Chat control EU: child protection vs. data protection | IT-Medienrecht

Explore the planned EU chat control: balancing child protection and data privacy. Understand its impact on messenger services and user rights. Get…

EU Chat Control: Child Protection vs. Data Protection in Messenger Regulation

In May 2022, the EU Commission presented a draft regulation (COM(2022) 209 final) aimed at more effectively combating child sexual abuse on the internet. This initiative, referred to by critics as “chat control,” responds to alarming statistics: at least one in five children are victims of sexual violence, and over a third of young people surveyed in 2021 reported being asked to perform sexual acts online. The Commission identifies an urgent need for action because the digital spread of abusive images is increasing rapidly, and current, purely voluntary measures by companies are proving insufficient. The core objective is to better protect children online, navigating the inherent tension with data protection and users’ fundamental rights.

Content of the Draft Regulation: Scanning Private Communications

The draft regulation proposes extensive obligations for providers of digital services. Specifically, messenger and hosting services—including chat functions within apps or games—would be mandated to scan all private communications and user files for depictions of child abuse. This proposed scanning extends beyond images and videos to include text messages and even audio communications, aiming to detect known CSAM (Child Sexual Abuse Material), new illegal content, and grooming attempts (sexual advances towards children).

A competent authority would be empowered to issue "detection orders," compelling service providers to automatically scan all content on their platforms. This approach seeks to leave no digital stone unturned in the fight against online child abuse.

Technical Mechanisms and Implementation

To capture content within end-to-end encrypted communications, the draft outlines two technical approaches: either directly breaking encryption via server-side access or implementing client-side scanning (CSS) on the user’s device. Client-side scanning means software on a mobile phone or computer would inspect messages and media before encryption or after decryption. This ensures that content is checked locally, regardless of the encryption status during transmission.

Furthermore, the EU Commission proposes establishing a new EU center to facilitate implementation. This center would be responsible for providing testing technologies, maintaining hash databases of known illegal content, and pre-screening suspected cases reported by services before forwarding them to national law enforcement authorities. The draft also mandates the removal of reported content through deletion orders.

A particularly sensitive aspect is the introduction of mandatory age checks. App stores, for example, might be required to verify user ages and restrict access to certain apps for specific age groups. This could effectively lead to a de facto identification requirement for users of many digital services.

Technical and Legal Feasibility Challenges

The technical implementation of these measures is both extremely demanding and highly controversial. End-to-end encryption (E2EE) presents a significant hurdle: if it is bypassed or compromised for scanning, the security of all users would be jeopardized. Even with client-side scanning, the outcome remains similar – private chats would no longer remain truly confidential.

Critics highlight that any weakening of encryption creates security loopholes that criminals could exploit. Major messenger services like Signal have already indicated they would withdraw from the EU market if such obligations were enforced. Furthermore, the recognition software is not infallible; current AI and hashing technologies for content analysis exhibit error rates of up to 12%.

For a global service with billions of users, such as WhatsApp, this error rate could lead to hundreds of millions of innocent individuals being mistakenly targeted. The potential consequences are severe, as their private photos or messages could be erroneously classified as illegal and reported to authorities.

A key question remains whether companies can develop powerful CSS scanners that only detect illegal content without infringing on the privacy of law-abiding users. For instance, Apple’s similar plan in 2021 to scan iCloud photos for CSAM faced massive opposition and was ultimately abandoned in 2022. Additional concerns revolve around law enforcement and supervision.

Ideally, detection orders should be issued solely by courts or independent authorities, and the technologies employed should be "state of the art" and maximally data-efficient. However, the draft severely limits the intervention capacity of data protection authorities, restricting their role to non-binding statements before new scanning technologies are deployed. This raises significant doubts about the practical sufficiency of these proposed protection mechanisms.

Fundamental Rights and GDPR: A Critical Conflict

The proposed measures significantly conflict with European fundamental rights. Specifically, Article 7 of the EU Charter of Fundamental Rights (respect for private and family life) and Article 8 (protection of personal data) are deemed to be at risk. Critics argue that the unprovoked and comprehensive monitoring of private communications, even with the legitimate aim of child protection, exceeds the limits of proportionality.

The Federal Data Protection Commissioner views the draft as disproportionate and contrary to fundamental rights. It effectively constitutes mass surveillance, potentially covering protected communications such as those between lawyers and clients or doctors and patients. Moreover, it would likely violate German telecommunications secrecy (Art. 10 para. 1 GG).

From a data protection perspective, questions arise regarding compatibility with the GDPR. While the regulation aims to establish a specific legal basis for data processing to combat abuse, it could undermine the basic principles of Art. 5 GDPR, such as data minimization and purpose limitation. This occurs if every chat conversation is preventively screened without concrete suspicion, contradicting the existing prohibition on unwarranted communication monitoring.

Such extensive access to messages would also involve processing special categories of personal data (Art. 9 GDPR), including health data, political opinions, or intimate details. The processing of such sensitive information requires strict conditions, and there are strong doubts whether a general scanning obligation meets the "absolutely necessary" standard required by case law for fundamental rights infringements.

In 2022, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) jointly expressed serious doubts about the draft’s compatibility with EU fundamental rights and data protection law. Consequently, the legal conformity of the EU chat control is highly questionable, and its adoption in this form would almost certainly lead to extensive judicial reviews, potentially reaching the ECJ or the Federal Constitutional Court.

Impact on End-to-End Encryption (E2EE)

The future of end-to-end encryption is a central point of contention. This technology has traditionally ensured that only the sender and recipient can read a message’s content, inaccessible to platform operators or authorities. The EU chat control regulation, however, would fundamentally undermine this principle. While the Commission states that encryption itself won't be banned, any scanning obligation necessitates that content must be accessible in plain text, either through client-side inspection or server backdoors.

For users, this would severely erode trust in the confidentiality of their communications. Many perceive this as a dangerous precedent: today CSAM scanning, tomorrow potentially expanding to terrorism, hate speech, or other objectives. Once a surveillance infrastructure is established, it could be susceptible to misuse for broader mass surveillance.

IT security researchers and even intelligence agencies have voiced concerns about the ramifications. For instance, the Dutch domestic intelligence service AIVD has warned against chat control, highlighting the inherent security risks. Companies built on privacy principles are also raising alarms: Signal has declared it would exit the European market if compelled to weaken its encryption.

Other services, including WhatsApp and Threema, hold a similarly critical stance. They argue that strong encryption is vital not just for privacy but also for protecting users from criminals (e.g., hackers, data thieves) and for national security. The regulation presents these companies with a dilemma: compromise their service integrity or face legal repercussions and fines for non-compliance.

Consequently, a heated public debate is ongoing regarding whether child protection can be achieved without weakening encryption, or if a fundamental component of digital security is being sacrificed. This balance between security and child protection remains a complex challenge.

Current Status of Negotiations (2024/2025)

As of early 2025, the legislative initiative remains stalled. The EU Council has not yet reached a consensus, effectively blocking the proposal. Despite urgent calls for action, tough negotiations are underway.

Positions of the European Parliament and Member States

The European Parliament and member states often hold diametrically opposed views. In November 2023, after extensive discussions, the EU Parliament adopted amendments designed to significantly weaken the draft. MEPs, for instance, advocate for the targeted, event-driven use of scan orders, meaning scanning would occur only in cases of specific suspicion rather than across the board. They also proposed entirely excluding audio messages from the regulation's scope.

Essentially, Parliament has positioned itself against mass surveillance without probable cause, demanding that, at most, unencrypted content from identified suspects be scanned. This parliamentary stance directly contradicts the Commission’s initial proposal for a general scanning obligation.

Divisions within the Council of the EU

Within the Council of the EU (member states), no agreement has yet been reached. Several scheduled votes have been postponed or canceled due to a lack of sufficient majority. Notably, Germany clarified in 2024 that it would not approve the draft in its current form.

Federal Minister of the Interior Nancy Faeser explicitly stated that chat control was “not compatible with the liberal constitutional state” and amounted to “nothing more than the mass scanning of private communications without cause.” The German government instead advocated for “targeted and constitutional” solutions for child protection. Germany has thus led a blocking minority within the Council, including Austria, the Netherlands, Poland, Finland, Ireland, and Luxembourg, all of whom share significant data protection concerns.

Conversely, a majority of approximately 16 member states, spearheaded by Spain, France, and Italy, continue to push for mandatory chat controls. These governments contend that a voluntary or merely occasion-based regulation would be an unacceptable regression, failing to achieve the core objective. Spain, for instance, labeled any move towards voluntariness as a “red line,” while Italy warned that services might otherwise “do whatever they want.” For these nations, chat control must be mandatory, and violations must be sanctioned.

Compromise Attempts and Future Outlook

Throughout 2024/25, various EU Council presidencies attempted to forge compromises. Under the Hungarian Presidency, one proposal suggested initially limiting client-side scanning to images, videos, and links, while excluding text and audio. Additionally, users of encrypted services would need to provide prior consent, with refusal resulting in a ban on sending images or links. Yet, these models still faced resistance, as they fundamentally involved screening private chats.

In early 2025, the Polish Council Presidency put forward a proposal to make chat control voluntary rather than mandatory. However, this was also vehemently rejected by 16 member states. To date, no general approach has been agreed upon in the Council, which is a prerequisite for entering the final trialogue with Parliament.

Observers anticipate that negotiations could extend into late 2025 or even 2026. It is also conceivable that a new German federal government (post-2025) might adopt a different stance, potentially breaking the deadlock. Alternatively, a fundamentally revised draft could be reintroduced to address existing criticisms. For now, however, the door remains closed for the EU chat control in its current form.

Obligations for Companies: What Messenger, Cloud & Co. Would Face

Should the regulation be adopted, regardless of its final form, tech companies—including messenger services, social network providers, cloud storage, and even online games with chat functions—would need to prepare for extensive compliance obligations. The current draft outlines several layers of requirements:

Naturally, smaller app developers or start-ups would face significant challenges. However, these obligations, when managed strategically, can also offer a competitive advantage. Early investment in child protection compliance can build trust with users and business partners. For instance, messenger services developing innovative, data protection-compliant solutions for abuse detection could differentiate themselves from less prepared competitors.

Similarly, for gaming platforms, a secure chat environment for children—with robust filtering and moderation—can attract parents and expand the user base. Legally compliant compliance, meaning precise understanding and implementation of legal requirements, thus becomes a quality hallmark, usable for marketing.

Companies proactively cooperating with authorities and presenting transparent protection concepts might also receive preferential treatment or more lenient conditions during detection orders. To seize this opportunity, companies should review and adapt their internal guidelines and technical systems early. In the complex intersection of data protection, IT security, and criminal prosecution, obtaining expert legal advice is highly advisable to maintain compliance while safeguarding user rights.

Controversy: Arguments from Supporters and Opponents

Arguments from Supporters

The debate surrounding EU chat control is highly polarized. Supporters—primarily child protection organizations, domestic politicians, and law enforcement officials—underscore the urgent need for action. Their core argument is: “No perpetrator should be able to evade accountability behind the shield of encryption.” They contend that in light of daily online abuses, the state must employ all available means to protect children.

Proponents argue that voluntary industry reports have been insufficient, and a legal obligation would unequivocally signal that child protection takes precedence over absolute confidentiality. They highlight the "success figures" from existing scans: in 2020, US services like Facebook and Google generated tens of millions of CSAM reports across Europe, leading to thousands of investigations. This level of detection, they insist, must not diminish; instead, the "blind spots" created by encrypted messengers must be eliminated. Many abusive acts now occur in secret, which can no longer be tolerated.

Advocates also emphasize the use of targeted filter technology. The aim, they explain, is not to spy on every private detail but to locate clearly illegal content using technical indicators. They assert that the privacy of innocent citizens remains protected because automated systems, not human officials, search for hashes of known abuse images or typical grooming patterns. Another argument is that children also possess rights, including to protection and physical integrity, which should apply equally in the digital space as data protection rights for adults.

From the supporters' viewpoint, chat control represents a necessary compromise to balance child protection and data protection. Some even suggest that without this regulation, companies might voluntarily reduce their efforts to avoid liability, reverting to a less protective status quo. Finally, it is argued that the regulation incorporates sufficient legal safeguards—such as judicial orders, transparency, and legal remedies—to prevent misuse. The proponents' guiding principle is clear: “We must not turn a blind eye; effective controls save children from exploitation.”

Arguments from Opponents

Conversely, a broad coalition of opponents has emerged, including data protection authorities, the IT industry, civil rights organizations, and academics. They warn that chat control sets a dangerous precedent for mass surveillance in the digital age. Fundamental rights activists argue that such a far-reaching intrusion into citizens' intimate communications is disproportionate and violates the essence of online privacy and freedom of expression. They contend that even a noble goal cannot justify the preventive surveillance of millions of innocent people, a practice more characteristic of authoritarian regimes than liberal democracies.

The term “general suspicion” is frequently invoked, highlighting how every user is effectively treated as a potential perpetrator. Data protectionists point out that current voluntary scanning practices are already legally contentious, as the EU General Data Protection Regulation and ePrivacy Directive generally prohibit the reading of private messages. A statutory extension, they argue, would be a breach of taboo unlikely to withstand judicial scrutiny.

IT security experts, moreover, foresee that mandatory client-side scanning will weaken overall Internet security. They question: “Who can guarantee that these built-in ‘scan backdoors’ won’t be exploited by hackers?” Criminals already employ various methods to evade detection, such as using darknet forums, encrypted niche apps, or disguised communication channels. Consequently, hardcore criminals might simply shift their activities, leaving average citizens subject to surveillance.

Further counter-arguments include false detection and potential misuse. The aforementioned false positives could ensnare innocent individuals in criminal investigations, with their data potentially ending up in an EU register even without an offense. This could ruin livelihoods before errors are rectified. There are also concerns that authoritarian regimes could co-opt the chat control infrastructure for their own purposes, such as spying on political dissidents—a significant risk once the technology is established.

Both the public and experts are debating whether alternative, more efficient approaches exist. These could include enhanced preventive intelligence, increased funding for traditional darknet investigations, or mandatory reporting channels on platforms without scanning all content. Opponents argue that resources would be better allocated to combating organized abuse networks rather than building a surveillance apparatus that is potentially easy to circumvent. Their overarching conclusion is that the regulation overshoots its mark and jeopardizes fundamental freedoms. Real child protection, they believe, must be conceived differently, without sacrificing the principle of privacy. This stance is, as mentioned, shared by several EU member states and the EU Parliament.

Given this intense debate, the ultimate outcome remains uncertain. What is clear, however, is that tech companies must stay informed and prepare proactively. The balance between child protection and data protection will continue to be a pivotal issue for messenger regulation in Europe. It is foreseeable that some form of scanning obligations, or at least stricter requirements, will eventually emerge.

A forward-looking compliance strategy, combined with careful consideration of both legal and ethical dimensions, can help companies navigate this complex area successfully.

Checklist: Preparing for the EU Chat Control

FAQ on EU Chat Control

What exactly is “EU chat control”?

This is the colloquial term for the draft EU regulation designed to prevent child abuse online. The core idea is to mandate online service providers (such as messengers, cloud storage, and social networks) to automatically search for child pornography and cyber-grooming in private messages. Therefore, chat control is not a single tool but a comprehensive regulatory package prescribing scanning technologies and reporting obligations—akin to a digital scanner law for child protection.

Who would be affected by the new obligations?

In principle, almost all services enabling users to share content would be affected. This includes messaging apps (WhatsApp, Signal, Threema, iMessage, Telegram, and in-game chats), email services, forums, and cloud platforms for photo/video sharing. Even smaller app providers would fall under its scope if their applications offer communication functions.

Hosting providers like Dropbox or Google Drive would have to search for illegal files, while communication services would scan for suspicious messages or media. Pure telecommunications providers (internet access, telephony) are not the primary target, but could face web-blocking orders to restrict access to foreign abuse websites.

Should encrypted chats also be scanned?

Yes, this is one of the most contentious aspects. The draft explicitly includes end-to-end encrypted services. Providers such as WhatsApp or Signal would need to develop technical solutions to access content for scanning despite encryption. In practice, this would primarily involve client-side scanning, where chat content is checked before encryption on the sender's device or after decryption on the recipient's device.

The Commission maintains that “encryption is not broken” because messages are still transmitted in encrypted form. However, critics argue that it makes no difference where state-mandated access occurs. Essentially, E2EE messages would no longer be solely a private matter between sender and recipient.

Does this violate data protection and fundamental rights?

This accusation is frequently leveled. From a data protection law perspective, it occupies a gray area. While the regulation aims to create a uniform EU legal basis (thus fulfilling Art. 6 GDPR), Art. 8 of the Charter of Fundamental Rights demands proportionality and respect for the essence of privacy. Many legal experts consider the blanket, permanent monitoring of all communications to be incompatible with the EU Charter.

The ECJ, for instance, has previously overturned data retention laws that were far less intrusive than the proposed chat scanning. The EU data protection authorities (EDPB/EDPS) explicitly stated in 2022 that chat control, in its current form, raises serious fundamental rights concerns. Therefore, immediate legal action is probable if adopted, potentially invalidating or severely restricting certain provisions. In essence, the tension between data protection and fundamental rights is substantial, with a final assessment likely resting with the highest courts.

When would the regulation come into force, and how likely is it?

As of early 2025, it is currently unclear whether and when the regulation will come into force. The Commission initially hoped for adoption by late 2024, but negotiations have stalled, further delayed by the 2024 European elections.

Optimistic estimates project an agreement in 2025, with entry into force in 2026 after a transitional period. A pessimistic view suggests the project could fail entirely or be reconsidered in the next legislative term if resistance remains too strong. Nevertheless, companies should not consider this an all-clear. The issue warrants serious attention, and developments should be closely monitored, as political dynamics—such as new abuse scandals—could increase pressure. It is prudent to be prepared for a short-notice implementation.

How can companies prepare themselves now?

Companies should prioritize staying informed, perhaps through industry associations or newsletters on EU digital law. An internal stocktake is advisable: identify data flows and potential misuse points. Many companies already utilize compliance tools (e.g., Microsoft’s PhotoDNA for CSAM detection in cloud storage). Evaluate whether such tools are available and compatible with your data protection policy.

Consider a pilot implementation of detection technology to gain experience. Simultaneously, avoid hastily compromising user privacy promises; transparency is crucial. Prepare communication strategies to explain any future changes to users. Finally, seeking legal advice is highly recommended. The subject involves criminal law, data protection, and technology, so specialized law firms or data protection experts can help craft a legally compliant roadmap for implementation and strategic positioning. This ensures a secure stance, regardless of the EU chat control’s ultimate structure.

Fazit

The planned EU chat control highlights the ongoing tension between robust child protection and stringent data protection. It presents significant legal and technical challenges for messenger and online service providers. While the final form of the regulation remains uncertain, companies should proactively use this time to prepare.

By diligently completing their compliance homework and simultaneously respecting the fundamental rights of users, companies can successfully navigate this challenge. This approach ideally ensures that children are effectively protected while maintaining essential privacy standards.