Human rights organizations have warned of the threat of total surveillance due to new EU regulations.
Brussels has once again taken up the Chat Control bill , and the end of the story is still unclear. Negotiations on the controversial regulation to combat online child sexual abuse have reached a decisive stage, but instead of a quick resolution, Europe risks a protracted marathon. The main intrigue of recent weeks is that mandatory scanning of private messages may be removed, while the idea of universal age verification, on the contrary, is gaining momentum.
At the end of 2025, an unexpected turn occurred. After several failed attempts to agree on a common position among EU countries, the Danish government proposed abandoning mandatory mass analysis of private messages, including in services with end-to-end encryption. Previously, one group of countries, including Denmark itself, had insisted on mandating that messaging services monitor users' communications. Another group, including Poland, the Czech Republic, and the Netherlands, warned of the risk of mass surveillance and the undermining of end-to-end encryption.
On November 13, 2025, Copenhagen proposed completely removing the mandatory detection of prohibited content and adding explicit guarantees for encrypted communications. As a result, the Council of the European Union agreed on a position that does not require services like Signal or WhatsApp to scan all private communications or weaken end-to-end encryption . This approach largely aligns with the European Parliament's position, adopted back in 2023.
However, a final agreement is still a long way off. Currently, the Council of the European Union and the European Parliament must agree on a common text, with the European Commission acting as the mediator. Final negotiations are scheduled for June 29, 2026, but there are already reports of delays.
Even the Council's updated position retains controversial provisions. The document does not oblige national authorities to be fully independent, and the provision on excluding websites from search results could create the illusion of combating illegal content instead of actually removing it at the source.
Disagreements also persist over scanning. The Council proposes a permanent "voluntary" scheme, reminiscent of the temporary exception to the 2021 Electronic Communications Privacy Regulations. The European Parliament allows for mandatory scanning, but only in limited cases and upon reasonable suspicion, essentially analogous to a court order. Services like Signal and WhatsApp insist that any mass scanning is incompatible with genuine user protection.
In December 2025, the European Commission added to the tension by proposing to extend the temporary regime for another two years. Critics point to the lack of proven necessity and proportionality of such a measure, but the initiative remains on the negotiating table.
The most serious concern for human rights organizations is another part of the future law—mandatory age verification . Both the Council and the European Commission want to require "risky" services to verify the age of users. The draft definition of "risky" includes services with strong encryption and a high degree of privacy protection.
In practice, users may be required to provide identification documents or biometric data , such as a facial image , to send private messages, email, or download apps . Without such verification, access to private digital communications may be restricted.
This model effectively links correspondence to a specific individual through a passport or biometrics. The privacy of communications, freedom of expression, and the professional secrecy of doctors, lawyers, and psychologists are at risk. People without adequate digital identification, including teenagers, the elderly, and migrants, risk losing the ability to communicate confidentially online. Facial recognition systems often misidentify people with different appearances, increasing the risk of discrimination.
The Regulation on Combating Sexualized Abuse of Children was conceived as a supplement to the Digital Services Act . The latter already includes Article 28, which allows for age verification on platforms where proven necessary and proportionate. Massive restrictions on access to personal correspondence for all users go far beyond this approach.
Negotiations are ongoing, and the outcome remains uncertain. If the final text goes beyond the guarantees proposed by the European Parliament, Europe could end up with one of the most stringent mechanisms for monitoring digital privacy in recent years.
Brussels has once again taken up the Chat Control bill , and the end of the story is still unclear. Negotiations on the controversial regulation to combat online child sexual abuse have reached a decisive stage, but instead of a quick resolution, Europe risks a protracted marathon. The main intrigue of recent weeks is that mandatory scanning of private messages may be removed, while the idea of universal age verification, on the contrary, is gaining momentum.
At the end of 2025, an unexpected turn occurred. After several failed attempts to agree on a common position among EU countries, the Danish government proposed abandoning mandatory mass analysis of private messages, including in services with end-to-end encryption. Previously, one group of countries, including Denmark itself, had insisted on mandating that messaging services monitor users' communications. Another group, including Poland, the Czech Republic, and the Netherlands, warned of the risk of mass surveillance and the undermining of end-to-end encryption.
On November 13, 2025, Copenhagen proposed completely removing the mandatory detection of prohibited content and adding explicit guarantees for encrypted communications. As a result, the Council of the European Union agreed on a position that does not require services like Signal or WhatsApp to scan all private communications or weaken end-to-end encryption . This approach largely aligns with the European Parliament's position, adopted back in 2023.
However, a final agreement is still a long way off. Currently, the Council of the European Union and the European Parliament must agree on a common text, with the European Commission acting as the mediator. Final negotiations are scheduled for June 29, 2026, but there are already reports of delays.
Even the Council's updated position retains controversial provisions. The document does not oblige national authorities to be fully independent, and the provision on excluding websites from search results could create the illusion of combating illegal content instead of actually removing it at the source.
Disagreements also persist over scanning. The Council proposes a permanent "voluntary" scheme, reminiscent of the temporary exception to the 2021 Electronic Communications Privacy Regulations. The European Parliament allows for mandatory scanning, but only in limited cases and upon reasonable suspicion, essentially analogous to a court order. Services like Signal and WhatsApp insist that any mass scanning is incompatible with genuine user protection.
In December 2025, the European Commission added to the tension by proposing to extend the temporary regime for another two years. Critics point to the lack of proven necessity and proportionality of such a measure, but the initiative remains on the negotiating table.
The most serious concern for human rights organizations is another part of the future law—mandatory age verification . Both the Council and the European Commission want to require "risky" services to verify the age of users. The draft definition of "risky" includes services with strong encryption and a high degree of privacy protection.
In practice, users may be required to provide identification documents or biometric data , such as a facial image , to send private messages, email, or download apps . Without such verification, access to private digital communications may be restricted.
This model effectively links correspondence to a specific individual through a passport or biometrics. The privacy of communications, freedom of expression, and the professional secrecy of doctors, lawyers, and psychologists are at risk. People without adequate digital identification, including teenagers, the elderly, and migrants, risk losing the ability to communicate confidentially online. Facial recognition systems often misidentify people with different appearances, increasing the risk of discrimination.
The Regulation on Combating Sexualized Abuse of Children was conceived as a supplement to the Digital Services Act . The latter already includes Article 28, which allows for age verification on platforms where proven necessary and proportionate. Massive restrictions on access to personal correspondence for all users go far beyond this approach.
Negotiations are ongoing, and the outcome remains uncertain. If the final text goes beyond the guarantees proposed by the European Parliament, Europe could end up with one of the most stringent mechanisms for monitoring digital privacy in recent years.
