In the EU, lawmakers continue to debate the Chat Control regulation, which is intended to protect children from sexual abuse and grooming. Critics fear that, under this pretext, Europe may build a system of automated surveillance over private communications.
Even within the European Parliament, opinions remain divided. On 9 July, MEPs voted on restoring the temporary Chat Control regime. More MEPs voted to reject the Council's position than to support it, but the motion failed because it did not secure the absolute majority required from the full Parliament. With many MEPs absent, the procedure looked like manipulation.
Officially, the vote concerned restoring a temporary framework that allows platforms to voluntarily detect child sexual abuse material. At the same time, the EU is negotiating permanent legislation that would establish long-term obligations for platforms.
This permanent proposal raises the most serious concerns: how far should the state be allowed to reach into private communications, and can platforms be forced to scan messages without breaking end-to-end encryption?
Built-in parental control tools and ordinary parental supervision have apparently proved insufficient.
The Russian Lesson
I felt a chill recalling the laws Russia adopted under the banner of protecting children. Children did not become safer in the country where I was born. But the state certainly gained far greater powers to detain, fine and prosecute people, first under laws against so-called "gay propaganda" to minors, and later on extremism charges.
Under the pretext of combating fake news, terrorism, crime, "discrediting the army" and protecting children from harmful information, Russia blocks content, accounts and entire platforms. People are fined and imprisoned for posts and comments.
Messaging services must identify users and, upon request from the FSB, provide the information needed to decrypt messages. Telecom operators are required to retain the contents of calls and messages for up to six months and metadata for up to three years. The SORM system gives the security services direct technical access to operators' networks, with virtually no effective independent oversight.
Over time, this system of restrictions made it impossible for many Western platforms to operate normally in Russia. Some were blocked for refusing to localise data or provide technical access; others for refusing to comply with censorship and content-removal demands. The space was filled by Russian alternatives, which never achieved the same popularity as Instagram or WhatsApp.
Europe can therefore appear to be moving in the same direction, introducing tools for monitoring private communications under the respectable pretext of protecting children and citizens.
How Client-Side Scanning Works
The key debate around the permanent law is whether it can compel messaging services to scan private messages for illegal content and send suspicious material for review.
The temporary regime supported by the European Parliament on 9 July excludes end-to-end encrypted communications. However, client-side scanning remains a contentious issue in the negotiations over the permanent law.
Client-side scanning is viewed as one possible way to detect prohibited content in end-to-end encrypted services such as Signal, WhatsApp and iMessage. In a properly designed E2EE system, the server cannot access the contents of conversations.
One way around this is to scan content on the user's device while the message or file is still available in plaintext, either before encryption by the sender or after decryption by the recipient. The application can compare images against a database of hashes associated with known material or analyse content using algorithms. If something suspicious is found, it can trigger further review.
Following the European Parliament vote, many users on X claimed that the EU was turning into China and was close to building its own Great Firewall.
I agree: it does look as though good intentions are being turned into an infrastructure of control that will be extremely difficult to dismantle. Is it possible to build such a system without destroying the confidentiality of private communications?
Three Models of Technological Power
Broadly speaking, the world has long been divided into three technological models: the American, the Chinese and the European.
In the American model, the market comes before the state. Private companies create platforms, set standards and establish the de facto rules of behaviour. The state intervenes only sporadically, usually after scandals, lawsuits, pressure from Congress or threats to national security. The main risk is that private power becomes stronger than public power.
In the Chinese model, the state is embedded in the technology itself. Platforms exist, but they are not independent centres of power. User identification, content moderation, state access, algorithmic control and political security are built into the system from the beginning.
What sets Europe apart is the primacy of law. The EU rarely creates the world's largest platforms, but it seeks to define the rules under which they may operate in the European market. The GDPR, DSA, DMA, AI Act and child-protection rules all stem from the same principle: technological infrastructure must exist within public law.
The EU, however, is not simply a middle ground between the United States and China. What sets it apart is its courts, competing institutions, strong data protection, parliamentary politics and the ability to challenge decisions.
The European Commission cannot simply call Signal and demand a particular dissident's messages. Access requires legal grounds, formal procedures and judicial oversight. This is far more difficult than in an authoritarian system. But once a technical capability exists, it remains available regardless of the noble intentions of those who created it.
Why Europe Is Different
In my view, it would be foolish to criticise Europe simply for trying to protect children from sexual abuse and exploitation. There is no serious reason to believe that the European Commission is pushing CSAM regulation because it wants to read ordinary people's private conversations.
The stated goal of the permanent proposal is to prevent and detect child sexual abuse, remove such material, support victims and establish a European centre to process reports from platforms and cooperate with Europol and national law-enforcement authorities.
The problem is real. Private platforms are used to distribute known child sexual abuse material, create new images, groom children and locate victims. The temporary derogation from the ePrivacy rules allowed providers to voluntarily detect, report and remove such content.
Reducing the issue to "the authorities simply want to read everyone's messages" is therefore too simplistic. Protecting children is a genuine objective. But a genuine objective does not automatically justify every tool chosen to achieve it.
Why is the EU different from Russia? The difference lies not only in intentions but also in the structure of power.
In Russia, laws on data retention, data transfers and technical cooperation with the security services operate within a system where courts barely constrain the security apparatus, Parliament is not an independent political force, and concepts such as extremism, fake news and national security can be broadened by administrative fiat. As a result, infrastructure supposedly created to fight crime or terrorism quickly becomes an instrument of political control.
In the EU, the proposal must pass through the Commission, the Council, the European Parliament, national governments, courts and data-protection authorities. European data-protection bodies themselves strongly criticised the original draft. The EDPB and EDPS warned that it could lead to general and indiscriminate scanning of communications, weaken encryption and create serious risks for fundamental rights.
This is the crucial difference between the EU and China or Russia: the European system publicly argues with itself.
Encryption Only on Paper
The debate over Chat Control goes far beyond the question of officials gaining direct access to private chats.
In a true end-to-end encrypted system, the platform does not hold the contents of conversations in plaintext. It therefore cannot simply hand the state a universal decryption key. In a properly designed architecture, such a key may not even exist.
If the permanent law ultimately extends its requirements to E2EE services, several controversial options remain: scanning content on the device before encryption, matching files against known hashes, analysing unencrypted backups, applying AI classifiers before sending, restricting a service's functionality, or banning services that refuse to comply.
This is why critics argue that client-side scanning preserves encryption only on paper. The transmission channel remains encrypted, but the content is inspected on the device before encryption or after decryption. This is the core technical dispute.
The Real Danger
So where is the real danger?
The greatest risk is mission creep. A system built to detect known CSAM can later be expanded to detect new material, grooming, terrorism, incitement to hatred and extremism. Each step may seem reasonable on its own.
False positives are another problem. Algorithms are far less reliable at identifying new illegal material or inferring an adult's intentions from a conversation than they are at matching known hashes. This is where the risk of widespread false suspicion begins.
There is also the danger of institutional growth. A new European centre, national authorities, databases, certification processes, audits and reporting requirements create a bureaucracy with its own budget and its own incentives to expand.
Finally, there is technological irreversibility. Political decisions can be reversed. A scanning architecture built into millions of devices is much harder to dismantle.
For now, the EU is not becoming China or Russia. The difference will ultimately be determined not by the stated goals of the law, but by the limits Europe places on its own system of control.
Protecting children is a real and necessary goal. The real question is whether Europe can achieve it without turning every smartphone into a device that monitors its owner.
