The European Parliament has rejected extending the temporary derogation of ePrivacy rules that allowed certain providers to scan private communications in the EU. That exception has already expired, so the framework that gave limited coverage to that tracking has ceased to be in force.
The decision reopens the debate about the legal scope of these practices in messaging and interpersonal communication services. At this moment, the general and indiscriminate scanning of user messages is not legal in the European Union if there is no specific legal basis.
The demand on encrypted messages is out, but the plan remains open
Member States have withdrawn from the negotiation the most controversial part of the plan known as Chat Control, which proposed the obligation to scan encrypted messages. Even so, the proposal to impose mandatory detection of child sexual abuse material remains alive and continues to be negotiated.
The focus of those conversations has shifted towards risk mitigation measures. Among them are age verification and certain voluntary actions by the platforms. The legal and political debate now centers on whether those measures can end up becoming, in practice, disguised obligations.
The big platforms maintain a voluntary position
Google, Meta, Microsoft and Snap have jointly communicated that they will maintain voluntary actions in their interpersonal communication services.
"We will continue taking voluntary measures in our relevant interpersonal communication services." - Joint statement by Google, Meta, Microsoft, and Snap
It is not clear if that position implies that companies will continue scanning private communications. What does remain on the table is that this activity, in the new context, would now risk violating European legislation.
Fear that voluntary measures cease to be so
One of the points gaining weight in the negotiation is the risk that activities presented as voluntary cease to be truly voluntary if they come to be expected as part of platforms' regulatory compliance. That same concern affects age verification, which some sectors reject becoming a default requirement.
The immediate priority in the European debate is to prevent the already expired exception for mass scanning from being reinstated. At the same time, pressure is growing for legislators to clearly define risk mitigation measures within the text still under negotiation, with the aim of preventing age verification from becoming normalized as a general obligation and voluntary actions from leading to a stable expectation of communications tracking.
"This is a zombie proposal. It keeps coming back and should not be allowed to return through the back door." - Assessment gathered in the European debate
The repeal has fallen, but Chat Control is not closed. The pulse in Brussels now shifts from the mandatory scanning of encrypted messages towards indirect formulas that can reopen the same underlying conflict between child protection, privacy, and legal limits in private communications.