EU Proposal: Chat Control

The EU’s Child Sexual Abuse Regulation - commonly referred to as “Chat Control” - is a legislative proposal first introduced by the European Commission in May 2022 to prevent and combat online child sexual abuse across the EU. It aims to establish EU‑wide rules requiring digital service providers to detect, report, remove, and block child sexual abuse material (CSAM) and to prevent the solicitation of minors on their platforms.

Originally, the proposal included mandatory scanning of user communications, which raised serious privacy and encryption concerns. However, in late October 2025, this mandatory scanning requirement was effectively removed, shifting obligations toward voluntary detection and risk-based measures.

On 26 November 2025, the Council of the EU endorsed its negotiating position, reflecting this compromise and formally setting the stage for trilogue negotiations with the European Parliament, scheduled to begin in January 2026. These negotiations will determine the final text of the regulation and the obligations for digital service providers.

The Reality: Green Light for Mass Surveillance

If this regulation is adopted, it would effectively greenlight mass surveillance of private communications across the EU, undermining end-to-end encryption and user privacy.

  1. Voluntary Scanning: Even without mandatory scanning, the regulation enables service providers, espacially large tech companies, to scan private messages, images, and files using error-prone AI algorithms for detection. Without knowing the context of your communications, false positives will lead to innocent users being flagged and reported to authorities, potentially resulting in unwarranted investigations and legal actions. To know the context on the other hand, service providers would need to save and analyze communication data over time, further eroding privacy.

  2. Identification of Minors: To comply with the regulation, service providers must implement measures to identify minors on their platforms. The only feasible way to do this is to use digital identity verification systems, which often require users to provide personal information and documents. Essentially, using digital identity systems means for verification, means you wont be able to communicate anonymously anymore.

  3. End-to-End Encryption at Risk: Even if End-to-End Encryption (E2EE) is used, service providers will be legally obligated to implement detection measures. This could lead to the weakening or removal of E2EE, client-side scanning, or backdoors, all of which compromise the security and privacy of online communications.

  4. Resource Drain: False positives generated by AI algorithms will lead to a significant increase in reports to law enforcement, overwhelming their resources and diverting attention from genuine cases of child sexual abuse. This could ultimately hinder efforts to protect children rather than enhance them.

Conclusion

The EU’s Chat Control regulation, if adopted, would pave the way for mass surveillance of private communications, undermining user privacy and the security of end-to-end encryption. While the intention to combat child sexual abuse is commendable, the proposed measures risk causing more harm than good by infringing on fundamental rights and freedoms.

Do we want to enable large tech companies to legally scan our private communications and tie them to our identities? To let error-prone AI algorithms decide who gets reported to law enforcement? This is a slippery slope towards a surveillance state, and we must remain vigilant in protecting our digital rights and freedoms.