EU Chat Control law is a step towards mass surveillance

The EU’s controversial Chat Control Law is back on the spotlight. The current Danish presidency of the Council of the European Union has chosen to throw considerable political capital at it; so much, in fact, that the resubmission of the legislation was its very first formal step upon its assumption of duties in July this year. Danish Prime Minister Mette Frederiksen is now aiming to secure the adoption of the initiative by mid-October. 

Known in official Brusselese as the Regulation to Prevent and Combat Child Sexual Abuse, the proposal seeks to curb the spread of child sexual abuse material (CSAM) online. The goal could hardly be more decent or commendable. However, the method championed by the Brussels mandarinate, which effectively mandates the scanning of private communications, including those currently protected by end-to-end encryption, poses a severe threat to personal privacy, national sovereignty, and the EU’s supposedly most sacred principles. By betting on centralised control over the digital communications of European citizens, what the Danish presidency is doing is transforming the EU into a surveillance state. It is liberal techno-authoritarianism at its worst. It is positively Orwellian. It must, therefore, be rejected.

The Chat Control Law was first proposed well before Mrs. Frederiksen got her hands on the presidency of the Council of the European Union. As a matter of fact, this concerning legislation was first presented in May 2022. If enacted, the bill would require popular instant messaging platforms such as WhatsApp, Signal, and Telegram to scan all user content—texts, images, and videos—for CSAM, even when encrypted. The measures would apply to all citizens, regardless of whether there is any actual, justified suspicion that they may be engaging in criminal or otherwise harmful activity.

Both Copenhagen and the Commission have long advocated for this outrage. With Frederiksen now holding the Council’s presidency, she has made it a cornerstone of its agenda. In particular, she has been emphasising stronger law enforcement tools to combat serious crime while addressing the misuse of these new technologies. The mechanism at the heart of the proposal is client-side scanning. Through it, content is analysed on a user’s device before encryption. What this means, for the less tech-savvy reader, is opening a permanent backdoor that bypasses the privacy guarantees of secure communication. This would be like having the state read your letters before you seal the envelope, and would subject every EU citizen’s private messages to automated scrutiny. East German readers may find such Stasiesque instruments familiar; most wouldn’t want them making a grand comeback, either in Germany or elsewhere. 

Unfortunately, instead of reading the room and studying alternative, milder versions of the legislation, Frederiksen has instead chosen to double down on this major political and historical mistake. As many as 19 EU states now apparently back the proposal. Germany remains uncommitted for the moment, but will likely be pivotal. Indeed, if Berlin joins the “yes” camp, a qualified majority vote—requiring 15 states representing 65 per cent of the EU population—could see the law passed by mid-October. The Danish presidency is driving this process through Council working groups, with its objective being to finalise positions by September 12, 2025. The only step that would then be missing is the final vote in October.

The law’s implications are profoundly troubling. By mandating client-side scanning, it violates the EU’s Charter of Fundamental Rights, specifically Articles 7 and 8, which protect the right to private communications and personal data. Whatever its flaws, the European Court of Human Rights has already ruled against measures that weaken encryption, as indeed it should. Denmark’s proposal presses forward nonetheless. In so doing, it ignores both these legal constraints and the principle of subsidiarity, according to which decisions should be made at the most local possible level. The regulation of digital communications has, of course, traditionally been a national competence. By imposing a uniform surveillance mandate, Brussels—under Danish leadership—usurps this authority, therefore alienating privacy-conscious nations and potentially fracturing EU unity. One has to wonder if Mrs. Frederiksen thought this through.

At the same time, such outreach will have global implications. They won’t be good—not, surely, for anyone who believes in the right to confidentiality. Encryption is nothing short of the backbone of digital security. It secures everything from financial transactions to the communications of dissidents in evil, despotic regimes. By so egregiously undermining it, the EU sets a terrible precedent. In fact, it will embolden other governments—democratic or not, accountable or not, well-meaning or not—to demand similar access to what their citizens are saying, seeing, thinking, sharing, or complaining about. Two years ago, digital autonomy advocates like the Electronic Frontier Foundation warned that such policies could normalise surveillance worldwide, weakening protections for millions and considerably strengthening the apparatuses of tyrannies the world over.

Proponents of this liberticidal initiative claim that it can be balanced with privacy concerns, citing AI-driven scanning as a solution to the problem. This is gibberish. Rather, the fact of the matter is that client-side scanning embeds a surveillance mechanism into every device, not only opening everyone’s private conversations to state surveillance but also creating vulnerabilities that could be similarly exploited by hackers or hostile states. That’s what this Pandora’s Box will actually mean. 

Of course, it gets worse. Once it is in place, the system’s scope could expand beyond CSAM to virtually any other content, be it political dissent—surely a reasonable concern when, in Britain, Starmer is hard at work forbidding your VPN, France’s leading presidential candidate was barred from running in the next election or, in Germany, almost 10,000 are being charged every year for sharing “politically incorrect” memes and jokes online. Indeed, even as the Eurocrats are trying to snoop into your online conversations, Brussels is also pushing for aggressive content moderation under the Digital Services Act. 

So the downsides are self-obvious, and should by themselves illustrate why this legislation should be soundly rejected by European nations. How about its advantages? They’re way less clear. A year ago, Europol noted in a report that sophisticated criminals often use secretive, unregulated platforms, rendering mass scanning ineffective against the intended targets while burdening ordinary citizens with the full weight of a repressive Leviathan. Confidentiality-focused platforms like Signal have threatened to exit the EU market rather than comply. So they should, but what that will do is harm Europe’s digital economy while pushing users to less secure alternatives.

Chat Control is unacceptable in a free society. There’s no lack of nations in this world where citizens know that whatever they say online can and probably will be known to the state. It shouldn’t be like that in Europe. What Frederiksen’s manoeuvres do reveal, however, is a worsening and highly concerning trend of the EU seeking to increase its control over the internet. From the Digital Services Act to the proposed AI Act, Brussels is intent on centralising authority over digital communications. This undermines the EU’s foundational principles—liberty, subsidiarity, and respect for fundamental rights. There are alternatives: Targeted law enforcement, more international cooperation, and the courage to impose higher penalties on abusers can combat CSAM without sacrificing privacy or sovereignty. The Danish presidency’s insistence on rushing the vote by October, despite so many legal, ethical, and technical objections, should be resolutely opposed.