Chat Control: From GDPR to Mass Surveillance – Europe’s Dangerous Shift

The European Union is on the verge of enacting one of the most profound intrusions into digital privacy since the inception of the internet. The draft law for the so-called “Chat Control,” officially the “Regulation to Prevent and Combat Child Sexual Abuse,” initially appears to be a necessary protective measure. However, in reality, it is a proposal that not only undermines encrypted communication but also questions the fundamental rights of hundreds of millions of EU citizens.

A Law That Abolishes Encrypted Communication

The draft proposes that providers like WhatsApp, Signal, or Telegram be required to scan messages before encryption. In other words, every private photo, text message, and video could be scrutinized—regardless of whether there is any suspicion. This effectively nullifies the principle of end-to-end encryption.

15 member states have already indicated their support for the law. But that’s not enough. To achieve a qualified majority in the Council, the supporters must represent states that make up at least 65% of the EU population. This is where Germany comes into play. According to analyses by Cointelegraph, the decision of the German government could be decisive. If Germany supports it, the necessary majority would be reached.

Germany on the Brink

Particularly critical: Germany has already passed laws in 2021 that allow authorities to monitor communications without specific suspicion. A “little brother” of Chat Control already exists—and could now be extended to the entire EU. Netzpolitik.org published internal documents showing that there is no clear line within German politics. While the Greens and AfD firmly oppose the draft, members of SPD, CDU, and CSU remain conspicuously silent.

This indecision could have fatal consequences. If Germany tips or abstains, the path would be clear for a law that places all citizens under general suspicion.

Growing Criticism from Civil Society and Academia

Civil society organizations, data protection advocates, and IT experts are up in arms. More than 400 scientists have pointed out in an open letter that the planned technology simply does not work reliably. Automated scanners produce a mass of false positives—false alarms that ultimately burden innocent citizens rather than criminals. A harmless vacation photo or a medical message to one’s doctor could be enough to trigger investigations.

The German company Tuta Mail, a provider of an encrypted email service, was even more explicit: “We will sue the EU if Chat Control comes into force,” announced CEO Matthias Pfau to TechRadar. For Tuta, the matter is clear: The regulation destroys the fundamental principle of end-to-end encryption and thus the privacy of all users. The alternative would be to leave the European market—a scenario that other providers are also considering.

From GDPR to Mass Surveillance

The absurdity of this endeavor is evident: The same EU that set global standards for data protection and informational self-determination with the GDPR is now about to undermine these achievements with a single law. Instead of protecting encryption as a cornerstone of a free and secure society, it is being declared the enemy.

The argument of “child protection” should not obscure the fact that a dangerous precedent is being set here. Once it is accepted that all private communication can be scanned, the door is opened for surveillance in all areas—whether for counter-terrorism, political control, or simply for enforcing economic interests.

The Crucial Question

How is this law supposed to be compatible with the GDPR? How can the EU preach the highest data protection standards on one hand and establish a surveillance instrument that undermines the core of these standards on the other?

The coming weeks will show which course Europe will take: Does it want to continue being a pioneer for digital fundamental rights—or willingly pave the way into an era of total surveillance?