Can cops eavesdrop on your WhatsApp? The controversial EU legislation battle is entering a decisive phase. To understand what is at stake, EU Perspectives spoke with Patrick Breyer, Parliament’s one-time co-negotiator-turned-fierce critic of the file. The jurist and digital rights expert was quick to cite concerns over mass surveillance and privacy violations.
After years of political deadlock, 2026 is the year we will learn how far the EU is willing to go. The Child Sexual Abuse Regulation, commonly known as Chat Control, which aims to prevent and combat online child sexual abuse by requiring online platforms to detect, report and remove illegal material, has a long and contentious history. Originally introduced as a temporary measure allowing companies to scan for child sexual abuse material (CSAM) voluntarily, the framework was proposed as a permanent system by the European Commission in May 2022. That move raised concerns among privacy advocates and cybersecurity experts, particularly over the impact on end-to-end encryption.
From stalemate to trilogues
Throughout 2025, the Child Sexual Abuse Regulation (CSAR) file struggled to find consensus inside the Council. Under the Danish Presidency, member states ultimately converged around a compromise that removed explicit ’detection orders’ mandating the scanning of private communications, instead placing greater emphasis on risk assessment and mitigation obligations for online service providers. Platforms would be required to evaluate how their services could be misused and apply measures to reduce those risks, such as abuse-reporting tools or restrictions on content sharing.
The Council’s position was endorsed at the end of November, clearing the way for trilogue negotiations with the European Parliament and the Commission. From Mr Breyer’s perspective, the current phase is “is critical but dynamic” and defined by institutional pressure. Still, he sees a narrow optimism, pointing to signals from the Commission’s new leadership, as the new Commissioner for Internal Affairs, Magnus Brunner, has “signalled alignment with the European Parliament’s position regarding targeted surveillance, breaking the Commission’s previous rigid stance”.
Is encryption still under pressure?
Despite the Council’s decision to drop explicit mandatory scanning orders, Mr Breyer remains concerned about the implications for end-to-end encryption. In his view, the risk has not disappeared, but shifted. “The Council’s approach puts encryption at risk by maintaining ‘voluntary’ scanning as a permanent measure and enforcing coercive ‘risk mitigation’ obligations,” he said.
The Council’s approach puts encryption at risk by maintaining ‘voluntary’ scanning as a permanent measure and enforcing coercive ‘risk mitigation’ obligations. — Patrick Breyer, digital rights expert
At the centre of this concern is Article 5 of the Council’s mandate, which requires providers to “contribute effectively” to the automated detection of illegal content. For encrypted services, Mr Breyer argues, this wording leaves little room for manoeuvre. “Any requirement that forces a service to bypass its own encryption protocol fundamentally destroys the security guarantee of end-to-end encryption,” he warned.
More broadly, the ex-MEP cautions that the structure of the regulation could lead to mass surveillance without formally mandating it. He points to the Commission’s expected proposal to extend the interim derogation allowing voluntary scanning beyond April 2026, which he says would normalise large-scale scanning as the default. “This enshrines mass surveillance of private messages by US tech giants as the status quo, pressuring Parliament to accept a flawed permanent deal,” he said.
You might be interested
Combined with what the jurist describes as “overly heavy and complex” risk mitigation requirements, Mr Breyer argues the framework could leave privacy-preserving services with little practical choice. “The proposal includes overly heavy and complex risk mitigation measures that punish privacy-respecting services, effectively forcing them to implement surveillance tools to avoid liability.”
Supporters: Child protection first
Supporters of the regulation, including law enforcement authorities and child protection advocates, argue that the measures are essential to detect and prevent online sexual abuse. The European Child Sexual Abuse Legislation Advocacy Group (ECLAG), a coalition of more than 70 child rights NGOs, welcomed the Danish Presidency’s proposal as a way to move beyond years of legislative deadlock. But the group expressed concern about the absence of mandatory detection orders. “This proposal avoids the immediate cliff that would have left children unprotected and marks an important step forward after years of delays”, they state.
Also, law enforcement bodies have repeatedly argued that encrypted services create investigative difficulties. Europol argues that the EU’s legal tools are behind. Especially when it comes to access to data, as criminals are increasingly moving from open dark-web forums to E2EE (end-to-end encrypted) apps.
But Mr Breyer sees it differently. To him, the problem facing authorities is not a lack of data, but too much of the wrong kind. “Authorities are not suffering from ‘blind spots’ so much as ‘data floods’”. As an example, he pointed to Germany, where “nearly half (48 per cent) of the reports sent to the German BKA were completely legal content” in 2024. The result, he argues, is investigative overload rather than effectiveness. “This mass surveillance model drowns investigators in noise, distracting them from the targeted, undercover work required to infiltrate the darknet forums where actual criminal networks operate”.
Authorities are not suffering from ‘blind spots’ so much as ‘data floods’. — Patrick Breyer
Instead, Patrick Breyer points to an alternative approach promoted by the European Parliament. “I advocate for the European Parliament’s ‘Security by Design’ approach,” he said, including safer default settings such as private profiles for minors and a stronger focus on removing known illegal content. Enforcement efforts, he added, should prioritise “the public web and darknet rather than spying on the private chats of law-abiding citizens”.
The battles ahead in 2026
Looking ahead, the jurist expects several flashpoints to dominate negotiations as the regulation moves toward a possible adoption next year. “The timeline is tight, with a final deal expected by June 2026,” Mr Breyer says. To him, the most heated debates in the coming year will centre on app store restrictions, mandatory age verification, and the clash between targeted and indiscriminate monitoring of private communications.
