EU interpersonal communications · Regulation (EU) 2021/1232 · second reading, 9 July 2026
314 MEPs voted to kill Chat Control. It passed anyway.
A plurality of the European Parliament voted to reject message scanning. Under EU second-reading rules that wasn't enough. Here is what actually changed, which apps opt in to scanning your messages, and how to move to services that refuse — without the myths going around.
Rejection required an absolute majority of all 720 members. The motion failed 47 votes short. Absences counted for the law.
Section — the record
What actually happened, in 60 seconds
Two different things get called “Chat Control.” Most of what you read this week confuses them.
What passed on 9 July is the revival of “Chat Control 1.0” — a voluntary scheme that lets providers scan messages and mail for known child sexual abuse material. Gmail, Facebook Messenger, Instagram DMs, Snapchat, Skype, iCloud Mail and Xbox have used it for years. It lapsed in April 2026 after Parliament rejected it; the Council brought it back, and this week's rejection vote fell 47 short. It is on track to run to 3 April 2028.
What did not pass is “Chat Control 2.0” — the mandatory client-side scanning of everyone's messages, including encrypted apps, that Signal has said it would leave the EU over. That regulation remains stuck in negotiations, which collapsed again on 29 June. It comes back in September 2026.
Parliament also did something almost nobody reported: it passed an amendment (369 votes, clearing the same threshold the rejection missed) explicitly excluding end-to-end encrypted services from the revived scheme's scope.
- 26 MAR 2026
Parliament votes against extending the scanning scheme. It expires in early April.
- 02 JUL 2026
The Council of the EU moves to reinstate it until April 2028.
- 07 JUL 2026
An urgency procedure (Rule 170) passes 331–304, forcing a snap vote on the last sitting day before summer recess — the maneuver critics call the real procedural trick.
- 09 JUL 2026
The rejection motion gets 314 of the 361 votes required. The scheme survives. The E2EE carve-out amendment passes with 369.
- SEP 2026
Negotiations on the mandatory version — Chat Control 2.0 — resume. This is the fight that decides whether encrypted apps get scanned.
One procedural step remains: because Parliament amended the text, it returns to the Council, which can accept the amendments or force further negotiation. The voluntary scanning regime is in motion either way.
Section — the tracker
Who scans, and who refuses?
Scanning under the scheme is voluntary — these providers chose it, and used it for years before the April lapse. Statuses reflect each service's participation record and public commitments — updated as they change.
| Service | Status | Basis |
|---|---|---|
| Gmail | OPTS IN | Scanned mail content under the voluntary scheme from 2021 until it lapsed. |
| Instagram DM | OPTS IN | Voluntary scanning participant; not end-to-end encrypted by default. |
| Snapchat | OPTS IN | Voluntary scanning participant; no end-to-end encryption for text. |
| Skype / Xbox | OPTS IN | Microsoft participated for these non-E2EE services. |
| Facebook Messenger | MIXED | Personal chats are E2EE by default since 2023 and outside content scanning; other surfaces have participated. |
| EXEMPT — E2EE | End-to-end encrypted; covered by the 9 July carve-out. Meta has warned it cannot keep meaningful encryption under a scanning mandate. | |
| iMessage | EXEMPT — E2EE | E2EE in transit; note iCloud backups without Advanced Data Protection weaken this. |
| Signal | WOULD EXIT EU | President Meredith Whittaker: Signal leaves the EU market before it weakens encryption. Restated through 2026. |
| Threema | WOULD RESIST | Swiss; calls the plans incompatible with its convictions, “all options” examined. |
| Tuta Mail | SUING THE EU | German, E2EE; publicly preparing litigation against Chat Control. |
| Proton Mail | OPPOSES | Swiss, E2EE, campaigning against; no exit commitment found. |
| SimpleX Chat | NO IDENTIFIERS | No phone number, no username, no user IDs — no account that ties messages to you. |
Every row verified 2026-07-09 against the sources below. A status changes → subscribers get one email.
Section — the honest part
What works, and what is theater
Client-side scanning is code inside the provider's own app, running before your message is encrypted. Anything that only changes what happens to your traffic after it leaves the app cannot help, by construction. Half the advice going around fails this test.
| Measure | Verdict | Why |
|---|---|---|
| Leave the services that opt in | WORKS | Opted-in services scanned content for years under this scheme. Moving off them is the single biggest step. |
| Signal | WORKS | Real E2EE, no scanning participation, and a credible public commitment to exit rather than comply. |
| SimpleX Chat | WORKS | The strongest architecture: no identifiers of any kind, so targeting individual users is technically much harder. |
| Proton Mail / Tuta | PARTIAL | A real upgrade over scanned mail today. Future-proofing rests on their stated willingness to fight, not on legal exemption. |
| Threema / Session | PARTIAL | Swiss-based helps enforcement-wise; EU law is written to reach any service “offered to EU users.” |
| Self-hosted Matrix / XMPP | PARTIAL | Personal, non-commercial servers plausibly fall outside the rules — plausibly. Untested. Metadata still leaks between servers. |
| VPNs | THEATER | Scanning happens on your device before encryption. A VPN never sees the content being scanned. Useful for other things; useless for this. |
| Tor | THEATER | Same layer problem. Network anonymity does not remove scanning code from an app. |
| Sideloading your apps | THEATER | Orders bind the provider, not the app store. A sideloaded WhatsApp is the same code. |
| GrapheneOS / de-Googled Android | DIFFERENT THREAT | Genuinely valuable against OS-level telemetry. Does not strip scanning code out of a compliant app. Do it for the right reason. |
Section — the escape ladder
Five steps, easiest first
Bring your people with you
An afternoon · free
An encrypted messenger you use alone is useless. Move your three most important group chats. For anything genuinely sensitive, use SimpleX — no phone number, no username, no account tied to you.
Shrink the surveillance you already carry
A weekend · a supported Pixel
GrapheneOS removes Google's telemetry layer. Be clear-eyed: this does not defeat in-app scanning — it removes a bigger, already-active layer underneath it.
Practice metadata discipline
Ongoing · free
Who you talk to and when leaks even from encrypted apps. Separate identities per context. Verify safety numbers in person for anyone sensitive. Treat access to any centrally-run app as revocable.
Run your own infrastructure
Weeks · sysadmin skills
A self-hosted Matrix or XMPP server for a small trusted circle is the only rung that doesn't rest on some company's promise to resist. You become the provider — plausibly outside the rules' commercial scope, though that reading is untested.
Section — September
The real fight is in September.
Chat Control 2.0 — the mandatory version, the one that reaches encrypted apps — returns to negotiation in September 2026. One email when that moves, and when any app's status in the tracker changes. Nothing else, ever.
Section — receipts
Sources
Every claim above traces to one of these. If you find an error, tell us and it gets fixed with a changelog entry.
- Council of the EU — press release, 2 July 2026
- The Register — vote report, 9 July 2026
- Euronews — the E2EE carve-out amendment
- netzpolitik.org — the urgency-procedure maneuver
- Greens/EFA — Rule 170 urgency vote, 7 July 2026
- Patrick Breyer — Chat Control dossier
- EFF — background on the April 2026 rejection
- The Record — Signal's EU exit warning
- Threema — public position
- TechRadar — Tuta's planned lawsuit
- fightchatcontrol.eu — contact your MEP (advocacy)
- EDRi — Stop Scanning Me coalition