The EU's Chat Control Law has been criticized by security experts because it forces private messages to be scanned before encryption, threatening digital trust and potentially pushing users to Web3 platforms.
At the heart of the controversy is the Draft Regulation on the Prevention and Combating of Child Sexual Abuse, which is said to create “backdoors” into end-to-end encryption systems, which would contravene the EU’s privacy commitments and could Shard the European digital market.
- Chat Control requires scanning content on user devices before encryption, raising privacy concerns under the EU Charter.
- The loss of trust could push users to move to Web3 platforms where data is protected by design.
- Germany holds the key vote: the 15 countries in support have yet to reach the 65% population threshold for approval.
What is Chat Control?
It is a proposed EU regulation aimed at preventing child sexual abuse by requiring platforms to scan private messages for illegal content before end-to-end encryption.
According to the draft, “client-side scanning” takes place directly on the user’s device. Critics say this approach is equivalent to building a backdoor into the encryption system, which goes against EU data protection standards, especially the right to privacy of communications under the EU Charter.
Why do experts consider this a dangerous precedent?
Experts warn it sets a bad legal and technological precedent, opens up the risk of abuse of surveillance tools and erodes trust in digital infrastructure.
Hans Rempel, co-founder and CEO of Diode, said there was no guarantee that the tool would not be abused, noting that more than 10% of data breaches occurred in government systems. In the same vein, Elisenda Fabrega, general counsel of Brickken, pointed out the risk of conflict with the case law of the Court of Justice of the EU and Articles 7 and 8 of the EU Charter on privacy of communications and data protection.
“Giving an Capital corruptible entity virtually unlimited access to an individual's private life is inconsistent with a bona fide claim to digital privacy.”
– Hans Rempel, CEO Diode, Cointelegraph, 2024
How does client-side scanning work and what are the risks?
Client-side scanning scans content on the device before it is sent, even if there is no sign of infringement.
Fabrega explained that this mechanism allows for monitoring of content on a user’s device before it is transmitted, raising concerns about broad and vague interference. Real-world lessons: Apple announced plans to detect CSAM on iCloud Photos and devices in 2021, but canceled it in 2022 after a strong privacy backlash (The Verge, 2022; Apple). On-device scanning also increases the attack surface for Spyware and identity fraud.
“Client-side scanning would allow monitoring of content on a user's device before transmission, even in the absence of signs of illicit activity.”
– Elisenda Fabrega, General Counsel Brickken, Cointelegraph, 2024
Does this measure conflict with EU privacy standards?
Many legal analyses suggest yes, especially given the principle of necessity and proportionality in EU law and CJEU case law.
Fabrega cites Articles 7 and 8 of the EU Charter guaranteeing the confidentiality of communications and data protection. The European Data Protection Authority and the European Data Protection Board (EDPS–EDPB) have also warned in their Joint Opinion 04/2022 that mass scanning measures pose a serious risk of interfering with fundamental rights (EDPB–EDPS, 2022). The CJEU’s case law on mass data storage further emphasizes the strict criteria of necessity and proportionality.
How will digital trust be affected?
Trust in encrypted messaging is a promise that data will always be private. If that promise is broken, users may leave the platform.
Fabrega stressed that encryption is not just a technical feature but a commitment to users. An erosion of trust could lead users, especially those who value privacy, to seek safer alternatives, risking Shard of the European digital market and undermining the EU’s ability to shape international standards.
Is Web3 the Way Out for Privacy-Concerned Users?
Web3 platforms are designed to protect data by default, giving data sovereignty to users, making them attractive to privacy-conscious groups.
According to Rempel, the spirit of Web3 is self-governing keys and data, allowing users to control information throughout its lifecycle. However, Web3 also comes with challenges: user experience, scalability, and legal compliance. However, the wave of partial migration from centralized platforms to decentralized solutions is likely to increase if Chat Control is adopted.
How does Germany decide?
Germany is the key vote. Currently 15 countries support it but it falls short of the 65% threshold required by the EU Council's double majority rule.
Under the qualified majority mechanism, a minimum of 55% of member states (currently met) and 65% of the EU population (not yet met) are required. If Germany supports it, the chances of it passing are very high; if it abstains or votes against it, the bill is likely to fail. This fact makes Germany's decision a decisive factor in the Chat Control roadmap (Council of the EU, QMV rule).
Passability and next scenario
The chances of passage are low by some experts, but similar efforts could be made again in the name of safety.
Rempel said the chances of passage were low, but this would hardly be the last time proposals to restrict fundamental rights in the name of safety emerged. Whatever the outcome, the debate over the balance between child safety and privacy will continue, requiring solutions that are transparent, have strong judicial oversight, and are proportionate.
Comparison table: Client-side scanning, traditional end-to-end encryption, and Web3 platform
Below is a brief comparison of the goals, risks, and user trust impacts between the three approaches.
| Criteria | Client-side scanning (Chat Control) | Traditional end-to-end encryption | Web3 platform (decentralized) |
|---|---|---|---|
| Target | Detect illegal content before encryption | Protect the integrity and confidentiality of communications | Empower data autonomy, reduce intermediary dependence |
| Scope of collection | Scan device content, even if it's not suspicious | No content access; minimal metadata only | User-controlled data/private keys |
| Risk of abuse | High: backdoor, confusion, abuse of power | Lower: backdoor strongly opposed | Medium: UX challenges, key security, compliance |
| EU legal compatibility | Controversy over Articles 7 and 8 of the EU Charter; warning opinion of the EDPB–EDPS (2022) | In accordance with the principles of necessity and proportion | Depends on design, protocol governance, and local compliance |
| Impact of belief | Erosion: users fear being monitored | Reinforcement: promise of secret communication | Growth in privacy-first groups, but market Shard |
Frequently Asked Questions
Does Chat Control force scan all private messages?
The draft requires scanning content on the device before encryption, even if there is no sign of violation, to detect illegal content related to child abuse (according to Cointelegraph and related legal analysis).
How does the EU qualified majority rule work?
A minimum of 55% of member states and 65% of the EU population is needed for approval in the Council of the EU (QMV rule). Currently, the 15 countries supporting it have not yet reached the 65% population threshold.
How is client-side scanning different from end-to-end encryption?
Client-side scanning scans content on the device before encrypting it, creating a backdoor risk. End-to-end encryption ensures that the provider cannot read the content, only the sender and recipient can decrypt it.
Does Web3 completely eliminate privacy risks?
No. Web3 gives users more control over their data, but it also presents challenges in terms of experience, key security, and compliance. However, it is an attractive option for privacy-conscious groups.
Why does Germany play a decisive Vai in Chat Control?
Germany has a large population. If Germany supports it, the 65% threshold could be met; if it opposes or abstains, the bill is likely to fail.
