects skepticism toward the regulation’s approach, emphasizing the need for proper democratic scrutiny and protection of fundamental rights. The European Data Protection Supervisor and several civil society organizations have warned that the law could undermine encryption and user privacy, highlighting the risks of mass surveillance inherent in the proposal.
The European Commission’s Home Affairs Unit has been actively lobbying in favor of the proposal, seeking to persuade EU Member States to support their plans despite opposition. At the same time, leaked legal advice from the Council of Europe’s lawyers has raised serious questions about the lawfulness of the measures, cautioning against the de facto permanent surveillance of all interpersonal communications and warning that such measures could be expanded to target other crimes or political dissent.
Member State Responses
Member State governments have displayed mixed and evolving positions. Countries such as Luxembourg, Austria, Germany, and Poland have consistently opposed Chat Control, while others including the Netherlands, Slovenia, Finland, Belgium, the Czech Republic, and Estonia have either opposed or abstained at various stages. Denmark, currently holding the rotating presidency of the Council of the European Union, has been a decisive and controversial player; after initially opposing the proposal, it has shifted to an undecided stance and is now actively pushing for a vote on the regulation by 14 October 2025 despite widespread resistance from privacy advocates and some member states.
Concerns from Civil Society and Industry
A coalition of over 40 European companies, alongside digital rights groups and the European DIGITAL SME Alliance, have voiced deep concerns about the regulation, stressing that it undermines cybersecurity achievements and threatens Europe’s digital independence by mandating systemic vulnerabilities. These stakeholders argue that the regulation’s mandatory scanning threatens fundamental rights to privacy and data protection guaranteed under Articles 7 and 8 of the EU Charter and that automated scanning technologies risk misidentifying innocent content, leading to false accusations and damaging investigations.
Prominent voices from criminal investigation bodies acknowledge the importance of combating child abuse material but express skepticism about privatizing investigative efforts and the risks of overreach, warning that innocent individuals could become unintended targets of investigations.
Ongoing Legislative Process and Calls for Action
The legislative process remains in a critical phase, with key dates including Council position finalisation in September 2025 and a potential vote in October 2025. Given the deep unease about the content and proportionality of the proposed regulation, the period leading to these decisions is seen as decisive for public and stakeholder engagement. Calls have been made for EU citizens and lawmakers to oppose measures amounting to Chat Control and to defend fundamental rights against surveillance-driven policies. Activists and experts continue to emphasize that undermining encryption and privacy is a step backward, potentially creating an infrastructure for mass surveillance under the guise of child protection.
Public and Media Reaction
The European Union’s proposed Regulation to Prevent and Combat Child Sexual Abuse, commonly referred to as “Chat Control,” has sparked widespread public and media backlash across Europe. Critics argue that the proposal mandates indiscriminate mass surveillance of private digital communications, including encrypted messages, which they claim fundamentally undermines privacy and data protection rights guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights. This surveillance would affect all EU citizens, scanning every private message, photo, and file automatically, without suspicion or exceptions—except for politicians, who are exempted under professional secrecy rules.
Civil society organizations, digital rights activists, and numerous experts have voiced strong opposition to the legislation, citing its incompatibility with fundamental rights and its technical infeasibility. For instance, reports from Ireland highlighted a high rate of false positives in detecting child exploitation material, with over 11% of alerts flagged as false, raising concerns about the effectiveness and consequences of automated scanning systems. Furthermore, leaked internal legal advice from the Council of Europe raised serious questions about the lawfulness of the measures, warning that mass scanning could lead to permanent surveillance of all interpersonal communications and potentially enable authoritarian misuse against political dissent.
Media coverage has emphasized the law’s potential to create a “mass surveillance infrastructure” under the guise of child protection. Critics accuse policymakers and private companies of pushing the legislation primarily to legalize mass surveillance and weaken encryption, thereby exposing users’ sensitive data to hackers and
Future Developments
The European Union’s proposed Regulation to Prevent and Combat Child Sexual Abuse, commonly referred to as “Chat Control,” remains at a critical juncture in its legislative process. After years of negotiation and political contention, the proposal faces decisive votes scheduled for late 2025, with the Council position expected to be finalized by 12 September 2025 and the earliest Council vote anticipated on 14 October 2025. Despite earlier setbacks, such as the narrow blocking minority that halted the plan in December 2024, recent developments indicate renewed momentum behind the proposal, with several formerly opposed governments, including France, withdrawing their resistance.
The ongoing debate centers largely on the regulation’s controversial mandate for mandatory scanning of private communications, potentially including encrypted messages through client-side scanning technology. This approach involves analysing content on users’ devices before encryption, raising significant concerns over privacy, the undermining of end-to-end encryption, and cybersecurity risks. Civil society organizations, legal experts, and privacy advocates continue to highlight the lawfulness and proportionality issues, warning of the possibility that the technology could lead to mass surveillance and might be co-opted by authoritarian regimes for broader purposes beyond child protection.
Public opposition remains strong, as demonstrated by surveys showing a majority of Europeans reject such invasive monitoring measures, and over 40 European companies have united in resistance against the proposal, fearing its detrimental impact on digital privacy, cybersecurity, and the competitiveness of European businesses. Critics argue that rather than adopting mass surveillance tactics, the EU should prioritize targeted law enforcement, international cooperation, and stricter penalties for offenders to combat child sexual abuse material without compromising fundamental rights.
The next months are expected to be decisive, with intense public and stakeholder engagement aimed at influencing the final outcome. Activists, legal challenges, and industry coalitions continue to advocate for preserving encryption and digital sovereignty while protecting children online. The legislative process’s eventual conclusion will not only shape the future of privacy and security within the EU but could also set precedents influencing global digital communications governance.
The content is provided by Blake Sterling, 11 Minute Read
