News Analysis 11 min read

EU ePrivacy Vote Excludes Encrypted Chats, But The Law Is Not Final

Parliament excluded end-to-end encrypted communications from a temporary EU scanning derogation. The Commission supports the amendments, but the Council must still decide.

By Protocol Report Editorial | Updated July 16, 2026
Encrypted messages bypassing a transparent inspection plane beside an unfinished three-stage legislative process
Short Version

The European Parliament amended a proposed temporary derogation from EU ePrivacy rules on July 9, 2026. Its three amendments exclude number-independent interpersonal communications to which end-to-end encryption is, has been, or will be applied. On July 15, the European Commission gave the amendments a positive opinion while saying the exclusion would benefit from more precision and clarity.

This is not a final law and it is not a general EU mandate to scan chats. The file remains at second reading, awaiting a Council decision. If the Council accepts every amendment, the text can be adopted. If it does not, the institutions move toward conciliation. The old interim derogation expired on April 3, so no restored framework is currently in force and the proposal expressly has no retroactive effect.

Key Takeaways

  • check_circle Treat Parliament's July 9 action as an amended second-reading position, not a completed regulation.
  • check_circle The proposed carve-out covers communications to which end-to-end encryption is, has been, or will be applied.
  • check_circle The measure concerns voluntary provider activity under a temporary ePrivacy derogation; it does not itself order every service to scan messages.
  • check_circle The prior framework expired on April 3, 2026, and the proposed restoration would not operate retroactively.
  • check_circle The Commission supported the amendments on July 15 but warned that the encryption exclusion lacks precision and clarity.
  • check_circle Messaging providers should map service modes and data flows now, while avoiding implementation claims until the Council acts and final text is published.

What Parliament Changed

On July 9, the European Parliament considered the Council's first-reading position on a temporary derogation from parts of the ePrivacy Directive. Parliament adopted three amendments. According to the Parliament's press release and the Commission's subsequent opinion, all three exclude number-independent interpersonal communications to which end-to-end encryption is, has been, or will be applied from the proposed regulation's scope.

The wording is broad in time as well as technology. It is not limited to a message that happens to be encrypted at the instant of inspection. The phrase covers communications to which end-to-end encryption is applied, was applied, or will be applied. That matters for queued delivery, encrypted history, migration, device linking, and systems that transform a communication as it passes through different service components.

The vote also needs procedural context. An absolute majority was required to reject or amend the Council position at second reading. Parliament reports that 314 members initially supported rejection, short of the required 360. After the amendments were considered, there was no majority to reject the amended Parliament position. Second reading in Parliament therefore closed and the amended position went to the Council.

The July 15 Commission Opinion Matters

The European Commission issued its formal opinion on Parliament's amendments on July 15. It supports adopting the temporary derogation as amended, calling it an exceptional and strictly temporary response to the legal gap. The Commission also says the restoration would have no retroactive effect. That opinion removes one institutional objection, but it does not convert Parliament's position into law.

The support is qualified. The Commission says the scope of the encryption exclusion would benefit from more precision and clarity to protect children from sexual violence and secondary victimisation. It nevertheless considers the amendments acceptable because of the interim measure's limited duration and purpose. Providers should read that as a live interpretation issue, not as permission to invent a narrow or broad definition on their own.

The Commission also separates this interim file from negotiations on the permanent regulation. Its positive opinion is expressly without prejudice to its position on that longer-term framework. A temporary exclusion for encrypted communications therefore does not settle how a later, mandatory regime might address encryption, risk assessments, detection orders, or provider duties.

Why The Proposal Is Not Yet Law

The Legislative Observatory lists the file as 'Awaiting Council decision, 2nd reading.' Parliament says the Council has three months to approve or reject the amendments. If the Council accepts all of them, the act can proceed to adoption and publication. If it does not accept them all, Parliament and Council move to conciliation in an effort to agree a joint text. Until that process produces and publishes an act, the amended position is not an operative scanning rule.

The timeline explains the urgency. Regulation (EU) 2021/1232 created a temporary derogation that allowed qualifying providers, subject to conditions, to conduct certain voluntary activities to detect and report online child sexual abuse and remove relevant material. After a 2024 extension, that framework expired on April 3, 2026. The Council adopted a first-reading position on July 2 to restore the derogation until April 3, 2028.

Parliament's July action followed the Council text rather than starting a fresh proposal. The Commission now supports Parliament's three encryption amendments, but the current public procedure record still awaits the Council. Headlines that say the EU has adopted chat scanning, permanently banned it, or enacted an encryption exception all move beyond the confirmed legal stage.

What The Temporary Derogation Would Do

The ePrivacy Directive protects the confidentiality of communications and traffic data. The expired interim regulation temporarily derogated from Articles 5(1) and 6(1) for a narrow purpose. It did not itself create a legal basis under the GDPR. Instead, it removed specified ePrivacy obstacles when a provider voluntarily chose to use qualifying technologies to detect online child sexual abuse, report it, and remove child sexual abuse material, while meeting the regulation's conditions and other data-protection law.

Those conditions are substantive. The 2021 regulation required processing to be strictly necessary and proportionate, use technologies that are least privacy-intrusive according to the state of the art, limit systematic text analysis, address accuracy and false positives, provide complaint and redress mechanisms, restrict retention, and publish transparency information. It also stated that nothing in the regulation should be interpreted as prohibiting or weakening end-to-end encryption.

Parliament's new exclusion is stronger than that recital-level protection because it changes scope: encrypted communications would sit outside the derogation rather than merely receiving an assurance that encryption should not be weakened. Even then, the proposal remains an exception governing voluntary provider processing. It is different from the separate permanent proposal, which has contemplated mandatory risk and detection mechanisms and remains under negotiation.

What Messaging Providers Should Map Now

Providers should inventory communication modes instead of classifying an entire brand as encrypted or unencrypted. One service can contain end-to-end encrypted private messages, server-readable group spaces, public channels, cloud backups, abuse-report attachments, safety metadata, support exports, and optional encrypted modes. The proposed wording attaches to communications, so product teams need a data-flow map that identifies where content is encrypted, who holds keys, when state changes, and which supporting data remains outside content encryption.

Legal and engineering teams should separately document the basis for any existing voluntary detection, the data processed, the technology used, recipients of reports, retention, false-positive handling, user redress, and geographic scope. The April expiration means a provider should not assume the old EU derogation silently continued. National law, the GDPR, ePrivacy implementation, and service-specific facts still need review while the institutions decide the new text.

Architecture choices should remain reversible. Do not weaken encryption, introduce client-side inspection, or expand server access on the assumption that the Council will reject Parliament's carve-out. Do not promise that all encrypted features are permanently outside future EU rules either. Preserve clean separation between encrypted content, server-visible metadata, abuse reports initiated by users, and non-encrypted service areas so a final legal obligation can be implemented without silently changing the security claim made to users.

A Precise Reading For Users And Operators

For users, the strongest confirmed development is Parliament's explicit scope exclusion for end-to-end encrypted communications, backed by a positive Commission opinion. It is not evidence that a provider can never access backups, reports, metadata, or unencrypted service modes. End-to-end encryption describes who can read protected content and under what key design; it does not make every datum associated with an account invisible.

For operators, the strongest confirmed limitation is procedural. The Council has not yet accepted the amendments, the regulation has not been published, and the prior derogation is expired. Product notices, compliance plans, and public statements should use conditional language. State what the service encrypts today, what processing occurs outside encrypted content, and which legal development would trigger a change.

The next decisive event is the Council's response. Acceptance would restore a temporary voluntary framework with encrypted communications excluded. Rejection of any amendment would open conciliation and another text could emerge. The practical discipline is to follow the official procedure file, retain a versioned legal and technical data-flow map, and distinguish current product behavior from proposed EU authority.

Checklist

  • Track procedure 2025/0429(COD) for the Council decision and any conciliation documents.
  • Do not describe the July 9 Parliament vote as final adoption or a current scanning mandate.
  • Map each messaging mode, backup path, report flow, and metadata store instead of applying one label to the whole service.
  • Record where end-to-end encryption begins and ends, who controls keys, and whether content changes state during delivery or storage.
  • Review the legal basis for any current voluntary detection after the April 3 expiration of Regulation 2021/1232.
  • Keep user-initiated reporting, encrypted content, server-readable areas, and safety metadata technically and contractually distinct.
  • Prepare conditional implementation paths, then wait for adopted and published text before claiming a new EU obligation.

Sources

Related Articles

Continue Reading