EU Removes Client Side Scanning Mandate—But Privacy Worries Persist in Chat Control Law

The European Union has dealt a significant blow to one of the most controversial provisions in its proposed Chat Control law. Regulators have officially eliminated the mandatory client side scanning requirement, marking what privacy advocates view as a hard-won victory after months of intense pressure from civil rights organizations, tech companies, and digital freedom groups. This provision would have forced messaging platforms to scan users’ private communications and media files before they could be encrypted—a surveillance infrastructure that sparked widespread alarm across the continent.

Yet the story doesn’t end with this partial retreat. The updated legislation still contains provisions that keep privacy advocates vigilant and concerned about the true trajectory of online surveillance in Europe.

The Major Win Against Mandatory Client Side Scanning

The removal of compulsory client side scanning represents a fundamental shift in the EU’s approach to online safety regulation. Under the original proposal, platforms would have been obligated to deploy scanning technology on users’ devices before encryption takes place—essentially creating backdoors into private communications. This technical requirement would have fundamentally altered how encryption works in popular messaging apps, compromising the security guarantees that billions of users rely on.

The decision to drop this mandate reflects the intensity of opposition it faced. Privacy organizations, leading technologists, and even some EU member states warned that client side scanning would compromise cybersecurity, enable government overreach, and create vulnerabilities that malicious actors could exploit. By removing this requirement, the EU has acknowledged these legitimate concerns.

Age Verification and Voluntary Content Scanning: New Privacy Risks Remain

While the most egregious technical requirement has been eliminated, the revised Chat Control law retains several provisions that continue to trouble privacy advocates. Mandatory age verification checks now form a core part of the legislation, potentially requiring users to submit sensitive identifying information just to access messaging services. Such requirements create obvious data collection risks and could expose users to security breaches.

Perhaps more concerning is the law’s provision granting platforms voluntary powers to scan communications for flagged content, particularly child sexual abuse material (CSAM). On the surface, “voluntary” sounds benign—but critics argue this creates perverse incentives. Tech companies may face implicit or explicit pressure to deploy monitoring systems to avoid regulatory penalties, particularly when framed as child protection measures. This could result in widespread content surveillance operating through the back door, without formal mandates or transparent oversight. The distinction between “voluntary” and “effectively coerced” could blur quickly as regulators tighten expectations.

Europe’s Fractured Response: Privacy vs. Child Safety

The EU’s policy shift has exposed deep disagreements among European stakeholders. Privacy advocates and digital rights organizations like EDRi and the European Data Protection Supervisor have cautiously welcomed the removal of mandatory client side scanning, yet they remain skeptical about remaining provisions. They warn that the law still opens pathways to mass surveillance, even without explicit technical mandates.

Conversely, child safety organizations argue the legislation hasn’t gone far enough, insisting that stronger enforcement tools are necessary to combat online exploitation. This tension between protecting vulnerable populations and preserving privacy rights lies at the heart of the debate.

The EU Council and Parliament continue negotiating the law’s final form, suggesting that further changes are likely. The updated Chat Control legislation represents an ongoing struggle to balance legitimate safety concerns with fundamental rights—a conversation that will continue shaping Europe’s digital future for years to come.