Two weeks ago I wrote that Chat Control wasn’t buried, only deferred, and that the Council and the EPP were preparing to revive the lapsed “voluntary” scanning regime through an emergency procedure in Parliament’s last sitting before summer. I hate being right this fast. On 9 July it happened, almost to the letter. And if your feed says the EU just approved scanning your private messages: that is not what happened. What happened is stranger, and in some ways worse.
(This story is still moving: the Council answers next, probably by early October. I’ll keep updating here, so follow the blog or the RSS feed if you want the sequel.)
What was actually voted on 9 July
Not a new law. A resurrected one. The Council essentially cast Reanimate on a proposal Parliament had already put in the graveyard, except in this version the caster doesn’t pay the life equal to its cost. The 450 million of us on the battlefield do.
In March, Parliament rejected the extension of the “voluntary” Chat Control 1.0 derogation by 228 votes to 311, and the old regulation expired on 3 April. File closed, you’d think.
Then on 2 July the Council adopted the original proposal, the one Parliament had just killed, as its official first-reading position, which restarts the machinery at second reading. On 7 July Parliament narrowly agreed (331-304, 11 abstentions) to fast-track the vote into the same week, skipping committee scrutiny. And at second reading the rules invert: it no longer takes a majority to pass a Council position. It takes an absolute majority of all members (officially 360 MEPs) to stop one. Absent members count, in effect, for the proposal.
The rejection motion got 314 votes. 276 voted against, 17 abstained. A clear plurality of voting MEPs said no to Chat Control, for the second time in four months, and it still wasn’t enough, because 314 is 46 short of 360. That is the entire procedural story behind every “EU Parliament greenlights Chat Control” headline.
The part most headlines missed
Here’s the twist: Parliament did clear that 360-vote bar, twice, for amendments. With 369 and 362 votes, MEPs amended the text to exclude from its scope communications “to which end-to-end encryption is, has been or will be applied”. The wording is from Parliament’s own press release. That “will be applied” matters: it also shields services that turn on E2EE tomorrow.
And because Parliament amended the position, the regulation is not law. It went back to the member states. The Council now has three months (early October, roughly) to swallow Parliament’s encryption carve-out. If it won’t, the file goes to a conciliation committee, a procedure so rare it has been used once since 2013. (Politico has the procedural blow-by-blow.)
Meanwhile, and almost nobody says this out loud, voluntary scanning has no legal basis in the EU at all right now, and hasn’t since 3 April. Whatever you think “protecting children online” requires, the current legal state is: nothing is authorised. The proposal on the table would restore scanning on non-encrypted services (Instagram and Discord DMs, Snapchat, Skype, Xbox, Gmail, iCloud mail) reportedly until April 2028, pending the permanent law.
How a twice-rejected law gets un-rejected
Sit with the sequence for a moment. Parliament rejects the law in March. The Council re-tables the identical text in July. Parliament’s president, over the objections of political groups, as Politico reported, lets it onto the agenda of the last sitting before recess, under an urgency procedure that skips the committees, the EDPS opinion, and the fundamental-rights homework. The vote itself was chaotic enough that one MEP told the sitting vice-president, on the record: “We don’t know what we are voting on.”
German digital-rights outlet netzpolitik.org called it a Verfahrenstrick, a procedural trick, quoting campaigner Konstantin Macher: a shabby manoeuvre before the summer break, against the majority of members, used to overturn Parliament’s clearly stated position. Alexander Hanff, a privacy technologist and himself a survivor of child abuse whose pre-vote plea to MEPs is the single most important text written about this file, did the arithmetic on the 415 MEPs who voted for the fast-track, abstained, or simply weren’t there. His plea makes the point no policy paper can: it was private, encrypted communication that let him report his abusers, twenty years later, and see them convicted.
By now the strategy is less legislation than siegecraft. When the front gate holds – and it has held, twice – you don’t rethink the siege; you fetch the battering ram and keep swinging at the same door: March, July, September, until the hinges give. And while the ram booms against the gate, the quieter work happens at the postern: deals cut in rooms with no minutes, one MEP at a time. Hanff counted that of the 415 who let the fast-track through, barely a quarter had met civil-society groups at all, while industry lobbyists pushing scanning tech enjoyed repeat audiences. The asymmetry is the whole game: a door only needs to open once. We have to win every vote. They only have to win one.
I said in the last post that whether someone is linked to child sexual abuse is for courts to establish, not tech companies. I’ll add: whether a rejected law stays rejected should be for parliaments to decide, not for whoever controls the agenda and the calendar. If this template works (re-table, fast-track, schedule against the recess, let the inverted threshold do the rest) it works for any file the member states want badly enough. The EU keeps insisting it is not building a surveillance state, and keeps reaching for surveillance-state tooling with remarkable appetite: scanning first proposed as mandatory, then “voluntary”, then revived when it lapses; and the permanent Chat Control 2.0 negotiations resume in September regardless. Soft words, persistent direction.
Does the scanning even work?
Shortly: no, and I refer you to the previous post for the false-positive math, which hasn’t changed. For the empirical side, Patrick Breyer’s summary collects the numbers: about a third of abuse reports in 2024 originated from mass scanning, roughly half of the alerts German police receive are not criminally relevant, and 99% of Meta’s reports concerned already-known material. Scanning everyone still protects no one.
How the Finnish MEPs voted
The roll-call is public (HowTheyVote.eu), so here is Finland’s scorecard on the motion to reject Chat Control. Remember: on this vote for means against scanning:
Voted to reject Chat Control: Li Andersson (vas), Merja Kyllönen (vas), Ville Niinistö (vihr), Maria Ohisalo (vihr), Sebastian Tynkkynen (ps). An alliance of the Left, the Greens and the Finns Party – not a sentence I write often.
Voted against rejection, i.e. let Chat Control proceed: Mika Aaltola, Sirpa Pietikäinen and Pekka Toveri (kok), Maria Guzenina and Eero Heinäluoma (sd), Anna-Maja Henriksson (r), Elsi Katainen and Katri Kulmuni (kesk).
Did not vote: Aura Salla (kok).
On the 7 July fast-track vote that made this whole manoeuvre possible, Aaltola, Pietikäinen, Toveri and Kulmuni voted for the urgency; Kyllönen and Tynkkynen voted against. The E2EE amendments were not roll-called per MEP, so there is no public record of individual positions on the encryption carve-out. If your MEP is on the second list, they have some explaining to do about voting for a text their own Parliament had rejected three months earlier. Feel free to ask them; their addresses are public.
What happens next
The Council responds by early October: accept the encryption carve-out, or force conciliation. The permanent CSA Regulation talks restart in September. Either way this file moves again within months, and I’ll write it up when it does, so follow the blog if you want the procedural reality instead of the headline. If you want to do something today: the ball is with the member states now, so the useful address is your government’s ministers, not your MEP. Mine already got their letter.
