EU’s 'Chat Control' shifts again: Danish compromise advances to ambassadors, critics warn of "backdoor" scanning via risk rules

National officials in the Council’s Law Enforcement Working Party met on November 12 and, according to multiple policy briefings and media coverage, motioned broad support for a revised compromise led by Denmark on the EU’s Child Sexual Abuse Regulation (often dubbed "Chat Control"). The draft removes explicit, mandatory detection orders but adds Article 4 duties for "risk‑mitigation measures". This change is now expected to move to COREPER (EU countries’ ambassadors, or Committee of Permanent Representatives) for consideration.​

The Danish text strips the earlier, hard mandate to scan private communications and reframes detection as "voluntary," while obliging high‑risk services to implement "all appropriate risk‑mitigation measures" under Article 4; critics say this can be used to require scanning in practice, including on end‑to‑end encrypted services. Policy explainers also flag review mechanisms and enforcement levers that could create strong incentives to adopt scanning tools despite the "voluntary" label.​

End‑to‑end encryption is designed so only sender and recipient can read messages; scanning typically means checking content before it’s encrypted on user devices, which security advocates argue weakens privacy and system security. Parliament’s earlier position rejects generalized, indiscriminate scanning and seeks to protect encryption. This could set up a potential clash, if the Council’s line relies on Article 4 to push providers toward client‑side scanning.​ Furthermore, in April 2024, a leaked draft reported by Contexte indicated that EU interior ministries were seeking exemptions for professional accounts and "confidential information" from any bulk-scanning regime, which drew criticism from MEP Patrick Breyer and rights groups over a perceived double standard.

The Commission proposed CSAR in May 2022 to create a permanent framework for detecting, reporting, and removing child‑abuse material, including an EU Centre; controversy centered on mass scanning and encryption risks from the outset. Through 2023 and 2024, multiple debates in Council and Parliament failed to reconcile positions, and a tougher push for mandates stalled in October 2025 when a qualified majority could not be assembled, which prompted Denmark to move to the current compromise.​

Analyses of the new draft say Article 4 obliges providers deemed high‑risk to implement "all appropriate risk‑mitigation measures," which could include on‑device scanning for known and new material; campaigners argue this amounts to "de facto" detection without naming it. Commentaries are also raising concerns that identity/age‑verification hooks could completely erode anonymity. This could potentially have worse implications for journalists, activists, and whistleblowers.

If COREPER does endorse the text, ministers could adopt a Council position and enter trilogue talks with the European Parliament to attempt a final deal; the timing is pretty tight, with Denmark’s presidency ending in December and Poland set to take over in January. Onlookers are expecting encryption safeguards, scope of any scanning, and the role of the EU Centre to be central bargaining items if negotiations open.

Privacy and digital‑rights groups are warning that "voluntary plus risk‑mitigation" could pressure platforms into scanning as a compliance safe harbor, which could chip away at encryption even without explicit mandates. As per more neutral speakers, there won’t be any automatic EU‑wide scanning of everyone’s messages unless a single agreed law is formally adopted, and under Parliament’s approach any scanning would only happen through specific, time‑limited orders approved case by case by a court or independent authority. In any case, any future scanning regime will (ideally) have to contend with EU Charter rights, specifically Article 7 on private life and communications and Article 8 on personal data and independent oversight.