Did the EU Parliament really vote not to protect children online?

What went wrong with Chat Control 1.0 negotiations?

In April 2026, EU lawmakers tried to achieve an incredibly fast deal to extend the interim ePrivacy derogation – sometimes known as “Chat Control 1.0” – for a second time.

Getting a deal to extend this law would allow Big Tech companies like Microsoft and Meta to keep on mass scanning their users’ private messages to search for child abuse material. This is something EU law has supposedly permitted them to do since 2021 as a temporary measure under Regulation (EU) 2021/1232, the interim ePrivacy derogation. More than 5 years later, however, it seems the EU is in dire need of a dictionary to look up the definition of “temporary”.

Despite the important aim of the derogation to protect children, EDRi and many legal experts have argued that under the European Charter of Fundamental Rights, scanning everyone’s messages – rather than just those reasonably suspected of serious criminal acts – is a disproportionate violation of everyone’s communications confidentiality.

There are also concerns about what else Big Tech companies are doing with the private information in the messages that they scan. In a time of many lawmakers and communities rightly calling to reign in Big Tech and hold them accountable for systemic violations of our rights, giving them a carte blanche to scan our private messages – with very few safeguards – is a serious risk.

However, amid a flurry of finger-pointing, final negotiations on the proposed second extension collapsed – and the derogation officially expired on 4 April 2026. Big Tech companies were vocal across Brussels about their outrage, and child protection groups expressed significant disappointment. However, with the European Parliament going in to negotiations with a position that aimed to strike a balance between stopping the spread of CSAM and upholding privacy and data protection, it didn’t have to be this way. So what went wrong?

A common claim has been that the Parliament – in particular the Socialists and Democrats (S&D) group – are to blame for the lack of a deal. But this claim completely overlooks the actions taken by several other key players in the EU lawmaking process.

The Commission played with fire

The European Commission is the sole EU institution with the power to officially propose to extend the derogation. Yet despite EU legislative proposals usually taking at least 12 months to pass – and often significantly longer than this – the Commission decided to wait until the last minute. They only proposed to extend the derogation on 19 December 2025, at the start of the EU institutions’ winter shut-down, with fewer than four months until the expiration.

This was presumably a deliberate tactic to exert time pressure on the Parliament and the Council. The Commission would have been aware that only a minimally-amended text could even have a chance at passing so quickly. But this seeming attempt to limit the ability of the co-legislators to make changes to the text also limited the Parliament’s and Council’s democratic right to scrutinise and amend the Commission’s proposal – which seems to have been a key factor in what went wrong.

The Council offered their way, or nothing!

Once both the Council of EU Member states and the European Parliament had their individual positions, final “trilogue” negotiations started. But with only one political meeting planned due to lack of time, the scope for meaningful negotiation was limited. While the Council stuck to the Commission’s original text, the Parliament called for adding safeguards to better protect the privacy of both adults and children, and to make the derogation comply with the fact that generalised surveillance is not lawful in the EU. These major differences already signalled that getting a deal would be difficult – and a fast one nearly impossible.

The main problem that unfolded was that the Council refused to accept any of the Parliament’s safeguards. They reportedly offered a small bit of flexibility on the timeline, but not on anything else. Leaked documents even showed that the Council strategy may have been to not make a deal if it required a compromise – which seems like a show of bad faith seeing as EU law is supposed to represent a compromise between the positions of Council and Parliament.

The Parliament rightly still insisted that at least some of their safeguards should be considered. As an equal legislative institution representing people across Europe, it would have been unthinkable that they would give up their entire position. But with the Council ultimately refusing to move, negotiations fell apart, and it seemed that the derogation would simply elapse.

EPP asked for a do-over

Except it didn’t end there. Even though there was no deal, the Parliament’s administrative services had already scheduled a final vote of all Members of the Parliament (MEPs), expecting that there would be a trilogue agreement to sign off.

Because this vote was already on the agenda, the Conservative group, EPP, tried to reopen the Parliament’s position. They proposed a new amendment which, if it were adopted, and all other amendments (previously adopted for the Parliament’s position) were rejected, then it would have aligned the Parliament’s position perfectly with the Council’s position. This would then catalyse the automatic adoption of the Council’s position.

Whilst this doesn’t break any rules, it risked undermining the Parliament’s credibility by effectively repeating the vote on the Parliament’s position because the Council wouldn’t accept it. In response, MEPs including lead negotiator Birgit Sippel (Socialists & Democrats group) re-tabled most amendments from the previous position of the Parliament. In a tense vote, a majority of MEPs voted to uphold the mandate already given to MEP Sippel, and the derogation was not automatically adopted.

Normally under EU procedures, negotiations would be able to re-start, but with mere days until the derogation lapsed, there was no time left, and the derogation expired.

So while some stakeholders claim that the Parliament voted not to protect children, the full story shows that instead, the Parliament voted not to undermine their own democratic mandate of finding the right balance between protecting children and safeguarding all fundamental rights. It was not the simple “protect children or do nothing” vote that some stakeholders have claimed. And it certainly was not the “protect children or protect abusers” vote that the EPP group disgracefully claimed on social media.

If the Commission had allowed more time for negotiations, or if the Council had been willing to compromise on safeguards, perhaps there might have been a real chance for a deal.

The Commission’s final nail in the democracy coffin

The night before the Parliament’s re-vote, four European Commissioners took things to the next level by writing to all Parliamentarians. In a letter leaked to Politico, they encouraged MEPs to vote to align the Parliament’s text with the Council text.

In our opinion, this was a serious overreach by these Commissioners, who have a duty to play the “honest broker” and to be guided by evidence, not politics. Whilst they are of course allowed to explain what they believe are the merits of their proposal, they absolutely should not lobby fellow EU lawmakers. If referred to the EU Ombudsperson, we believe that these Commissioners could potentially be found culpable of maladministration.

It’s a familiar pattern for this topic, with former EU Home Affairs Commissioner Ylva Jonahnsson and her services being found culpable of maladministration three times for improper lobbying for the long-term version of the derogation, the CSA Regulation. So it’s not surprising if some MEPs might have felt that the Commission was trying to strong-arm them into dropping their democratic powers.

The CSA Regulation, coming summer 2026?

The story does not end here. Negotiations on the CSA Regulation are scheduled to conclude on 29 June, offering the possibility for a balanced, proportionate, permanent alternative to the interim derogation.

In theory, we are cautiously optimistic about what the final CSA Regulation will look like, because both the Parliament and Council have positions that protect encryption and reject mandatory mass surveillance of private communications.

However, given how the Commission have already acted, can we be sure they will only play the role of “honest broker” in the final CSAR negotiations? And with some stakeholders pressuring the co-legislators to change their positions, can we be sure that essential fundamental rights and digital security protections will be maintained? As EDRi, we are following these negotiations closely, and remain particularly concerned – among other things – about the threat of mass “voluntary” scanning of communications and ill-conceived age verification mandates ending up in the final text.

—

* The interim ePrivacy derogation doesn’t actually create any legal basis for such scanning. It merely instructs providers to find their own legal basis under the General Data Protection Regulation (GDPR) instead of the ePrivacy Directive. Yet it remains unclear what GDPR basis could actually permit mass scanning – even leading to the government of Germany advising German providers not to scan, given that it lacks a clear legal basis. For this reason, it is more accurate to say that the interim derogation gives only the illusion of legal certainty.