ESCAPE CHAT CONTROL · escapechatcontrol.com STATUS: LIVING DOCUMENT · LAST VERIFIED 2026-07-09

EU interpersonal communications · Regulation (EU) 2021/1232 · second reading, 9 July 2026

314 MEPs voted to kill Chat Control. It passed anyway.

A plurality of the European Parliament voted to reject message scanning. Under EU second-reading rules that wasn't enough. Here is what actually changed, which apps opt in to scanning your messages, and how to move to services that refuse — without the myths going around.

Section — the record

What actually happened, in 60 seconds

Two different things get called “Chat Control.” Most of what you read this week confuses them.

What passed on 9 July is the revival of “Chat Control 1.0” — a voluntary scheme that lets providers scan messages and mail for known child sexual abuse material. Gmail, Facebook Messenger, Instagram DMs, Snapchat, Skype, iCloud Mail and Xbox have used it for years. It lapsed in April 2026 after Parliament rejected it; the Council brought it back, and this week's rejection vote fell 47 short. It is on track to run to 3 April 2028.

What did not pass is “Chat Control 2.0” — the mandatory client-side scanning of everyone's messages, including encrypted apps, that Signal has said it would leave the EU over. That regulation remains stuck in negotiations, which collapsed again on 29 June. It comes back in September 2026.

Parliament also did something almost nobody reported: it passed an amendment (369 votes, clearing the same threshold the rejection missed) explicitly excluding end-to-end encrypted services from the revived scheme's scope.

  • 26 MAR 2026

    Parliament votes against extending the scanning scheme. It expires in early April.

  • 02 JUL 2026

    The Council of the EU moves to reinstate it until April 2028.

  • 07 JUL 2026

    An urgency procedure (Rule 170) passes 331–304, forcing a snap vote on the last sitting day before summer recess — the maneuver critics call the real procedural trick.

  • 09 JUL 2026

    The rejection motion gets 314 of the 361 votes required. The scheme survives. The E2EE carve-out amendment passes with 369.

  • SEP 2026

    Negotiations on the mandatory version — Chat Control 2.0 — resume. This is the fight that decides whether encrypted apps get scanned.

One procedural step remains: because Parliament amended the text, it returns to the Council, which can accept the amendments or force further negotiation. The voluntary scanning regime is in motion either way.

Section — the tracker

Who scans, and who refuses?

Scanning under the scheme is voluntary — these providers chose it, and used it for years before the April lapse. Statuses reflect each service's participation record and public commitments — updated as they change.

ServiceStatusBasis
GmailOPTS INScanned mail content under the voluntary scheme from 2021 until it lapsed.
Instagram DMOPTS INVoluntary scanning participant; not end-to-end encrypted by default.
SnapchatOPTS INVoluntary scanning participant; no end-to-end encryption for text.
Skype / XboxOPTS INMicrosoft participated for these non-E2EE services.
Facebook MessengerMIXEDPersonal chats are E2EE by default since 2023 and outside content scanning; other surfaces have participated.
WhatsAppEXEMPT — E2EEEnd-to-end encrypted; covered by the 9 July carve-out. Meta has warned it cannot keep meaningful encryption under a scanning mandate.
iMessageEXEMPT — E2EEE2EE in transit; note iCloud backups without Advanced Data Protection weaken this.
SignalWOULD EXIT EUPresident Meredith Whittaker: Signal leaves the EU market before it weakens encryption. Restated through 2026.
ThreemaWOULD RESISTSwiss; calls the plans incompatible with its convictions, “all options” examined.
Tuta MailSUING THE EUGerman, E2EE; publicly preparing litigation against Chat Control.
Proton MailOPPOSESSwiss, E2EE, campaigning against; no exit commitment found.
SimpleX ChatNO IDENTIFIERSNo phone number, no username, no user IDs — no account that ties messages to you.

Every row verified 2026-07-09 against the sources below. A status changes → subscribers get one email.

Section — the honest part

What works, and what is theater

Client-side scanning is code inside the provider's own app, running before your message is encrypted. Anything that only changes what happens to your traffic after it leaves the app cannot help, by construction. Half the advice going around fails this test.

MeasureVerdictWhy
Leave the services that opt inWORKSOpted-in services scanned content for years under this scheme. Moving off them is the single biggest step.
SignalWORKSReal E2EE, no scanning participation, and a credible public commitment to exit rather than comply.
SimpleX ChatWORKSThe strongest architecture: no identifiers of any kind, so targeting individual users is technically much harder.
Proton Mail / TutaPARTIALA real upgrade over scanned mail today. Future-proofing rests on their stated willingness to fight, not on legal exemption.
Threema / SessionPARTIALSwiss-based helps enforcement-wise; EU law is written to reach any service “offered to EU users.”
Self-hosted Matrix / XMPPPARTIALPersonal, non-commercial servers plausibly fall outside the rules — plausibly. Untested. Metadata still leaks between servers.
VPNsTHEATERScanning happens on your device before encryption. A VPN never sees the content being scanned. Useful for other things; useless for this.
TorTHEATERSame layer problem. Network anonymity does not remove scanning code from an app.
Sideloading your appsTHEATEROrders bind the provider, not the app store. A sideloaded WhatsApp is the same code.
GrapheneOS / de-Googled AndroidDIFFERENT THREATGenuinely valuable against OS-level telemetry. Does not strip scanning code out of a compliant app. Do it for the right reason.

Section — the escape ladder

Five steps, easiest first

  1. Stop feeding the services that opt in

    Minutes · free

    Move private conversations to Signal and private mail to Proton or Tuta. Gmail, Instagram DM and Snapchat participated in content scanning for years — this step matters regardless of any future vote.

  2. Bring your people with you

    An afternoon · free

    An encrypted messenger you use alone is useless. Move your three most important group chats. For anything genuinely sensitive, use SimpleX — no phone number, no username, no account tied to you.

  3. Shrink the surveillance you already carry

    A weekend · a supported Pixel

    GrapheneOS removes Google's telemetry layer. Be clear-eyed: this does not defeat in-app scanning — it removes a bigger, already-active layer underneath it.

  4. Practice metadata discipline

    Ongoing · free

    Who you talk to and when leaks even from encrypted apps. Separate identities per context. Verify safety numbers in person for anyone sensitive. Treat access to any centrally-run app as revocable.

  5. Run your own infrastructure

    Weeks · sysadmin skills

    A self-hosted Matrix or XMPP server for a small trusted circle is the only rung that doesn't rest on some company's promise to resist. You become the provider — plausibly outside the rules' commercial scope, though that reading is untested.

Section — September

The real fight is in September.

Chat Control 2.0 — the mandatory version, the one that reaches encrypted apps — returns to negotiation in September 2026. One email when that moves, and when any app's status in the tracker changes. Nothing else, ever.