A controversial vote has kept the temporary Chat Control rules alive until 2028, but many questions remain. EU Perspectives asked lawmakers, legal experts and digital rights organisations to explain what happened, why the vote became so contentious, and what it means for citizens, technology companies and negotiations on the EU’s permanent child sexual abuse law.

The outcome has puzzled many observers. Although more members of the European Parliament (MEPs) voted against extending the temporary rules than in favour, the proposal still passed because it was being considered at second reading. Under EU law, rejecting the Council’s position required the backing of an absolute majority of all MEPs, a threshold opponents failed to reach.

Among the biggest points of contention now are whether Parliament’s procedure was legitimate, whether the extension changes how private communications can be scanned in practice, and whether Thursday’s vote will influence negotiations on the permanent Child Sexual Abuse Regulation (CSAR). Here’s what the experts told us.

What does today’s vote mean?

EDRi, European digital rights civil society organisation: Today, both sides won: yes, the temporary derogation is renewed once more despite the majority of MEPs voting against it, but this majority is also sending a clear signal against mass surveillance toward the negotiators of the long-term CSAR framework, for which a simple majority is needed. The Parliament’s mandate for the CSAR is not undermined, it is strengthened. 

Member of the European Parliament Martin Sonneborn (NI/DE): The implication reaches beyond this one file. If an urgency procedure can force a second reading vote that the Rules do not permit, the Treaty’s second reading protections become optional whenever a majority finds them inconvenient. That is a precedent no group in this House should want, including the ones voting for it today.

You might be interested

How uncommon is this procedural loophole used in today’s vote?

Rand Hammoud, CDT Director of the Security, Surveillance and Human Rights Programme: Reviving an already rejected law through an emergency procedure, timed for the last day before recess, is a questionable way of lawmaking. This isn’t just about child safety versus privacy; it’s about the risk of undermining confidence in the democratic process itself. The case for reviving Chat Control 1.0 rests on urgency that the evidence doesn’t support, and it regrettably risks jeopardising progress on the longer-term CSAR framework.

“What is truly monumental is the fact that the President of the European Parliament was willing to suggest ignoring the mandate of the institution she represents.”
— EDRi

Sonneborn: Uncommon enough that its defenders had to reach back to a wartime emergency to find a precedent. When the President’s office was asked to justify the urgency, the single example it produced was the Ukraine assistance of 2022. That comparison falls apart on contact: in 2022 the Council had committed in writing to adopt Parliament’s text, so the urgent procedure served the will of this House in a genuine emergency. Here it is being used against the will of this House.

The mechanism is where the real problem sits. At second reading, a silence counts as consent. Now put an urgency procedure on top: compressed deadlines, a vote squeezed in before the summer recess, minimal time to organise a majority. Every empty seat becomes a vote for the Council. You do not need to win the argument, you only need enough colleagues to be on a train home. My position is that this is not merely unusual, it is inadmissible.

Thomas Lohninger, Executive Director of epicenter.works: The president of the European Parliament tried to create a false urgency before the summer recess to overturn a democratic majority of her own Parliamentarians. But this manoeuvre failed today and there is still a democratic majority in the European Parliament against mass surveillance and to protect encryption. Such procedures are meant for genuine urgency, not to bypass democratic decision-making. While today’s manoeuvre failed, it raises important questions about how parliamentary procedures are used and underlines why protecting democratic processes is just as important as protecting fundamental rights.

EDRi: Which loophole? For the Council to ignore the EP’s first reading position, and bully it in reconsidering its stance on mass surveillance? What is truly monumental is the fact that the President of the European Parliament was willing to suggest ignoring the mandate of the institution she represents. Fortunately, the move partly backfired.

What will the vote mean in practice for citizens and companies in Europe – including “Big Tech”?

EDRi: Today’s vote means that private companies may deny your right to have confidential digital conversations; they could, if they want to, read every message you write, every email you send, every picture you share. (Isn’t their surveillance already creepy enough?) 

For police forces to monitor you, the law requires them to first obtain a warrant, and judges authorise such surveillance only if it’s targeted to specific people suspected of a serious crime. In contrast, here the proposal is to outsource the surveillance to private (mostly US) companies, and require of them neither targeting based on suspicion, nor democratic safeguards.

Lohninger: Today was a good day for democracy, because the protest from civil society had an impact. The heavy lobbying from rich and powerful companies and law enforcement agencies could not counter the good arguments from committed citizens that helped protect the internet today. This gives us hope for the many more fights to come. 

“We see a coalition of Big Tech companies together with vendors of such surveillance technologies, law enforcement agencies and the conservative European People’s Party all working to undermine the confidentiality of our online communication.”
— Thomas Lohninger, Executive Director of epicenter.works

Hammoud:  Targeted telecommunications surveillance based on concrete suspicion and judicial authorisation remains fully permissible, as do production and preservation orders for electronic evidence under the EU’s e-evidence framework.

Content hosted on platforms remains subject to existing removal and reporting channels: legal orders to expeditiously remove clearly illegal content (CSAM among the clearest examples), notice-and-action mechanisms, and dedicated CSAM-flagging channels for trusted flaggers under the Digital Services Act.

Known, previously verified CSAM can still be identified through hash-matching, a tool that flags content for human review within narrowly defined parameters, without requiring the broader scanning regime the derogation authorises.

Did you experience pressure from specific Commissioners or national representatives ahead of today’s vote? How intense was the lobbying?

Sonneborn: Not the kind you can put in writing. The pressure in these files is structural, not personal: it comes from the calendar and the procedure, which is exactly why those are the instruments chosen. Nobody needs to make a phone call when the rules can be arranged so that staying home counts as a yes. That is the elegant thing about doing it this way, the coercion is built into the timetable, and everyone keeps clean hands.

EDRi: Lobbying was strong – the same four Commissioners who (unsuccessfully) lobbied MEPs last March, did it again on Monday.

“Whenever the permanent text stalls, the “temporary” one is extended to buy time, and each extension is sold as a one-off emergency.”
— MEP Martin Sonneborn (NI/DE)

Lohninger: On this file we see a coalition of Big Tech companies together with vendors of such surveillance technologies, law enforcement agencies and the conservative European People’s Party all working to undermine the confidentiality of our online communication.

What about the alternative, permanent regulation known as “Chat Control 2.0”?

Sonneborn: The permanent Regulation and this “temporary” derogation are two hands of the same project. The derogation keeps voluntary scanning alive; the permanent Regulation would make it mandatory. Whenever the permanent text stalls, the “temporary” one is extended to buy time, and each extension is sold as a one-off emergency. Worth remembering: this derogation renews a text materially identical to the version that expired on 3 April. Nothing was improved. The aim is not to fix the proposal, it is to keep the clock running until resistance tires.

A lawful restriction of a fundamental right has to rest on a law that says exactly what is permitted and what is not. A blanket ePrivacy derogation does not, which in my view makes it illegal, but courts take years to say so, and by then it has been “temporary” for half a decade.

EDRi: This vote is only a temporary derogation, a band-aid to apply until a long-term solution is adopted. The permanent CSAR is nearly finalised — likely to be adopted in October. That’s the most credible alternative.

Lohninger: The negotiations on Chat Control 2.0 are ongoing and their outcome remains uncertain. Any future proposal must respect fundamental rights and protect encryption. Similarly, if Europe allows for indiscriminate mass surveillance we would lose the core of our values that make us European. Today’s vote does not end this debate, the negotiations on both the temporary extension and the permanent CSA Regulation will continue.