The Council of the European Union is advancing a regulation called "Chat Control 2.0," which provides the possibility for online platforms to track signs of child exploitation in user correspondence. Some commentators warn that this document legalizes mass surveillance — this is stated in an investigation by journalists from the Polish economic news portal wnp.pl, writes Neatkarīgā.
The EU Council has adopted a bill aimed at protecting children.
The EU Council regulation allows authorities in EU countries to request internet providers to remove certain content. This raises concerns about violations of users' privacy rights.
After several months of debate, the EU Council has agreed on a common position regarding the draft regulation known as "Chat Control 2.0." The rules are designed to prevent the sexual exploitation of children, including the distribution of materials containing such cases. However, privacy advocates fear that the new law could be used for surveillance of online communication.
Negotiations are planned between the Council, the European Commission, and the European Parliament. Before the regulation is adopted, European institutions need to develop a joint proposal.
Where Did the Idea of Scanning Communications Come From?
In May 2022, the European Commission proposed a regulation intended to help combat the sexual exploitation of children. It requires internet providers, including messengers, to detect, report, and remove relevant materials. The Commission also proposed creating a new central agency to support the implementation of the regulation with the involvement of national authorities.
Since then, discussions on the document have continued in the EU. The idea of scanning personal correspondence, known as "chat control," raises the most concern. Therefore, the project is widely referred to as "Chat Control 2.0."
How Does Message Control Work?
Before encrypting and sending a message to another user, the system on the sender's phone locally analyzes the message using the provider's algorithm. The content is converted into a digital fingerprint — a so-called hash code — which is then compared to a database of CSAM patterns collected by the EU agency. If the algorithm deems the message suspicious, it is automatically flagged, and a notification is sent to the monitoring system. The user is not informed about this. Moreover, it does not require grounds — all messages will be regularly scanned.
In previously discussed versions of the rules, it was proposed to extend such a mechanism to encrypted communications in messengers like Signal, WhatsApp, and Proton, as well as to services like Dropbox.
"This will open the door to mass surveillance of private conversations and undermine the technical safeguards that ensure confidentiality and privacy. The adoption of this law will also violate press freedom," commented the Center for Media Freedom and Media (a German analytical center). The proposals have also been criticized by the European Data Protection Supervisor. The European Parliament has also opposed them.
What Did Government Representatives Agree on in the EU Council?
Due to strong resistance to the concept of chat scanning, Denmark, as the presidency, presented a softened draft regulation. Initially, a blocking minority formed among EU countries, with Poland being one of the leading countries in this movement.
Successive governments in Warsaw have consistently opposed message control. For Poland, it is important that the rules allow for holding criminals accountable but do not create a mechanism for total surveillance of internet users.
The draft new rules state that internet providers will need to assess the risks of their services being used to disseminate materials related to the sexual exploitation of children and take measures to mitigate these risks based on that assessment. This may include tools that allow users to report such exploitation, manage what content about them is shared, and set default privacy settings for children.
Member states will appoint designated authorities to analyze the risk assessments and, if necessary, require providers to implement appropriate measures.
A risk categorization system will be introduced: high, medium, and low. Authorities will be able to require high-risk providers to implement technologies to mitigate these risks.
Public authorities will have the power to demand the removal of content, and in the case of search engines, to exclude it from search results.
Internet providers will be required to verify users' ages.
The Council's proposal also states that, in general, the encryption of internet messages is to be protected.
The requirement for platforms to detect CSAM (child sexual abuse materials), included in previous drafts, has been revoked. However, platforms will be able to voluntarily implement relevant tools.
How to Evaluate the New Proposals from the EU Council?
"It seems to me that the EU Council has reached a compromise by postponing the implementation of decryption of internet messages, if it happens at all, to the future and only with the consent of regulatory authorities," commented Piotr Mechkowski, executive director of the Digital Poland Foundation.
He added that a model in which platforms, messengers, and other internet services assess risks and take measures themselves will help reduce the tension that has existed between EU countries for years. "In fact, this is a victory for those who oppose chat control," Mechkowski believes.
Among the NGOs opposing "Chat Control 2.0" is the European Digital Rights Association (EDRi).
EDRi's policy director, Ella Jakubowska, believes that the position of the EU Council is an important step towards canceling mandatory mass scanning of internet messages and attempts to weaken encryption. "However, at this stage, it is more of a political statement than a real guarantee," she said.
"The text agreed upon in the Council is very chaotic and contains many potential gaps that could undermine the agreement reached. But we know that negotiations with the European Parliament are just beginning, and I consider this 'victory' an important signal for negotiators to ensure the protection of encryption and exclude any possibilities of forced scanning. The current 'security measures' outlined in the Council's text are still insufficient," Jakubowska stated.
Hidden Threats in the Euro Council Proposal
Patrick Breyer, a Member of the European Parliament from Germany, warned against the introduction of these rules. Shortly after the EU Council's decision, he wrote on his website that the proposal contains "hidden threats." In his opinion, even if scanning messages is voluntary, it legalizes the mechanism itself. In practice, this will lead to service providers scanning all messages of all users, not just those suspected, to show concern for children's safety.
Breyer believes that the text approved by the Council retains alarming trends: there is a shift from the logic of "we suspect the suspect" to the logic of "everyone is potentially suspicious." Furthermore, the dependence of communication on identification will increase.
Work on the new regulation is expected to be completed by April 2026.
