The European Council has quietly advanced a new iteration of its controversial Child Sexual Abuse Regulation (CSAR), a move privacy advocates are calling a "Trojan Horse" for mass surveillance. On November 26, in a closed session, member states approved a negotiating mandate that, while dropping the language of "mandatory scanning," effectively coerces tech companies into implementing it voluntarily.
Here is what this means for the future of digital privacy in Europe.
The "Voluntary" Trap
The previous draft of the CSAR—dubbed "Chat Control"—faced immense backlash for proposing a direct mandate that would compel platforms to scan private, encrypted messages (Client-Side Scanning). The new mandate attempts to circumvent this opposition by shifting the burden from legal compulsion to business coercion.
Instead of explicitly forcing companies to scan, the new framework incentivizes "voluntary" scanning. Online services will be categorized by their risk levels; those that refuse to adopt "upload moderation" tools to scan for Child Sexual Abuse Material (CSAM) could face strict penalties or be categorized as high-risk. Critics, including former MEP Patrick Breyer, argue this replaces legal obligation with regulatory blackmail, effectively making mass surveillance a condition of doing business in the EU.
The Death of Anonymity?
Perhaps even more alarming than the scanning provisions is the introduction of mandatory age verification. To "reliably identify minors," the regulation would require platforms to implement strict age-checks for all users.
In practice, this could mean the end of anonymous internet usage in Europe. Users may be forced to upload government IDs or submit to facial recognition biometrics just to use basic messaging apps or email services. This creates a massive honey pot of sensitive data and disproportionately affects whistleblowers, journalists, and activists who rely on anonymity for their safety.
Tech and Political Pushback
The proposal is not without its detractors. The "voluntary" nature of the scanning is seen by many experts as a distinction without a difference. If the only way to avoid punitive regulation is to scan messages, then scanning becomes mandatory in all but name.
• Political Opposition: The Netherlands, Poland, and the Czech Republic voted against the mandate, citing concerns over the erosion of privacy and the technical infeasibility of the proposals. Italy abstained.
• Tech Sector Reaction: Privacy-focused companies like Mullvad VPN and tech figures such as David Heinemeier Hansson have publicly condemned the move. The consensus among security experts remains that you cannot build a backdoor (or a scanning mechanism) for "good guys" without breaking encryption for everyone.
What Happens Next?
The approval of this mandate is not the final law, but it paves the way for "trilogue" negotiations between the EU Council, the Commission, and the Parliament. The goal is to finalize the regulation before April 2026.
For the tech community, the signal is clear: the battle for end-to-end encryption in Europe is entering a critical new phase. The strategy has shifted from direct legislative attacks to a more subtle pressure campaign, but the end goal—access to private communications—remains the same.
