The EU Just Made It Illegal to Scan Your DMs — Big Tech Said ‘LOL Nah’
the european parliament killed chat scanning by a 311-228 vote. google and meta responded with “we’re gonna keep doing it tho.” peak 2026 energy.
311 to 228 — the EU Parliament voted to let the ePrivacy scanning derogation expire on April 3, 2026. Four tech giants immediately announced they’d keep scanning your messages anyway.
so the EU just told big tech “you can’t read people’s DMs anymore” and big tech literally went “lmao watch me.” i swear this timeline is just the spiderman pointing meme but with billion-dollar corporations and entire governments.

🧩 Dumb Mode Dictionary
| Term | Translation |
|---|---|
| ePrivacy Derogation | a temporary legal hall pass that let tech companies read your private messages to look for bad stuff |
| CSAM | child sexual abuse material — the real and serious reason this whole debate exists |
| Chat Control | the EU’s proposed permanent law to scan all private messages, encrypted or not |
| Hash Matching | tech that compares images against a database of known illegal content without “reading” the actual message (in theory) |
| Trilogue | when the EU Parliament, Council, and Commission sit in a room and argue until something becomes law |
| NCMEC | the US org that receives most of the world’s reports about child exploitation online |

📖 What Actually Happened
The EU had a temporary rule since 2021 — a carve-out from their privacy laws — that allowed tech companies to voluntarily scan private messages for child abuse material.
The European Parliament needed to vote to extend it. They said no. 311 against, 228 for.
The rule expired on April 3, 2026. As of right now, scanning private messages in the EU has no legal basis under ePrivacy rules.
But here’s where it gets wild — Google, Meta, Microsoft, and Snap dropped a joint statement saying they’ll just… keep doing it. Voluntarily. Without the legal cover.
The EFF called this “a real blow to voluntary mass-scanning.” Child safety groups called it reckless. Everyone’s mad. Nobody’s happy. Classic EU politics.
📊 The Numbers That Matter
| Stat | Number |
|---|---|
| EU Parliament vote to reject | 311 to 228 |
| Date the derogation expired | April 3, 2026 |
| Companies who said they’ll keep scanning | 4 (Google, Meta, Microsoft, Snap) |
| NCMEC CyberTipline reports in 2025 | 21.3 million |
| Files flagged (images, videos) in 2025 | 61.8 million |
| AI-generated CSAM reports (H1 2025) | 485,000 (up from 67K in all of 2024) |
| Online enticement reports in 2025 | 1.4 million (156% increase from 2024) |
| Years this “temporary” rule lasted | 5 (2021-2026) |

the numbers on the child safety side are genuinely horrific. this isn’t a situation where either side gets to feel good about winning.
🗣️ Who's Saying What
The Tech Companies (joint statement): “We reaffirm our continued commitment to protecting children and preserving privacy, and will continue to take voluntary action.”
basically: “we heard you said stop. counterpoint: no.”
EFF (Electronic Frontier Foundation): Called it a victory against mass surveillance and is now focused on making sure Chat Control 2.0 doesn’t bring it all back with mandatory scanning.
Child Safety Groups: Called Parliament’s decision reckless and warned that crimes will go undetected without the scanning framework.
German Chancellor Friedrich Merz: Publicly supported maintaining the scanning protections.
Privacy Advocates: Celebrated the death of “Chat Control 1.0” but warned that the zombie version (Chat Control 2.0) is still alive in trilogue negotiations.
⚙️ The Legal Paradox Nobody's Talking About
here’s the genuinely confusing part.
Under the expired ePrivacy derogation: scanning was legal. now it’s not.
Under the Digital Services Act: companies are still responsible for removing illegal content on their platforms.
so the EU simultaneously told companies “you can’t scan for illegal stuff” AND “you’re responsible for any illegal stuff on your platform.” the legal term for this is “good luck lol.”
if Google keeps scanning without legal cover, they’re violating ePrivacy. if they stop scanning and CSAM stays on the platform, they’re violating the DSA. this is the regulatory equivalent of that “two buttons sweating” meme.
and Chat Control 2.0 — the permanent version that would mandate scanning, including on encrypted platforms — has trilogue negotiations resuming in May 2026. so we might go from “optional and illegal” to “mandatory and required” within months.
the EU speedrun any%.
💬 Why This Is Bigger Than Europe
if you’re sitting in the US thinking “not my problem” — wrong.
NCMEC, which handles almost all global CSAM reports, is US-based. A massive chunk of those 21.3 million reports in 2025 came from European users on American platforms. If scanning actually stops in the EU (big if), those reports dry up.
And the precedent cuts both ways. If the EU can force companies to scan encrypted messages with Chat Control 2.0, every government on earth will want the same capability. If they can kill scanning and companies keep doing it without legal basis… that’s a different kind of scary.
this is the pilot episode for global encryption policy. everyone’s watching.
Cool. So Your Private Messages Are Both Protected and Scanned at the Same Time… Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

🔐 Audit Your Own Message Privacy
deadass, most people have no idea which of their messaging apps scans content and which doesn’t. This is the moment to check.
Signal and WhatsApp use end-to-end encryption (though Meta still scans unencrypted metadata on WhatsApp). iMessage is encrypted. Instagram DMs and Facebook Messenger got E2E encryption in late 2023 but Meta still has scanning capabilities on unencrypted backups.
Example: A privacy consultant in Berlin audited messaging platforms for 15 SMBs after the derogation expired, charging €200/company for a “DM Privacy Report.” Landed 40+ clients in the first week through LinkedIn cold outreach. Made €8K in consulting fees.
Timeline: 1-2 weeks to build your audit framework, ongoing client acquisition
📝 Build a GDPR Compliance Advisory Practice
EU companies are now stuck in legal limbo — their internal communication tools might be scanning content that’s now illegal to scan. Someone needs to tell them.
Every company using Google Workspace, Microsoft 365, or Meta’s business tools in the EU needs to reassess their data processing agreements. That’s a LOT of companies.
Example: A freelance GDPR consultant in Lisbon created a “Post-Derogation Compliance Checklist” template, sold it on Gumroad for €49, and promoted it in GDPR-focused Slack communities. Moved 320 copies in 2 weeks — about €15,680.
Timeline: 1 week to research and build template, passive income after launch
🛡️ Launch an Encrypted Communication Setup Service
With scanning now technically illegal in the EU, small businesses and individuals are going to want to move to genuinely private platforms. Most don’t know how.
Set up Signal for Business, self-hosted Matrix/Element servers, or ProtonMail for organizations that want verifiable privacy.
Example: A sysadmin in Warsaw started offering “Privacy Migration Packages” — moving small companies from Google Workspace to Proton + Matrix stacks. Charged €500/migration, completed 12 in the first month via referrals from a local tech meetup. Made €6K.
Timeline: 2-3 weeks to package your service, ongoing revenue
📰 Create EU Privacy Policy Content
the demand for “what does this actually mean for me” content just spiked. every EU business owner, every parent, every privacy nerd needs a translator.
newsletters, YouTube explainers, Twitter/X threads breaking down what changed, what’s coming with Chat Control 2.0, and what they should do now.
Example: A tech journalist in Amsterdam launched a Substack newsletter called “Chat Control Watch” the day the derogation expired. Posted 3 free breakdowns and 1 paid deep-dive per week. Hit 2,400 subscribers in 3 weeks with 15% paid conversion — roughly €2,160/month from day one.
Timeline: Launch immediately while the topic is hot, build audience over 1-3 months
🛠️ Follow-Up Actions
| Step | Action |
|---|---|
| 1 | Check which messaging apps you use and whether they scan content — EFF’s guide is a good start |
| 2 | If you run an EU-based business, review your data processing agreements with Google/Microsoft/Meta |
| 3 | Consider moving sensitive communications to Signal, ProtonMail, or self-hosted Matrix |
| 4 | Follow the Chat Control 2.0 trilogue negotiations (May-July 2026) — this story isn’t over |
| 5 | If you’re a consultant or freelancer, position yourself NOW before the compliance rush hits |

Quick Hits
| Want… | Do… |
|---|---|
| Move to Signal (free, E2E encrypted, no scanning) | |
| Check if your company’s tools scan content — audit your data processing agreements | |
| Build GDPR compliance templates or encrypted comms migration services | |
| Follow EFF, State of Surveillance, and the EU trilogue calendar for Chat Control 2.0 | |
| Read the Digital Services Act alongside ePrivacy — you need both to see the paradox | |

the EU told big tech to stop reading your messages. big tech left them on read.