European Parliament Allows Message Scanning Until 2028
Extension of ePrivacy exception moves forward despite majority of MEPs voting against
July 11, 2026 · 4 min read
TL;DR: The European Parliament has extended the ePrivacy exception until 2028, allowing big tech to scan private messages for child abuse. The measure remains in force because the absolute majority needed to block it was not reached, although more MEPs voted against.
What happened?
On July 9, 2026, the European Parliament voted on extending the so-called 'ePrivacy exception,' a temporary rule allowing messaging platforms to voluntarily scan chats, emails, and social networks for already identified child sexual abuse content. Although more MEPs voted against than in favor, the absolute majority of 361 votes needed to reject the proposal was not reached, so the exception is extended until April 2028. The regulation was approved in second reading, a process where a 'no' must be explicit and majority to block it; otherwise, the proposal goes through by default. This vote culminates a long debate that began in 2022 with the European Commission's original 'Chat Control' proposal, which sought to force platforms to scan all communications. After intense criticism from civil rights groups and tech companies, the Commission softened its stance and proposed a voluntary and temporary exception, which has now been extended.
Why is it important?
This decision has deep implications for digital privacy in the European Union. The ePrivacy exception, originally created as a temporary measure, allows companies like Meta, Google, and Microsoft to analyze end-to-end encrypted communications without explicit user consent, under the argument of combating child abuse. However, digital rights organizations and cybersecurity experts warn it sets a dangerous precedent: it normalizes mass surveillance of private communications and weakens encryption, which could be exploited by authoritarian governments or malicious actors. Moreover, the lack of an absolute majority reveals a political fracture in the European Parliament between those prioritizing child protection and those defending privacy as a fundamental right. The historical context is relevant: in 2021, the European Commission proposed a similar regulation that was rejected after a massive activist campaign. Now, the extension of the exception until 2028 brings the possibility of it becoming permanent. According to Commission data, over 30 million cases of online child sexual abuse were reported in 2025, used as justification for the measure. However, critics point out that automated scanning generates false positives and can violate the privacy of millions of innocent users.
What consequences will it have?
In the short term, messaging platforms can continue implementing automated content scanning systems, such as PhotoDNA (Microsoft) or similar tools from Google and Meta. This affects services like WhatsApp, Messenger, Gmail, and Outlook, among others. The measure could accelerate the adoption of 'client-side scanning' techniques, where analysis is performed on the user's device before encryption, which has been criticized for creating backdoors in security systems. In the long term, there are fears this exception could become permanent, eroding trust in end-to-end encryption and opening the door to future regulations mandating scanning of all communications. Tech companies have already expressed concern, and some threaten to withdraw services from the EU if privacy rules are further weakened. For example, Signal has stated it would prefer to leave the European market rather than implement client-side scanning. The market impact is significant: according to a University of Oxford study, implementing mandatory scanning could cost tech companies up to 1.2 billion euros in compliance, plus user losses as they migrate to more secure platforms. In terms of users, over 400 million Europeans use encrypted messaging services, and many could see their privacy compromised.
What should readers know?
It is important to understand that the exception does not force companies to scan messages, only allows it. However, political and social pressure to combat child abuse makes it likely many will continue doing so voluntarily. Users concerned about privacy can opt for services with end-to-end encryption that do not perform scanning, like Signal, or use additional encryption tools. They should also watch for updates to terms of service and privacy policies of the platforms they use. The battle for digital privacy does not end here: organizations like EFF and EDRI have already announced they will challenge the decision before the Court of Justice of the European Union. Additionally, civil society is organizing campaigns to pressure national governments to oppose the measure. It is advisable for users to inform themselves about available encryption tools and consider using decentralized networks or open-source services. The European Parliament's decision is not final: the Council of the EU must still formally approve the extension, and intense debate is expected in the coming months. Meanwhile, surveillance of private communications remains a hot topic defining the future of digital rights in Europe.
'Privacy cannot be sacrificed in the name of security. This decision is a step backward for digital rights in Europe.' — Analyst at TheVortiq