On July 9, in Brussels, something unusual happened. A majority of European Parliament members voted against scanning private messages. The measure passed anyway.
That paradox is the story. It is also the most confused and consequential privacy battle Europe is fighting right now, and it directly affects not just your messages but the very foundations of crypto security.
TL;DR: On July 9, 2026, 314 MEPs voted against the Chat Control scanning regime while only 276 supported it, yet the measure survived because blocking required an absolute majority of 361 votes. The temporary regime restoring voluntary message scanning now runs until 2028, and the permanent regulation (CSAR) returns to negotiation in September 2026.
What Happened on July 9
The numbers are disorienting. 314 MEPs voted to reject the scanning regime, 276 voted to keep it, and 17 abstained, according to official European Parliament records. But defeating the Council’s position at second reading required an absolute majority of 361 votes. The opposition fell 47 short. The result: the temporary voluntary scanning regime, labeled by critics as “Chat Control 1.0,” was reinstated through 2028. More deputies said no than yes, and it passed anyway, because of a threshold.
The majority said no. It passed anyway.
European Parliament vote of July 9, 2026. 361 votes were needed to block the measure. Source: European Parliament
Two Different Laws: Don’t Mix Them Up
To grasp what is genuinely at stake here, two things that headlines routinely conflate must be separated. Chat Control 1.0 is the temporary regime that allows platforms to voluntarily scan unencrypted messages, such as those on Gmail, Messenger, or Skype, for child sexual abuse material. That is the version reinstated on July 9, and it has never touched encrypted services.
Chat Control 2.0, the permanent regulation formally known as CSAR, is a different matter entirely, still under negotiation. In its most contested version, it would require scanning even end-to-end encrypted services. The July 9 vote concerned the smaller sibling. The real fight resumes in September.
The Technical Knot: Client-Side Scanning
How do you scan an encrypted message that, by definition, nobody can read in transit? The answer is client-side scanning. It deserves an honest explanation: it does not break encryption, it goes around it. The message is inspected on your own device, in the instant before the lock closes. That is why “just use Signal” is a necessary but insufficient answer. Signal itself has already stated it would leave the European market rather than comply.
There is one figure that carries real weight, from the Commission’s own data: the automated detection of previously unknown material showed a false positive rate of up to 20%, meaning one in five flagged conversations was not illicit at all.

Two Serious Arguments on Both Sides
Reducing this conflict to a simple good-versus-bad framing would be dishonest, because both sides carry real weight. Proponents of the regulation point to child protection: abuse reports are rising, and there is genuine concern about a protection gap if scanning stops. After the April expiration, the US-based NCMEC reported a measurable drop in European referrals.
Opponents speak of mass surveillance and the rule of law. The European Data Protection Supervisor has rejected the regulation multiple times. The Council’s own legal service flagged friction with Article 7 of the Charter of Fundamental Rights. More than 80% of citizens consulted opposed scanning encrypted messages, according to the consultation data published by the European Parliament. One detail says everything: a survivor of abuse testified that their own complaint, which led to convictions, was only possible thanks to private, encrypted communication. Encryption protects victims too. This is a genuine dilemma, not a caricature.
Why This Matters for Crypto
Here is where the story becomes a crypto story too. End-to-end encryption is not just a messaging feature. It is the foundation of the entire crypto world. Your private keys, wallet security, self-custody, and private transactions all rest on the same cryptographic principle.
A legal precedent normalizing client-side scanning, the idea that encryption can be circumvented directly on a device, reaches into the roots of digital sovereignty. It is the same tension between surveillance and privacy visible in DAC8 and in the stablecoin rules under MiCA, fought this time on the communications front, inside a broader European architecture that includes the eIDAS digital wallet and the MiCA travel rule. For anyone who believes in self-custody, the encryption protecting your coins is exactly what is on the table.
What Happens Next
The Council has roughly three months, until early October, to accept or reject the Parliament’s amendment excluding encrypted services from the temporary regime. If the Council rejects it, a conciliation committee opens. More importantly, negotiations on the permanent CSAR regulation resume in September, with the final quarter of 2026 as the real decision window.
One variable will likely decide everything: whether Germany holds its position. Just four member states representing more than 35% of the EU population can block a text. Germany alone accounts for 19%. Europe is attempting two things simultaneously: protect children and preserve encryption. Many technical experts insist it cannot fully achieve both. The coming months will show which one bends. This is the clearest test, in a major democracy, of whether end-to-end encryption survives as a legal reality. The underlying records are verifiable at the European Parliament and the European Data Protection Board portals.

