EU Council Approves New “Chat Control” Mandate Pushing Mass Surveillance

European governments have taken another step towards reviving the EU’s controversial chat control agenda, approving a new negotiating mandate for child sexual exploitation regulation at a closed session of the Council of the EU on November 26.

The measure, billed as a tool for child protection, is once again facing heavy criticism for its surveillance implications and the way it reshapes private digital communications in Europe.

Unlike an earlier draft, this version removes the explicit obligation for companies to scan all private messages, but quietly introduces what opponents describe as an indirect system of pressure.

This rewards or punishes online services depending on whether they agree to perform “voluntary” scanning, making monitoring effectively a business expectation rather than a legal requirement.

Former MEP Patrick Breyer, a long-time defender of digital freedoms and one of the plan’s most vocal opponents, said the deal “paves the way for a permanent infrastructure of mass surveillance.”

According to him, the Council’s text replaces legal compulsion with financial and regulatory incentives that push major US technology firms toward indiscriminate scanning.

He warned that the framework also brings in “anonymity-breaking age checks” that would turn normal online use into an exercise in identity verification.

The new proposal, which was brokered largely through Danish mediation, comes months after the original “Chat Control 1.0” regulation was shelved following widespread backlash.

It reinstates many of the same principles, requiring providers to assess their potential “risk” regarding child abuse material and implement “mitigation measures” approved by authorities. In practice, this may mean pressure to install scanning tools that examine both encrypted and unencrypted communications.

Czech MEP Marketa Gregorova called the Council’s position “disappointing…chat control…opens the door to widespread scanning of our messages”.

Similar objections emerged throughout Europe.

In the Netherlands, members of parliament forced their government to vote against the plan, warning that it combines “mandatory age verification” with a “voluntary obligation” scheme that could penalize any company that refuses to adopt invasive surveillance methods. Poland and the Czech Republic also voted against, and Italy abstained.

Former Dutch MEP Rob Roos accused Brussels of working “behind closed doors”, warning that “Europe risks slipping into digital authoritarianism.”

In addition to parliamentarians, independent voices such as Daniel Vavra, David Heinemeier Hansson and the privacy-focused company Mullvad have spoken out against the Council’s position, calling it a direct threat to private communications online.

Despite the removal of the word “mandatory”, the structure of the new deal appears to preserve mass scanning in practice.

Breyer described it as a “Trojan horse”, arguing that by calling the process “voluntary”, EU governments are placing the burden of oversight on the tech companies themselves.

The Council’s mandate introduces three central threats that remain largely unexplored in public debate.

First, so-called “voluntary scanning” turns mass surveillance into standard operating procedure. The proposal expands an earlier temporary regulation that allowed service providers to scan user messages and images without a warrant.

Authorities such as Germany’s Federal Criminal Police Office have reported that about half of the alerts from such systems are baseless, with perfectly legal content flagged by often flawed algorithms. Breyer said these systems leak “thousands of perfectly legal, private chats” to law enforcement each year.

Second, the scheme effectively wipes out anonymous communications. To meet the new requirement of “reliable identification of minors”, providers must implement universal age verification. This could mean ID verification or face scanning before accessing basic services like email or messaging apps.

For journalists, activists, and anyone who relies on anonymity for safety, this system could make simple private speech functionally impossible.

Technology experts have repeatedly warned that age estimation “cannot be done in a privacy-preserving manner” and poses a “disproportionate risk of serious privacy violations and discrimination”.

Third, it risks digitally isolating young people. Under the Council’s framework, users under the age of 17 can be blocked from many platforms, including chat-enabled games and messaging services, unless they pass strict identity verification. Breyer called the idea “academic nonsense”, arguing that it alienates teenagers rather than helping them develop safe online habits.

Member states remained divided: the Netherlands, Poland and the Czech Republic rejected the text, while Italy abstained. Negotiations between the European Parliament and the Council are expected to begin soon, with the aim of producing a final version before April 2026.

Breyer warned that the apparent agreement does not amount to a real withdrawal from surveillance. “The headlines are misleading: chat control isn’t gone, it’s just being privatized,” he said. “We are facing a future where you need an ID card to send a message, and where alien black-box AI decides whether your private photos are suspicious or not. This is not a victory for privacy; it is a disaster waiting to happen.”


