EU Policy Reversal: Mandatory client-side scanning Eliminated from Chat Control Proposal

The European Union has taken a significant step back from its most controversial surveillance proposal. In late November 2025, EU officials officially removed mandatory client-side scanning requirements from the proposed Chat Control law, responding to sustained pressure from privacy advocates, digital rights organizations, and technology companies. This reversal addresses one of the most technologically invasive aspects of the legislation.

Client-side scanning would have required applications to scan users’ private messages and media files before they were encrypted—essentially creating backdoors into encrypted communications. The technology posed fundamental threats to digital privacy, potentially exposing personal conversations to state surveillance and misuse.

What Changed: Privacy Victory and Remaining Concerns

The elimination of mandatory client-side scanning represents a notable win for privacy advocates who spent months warning against the surveillance implications. However, this victory comes with significant caveats. The revised Chat Control proposal still retains multiple privacy-threatening mechanisms.

The updated legislation maintains mandatory age verification mechanisms, which require users to submit personal identity data to access certain services. Such verification systems introduce their own privacy vulnerabilities, as collected data could be misused or compromised. Additionally, the law grants platforms voluntary powers to scan messages and media for harmful content, including child sexual abuse material (CSAM).

The distinction between mandatory and voluntary scanning may seem meaningful, but privacy experts argue it’s largely semantic. Platforms facing regulatory pressure and reputational risks may feel compelled to implement voluntary client-side scanning-like technologies. This creates de facto surveillance through indirect coercion rather than explicit legal mandate—a phenomenon critics describe as “backdoor enforcement.”

Age Verification and Voluntary Powers: Privacy Risks Persist

While the removal of mandatory client-side scanning addresses the most extreme proposal, the remaining provisions continue to concern privacy advocates. Age verification mechanisms require sensitive personal data collection, creating security risks that extend beyond the intended purpose. Users’ identity documents and personal information could become targets for theft or state surveillance.

The law’s voluntary scanning framework permits tech companies to implement content monitoring tools. Though framed as optional, platforms may struggle to resist adoption. Companies fear regulatory penalties, public backlash, and legal liability if they don’t actively search for CSAM. This creates a permission structure where widespread surveillance becomes normalized through seeming consent rather than legal requirement.

Civil rights organizations like EDRi and the European Data Protection Supervisor have emphasized that these remaining provisions still facilitate mass surveillance infrastructure, even without the explicit client-side scanning mandate that sparked the fiercest opposition.

Multi-Stakeholder Tensions: Finding Balance Between Safety and Privacy

The policy debate reflects genuine competing interests. Privacy advocates emphasize that strong encryption and user confidentiality are essential rights. Child safety organizations counter that such protections enable exploitation and argue for stronger detection and enforcement capabilities.

EU policymakers face pressure from both sides as the Council and Parliament continue negotiating final legislation details. The updated Chat Control proposal represents an uneasy compromise—eliminating the most visible privacy threat while preserving multiple mechanisms for content monitoring and user data collection.

The outcome illustrates the ongoing tension between security, child protection, and privacy rights in digital policy. While the removal of mandatory client-side scanning marks a policy shift, the conversation surrounding EU surveillance architecture is far from concluded. Future proposals will likely revisit these same contested issues.