The Silent Invasion
How the European Union built the most comprehensive surveillance infrastructure in peacetime history - and sold it as child protection.
The European Union has constructed an integrated surveillance infrastructure connecting biometric databases, message scanning, and travel tracking - all justified by the emotionally compelling argument of protecting children. Our investigation reveals how the “need” was manufactured, the decision was coordinated, and the data proves the justification is hollow. 48% of alerts aren’t crimes. 40% of investigations target minors. This is what they’re not telling you.
The Infrastructure: Six Systems, One Hub
The EU’s surveillance architecture connects six major systems through eu-LISA, the European Union Agency for the Operational Management of Large-Scale IT Systems, based in Warsaw, Poland. With a staff expanding from 2,523 in 2024 to a projected 10,000, eu-LISA operates the digital backbone of Europe’s border and security infrastructure (eulisa.europa.eu). This centralized management means all data flows through a single agency, creating unprecedented interoperability between systems that were once siloed.
1. Entry/Exit System (EES)
Operational since 10 April 2026, EES records the entry and exit of third-country nationals at EU borders, collecting biometric data including fingerprints and facial recognition (EES). Every crossing is logged, creating a comprehensive travel history for 447 million EU citizens and millions of annual visitors.
Technical specifications:
Central database operated by eu-LISA
Replaced traditional passport stamps entirely
Collects: name, date of birth, fingerprints, facial biometrics, locations and times of every border crossing
Scope: All third-country nationals entering/exiting Schengen Area (29 countries)
The system has faced significant problems since launch, with passengers facing up to 5-hour wait times at border crossing points and airlines calling for implementation suspension (eu-LISA).
2. European Travel Information and Authorisation System (ETIAS)
Launching in Q4 2026, ETIAS will require all visa-exempt travelers to obtain pre-travel authorization for €20 (ETIAS). Applicants will undergo background checks against SIS II and other databases before arrival.
Technical specifications:
Pre-travel authorisation for visa-exempt visitors to Schengen Area (30 countries)
€20 fee for adults 18-70, valid for 3 years or until passport expiry
Collects: personal details, travel history, background checks
Data shared with Europol and SIS II
Privacy concerns include pre-crime profiling potential and data retention over multiple years. The system mirrors the US ESTA and UK ETA programs (ETIAS).
3. Schengen Information System (SIS II)
As of end 2025, SIS II holds 94.6 million total entries: 92.6 million alerts about objects (mostly lost/stolen ID documents) and 2.0 million alerts about persons. The system processed 17 billion searches in 2025, yielding approximately 365,000 positive hits (SIS II).
Technical specifications:
Alerts for: persons wanted for arrest, missing persons, persons to be refused entry
Objects: vehicles, weapons, identity documents
Biometric data: fingerprints, photographs
European Arrest Warrants system
Participating nations: 31 countries (27 EU + 4 EFTA: Iceland, Liechtenstein, Norway, Switzerland)
4. Eurodac
Eurodac maintains fingerprints of asylum seekers and irregular migrants across the EU, creating a centralized database for comparing migration patterns (Eurodac). The system enables cross-border identification of asylum applicants and facilitates the Dublin Regulation determining which member state is responsible for examining an asylum claim.
Technical specifications:
Fingerprint database for asylum seekers and irregular migrants
Biometric comparison across all EU member states
Facilitates Dublin Regulation compliance
Data shared with law enforcement upon request
5. Visa Information System (VIS)
The VIS holds 70 million visa records with biometric data, allowing consulates and border authorities to verify identities and share visa information (VIS). The system prevents visa shopping and facilitates identification of visa applicants.
Technical specifications:
70 million+ visa records with biometric data
Biometric verification at consulates and borders
Prevents fraudulent visa applications
Enables cross-border identity verification
6. Chat Control
Chat Control 1.0 was re-adopted in July 2026, creating a legal framework for mass scanning of private communications until April 2028 (HowTheyVote vote tracker). Chat Control 2.0 (formally the CSAR - Regulation to Prevent and Combat Child Sexual Abuse) remains in trilogue negotiations, proposing permanent detection orders with 24-hour content removal requirements.
The eu-LISA Interconnection: One Hub to Rule Them All
What makes this infrastructure unprecedented is the interconnection through eu-LISA. The agency operates as the central nervous system connecting:
EES → shares entry/exit data with SIS II for person alerts
ETIAS → queries SIS II, VIS, and Eurodac for pre-travel screening
VIS → shares visa data with SIS II for border control
Eurodac → shares migration data with SIS II for wanted persons
Chat Control → will connect to Europol’s CSAM databases
This creates a closed-loop surveillance system where data from one system feeds into others. A person’s travel history (EES), visa applications (VIS), asylum claims (Eurodac), and communications (Chat Control) can all be correlated through eu-LISA’s centralized architecture. The budget for eu-LISA operations continues to expand, reflecting the EU’s commitment to this integrated infrastructure (eu-LISA).
Chat Control 2.0 vs 1.0: What’s New
The distinction between Chat Control 1.0 and 2.0 is critical for understanding the long-term trajectory of EU surveillance policy. While 1.0 was presented as a temporary measure, 2.0 proposes permanent infrastructure (Full Surveillance Architecture).
The European Parliament’s own research admitted: “no reliable method to detect unknown abuse material without high error rates” (Parliament Research). Yet Chat Control 2.0 would mandate exactly this - forcing platforms to implement detection technology that does not exist in reliable form.
The encryption problem remains fundamentally unsolved. Client-side scanning (CSS) would break end-to-end encryption fundamentally, as any mechanism that can detect abuse material can also be expanded to detect other content. The July 2026 amendment to Chat Control 1.0 explicitly excludes end-to-end encrypted messages (Wired), but Chat Control 2.0 negotiations continue to pressure for circumvention methods.
The Data That Destroys The Justification
German Federal Criminal Police (BKA) data reveals that of 205,728 CSAM alerts received in 2024, only 106,353 were criminally relevant under German law. This means 48% of all alerts are not crimes. Additionally, nearly 40% of suspects in youth pornography cases were minors themselves (BKA Bundeslagebild 2024).
The law supposedly designed to protect children is instead criminalizing them. This data, confirmed through multiple sources including Netzpolitik.org (Netzpolitik.org, June 2024), undermines the entire justification for mass surveillance.
As German Digital Minister Volker Wissing (FDP) stated: “The data shows that detection systems are creating massive numbers of false leads that waste resources and harm the very children they’re meant to protect” (Bertelsmann Foundation).
The Statistics Game
INHOPE, the Association of Internet Hotline Providers, reported a 218% increase in CSAM reports from 2023 to 2024, with nearly 2.5 million suspected CSAM records processed in their ICCAM system (INHOPE news). However, 65% were classified as illegal content, leaving 35% that were not illegal material.
The increase in reports is being used to justify more surveillance, but the German data shows the system is not working as intended. More scanning does not mean more effective enforcement - it means more false leads.
Who Made It Happen
Ylva Johansson: The Political Driver
European Commissioner for Home Affairs Ylva Johansson was the primary political force pushing Chat Control. Her meetings with US tech companies began before any legislation existed, and she reportedly delivered an ultimatum: “I will propose to make it mandatory so you better shape up and start realising this is going to happen” (EDRi).
Between 2020 and 2024, Johansson held meetings with “almost a dozen US-based tech companies” to pressure them into supporting mandatory scanning (Corporate Europe Observatory). Her department, DG Migration and Home Affairs (DG HOME), drafted the legislation formally known as the CSA Regulation.
The Commissioner’s claims about detection accuracy proved controversial. Johansson claimed CSAM scanning tools achieved 99.99% accuracy, but the European Commission admitted through Freedom of Information requests that these figures were “supplier claims taken at face value” and had never been independently tested or verified (EDRi).
Critically, Johansson rejected meetings with civil society organization EDRi three times while “frequently meeting with big tech companies and child protection groups” (EDRi). This pattern of engagement only with industry and pro-scanning NGOs raised questions about whose interests were being prioritized.
Roberta Metsola: The Procedural Stunt
Parliament President Roberta Metsola, an EPP member from Malta, executed an unprecedented procedural maneuver in June 2026 that critics called “without precedent” and a “power grab.”
Here is what happened: In March 2026, the European Parliament had voted against extending the temporary Chat Control derogation (Regulation 2021/1232), causing it to expire on April 3, 2026 (Euronews). The matter appeared settled.
Then, in June 2026, Metsola personally wrote to EU member states in the Council asking them to approve a bill that her own Parliament had already rejected. According to Politico, this was described as “overriding her own Parliament” by diplomats (Politico, June 2026).
The timing was deliberate: the re-vote was scheduled for July 9, the last day before Parliament’s summer recess, when many MEPs had already left Strasbourg. This made reaching the required 361 absolute majority nearly impossible.
German MEP Martin Sonneborn attempted to intervene, shouting: “Madam President... declare the urgent motion inadmissible. After all, we’re not in Malta here!” - a reference to concerns about political standards in Metsola’s home country - before his microphone was cut after 60 seconds (Euronews).
Cypriot MEP Fidias Panayiotou bluntly asked: “What kind of democracy is this if we’re forced to vote on the same issue over and over until they get the result they want?” Strategic Culture Foundation
The EPP Coordination: Manfred Weber’s Role
The European People’s Party (EPP), as the largest political group in Parliament, orchestrated the procedural maneuver. EPP Group Leader Manfred Weber actively pushed for the urgent procedure vote to bypass normal democratic scrutiny (Corporate Europe Observatory).
The EPP leads all three EU institutions: Commission President Ursula von der Leyen, European Council President Antonio Costa, and Parliament President Roberta Metsola. This concentration of power allowed the group to coordinate across institutions to revive the legislation despite Parliament’s earlier rejection.
According to Strategic Culture Foundation reporting, “most [parliamentary group] leaders revealed they were never even informed of the undemocratic ploy in the background. Except for Metsola’s own EPP, of course, the group leading all three EU institutions and the biggest supporters of Chat Control” Strategic Culture Foundation.
Thorn: The Company That Writes Its Own Regulations
Thorn occupies a unique and troubling position in the Chat Control story: the company that profits from the legislation was intimately involved in drafting it.
Who Is Thorn?
Thorn was founded in 2009 by Hollywood actor Ashton Kutcher and his then-wife Demi Moore, with the stated mission of “defending children from online child sexual abuse” (LobbyFacts.eu). The company builds technology to help platforms detect and report CSAM, positioning itself as an essential partner in the fight against child abuse.
But Thorn is not a nonprofit advocacy organization. It is a company with commercial interests in the expansion of mandatory detection legislation. Every new law requiring platforms to scan messages creates guaranteed market demand for Thorn’s products.
The 8 Documented Meetings
According to the EU Lobby Register (LobbyFacts.eu), Thorn has held at least 8 high-level meetings with European Commission officials during the period when Chat Control legislation was being drafted (LobbyFacts.eu):
November 2020 - President Ursula von der Leyen (video conference with Thorn co-founder)
October 2021 - Commissioner Thierry Breton (Internal Market)
September 2021 - Commissioner Margrethe Vestager (Digital)
March 2022 - Vice-President Margaritis Schinas
March 2023 - Commissioner Ylva Johansson (Home Affairs)
September 2025 - Commissioner Magnus Brunner
This represents extraordinary access for a company whose business model depends on the legislation being discussed.
The Financial Interests
Thorn’s lobbying spending in Brussels is substantial:
Direct EU lobbying: €200,000-€299,000 in 2024
Through FGS Global (intermediary): an additional €600,000-€700,000
Total 2024: approximately €800,000-€1,000,000
This figure is documented in the EU Transparency Register (EU Transparency Register).
The Revolving Door: Cathal Delaney
The most damning evidence of Thorn’s influence came in March 2025, when EU Ombudsman Emily O’Reilly ruled on a “revolving door” case that revealed the depths of the conflict.
Who is Cathal Delaney? An Irish official who worked at Europol on AI-based CSAM detection systems. At the end of 2021, Delaney left Europol and joined Thorn - with no restrictions placed on his move (EU Ombudsman).
The EU Ombudsman ruled this constituted “maladministration” - Europol had allowed a senior official to move directly to a company he had been actively helping to regulate, without any cooling-off period or conflict-of-interest restrictions (Heise.de).
Even more troubling: Delaney attended a Europol meeting with his former colleagues to present Thorn products while the Chat Control legislation was being debated (Patrick Breyer). This allowed Thorn to effectively lobby Europol from the inside.
EU Ombudsman Ruling (March 2025): “There was maladministration” in how Europol handled Cathal Delaney’s transition to Thorn. The Commission also refused to release 4 documents relating to meetings with Thorn during the drafting of Chat Control legislation, which the Ombudsman criticized as improper secrecy (EU Ombudsman decisions).
The Balkan Insight Investigation
The Balkan Investigative Reporting Network (Balkan Insight) published an explosive investigation in September 2023 revealing the extent of Thorn’s influence (Balkan Insight).
The investigation revealed that Commissioner Ylva Johansson wrote directly to Thorn executive director Julie Cordua:
“We have shared many moments on the journey to this proposal. Now I am looking to you to help make sure that this launch is a successful one.”
This email was followed by the Commissioner’s May 2022 proposal for the CSA Regulation - the permanent Chat Control law (Fortune Europe).
Conflict of Interest: The Core Problem
This creates an unmistakable conflict of interest: Thorn helps write the law that creates guaranteed market demand for their detection products. The company that profits from mandatory scanning was involved in drafting the scanning requirements.
As the EU Ombudsman ruling confirms, this is not mere coincidence or legitimate industry input - it represents a breakdown in the firewall between regulation and the regulated industry.
The Revolving Door Problem: When Regulators Become Regulated
The Chat Control debate has exposed a fundamental flaw in EU governance: the revolving door between regulatory agencies and the companies they regulate. This is not abstract - it directly shaped the legislation.
The Delaney Case: Europol to Thorn
The most documented case involves Cathal Delaney, an Irish official who worked in Europol’s Serious and Organised Crime Threat Assessment (SOCTA) unit, focusing on AI-based CSAM detection systems.
In late 2021, Delaney left Europol and joined Thorn - the same detection company whose products would be mandated by the Chat Control regulation he had helped develop. Europol placed no restrictions on this move.
The EU Ombudsman’s investigation revealed that Delaney:
Was registered as a lobbyist in the German Bundestag while still employed at Europol
Attended a Europol meeting with former colleagues to present Thorn products during the Chat Control debate
Was allowed to transition without any cooling-off period or post-employment restrictions
In March 2025, EU Ombudsman Emily O’Reilly ruled this constituted “maladministration” - a finding of significant governance failure (EU Ombudsman).
Commissioner Johansson: Industry Ties
Commissioner Ylva Johansson’s own background raises questions about industry neutrality. Before joining the Commission, she held ministerial positions in Sweden, including as Minister for Employment and Integration, and had previous corporate roles at Telia, the Swedish telecommunications giant.
While this previous employment is not unusual for EU Commissioners, her aggressive push for legislation that benefits detection companies - while rejecting meetings with independent civil society - created an appearance of captured regulation.
The Commission Secrecy Problem
The EU Ombudsman also criticized the European Commission for refusing to release four documents relating to meetings with Thorn during the drafting of Chat Control legislation (Heise.de).
The Commission claimed Thorn only provided “specialist knowledge,” but the Ombudsman’s investigation revealed discussions also covered “business strategy for using Thorn products (Safer)” - a clear indication that commercial interests were being discussed in meetings meant to inform public legislation.
The Pattern: What This Tells Us
The revolving door problem in Chat Control is not an isolated incident - it represents a systematic failure to separate the regulated from the regulator:
Europol develops detection standards - officials move to companies selling detection technology - companies help write the regulation that mandates their products
Commission proposes legislation - meets repeatedly with affected companies - refuses to release meeting records
Child protection NGOs coalition - includes a commercial vendor (Thorn) - vendor supplies the “evidence” supporting mandatory scanning
This is why accuracy claims went unverified. This is why the “need” was manufactured. This is why the Parliament vote was circumvented. The entire process was captured by actors with financial interests in the outcome.
What Needs to Change: The EU needs mandatory cooling-off periods for officials moving between regulatory agencies and the companies they regulate. Meeting records with lobbyists must be automatically published. And companies with financial interests in legislation should be prohibited from helping draft that legislation - no matter how noble the stated mission.
The Vote That Should Have Killed It
On July 9, 2026, the European Parliament voted on Chat Control 1.0:
276 MEPs voted FOR rejecting (to block reinstatement)
314 MEPs voted AGAINST rejecting (to allow reinstatement)
17 abstentions
More MEPs wanted to kill Chat Control than keep it. But the motion failed because stopping it required an absolute majority of 361 votes (HowTheyVote).
This was achieved through a procedural trick: Parliament President Metsola reopened the file during summer recess when many MEPs had left Strasbourg, making it impossible to reach the 361 threshold.
The fact that Chat Control is moving forward against the will of the majority of voting MEPs is a farce and damages democracy. The procedure used was without precedent.- Patrick Breyer, Former MEP (patrick-breyer.de)
What Supporters Say
For balance, it’s important to note what Chat Control supporters argue:
Proponents argue that CSAM is a genuine problem requiring technological solutions. The 218% increase in reports, they say, demonstrates the scale of the issue. They contend that voluntary detection by tech companies was insufficient and that a legal framework was needed.
Supporters also argue that the regulation includes safeguards: detection is limited to known CSAM hashes for first offenses, and judges must approve detection orders for suspects. They note that the July 2026 amendment explicitly excludes end-to-end encrypted messages.
Government position from supporting member states (France, Italy, Spain, Belgium) is that the regulation balances child protection with privacy, and that the 48% false positive rate is still better than no detection at all.
However, as this investigation shows, the 40% of investigations targeting minors themselves - the very children the law claims to protect - undermines this argument. The infrastructure built cannot be easily undone.
Technical Reality: Detection Methods Deep-Dive
Understanding what detection technology can and cannot do is essential for evaluating Chat Control’s effectiveness. Two primary technologies are central to the debate: hash-based matching and AI-based detection.
Hash-Based Detection: PhotoDNA and Neural Hashing
Microsoft PhotoDNA is the primary hash-based detection technology. The process works as follows:
Image hashing: Convert image to unique numerical signature (hash)
Hash matching: Compare against database of known CSAM hashes
Local processing: Hash generated on device, original image never leaves
Technical details:
Perceptual hash - images resized and processed to create signature
Robust to image modifications (resizing, compression, cropping)
One-way function - cannot recreate image from hash
Known CSAM detection: >99% accuracy
Novel CSAM detection: Cannot detect new/unknown material
False positives: Very low for hash matching (<0.1%)
The critical limitation: PhotoDNA only works for known CSAM - material already identified and hashed in databases. Every new image of abuse requires human identification before it can be detected (Microsoft PhotoDNA).
AI Detection: Machine Learning Approaches
AI-based detection systems from vendors like Thorn and Hive AI attempt to identify novel (previously unknown) CSAM through machine learning classification:
Training: Models trained on datasets of known CSAM
Classification: Analyze image features to determine if CSAM
Confidence scoring: Output probability scores
Vendor-reported capabilities:
Detect novel (previously unknown) CSAM
Identify grooming patterns in text
Detect AI-generated sexual content
The Accuracy Reality: Vendor Claims vs. Real-World Data
However, these laboratory figures collapse in real-world deployment. The German BKA data reveals that of 205,728 CSAM alerts received in 2024, only 106,353 were criminally relevant - meaning 48% of all alerts were not crimes (BKA Bundeslagebild 2024).
The Base Rate Problem: Why Accuracy Statistics Lie
The European Parliament’s impact assessment highlighted the critical “base rate problem”:
CSAM is rare compared to total content scanned. Even with 99% accuracy, most “detections” will be false positives. Example: If 0.1% of content is CSAM, 99% accuracy = 10 false positives per true positive.- European Parliament Study (2023)
From Ireland’s data: 852 of 4,192 reports (20.3%) were confirmed as actual exploitation, while 471 (11.2%) were false positives (INHOPE). The system produces more noise than signal.
Consequences of False Positives
The real-world consequences of false positives are severe:
Innocent users flagged to law enforcement
Trauma for wrongly accused individuals
Resource waste for police investigations
Chilling effect on legitimate content sharing
40% of investigations target minors themselves - the very children the law claims to protect (BKA)
What Cannot Be Detected
Even with advanced technology, fundamental gaps remain:
Never-before-seen CSAM (without AI, limited accuracy)
Grooming in all contexts
Live streaming of abuse
Recreated images from hashes
Content hidden via steganography
Novel AI-generated CSAM (evades hash databases)
As the European Parliament Study (2023) concluded:
There aren’t currently any technological solutions that can detect child sexual abuse material, without resulting in a high error rate which would affect all messages, files and data in a particular platform.- European Parliament Study
The Encryption Exemption
In July 2026, MEPs passed an amendment to explicitly exclude end-to-end encrypted communications from Chat Control 1.0 requirements. The vote was 369 in favor (Wired).
This raises the question: if encrypted messages cannot be scanned, what exactly is being scanned? The regulation creates infrastructure that could be expanded once the legal basis for encryption is challenged.
The Pattern: Sequential Erosion
The EU has followed a consistent pattern documented by privacy advocates:
2017: “Migration crisis” → EES border tracking
2020: “COVID-19” → Expanded health tracking
2021: “CSAM” → Chat Control 1.0
2026: “Gap in protection” → Chat Control re-authorized
Future: “Terrorism/crime” → More of the same
That’s the same approach to normalising the erosion of privacy that we’ve seen before - first with financial privacy, then travellers’ data, now our communications: a sweeping power justified by an urgent-sounding purpose, then quietly normalised.- Lyudmyla Kozlovska, President, Open Dialogue Foundation
Each time, a crisis justifies infrastructure expansion. The infrastructure persists after the crisis is forgotten.
The Tech Lobbying Machine: €151 Million and Growing
The tech industry’s lobbying presence in Brussels is massive - and growing rapidly. According to Corporate Europe Observatory research from October 2025, tech companies now spend €151 million annually on EU lobbying, a 33% increase from €113 million in 2023 (Corporate Europe Observatory).
Who’s Spending What
Meta: €10 million annually
Microsoft: €7 million annually
Apple: €7 million annually
Google/Alphabet: €6-7 million annually
Amazon: €5 million annually
Qualcomm: €4 million annually
Perhaps most striking: there are now more tech lobbyists in Brussels than MEPs in the European Parliament. This creates an enormous asymmetry between industry access and democratic representation.
The Detection Industry Coalition: ECLAG
Beyond Big Tech, a coalition of child protection NGOs has actively supported Chat Control. The ECLAG (European Child Sexual Abuse Legislation Advocacy Group) was formed in April 2022 and now includes more than 60 organisations (Child Safety in Europe).
Notably, ECLAG’s steering group includes Thorn itself - the only technology company included alongside NGOs. This unusual arrangement places a commercial vendor in the same coalition as organizations it supplies with “evidence” for why mandatory scanning is necessary.
In March 2024, ECLAG hosted a high-profile event in Brussels featuring Ashton Kutcher as keynote speaker, using his celebrity status to push for the legislation (Corporate Europe Observatory).
Important context: Many child protection NGOs genuinely believe mandatory scanning is necessary. The conflict of interest lies specifically with Thorn’s dual role as both (1) a vendor selling detection technology and (2) an advocate influencing the legislation that creates demand for its products.
International Comparison: A Global Surveillance Trend
Chat Control is not an isolated EU phenomenon - it is part of a global trend toward mandated content scanning, with the UK, US, and Australia leading parallel approaches.
The United Kingdom: Online Safety Act 2023
The UK’s Online Safety Act 2023 received Royal Assent on 26 October 2023 and came into force in 2024. It establishes a comprehensive regulatory regime overseen by Ofcom.
Section 121 is the centrepiece - it grants Ofcom the power to issue notices requiring providers to:
Use accredited technology to identify terrorism content communicated publicly and take it down
Use accredited technology to identify CSEA content (whether communicated publicly or privately) and take it down
Use best endeavours to develop or source technology that achieves detection of CSEA content
Critical distinction: The Act explicitly mandates scanning of CSEA content in private communications - this is direct interference with encrypted messaging (UK Legislation).
The Encryption Problem in UK Law
The UK Act creates a fundamental tension with end-to-end encryption (E2EE):
Section 121(2)(a)(iii)-(iv) mandates scanning of CSEA content communicated “privately”
To scan private content, services would need client-side scanning or encryption compromise
The Act does not explicitly exempt E2EE services
Services like WhatsApp or Signal could theoretically be required to implement scanning
Enforcement Powers
Ofcom’s enforcement powers include:
Penalties up to £18 million or 10% of global annual revenue (whichever is higher)
Daily penalty rates for continuing non-compliance
Service restriction orders that can block entire services in the UK
Criminal offences for failure to comply
The United States: EARN IT Act
The US EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act) takes a different approach - targeting encryption itself:
Creates a national commission to develop best practices for child safety
Platforms that don’t follow these practices lose Section 230 liability protections
Effectively threatens encryption via liability for platforms that don’t comply (US Congress)
Would make platforms legally liable for user content they host
Unlike the EU’s detection mandate approach, the EARN IT Act uses the liability framework to pressure platforms into abandoning end-to-end encryption.
Australia: Online Safety Act 2021
Australia’s approach uses a regulatory codes model with severe penalties:
eSafety Commissioner has power to issue removal notices
Non-compliance can result in significant fines
Adult content age verification requirements (eSafety Commissioner)
Basic Online Safety Expectations (BOSE) framework
Comparative Analysis: Which is More Invasive?
The Five Eyes Connection
The Five Eyes intelligence alliance (UK, USA, Canada, Australia, New Zealand) has historically shared signals intelligence and cooperated on child protection issues. This creates potential for:
Cross-border data requests: Ofcom could share information with counterpart agencies
Technology standards coordination: Potential alignment of detection technology across Five Eyes
De facto global standards: Global services complying with UK requirements would create global surveillance infrastructure
Section 115-117 of the UK Act address information disclosure to overseas regulators, and Section 116 allows disclosure of “intelligence service information” - creating legal pathways for extending surveillance beyond UK borders (UK Legislation).
Verdict: UK is More Directly Invasive
The UK Online Safety Act represents a more direct and immediate threat to encryption and privacy than EU Chat Control for these reasons:
Explicit private communication scanning: Section 121(2)(a)(iii)-(iv) explicitly requires scanning of CSEA content communicated “privately”
Political rather than judicial oversight: Secretary of State sets technology standards, not a court
Business disruption powers: Ofcom can restrict access to entire services
Active implementation: UK Act is being implemented now, while EU proposal remains contested
No encryption carve-out: Unlike EU Chat Control 1.0, the UK Act does not include a specific exemption for E2EE
However, the EU debate has influenced global understanding of the encryption-privacy-security trilemma. The UK implementation will be watched closely internationally, as global services face the choice of implementing scanning or losing access to one of the world’s largest markets.
This global trend - from Brussels to London to Washington to Canberra - represents a coordinated effort to normalize mass surveillance of communications, justified by the emotionally compelling argument of protecting children. The technical reality, as the data shows, is that these systems produce far more false positives than true detections, and the infrastructure built today cannot be easily undone.
This is not just an EU phenomenon - it is a global trend toward surveillance infrastructure justified by child protection.
The Legal Vulnerability
The Chat Control regulation contains a remarkable admission: “the lawfulness and proportionality of such detection methods remains uncertain under the GDPR” (EDRi).
No CJEU cases have been brought yet, but the European Data Protection Board warned in 2022 that the proposal enables “generalized and indiscriminate scanning” that violates GDPR principles (EDRi statement).
If challenged, there is a strong case the regulation violates Article 7 (right to privacy) and Article 8 (data protection) of the EU Charter.
A Chronology of Surveillance: The Chat Control Timeline 2017-2026
The EU’s journey toward mandatory message scanning began not in 2020, but earlier with foundational legislation that set the stage for what would become the most ambitious surveillance proposal in peacetime Europe. Understanding this timeline reveals how each step built toward the next, creating an incremental path toward mass surveillance of private communications.
The Precedent Years: 2017-2019
In 2017, the European Commission began laying groundwork for expanded online security measures. The discussion initially focused on combating disinformation and terrorist content, but child sexual abuse material (CSAM) emerged as a powerful emotional lever. By 2018, the Commission had begun exploratory talks with tech companies about voluntary detection measures, establishing the precedent that platforms could proactively scan user content.
2019 marked a critical turning point. The European Electronic Communications Code (EECC) was finalized, expanding the scope of electronic communications regulation to cover “number-independent interpersonal communications services” (NI-ICS) including WhatsApp, Facebook Messenger, and similar services. This seemingly technical legislation broughtchat apps under the strict ePrivacy rules that traditionally protected the confidentiality of letters and phone calls.
2020: The Crisis Narrative Takes Shape
July 2020 saw the Commission formally adopt its strategy for fighting CSAM, establishing the policy basis for what would become Chat Control. The choice of child protection as the justification proved strategically brilliant: it was almost impossible to argue against without appearing to condone abuse. In September 2020, the Commission proposed the temporary derogation from the ePrivacy Directive that would become known as “Chat Control 1.0” - allowing platforms to continue voluntary detection practices that might otherwise violate privacy laws.
October 2020 brought Council agreement on its negotiation mandate, with member states’ deputy ambassadors agreeing on a position that would eventually lead to the Regulation’s adoption.
2021-2022: The Interim Period
April 2021 saw Council and Parliament reach provisional agreement on the interim regulation, adopted as Regulation (EU) 2021/1232 on 14 July 2021. The regulation entered into force on 2 August 2021, originally set to expire on 3 August 2024. Parliament secured important privacy-preserving points including the exclusion of audio communications, mandatory data protection impact assessments, and compulsory human review before submitting reports. However, critics noted the agreement allowed systematic scanning of text messages and contained no maximum error rates for algorithms.
May 2022 brought the Commission’s proposal for permanent rules - the Chat Control 2.0 or CSAR (Child Sexual Abuse Regulation). This ambitious proposal included mandatory risk assessments for platforms, detection orders with judicial oversight, 24-hour removal orders, blocking orders, app-store controls with age verification, and the creation of an EU Centre on Child Sexual Abuse.
2023-2024: The Political Battle Intensifies
November 2023 proved to be a landmark moment. The European Parliament voted 311-228 to reject mandatory scanning of encrypted messages, a decisive victory for privacy advocates. However, this was not the final word. February 2024 saw a provisional agreement to extend the interim regulation until 3 April 2026, and by April 2024, both Parliament and Council had approved this extension.
February 2024 also brought an important legal development: the ECHR ruled that requiring degraded end-to-end encryption “cannot be regarded as necessary in a democratic society” - a legal precedent that would inform the ongoing debate.
2025-2026: The Procedural Wars
October 2025 marked a critical shift: Germany announced it would vote against the proposal, representing the largest member state’s explicit opposition. In November 2025, the Council adopted its position, maintaining the “voluntary” scanning framework, age-verification mandates, and broad “risk mitigation” obligations while dropping the mandatory scanning requirement.
March 2026 saw MEPs reject extending Chat Control 1.0, but subsequent talks failed to sustain this rejection. On 3 April 2026, the original derogation expired - briefly ending the legal framework for voluntary detection. Then came the dramatic reversal in late June 2026 when European Parliament President Roberta Metsola intervened, reopening the file and sending it back to Council, warning that the expired rules left “a dangerous gap in online child protection.”
The timing was strategic: early July 2026, during vacation season, when securing a necessary majority to dismiss the proposal would be difficult. The first vote achieved a simple majority supporting rejection (314-276-17) but failed to reach the absolute majority of 360 needed to reject the amended position. The second vote resulted in 276 in favor, 286 against, and 30 abstentions - closing the second reading and effectively re-authorizing Chat Control 1.0 through procedural mechanics.
The September 2026 Deadline
September 2026 represents the next major deadline for Chat Control 2.0 - the permanent legislation. The real fight over permanent rules continues, with trilogue negotiations ongoing between Parliament, Council, and Commission. A political deal is targeted for late 2026.
Legal Challenges and the GDPR Contradiction
The Chat Control proposal exists in a state of permanent legal uncertainty. The regulation itself contains a remarkable admission: “the lawfulness and proportionality of such detection methods remains uncertain under the GDPR” - an extraordinary acknowledgment from the EU’s own executive body that the core mechanism may be unlawful.
The CJEU Question
As of July 2026, no direct legal challenge has been brought to the EU Court of Justice specifically targeting Chat Control 1.0 or Chat Control 2.0. However, this does not mean the proposal is legally secure. Several factors explain the absence of litigation:
Timing: The CSAR remains in trilogue negotiation, so no final legislation exists to challenge
Uncertainty: Chat Control 1.0 was a temporary derogation that expired and was renewed through procedural maneuvers
Standing: No platform or civil society group has yet borne the cost of litigation
Related CJEU jurisprudence provides the legal framework for potential future challenges. The landmark case C-511/18 (La Quadrature du Net and Others) established that general and indiscriminate data retention is incompatible with EU fundamental rights. Similarly, the Digital Services Act case saw the ECHR rule that requiring degraded end-to-end encryption “cannot be regarded as necessary in a democratic society.”
The EDPB Opinions
The European Data Protection Board has issued three formal opinions (2023, 2024, 2025) opposing the CSAR’s detection mandate. The EDPB warned that client-side scanning breaks the security model of end-to-end messaging and enables “generalized and indiscriminate scanning” that violates GDPR principles. The European Data Protection Supervisor has stated that mandatory, indiscriminate scanning of private content would likely breach Articles 7 and 8 of the EU Charter of Fundamental Rights, which guarantee the right to privacy and data protection.
GDPR Contradictions
The Chat Control proposal conflicts with multiple GDPR principles:
Data Minimization (Article 5(1)(c)): Mass scanning collects far more data than necessary - every message is analyzed, not just those with evidence of abuse
Purpose Limitation (Article 5(1)(b)): The specific purpose of combating CSAM does not justify scanning all communications
Storage Limitation (Article 5(1)(e)): The proposal contains no clear data retention limits
Lawful Basis (Article 6): No valid lawful basis exists for blanket scanning of communications without individual suspicion
Integrity and Confidentiality (Article 5(1)(f)): Client-side scanning fundamentally undermines the encryption that protects user data
The European Parliament’s own impact assessment found that AI detection of “unknown” CSAM produces false positive rates as high as 20% - a staggeringly high rate that raises serious questions about the proportionality of the measure.
Council Legal Service Opinion
The Council of the EU’s Legal Service issued a critical opinion questioning the proposal’s compatibility with fundamental rights. Their analysis stated that “the screening of interpersonal communications of all citizens affects the fundamental right to respect for private life” - a significant assessment from the body representing member state governments.
The Path to Litigation
The most likely path to CJEU litigation would involve: (1) CSAR passing into law through trilogue agreement, (2) a platform (Signal and WhatsApp have both stated they would leave the EU rather than comply) or civil society group challenging the law, and (3) national courts referring questions to CJEU under Article 267 TFEU.
Member States Divided: Who Supports and Opposes Chat Control
The EU’s proposed Chat Control regulation has divided member states along predictable lines - between those prioritizing child protection and those emphasizing fundamental rights. This division has made trilogue negotiations particularly contentious.
The Strong Advocates
Germany, despite its strong privacy traditions, has taken an active role in pushing for EU-wide measures. In June 2026, Germany was reportedly pushing for an EU-wide social media ban for children under 13. The German federal government has generally supported the Commission’s approach while seeking to balance it with data protection safeguards.
France has been among the most vocal advocates, consistently arguing that child protection justifies the measure. French officials have framed the debate as a child protection issue rather than a privacy concern.
Belgium played a central role during its EU Council Presidency (January-June 2024), with Belgian diplomats instrumental in bridging differences between member states.
Italy, Spain, Portugal, Greece, and Hungary have also supported the regulation as a necessary tool for law enforcement and child protection.
The PrivacyConcerned Bloc
The Netherlands has emerged as the most vocal critic, with the Dutch Data Protection Authority publicly criticizing the proposal as disproportionate interference with fundamental rights. Dutch authorities have consistently advocated for a more targeted approach limited to cases involving reasonable suspicion.
Austria has expressed significant privacy concerns, emphasizing the need for individually warranted, judicial oversight and protection of end-to-end encryption.
Ireland, home to many major tech companies, has taken a nuanced position, seeking to balance child protection objectives with operational feasibility for industry.
These positions align with the broader coalition analysis: Germany, France, Belgium, Italy, Spain, Portugal, Greece, and Hungary form the strong advocate bloc, while the Netherlands, Austria, Ireland, Luxembourg, Estonia, Latvia, Lithuania, and Malta emphasize privacy concerns.
The October 2025 Turning Point
October 2025 marked a critical shift when Germany announced it would vote against the proposal - representing the largest member state’s explicit opposition. This announcement significantly influenced the Council’s November 2025 position, which dropped mandatory scanning while maintaining the “voluntary” framework.
Beyond Chat Control: Patrick Breyer’s Alternative Vision
Patrick Breyer, the Pirate Party MEP who has been among the most vocal opponents of Chat Control, has proposed a comprehensive alternative approach to child protection that does not require mass surveillance. His five-point plan represents a alternative paradigm - targeting actual predators rather than scanning everyone’s messages.
Point 1: Targeted, Individually Warrants
Breyer’s first principle is that surveillance should be targeted, not mass. Instead of scanning everyone’s messages, law enforcement should obtain individual warrants based on reasonable suspicion - the traditional standard that has governed investigations for centuries. This approach respects the fundamental principle that innocent people’s communications should not be scanned.
Point 2: Address the Actual Problem Vectors
The second point addresses where CSAM actually spreads: not through encrypted messaging apps, but through underground forums, dark web platforms, and peer-to-peer networks. Breyer argues that resources should be directed toward infiltrating these networks rather than building surveillance infrastructure that primarily affects legitimate communication channels.
Point 3: Strengthen International Cooperation
Rather than building EU-centric surveillance, Breyer advocates for improved international cooperation with countries where CSAM production is more prevalent. This includes better legal assistance treaties, joint investigation teams, and information sharing with countries that have demonstrated commitment to child protection.
Point 4: Support Victims, Not Surveillance
The fourth point shifts focus from surveillance to support: funding for victim assistance programs, better mental health resources, and long-term support for survivors. Breyer argues that the emotional appeal of “doing something” often distracts from effective solutions.
Point 5: Address Root Causes
The fifth point addresses the uncomfortable reality that CSAM production involves actual offenders who need to be identified and prosecuted. Rather than building surveillance infrastructure that affects billions of innocent users, resources should focus on identifying producers and distributors of CSAM through traditional investigative techniques enhanced with appropriate technology.
The Voluntary Detection Alternative
Breyer and other critics have noted that the current voluntary detection framework already exists - platforms can and do report CSAM that users voluntarily share. The debate is not about whether any detection occurs, but whether detection should be mandatory and whether it should extend to encrypted communications where users have a reasonable expectation of privacy.
The Trilogue: What Happens Next
As of July 2026, the Chat Control 2.0 regulation is in trilogue negotiation between the European Parliament, the Council of the EU, and the European Commission. These negotiations will determine the final form of the permanent legislation.
Where Each Institution Stands
The Parliament’s Position (November 2023): Blocks mandatory scanning of encrypted messages. Passed with 311-228 vote. This represents the most privacy-protective position.
The Council’s Position (November 2025): Maintains “voluntary” scanning framework, age-verification mandates, and broad “risk mitigation” obligations. Represents a middle ground that keeps detection on the table without making it mandatory.
The Commission’s Position: Originally proposed the most extensive mandatory framework. Now mediates between Parliament and Council positions.
Key Negotiation Flashpoints
End-to-end encryption: Whether encrypted services are in scope or exempt
Mandatory vs. voluntary: Whether detection should be obligatory or optional
Age verification: Requirements for app stores and platforms
Liability framework: Consequences for platforms that fail to detect
Human review: Whether AI-detected content requires human verification before reporting
The RENEW Amendment
The liberal RENEW group has proposed an amendment that would explicitly “exclude communications to which end-to-end encryption is, has been, or will be applied.” Analysts expect the Council to reject this amendment, making the final outcome uncertain.
Timeline for Resolution
A political deal is targeted for late 2026, with the permanent regulation potentially coming into force in 2027 or 2028. However, if no agreement is reached, the temporary derogation (Chat Control 1.0) continues to govern the framework, having been effectively reauthorized through the July 2026 procedural resolution.
The Risk of Inaction
Proponents argue that failure to pass permanent legislation leaves a “dangerous gap” in online child protection. This argument has proven effective, as demonstrated by Roberta Metsola’s intervention in July 2026. However, critics note that the temporary framework never produced compelling evidence of effectiveness, and the permanent proposal may create more problems than it solves.
The Sequential Erosion Pattern: How Surveillance Normalizes
Perhaps the most significant pattern underlying the Chat Control debate is what analysts have termed “sequential erosion” - the gradual normalization of surveillance measures through incremental expansion. This pattern appears consistently across surveillance legislation worldwide.
Stage 1: The Emotional Justification
The first stage establishes the emotional framework that makes opposition difficult. Child protection is perhaps the most powerful justification available - anyone questioning the measure appears to prioritize privacy over children’s safety. This psychological lever creates enormous political pressure to “do something” regardless of effectiveness.
Stage 2: The Temporary Exception
The second stage introduces a “temporary” measure that is explicitly time-limited. This addresses civil society concerns about permanence while establishing the infrastructure and legal framework. The temporary nature creates a natural mechanism for extension - once the infrastructure exists, the argument becomes that removing it would create a “dangerous gap.”
Stage 3: The Extension and Expansion
The third stage involves extending the temporary measure while gradually expanding its scope. Chat Control 1.0 was extended from 2024 to 2026, and discussions have progressively expanded from “known CSAM” detection to “unknown CSAM” detection to age verification to broader content categories.
Stage 4: The Permanent Framework
The fourth stage converts the temporary exception into permanent legislation. By this point, the infrastructure exists, the legal arguments have been made, and the political narrative has been established. Opposition becomes increasingly difficult as the measure becomes “normal.”
Stage 5: The Expansion Begins
The fifth stage - which the UK Online Safety Act demonstrates - involves expanding the surveillance framework beyond its original scope. What was justified for child protection becomes available for terrorism, then for organized crime, then for “disinformation,” and eventually for any category the state deems problematic.
Evidence of Sequential Erosion in Chat Control
The Chat Control timeline demonstrates each stage:
Stage 1: 2020 Commission strategy emphasized CSAM as emotional justification
Stage 2: 2021 Regulation was explicitly temporary, expiring 2024
Stage 3: Extended to 2026, scope expanded to include “unknown” CSAM detection
Stage 4: CSAR proposed as permanent framework
Stage 5: Age verification requirements expand to broader population
The procedural maneuvers of July 2026 - where Chat Control 1.0 was effectively reauthorized through procedural mechanics rather than democratic debate - demonstrate how difficult it has become to reverse course even when Parliament explicitly rejected extension.
Why This Pattern Matters
The sequential erosion pattern explains why civil society organizations have been so adamant about stopping Chat Control at its current stage. Each incremental step makes the next step easier, and the infrastructure built for one purpose creates capabilities for others. As the UK experience shows, what begins as child protection becomes a framework for restricting free speech, limiting encryption, and building comprehensive state surveillance capability.
The question is not whether Chat Control will pass - it is whether European citizens will accept the normalization of mass surveillance as the cost of child protection, or whether they will demand alternatives that target actual predators without sacrificing the privacy that underpins democratic society.
Sources
BKA Bundeslagebild 2024 - German Federal Criminal Police Office annual report on sexual offenses against children
Netzpolitik.org - “Chat Control: Number of False Suspects Has Risen Sharply” (June 2024)
HowTheyVote - European Parliament vote tracker for Chat Control July 9, 2026
eu-LISA - European Union Agency for the Operational Management of Large-Scale IT Systems
Corporate Europe Observatory - Tech lobbying in Brussels report
LobbyFacts.eu - Thorn EU lobbying meetings database
EU Transparency Register - Thorn registration
EU Ombudsman - Decisions and complaints database
INHOPE - CSAM statistics 2024 (218% increase)
EDRi - European Digital Rights advocacy group
Patrick Breyer - Pirate Party MEP, 5-point action plan for real child protection
Euronews - Chat Control passed through parliamentary procedure
Wired - EU Parliament votes to exclude encrypted messages (July 2026)
UK Legislation - Online Safety Act 2023
Microsoft - PhotoDNA technology information
Politico EU - “President vs Parliament: Metsola overrides MEPs in bid to force through child abuse law” (June 2026)
Strategic Culture Foundation - “Democracy in action: Sidelined EU Parliament unable to stop chat control extension” (July 2026)
Heise.de - “Chat control & Kutcher: Ombudsman criticizes secrecy” (2025)
Heise.de - “EU Ombudsman criticizes flying change from Europol to Thorn” (2025)
Balkan Insight - “Who Benefits Inside the EU’s Fight Over Scanning for Child Sex Content” (September 2023)
Fortune Europe - “Kutcher-founded Thorn lobbied for EU CSAM law” (September 2023)
Patrick Breyer - “EU Ombudsman criticises revolving door between Europol and Thorn” (2025)
State of Surveillance - EU Chat Control tracking
Child Safety in Europe - ECLAG coalition documentation





A thorn in all our lives.
Pegasus already de-encrypts wgatsapp