The European Parliament paved the way on Thursday for the return of so-called chat monitoring: providers will once again be allowed to voluntarily scan unencrypted private messages for abusive material. The circumstances surrounding this decision are noteworthy – a majority of voting MEPs opposed the measure, but failed to secure the absolute majority required for its rejection. The far more controversial mandatory scanning of encrypted messages remains unaffected for the time being.
In a vote described as chaotic, the European Parliament in Strasbourg on July 9th passed a temporary exemption to European data protection law, once again allowing online services to voluntarily scan unencrypted private communications for depictions of child sexual abuse. The regulation, which expired in April, is now back until 2028. This is not a new issue for Apple: the company has been at the center of the Europe-wide debate on mandatory CSAM scans for years, and its iCloud Mail service is among the offerings covered by the current transitional arrangement. It is important to note a distinction that is often overlooked in reports: this concerns the voluntary scanning of unencrypted content – not client-side scanning of encrypted chats, which is a separate and still ongoing issue.
What Parliament has decided
The vote concerned the extension of Regulation (EU) 2021/1232, known online as "Chat Control 1.0". It had expired on April 4, after Parliament had twice previously rejected its continuation unchanged, most recently by a clear majority. Parliamentary President Roberta Metsola brought the matter back to the agenda in early July via an urgent motion; the expedited procedure was adopted on July 7 by a vote of 331 to 304.
On Thursday, the decisive vote took place – with an unusual result. A motion to reject the regulation entirely passed with 314 votes in favor, 276 against, and 17 abstentions. Because the text was in its second reading, however, an absolute majority of 361 votes would have been required for rejection – even a simple majority of up to 360 votes against is insufficient. Thus, the regulation is considered adopted, despite a majority of those present voting against it. The fact that many members of parliament had already left on the last day of the session before the summer recess shifted the balance of power in favor of the proponents. This procedure drew accusations from several parliamentary groups that the process had exploited a parliamentary loophole.
Parliament did manage to push through some amendments – including the explicit exemption for end-to-end encrypted communication and the restriction to known abusive material. However, the regulation is not yet finalized: the EU Commission must comment on Parliament's proposals, and the Council of Member States must give its final approval before the exemption can come back into force.
What gets scanned – and what doesn't
Specifically, affected providers are once again permitted to automatically scan unencrypted private messages, emails, and files for known and, in some cases, unknown abusive material. The regulation does not name any specific companies but categorically covers providers of unencrypted communication. In practice, this primarily concerns large, mostly US-based services - such as email services like Google's Gmail or Apple's iCloud Mail, as well as unencrypted direct messages on platforms like Discord, Snapchat, or Instagram.
End-to-end encrypted communication is explicitly excluded. Messages via messengers such as Signal, Threema, WhatsApp, or Apple's iMessage are not covered by this regulation. This is precisely the crucial point: The transitional regulation now adopted does not break any encryption and does not mandate scanning on the end device. The debate surrounding mandatory scans - including of encrypted content, if necessary directly on the smartphone—is being conducted in a separate proceeding concerning the permanent "CSA Regulation," often referred to as "Chat Control 2.0," which will be further negotiated in September.
Why this topic is relevant for Apple
Even though it's a broad EU regulation affecting many providers, it directly impacts the Apple ecosystem – specifically in an area where the company has its own revealing history. In 2021, Apple announced a system for comparing iCloud photos on the device itself with known abuse hashes, but abandoned these plans in 2022 after massive criticism from security researchers and civil rights activists. The core concern at the time: A scanning system once implemented on the device could later be repurposed for other content, effectively creating a backdoor.
This stance is consistent. When the British government demanded access to encrypted iCloud data, Apple chose to withdraw its enhanced data protection in the country rather than install a backdoor. For the current transitional arrangement, this means that Apple is only affected by unencrypted iCloud emails, not end-to-end encrypted services. The real test for Apple's encryption policy would only come with a mandatory "2.0" version, which would pick up exactly where Apple once stopped its own technology.
Criticism and opposing viewpoint
Proponents – most notably the European People's Party led by Metsola – argue that the platforms need a legal basis to continue taking action against child abuse material. Child protection organizations and, for example, the German government's commissioner for abuse issues, argue that ending the regulation would deprive investigators of a valuable tool in the fight against sexualized violence.
The criticism is widespread and cuts across party lines. Civil rights activists like former MEP Patrick Breyer, as well as data protection organizations, consider the indiscriminate scanning of messages belonging to innocent individuals to be a disproportionate intrusion. They point to the European Commission's own evaluation report, which fails to demonstrate proportionality: only a vanishingly small fraction of the scanned messages actually contained illegal material, while the filters used show false-positive rates of up to 20 percent. The Commission was unable to establish a clear link between the automated reports and actual convictions or children rescued. At the same time, more effective measures - court-ordered surveillance, user reports, and scanning public content - remain available anyway. Another objection concerns the long-term nature of the solution: extending voluntary scanning again relieves EU governments of the pressure to commit to the Parliament's targeted child protection concept. Victim support groups have also spoken out, emphasizing that survivors of sexualized violence in particular depend on confidential, protected communication spaces.
The controversy extends into German politics. The reinstatement was spearheaded by the EPP group, which includes the CDU and CSU; the Social Democratic group ultimately enabled the expedited procedure, even though its own rapporteur opposed the maneuver. Sharp criticism came from the Greens and the AfD, who spoke of a dark day for civil liberties and a democratic scandal, respectively. It is also noteworthy that the German Child Protection Association, of all organizations, spoke out against indiscriminate mass surveillance and in favor of targeted measures – an indication that the common juxtaposition of child protection and data privacy inadequately reflects the debate.
Classification: A questionable path to a legitimate goal
No one in this debate disputes the need for better online protection for children – the goal unites all sides. The path to achieving it, however, raises questions. Pushing through a regulation against the expressed will of the majority of voting members of parliament by expediting a procedure during the summer recess is, regardless of the content, a process that undermines democratic legitimacy. And the actual benefit remains controversial: as long as the most effective investigative tools are already available and encrypted communication is excluded, the added value of indiscriminately scanning unencrypted messages is difficult to justify – while the intrusion into the privacy of innocent users is very real.
For Apple users, the immediate impact is manageable: encrypted services are unaffected; in practice, it concerns unencrypted iCloud emails on a few services. But the direction is important. The more difficult debate still lies ahead with the permanent regulation – and that will address precisely the question on which Apple has already reversed course: whether encryption can be weakened in favor of a surveillance infrastructure. How Parliament ultimately decides will reveal more about the future of data protection in Europe than the current transitional arrangement. (Image: Shutterstock / ImageFlow)
- India removes tariffs on iPhone components
- macOS 28 drops support for encrypted HFS+ drives
- Apple TV achieves Emmy record: 87 nominations
- Apple is growing against the trend in the shrinking PC market
- Apple is testing controversial memory from China
- Apple loses in EU court: Gatekeeper status confirmed
- Apple expands US chip production with Broadcom
- Cook and Ternus meet with Bavaria's Minister-President Söder
- Claude Cowork is coming to iPhone, iPad and the web
- Nocturne: Apple TV adapts Lars Kepler's bestseller into a film
- China: iPhone discounts put Apple in second place
- JP Morgan raises Apple price target to $345
- iOS 27 Beta 3: These are the new features included
- Edge AI: Apple Watch almost single-handedly dominates the smartwatch market
- Julia Garner stars in Apple's new true-crime thriller
- Epic dispute: Apple wants to pause the App Store process
- Home AI in iOS 27 requires the 2TB iCloud+ plan
- Apple asks via a popup before AI data is sent to Google
- Siri AI arrives on the Apple Watch with watchOS 27 Beta 3
- iOS 27 Beta 3: Development enters the next phase
- iOS 26.6 Beta 4: The testing phase continues




