NOLO
EU privacy · updated July 2026

What is Chat Control?

The EU's plan to scan private messages for illegal content has become one of Europe's biggest digital-rights fights. Here is an honest, up-to-date explainer: what it is, how the scanning would work, where the law actually stands after the July 2026 vote, and what it means for your privacy.

314 voted no

On 9 July 2026, 314 MEPs voted to reject the Council's text and 276 to keep it, but blocking it needed an absolute majority of 361. So it survived: the majority of voters said no, and it passed anyway.

Runs until 2028

Chat Control 1.0, the temporary regime, was reinstated and now runs until 2028, but this version was amended to exclude end-to-end encrypted services like Signal and WhatsApp.

2.0 not agreed

The permanent regulation (CSAR / "Chat Control 2.0"), the one that could force scanning inside encrypted apps, is not law. Five negotiation rounds have failed; the next is expected around September 2026.

Background

Two laws, one nickname.

"Chat Control" is not a single law. It is shorthand for two parallel EU tracks aimed at detecting child sexual abuse material (CSAM) by scanning communications. Keeping them apart is the key to understanding the news.

Chat Control 1.0

A temporary derogation from the EU's ePrivacy rules that lets providers voluntarily scan content for known CSAM. It expired in spring 2026 and was reinstated on 9 July 2026, now running until 2028.

  • Voluntary, not mandatoryCompanies may scan; they are not ordered to.
  • Encrypted apps excludedThe July 2026 version leaves E2EE services out.
  • Mostly known-CSAM detectionHash matching against existing databases.

Chat Control 2.0 (CSAR)

A proposed permanent regulation that could make scanning mandatory through "detection orders", and could reach into end-to-end encrypted apps via client-side scanning. This is the controversial one, and it is not agreed.

  • Could be mandatoryDetection orders instead of voluntary scanning.
  • Could target encryptionClient-side scanning is the disputed mechanism.
  • Still blockedTrilogue talks keep collapsing over mass scanning.
Technical mechanism

How the scanning would work.

It depends entirely on whether a service is end-to-end encrypted. That single fact splits the whole debate in two.

Server-side scanning

On services without end-to-end encryption, the provider can already read content on its servers, so it scans there before delivering or storing it. This is technically simple and already common for known CSAM.

  • Applies toTraditional email, non-encrypted cloud and platforms.
  • Encryption impactNone: there was no end-to-end encryption to break.

Client-side scanning

For end-to-end encrypted apps the servers cannot read anything, so the proposal puts a scanner on your device, checking a message just before it is encrypted or just after it is decrypted. Critics call this a backdoor inside your own phone.

  • Would apply toSignal, WhatsApp, iMessage and similar, under 2.0.
  • Encryption impactA scanning agent lives inside the trusted device boundary.
Timeline

How we got here.

  • 2021 — Chat Control 1.0 beginsThe EU adopts a temporary derogation allowing voluntary scanning for CSAM.
  • 2022 — Chat Control 2.0 proposedThe Commission proposes the CSAR regulation to make detection possible on a permanent basis.
  • Spring 2026 — 1.0 expiresThe temporary regime lapses after Parliament resists a straightforward renewal.
  • 9 July 2026 — reinstated by default314 MEPs vote to reject, 276 to keep, but the 361 needed to block is not reached. 1.0 returns (E2EE excluded) until 2028.
  • Ongoing — 2.0 stalledRepeated trilogue rounds collapse over suspicionless scanning; the next attempt is expected around September 2026.
Both sides

The case for, and against.

This is a genuine dilemma between protecting children and protecting everyone's privacy. Both sides are argued in good faith.

The case for

  • Child protectionCSAM spreads through private channels; detection can find and stop it.
  • Legal clarityA common rule instead of an inconsistent patchwork across the EU.
  • Existing toolsHash matching for known material is already used at scale.

The case against

  • Mass surveillanceEveryone's messages are scanned without any suspicion.
  • Weakens encryptionClient-side scanning puts a backdoor on every device.
  • False positivesInnocent photos and chats can be flagged and exposed.
  • Unproven benefitNo clear evidence it meaningfully increases convictions.
Why we care

Where NOLO stands.

NOLO is not a messaging app, but it is built on the same idea Chat Control puts under pressure: your private conversations should stay private, by design, not by permission.

No account, no email

NOLO asks for no registration. Your identity is an anonymous ID kept on your device, so there is no profile to scan, subpoena or leak.

Your chats stay yours

Conversation history lives in your browser, not in a NOLO database. The chat models run on GDPR-compliant providers configured for zero data retention, and we do not train on your chats.

No tracking

No tracking cookies, no ad profiling, no selling your data. Privacy is the product, not a setting you have to go and find.

FAQ

Chat Control questions.

"Chat Control" is the nickname activists and journalists gave to a set of EU measures that would have providers automatically scan private messages, images and files to detect child sexual abuse material (CSAM) and grooming. Supporters frame it as child protection; critics call it mass surveillance of everyone's communications.

Chat Control 1.0 is a temporary derogation from the ePrivacy rules that lets companies voluntarily scan (mostly unencrypted) content for known CSAM. Chat Control 2.0 (the proposed CSAR regulation) would be permanent and could make scanning mandatory via detection orders. As of July 2026, 1.0 has been reinstated but 2.0 has not been agreed.

Effectively yes, by default. On 9 July 2026, 314 MEPs voted to reject the Council's fast-tracked text and 276 to keep it, but rejecting it required an absolute majority of 361 MEPs. Because that threshold was not reached, the measure survived. The reinstated temporary regime runs until 2028. In short: a majority of those voting said no, and it passed anyway.

Not under the version reinstated in July 2026: it was amended to exclude end-to-end encrypted services like Signal and WhatsApp. The encryption fight centers on Chat Control 2.0, which could require "client-side scanning" inside encrypted apps. Critics argue that scanning a message on your device before it is encrypted is a backdoor by another name. 2.0 is not law yet.

For end-to-end encrypted apps the provider's servers cannot read your messages, so the proposed workaround places detection software on your own device. It checks content just before it is encrypted to send, or just after it is decrypted on receipt, using hash matching against known illegal images plus AI classifiers to flag new material or grooming patterns.

Depending on the final text: messaging apps (WhatsApp, Signal, Telegram, iMessage), private chats in social apps, email providers, cloud storage and VoIP. The reinstated 1.0 excludes end-to-end encrypted services; a future 2.0 could pull them back in.

That it enables suspicionless mass surveillance, structurally weakens encryption for everyone, generates false positives that expose innocent people, and has not been shown to meaningfully increase convictions. Data-protection authorities, security researchers and much of the European Parliament have raised these concerns.

NOLO is not a messaging app, but it is built on the same principle Chat Control threatens: your private conversations should stay private. NOLO is an AI chat with no account, no email, no tracking, that stores your history on your own device and does not train on your chats. We follow this debate because it is about the same right.

Private by design

Talk to an AI
that can't watch you.

NOLO is a private AI chat: no account, no email, no tracking, and your history stays on your device. Whatever the EU decides, this is how it should work.