A so called 'Chat Control 1.
EU Parliament did not reject a dormant ePrivacy exemption on Thursday, and that failure to block has unlocked a legal pathway for online platforms to scan user messages for child sexual abuse material without a warrant. The vote itself was unremarkable: a motion to reject fell short of the absolute majority it required. The procedure that produced the vote is the part that has Brussels talking.
The text in question is the so-called "Chat Control 1.0," a temporary ePrivacy derogation that lets messaging services voluntarily detect CSAM in user communications and sidestep Europe's electronic-privacy rules. Parliament had rejected earlier versions of it. On Thursday, the Council sent it back under a procedural pathway that requires Parliament to muster an absolute majority to actively reject the text, rather than a simple majority to pass amendments. With MEPs scattering for summer recess and no whip count organized, the rejection threshold was not met, and the derogation stands.
Patrick Breyer of the Greens/EFA, who has tracked the file, framed the move as a reactivation of a previously rejected position timed to the recess. Heise, the German tech outlet, called it a "procedural trick." Euronews reported the outcome as having "passed the European Parliament through the back door." These are not neutral characterizations. They are the framing of MEPs and outlets opposed to the move, and they reflect a real procedural complaint: the text that survived Thursday's vote is materially similar to one Parliament had previously said no to.
Three things to keep separate.
The derogation gives platforms legal cover to scan. It does not require them to. Gmail, iCloud, Hotmail, Discord, Instagram, Slack, Teams, Snapchat, and Xbox all fall in scope if they choose to deploy detection.
End-to-end-encrypted services such as WhatsApp and Signal are exempt by amendment. The vote did not break encryption, and platforms are not being compelled to weaken it. Law enforcement did not get new warrantless powers; getting a warrant to compel scanning of a specific account still requires going to a judge.
And this is not the broader CSAM detection law. That regulation, tracked in the EU's legislative observatory as procedure 2025/0429(COD)) and widely called "Chat Control 2.0," would mandate detection on a wider set of services and is the file civil-society groups have spent two years fighting. Thursday's vote does not advance that file. It reactivates the ePrivacy exemption window through 2028 and sets a separate stage for the September discussion of the broader bill.
The mechanism is the story. The Council can now use an absolute-majority re-vote pathway to send previously rejected text back to Parliament and time the re-vote for moments when an organized blocking coalition is hardest to assemble. The text does not have to win fresh support. It only has to survive a vote that almost certainly will not reach the rejection threshold. That is a new tool in the EU's inter-institutional kit, and the precedent lasts beyond CSAM.
The vote is recorded on HowTheyVote, with the Parliament's own press release confirming the outcome. The Council's underlying position is document 11261/2026. After publication in the EU Official Journal, the derogation takes effect.
The September legislative session will bring the broader CSAM detection bill back into committee. That fight runs on different procedural rails. But the absolute-majority trap is now proven, and any file the Council wants to push through a thin, recess-depleted Parliament has a working blueprint.