A fresh vote in the European Parliament has pushed one of Brussels’ most controversial digital policy battles back to the top of the agenda. But despite the political noise, the legal reality is more complicated than the slogan “Chat Control” suggests — and the outcome could matter greatly for Poland.
The European Union’s long-running effort to police child sexual abuse material online has once again collided with privacy law, encryption and national politics. On July 9, 2026, the European Parliament voted on the latest attempt to revive interim rules allowing online services to scan for child sexual abuse material and report it to authorities.
For critics, the issue is a test of whether Europe will normalise large-scale monitoring of private communications. For supporters, it is about preserving one of the few tools platforms can still use to detect and remove some of the most serious criminal material online. For Poland, it lands directly in a familiar political fault line: how to protect children without opening the door to broad surveillance of ordinary citizens.
What happened in Brussels this week?
To understand the July 9 vote, it helps to separate two different legal tracks that are often collapsed into one debate.
The first is the permanent regulation proposed by the European Commission in May 2022. That proposal would create a long-term framework to prevent and combat child sexual abuse online. It has become widely known as “Chat Control” because of fears that it could lead to intrusive scanning obligations, especially if applied to private messaging services or encrypted communications.
The second is the temporary ePrivacy derogation. This is an interim legal exemption that lets certain providers voluntarily detect, report and remove child sexual abuse material on their services, even though EU privacy rules would otherwise restrict that kind of monitoring.
That temporary regime was extended once in 2024, but it expired on April 3, 2026 after talks between Parliament and the Council broke down. Before that collapse, Parliament had adopted a narrower position on March 11, 2026, backing a more limited extension only until August 3, 2027 and insisting that any voluntary measures remain proportionate, targeted and outside end-to-end encrypted communications. But on March 26, after no deal was reached with the Council, Parliament rejected the broader extension proposal and the interim law lapsed.
The Council then moved on July 2, 2026 to reinstate the interim regime, arguing that a legal gap had opened and that providers needed to be able to resume voluntary detection while the long-term legislation remains under negotiation. The Council wants the temporary measure back in force until April 3, 2028.
That is what brought the file back to Parliament this week under second reading.
Why the phrase “Chat Control” is so politically explosive
The term “Chat Control” is not the official name of the law. It is the political label used by civil-liberties groups, privacy advocates and some lawmakers who believe the Commission’s broader project risks turning private digital communication into something closer to a monitored space.
The concern is not limited to public social media posts. It reaches into private messaging, cloud storage, email and the architecture of encrypted services. Opponents argue that once lawmakers normalise scanning at scale — even in the name of a universally condemned crime — the precedent becomes very difficult to contain.
Supporters answer that this framing is too dramatic. Their argument is that the objective is not blanket state surveillance of all Europeans, but preserving lawful mechanisms that help detect known child sexual abuse material, identify victims and assist police investigations. The Council’s public line has been that voluntary reporting by online services has real operational value and should not disappear while the EU still struggles to agree on a permanent framework.
That tension explains why the debate has become one of the most emotionally and constitutionally fraught digital files in Brussels.
Encryption remains the red line
The single most sensitive issue is end-to-end encryption. Services such as Signal, WhatsApp and other secure messengers depend on the principle that only the sender and the intended recipient can read the content of a message. Journalists, lawyers, businesses, activists and public officials depend on that promise every day.
Parliament has repeatedly tried to draw a line here. In its March 11 position, MEPs argued that voluntary detection should not apply to end-to-end encrypted communications and that scanning traffic data alongside content data should not be allowed. In Thursday’s second-reading vote, Parliament again backed amendments aimed at excluding communications to which end-to-end encryption “is, has been or will be applied.”
At the same time, the July 9 vote showed how messy the legislative process has become. A simple majority supported rejecting the Council position, but it fell short of the absolute majority required at this stage of procedure. Parliament also adopted amendments, which now go back to the Council. In other words, the file is still alive, still contested and still procedurally unsettled.
That matters because it means the headline is not “Europe has definitively imposed permanent chat surveillance.” It is closer to this: Europe is still fighting over how far temporary scanning powers can go, while the broader long-term law remains unresolved.
What this could mean for Poland
For Poland, the immediate implications are political, legal and practical.
First, there is the civil-liberties angle. Poland has its own history of heated disputes over surveillance powers, state access to data and the boundaries of constitutional privacy. A proposal that even indirectly touches private messages, encrypted services or automated scanning is almost certain to become part of a wider domestic argument about digital rights.
Second, there is the security and institutional angle. Encrypted communication is not an abstract issue for Poland. It matters to investigative journalists, lawyers handling sensitive client data, NGOs, whistleblowers, opposition figures, business executives and ordinary citizens who simply do not want their private messages exposed to weak or compromised systems. Even a partial weakening of trust in encrypted services would have consequences far beyond the original child-safety objective.
Third, there is the business angle. If the EU eventually settles on a more intrusive compliance model, digital platforms, messaging providers, cloud services and enterprise software firms operating in Poland could face higher legal and technical costs. That may include more reporting obligations, internal risk assessments, content moderation systems and pressure to prove they can cooperate with future EU rules. For startups and smaller providers, the burden would be proportionally heavier.
Fourth, there is the political positioning angle. According to statements cited through European newsroom reporting, Poland’s Ministry of Digital Affairs has said that Poland defends internet users’ privacy and opposes the mass scanning of private correspondence, while also supporting effective action against child sexual abuse material. That wording is important. It suggests Warsaw is trying to occupy a middle ground: tough on abuse, but resistant to normalising indiscriminate monitoring.
That balancing act may become harder to maintain if pressure grows inside the Council for a stronger long-term enforcement model.
What happens next?
In procedural terms, the story is not over. After Parliament’s July 9 second-reading vote, its amended position goes back to the Council. If the Council accepts all amendments, the interim rules can move forward in the narrower form Parliament wants. If it does not, the process goes into conciliation, where both institutions try to reach a common text.
Alongside that interim fight, negotiations also continue on the broader permanent child sexual abuse regulation first proposed in 2022. That is the file with the deepest long-term significance, because it is the one that could define future obligations for platforms, the role of national authorities and the extent to which encryption remains politically protected in Europe.
For now, the most honest conclusion is that the EU has not settled the matter. What it has done is reopen a divisive legal pathway that many privacy defenders hoped had closed in March.
The Polish question will not go away
For Warsaw, the real question is no longer whether this Brussels fight is relevant. It is whether Poland can keep defending strong privacy protections while supporting credible child-safety enforcement — and whether that balance can survive the pressure of EU-level compromise.
If the eventual answer from Brussels edges toward broader scanning or indirect pressure on encrypted services, Poland will not be watching from the sidelines. It will be one of the member states forced to decide where it stands when the promise of child protection meets the architecture of private communication.
Sources: European Parliament press release of March 11, 2026; European Parliament press release of July 9, 2026; European Parliament Legislative Observatory procedure 2025/0429(COD); Council of the EU press release of July 2, 2026; European Parliament Legislative Train and topic materials; European Newsroom reporting on member-state positions.


















