
Chat Control 1.0 Isn’t Law Yet. Here’s What Actually Happened on July 9
Dan SaltmanChat Control isn’t live in the EU – but it could be soon.
If you read the tech blogs or the mainstream news right now, you’d think your digital privacy was officially executed last week.
The narrative everywhere is “The European Parliament greenlights Chat Control 1.0, reviving the mass scanning of your private messages until 2028.” Outlets are treating this like a done deal, claiming your DMs and emails are actively back on the chopping block.
Read the actual legislative procedure and a different picture emerges (2025/0429(COD), second reading). Parliament amended the Council’s text on July 9. Under the EU’s own rules, that means the regulation has not been adopted – it’s back with the Council, with a clock running. There is no legal basis today for platforms to mass-scan your private messages under this regime. That could change inside three months, or it could stall into next year. (LexisNexis)

The “Deemed Adopted” Illusion
The motion to reject the Council’s text won a clear majority of the MEPs who voted: 314 to reject, 276 against, 17 abstentions – and still failed. The vote sheet states the rule at the top of the item: “Majority of Parliament’s component Members required to amend or reject the Council position.” That’s 361 of 720 – not a majority of those voting, but a majority of everyone elected, present or not. When a second reading fails to reject a Council position, the text is typically “deemed adopted” in its original form.
113 MEPs cast no vote at all. Because the bar is a fixed number of the whole Parliament, an abstention, a vote against, and a missing vote are worth precisely the same thing: nothing. The Council’s text needed nobody to vote for it. It only needed enough people not to vote against it.
The timing wasn’t an accident. On July 7, Parliament approved a rarely used urgent procedure by 331 votes to 304, with 11 abstentions – an EPP-backed manoeuvre that dropped the file onto the last sitting day before summer recess, when an absolute majority was hardest to assemble.
On July 9, Parliament adopted two amendments walling off communications to which end-to-end encryption “is, has been, or will be applied.” Amendment 30, tabled by Renew, carried 369–236. A second, backed by a bloc spanning Renew, the Greens, ECR and PfE, carried 362–235. Both cleared the absolute-majority bar the rejection motion missed. Those two were the only amendments of the day to pass. Roughly thirty were voted. Everything else died on the same threshold – including a Green proposal to restrict scanning to suspects identified by the judiciary, which won 322 to 255 and lost anyway (vote sheet).
A final vote to reject the amended Parliament position then failed too – 276 for, 286 against, 30 abstentions. That closed the second reading and sent the amended package to the Council. (EuroNews). The Council now has three months (extendable to four) to review Parliament’s changes. The clock runs from when it formally receives the text, so the deadline lands somewhere between early October and November.
The Council must accept every single amendment – by qualified majority, and unanimously on any amendment the Commission opposes. If it refuses the encryption carve-out, the bill doesn’t pass anyway: a Conciliation Committee is convened. And refusal is the likely path; an exemption for encrypted communications cuts against the entire premise of a scanning regime, which is why observers expect the Council to reject it.
The old scanning exemption – Regulation (EU) 2021/1232 – expired on April 3, 2026, after MEPs rejected an extension on March 26 by 311 votes to 228. That expiration stands. Nothing on July 9 reversed it.
Nothing is being scanned under this regulation today that wasn’t being scanned yesterday. Three caveats:
- Several providers have kept scanning voluntarily since April anyway, outside any legal framework. The absence of a legal basis hasn’t stopped them.
- Breyer, who has fought this longer than anyone, reads the outcome as scanning permitted until 2028. He may be right about the politics even if the procedure says otherwise: the Council now has the text it wanted.
- The derogation lapsing doesn’t mean CSAM enforcement stops. Targeted surveillance under judicial authorisation, DSA notice-and-action, trusted flaggers, and hash-matching on hosted content all remain available – as CDT Europe, which is not a vendor and has no product to sell, has pointed out. What expired was suspicionless scanning of everyone’s messages, not the ability to investigate suspects, which should absolutely continue.
The Real Fight is in September
Chat Control 1.0 is the small battle.
The permanent regulation – the CSA Regulation, “Chat Control 2.0” – would mandate scanning through detection orders, and reaches for client-side scanning on your device. It hasn’t passed.
The fifth trilogue collapsed without agreement on June 29, and negotiations resume in September. Whatever the Council does with the derogation this autumn, that’s the fight that decides whether encryption survives in Europe.
Don’t Wait for Bureaucrats to Save Your Data

A procedural delay is not a win. A political manoeuvre forced this vote – the rarely used ‘urgent procedure’ carried 331-304 two days before the plenary. That is how Chat Control is getting pushed through the legislative pipeline. Not by winning arguments, but with clever timing.
They want access to your digital ledger. And even if this specific law is stuck in a three-month bureaucratic purgatory, the platforms themselves still hold years of your unencrypted, highly vulnerable data history just waiting to be scraped, leaked, or eventually scanned.
You shouldn’t have to navigate confusing EU voting thresholds just to keep your private conversations private. You need to take control of your own data trail.
Take Your Privacy Into Your Own Hands with Redact
The law is stuck in limbo.
Your chat history is still sitting on their servers.
Whatever the Council decides this autumn, years of your unencrypted DMs, posts, and comments are already exposed. Redact finds and deletes them across Discord, Twitter/X, Reddit, Facebook, and many more services.
- 🔒 Runs 100% on your device
- 🗑️ Mass-delete across 35+ platforms
- 🚫 Credentials never touch our servers
Delete it before anyone gets the legal green light to scan it.
If politicians and corporate platforms are going to treat your past posts, direct messages, and chat histories as fair game, the smartest move is to eliminate the footprint entirely.
With Redact.dev, you can stop relying on politicians to protect your rights. Redact is a local-first privacy application that empowers you to automatically scan, filter, and delete your old messages, posts, and data across more than 35 of the world’s biggest platforms, including Discord, Twitter/X, Reddit, Facebook, Instagram, TikTok, and many more.
Because Redact’s social media deletion runs entirely on your own device, your account credentials and personal history never touch our servers. It gives you the power to systematically wipe the ledger clean on your own terms.
Don’t wait to find out whether bureaucrats decide you have a right to privacy. Download Redact today and clear your digital footprint.
Redact makes data-deletion software – obviously we have an interest in this conclusion. The vote counts and procedure above are sourced. Check them yourself before citing.