Huge Victory: Chat Control no longer forces us to break encryption! But: It now wants age verification.

The EU Regulation to Prevent and Combat Child Sexual Abuse, first published in May 2022, has become the "most criticized law of all time". Here's how to stop it now!

Stop Chat Control: The most criticized EU law ever.

Chat Control is making the news again: Due to huge public pushback, the Danish presidency has given up on mandatory client-side scanning and will not force European communication providers to break end-to-end encryption, but the draft law now wants to push through mandatory age verification. The trilogue with the European Parliament starts today. And there's hope: We've been fighting against Chat Control since 2022 - so far with success. So let's fight the Child Sexual Abuse Regulation (CSAR) once again and explain to politicians why undermining everybody's privacy is a step backwards, not forwards!


Chat Control was first proposed in 2022, but despite several attempts by Hungary, Sweden, and others, the draft has still not made it into law. In 2025, the Danish presidency of the EU Council proposed a new version of Chat Control - and one that was worse than those that came before: If the Hungarian proposal was bad, the Danish version was even more extreme, pushing for the creation of an Orwellian world. Danish Minister of Justice and chief architect of this Chat Control proposal, Peter Hummelgaard, even said:

“We must break with the totally erroneous perception that it is everyone’s civil liberty to communicate on encrypted messaging services.”

Stop Chat Control: Fight for privacy isn’t over!

The Chat Control proposal by Denmark wanted to force mandatory scanning of all private communications — including secure, encrypted chats — by inserting dangerous client-side scanning into your messaging apps.

It’s very telling that government and military accounts would be exempt from this privacy invasion while citizens’ and businesses’ data would be up for grabs.

But what made this even worse is that this 2025 version didn’t just recycle previous proposals for client-side scanning by the EU — it went further. If passed, law enforcement all over Europe would have been able to compel online communication providers to scan for “unknown” content using unreliable AI, not just for known illegal material.

Given all the privacy issues we are already seeing around AI tools (just think about how Google might train its AI with all your data, or how LinkedIn opted users into AI training without asking for consent), people are now actively looking into how to disable Gemini on Android, or how to turn off Meta AI on WhatsApp. And, yes, as a privacy-first email provider, we can also say that using AI in email is not a good idea.

Despite this trend - to protect one's data from aggressive AI abuse - EU politicians wanted to give AI even more and deeper access into everything we do online, including scanning of encrypted messages. Instead of protecting users’ data, politicians wanted to create an encryption backdoor that threatens the security and privacy of everyone.

Encryption will not be broken

But resistance to this draft version of Chat Control was huge. People did not agree with the immense extent of mass surveillance and pushed back:

If Chat Control is passed, opaque AI algorithms will decide whether your personal messages and your private pictures will be flagged or leaked. This undermines online privacy for over 450 million EU citizens, which is something we must not accept. What’s more, a leaked German government memo confirms the Council’s own lawyers believe this draft law violates fundamental rights, weakens encryption, and is unlikely to survive in court — achieving nothing for child protection while destroying privacy for all.

As a result, the Danish presidency amended its proposal, and the new version that the EU Council passed on November 26 came with many changes.

The Chat Control draft passed on November 26, 2025 by the EU Council:

  • 🎉 No longer asks for mandatory scanning
  • 🎉 No longer forces providers to break encryption
  • ❌ Enables companies to perform voluntary scanning
  • ❌ Asks for mandatory age verification checks

This draft law means two things: First, Google, Meta, and other Big Tech companies will be able to continue scanning all your private messages. Second, email providers, chat apps, and other communication providers will be obliged to perform age verification, which will harm your right to privacy and kill anonymity online.

For once, Big Tech is already moving ahead with legal compliance; for instance, YouTube has already started to ask for age verification.

We at Tuta do not agree with this approach. Check here why anonymity matters, and why we must continue to fight Chat Control.

Take action now

The fight in the EU Council is now over. We fought hard to stop the EU Council from passing mandatory Chat Control that would have included undermining of encryption, and we’re excited that with all of your help we’ve won! But the fight for privacy is far from over.

The fight continues in the trilogue where the EU Council must find a compromise with the European Parliament.

Now is the time to contact your representatives in the EU Parliament to stop mandatory age verification. Contact your MEPs now!

And make noise on social media! One fact that makes Chat Control so controversial in Germany - and should be in the entire EU - is that we in Germany actually call this law “Chat Control” - not Upload Moderation, ProtectEU, or whatever name the EU Council comes up with. So follow this call on YouTube, and call this law by its real name: Chat Control.

The clock is ticking and the time to stop Chat Control is now!

Make Germany oppose Chat Control again!

Germany, under a new government since May 2025, is no longer clearly opposing Chat Control. This is a warning to everyone in favor of privacy, and must make everyone act now to turn the tide in this large EU country. The politicians' point of view is particularly worrying, as they seem to no longer clearly oppose Chat Control despite its disproportionate mass surveillance - which is a very delicate topic for many Germans, given that in our recent history mass surveillance was daily business in Eastern Germany. The approach of Chat Control looks very similar to the history of data retention legislation in Germany - which was declared illegal multiple times. But politicians kept trying, until finally agreeing on data retention that explicitly excluded emails as a means of personal communication that deserves privacy.

This approach is highly questionable, and we must not allow politicians to get away with it.

So back to Chat Control: In 2024, the legal experts of the EU Parliament’s Scientific Service concluded in a study on the legality of Chat Control:

“When weighing the fundamental rights affected by the measures of the CSA proposal, it can be established that the CSA proposal would violate Articles 7 and 8 of the Charter of Fundamental Rights with regard to users.”

According to the legal services of the EU, the CSAR proposal’s parts on client-side scanning are disproportionate and contrary to fundamental rights. In our view, this is still true even if scanning is not mandatory, but voluntary.

This leads to the major Chat Control criticism: The EU CSA Regulation is illegal under EU law.

EU Commission’s conflicting statements

The EU Commission, however, rejects the arguments of the opponents and claims that you can protect and scan chats at the same time - without giving any evidence of how this should be done.

At the same time, another fact within the draft law makes it clear that Chat Control is a surveillance tool: Non-public communication services, for example the military services, are to be exempted. This is to protect “confidential information, including classified information.”

States do not want Chat Control for their own communications, but the chats of others should be monitored.

A look into the past: Criticism of Chat Control during the last three years

1. Chat control may be illegal

The core problem of CSAR is the following: scanning the communications of unsuspected persons en masse without cause is disproportionate and contrary to fundamental rights.

In May 2022, the European Commission proposed to introduce mandatory requirements for all chat, messaging and email services, even when providing end-to-end encryption, to scan messages for illegal child sexual abuse material (CSAM). But since their publication, the proposed measures have been criticized across Europe, as they could lead to the de facto “permanent surveillance of all interpersonal communications”.

The EU Charter of Fundamental Rights guarantees the right to privacy for all people living in the European Union. Consequently, the EU legal advisors have concluded that European Chat Control proposals which would require tech companies to scan private and encrypted messages for child abuse material (CSAM) are in breach of EU law.

The controversial EU law will enable governments to serve “detection orders” on technology companies, requiring them to scan private messages and emails for “indicators of child abuse”. This could undermine encrypted communications, which is criticized by security experts as well as privacy advocates as being general and indiscriminate mass surveillance. In addition, one must remember that the German Federal Constitutional Court has even declared data retention illegal in Germany for being “disproportionate”.

It is highly likely that the CSA Regulation - should it become law - would be declared illegal by the European Court of Justice (ECJ) as well. The requirement for companies such as WhatsApp, Signal and others to scan every message - even when encrypted - for child abuse material infringes people’s right to privacy, which is in conflict with the EU Charter of Fundamental Rights.

2. Lobbying from AI companies

In September 2023, new research was published that threw a very different light on Chat Control - and on who would really benefit if all Europeans were monitored 24/7 on the internet.

Next to Ashton Kutcher and his organization Thorn, a long list of organizations, AI companies and law enforcement are lobbying for Chat Control in Brussels. The research, for example, exposes the WeProtect Global Alliance as a government-affiliated institution that is closely linked to ex-diplomat Douglas Griffiths and his Oak Foundation. The latter has invested more than 24 million US dollars in lobbying for Chat Control since 2019, for example via the Ecpat network, the Brave organization and the PR agency Purpose.

The research “confirms our worst fears,” said Diego Naranjo, head of policy at civil rights organization European Digital Rights (EDRi). “The most criticized European law on technology in the last decade is the product of lobbying by private companies and law enforcement.” EU commissioner, Ylva Johansson, ignored “science and civil society” and proposed a law to “legalize mass surveillance and break encryption,” he said. “Child protection is being abused here as a door-opener for an infrastructure for mass surveillance without any reason,” complains Konstantin Macher of the data protection association Digitalcourage.

3. Most criticized EU law ever

According to the non-profit organization EDRi, an “unprecedentedly broad range of stakeholders have raised concerns that despite its important aims, the measures proposed in the draft EU Child Sexual Abuse Regulation are fundamentally incompatible with human rights”.

EDRi has published an impressive collection of 69 opposing voices from EU politicians, EU member states, tech companies and even child protection experts explaining why Chat Control must fail.

It also published an open letter signed by over 80 NGOs adding to the voice of almost 500 scientists and ~90 organizations explaining why we must fight for privacy in Europe.

No matter how politicians try to convince the public: Scanning our private messages for child sexual abuse material is mass surveillance. We must never allow this.

We at Tuta won’t accept Chat Control

At Tuta we are freedom fighters: We are at the forefront of the privacy revolution by offering everyone around the world a private email account.

Should the CSA Regulation continue to move forward in its current form, we would be willing to defend people’s right to privacy in court, as we have done before in Germany.

We put your privacy and security first: our code for Tuta’s automatic end-to-end encryption is publicly available, published as open source. We would never undermine our privacy promise or our encryption.

Our position remains firm: We will do whatever it takes to ensure your right to privacy.
