Does the EU chat control law require providers to scan archived messages sent before enactment?
Executive summary
Available reporting on the EU “Chat Control” (CSAR) proposal shows no single, settled text requiring providers to scan archived messages sent before the law’s enactment; instead, recent Council amendments moved the proposal away from a blanket mandatory interception and replaced it with softer or voluntary measures in places [1] [2]. Critics and civil-society groups say earlier drafts and advocacy language create practical pressure that could functionally push providers toward scanning, including archives, but the public sources do not quote an explicit retrospective-archive scanning mandate in the most recent compromise texts [3] [2].
1. What the debate is about: scanning, encryption and archives
The core dispute is whether the EU should require platform providers to detect child sexual abuse material (CSAM) in private communications — including end-to-end encrypted messages — and whether any obligation would extend to stored (archived) content as well as new messages. Early proposals envisaged client-side or upload-moderation scanning that would operate at the point of messaging, which critics warned could be extended to stored content; recent Council work, however, backed away from an explicit mandatory interception model, making the legal picture unsettled rather than plainly retroactive [4] [1] [2].
2. Where recent political movement has changed the terms
In late 2025, a political compromise in the Council significantly altered the trajectory of Chat Control: Denmark’s presidency produced a revised draft, and the Council’s November/December activity scaled back the most controversial mandatory interception language, shifting toward a “softer” compromise that avoids an explicit, across-the-board requirement to break end-to-end encryption [2] [1]. Multiple observers report that the most explosive element — a blanket forced scan of encrypted content — has been removed or downgraded in the Council text [5] [1].
3. What critics say about archives and “indirect” obligations
Privacy advocates, MEPs and campaign groups warn that even without a direct retroactive scanning clause, wording like “all appropriate risk-mitigation measures” or obligations on providers to take steps to ensure safety could create strong indirect pressure to deploy scanning — including on archives — to avoid sanctions or liability. Patrick Breyer and civil-society groups explicitly argue that such phrasing can operate as a back-door obligation to scan stored material [1] [3].
4. Technical and practical constraints noted by experts
Independent assessments and Parliament analyses documented in reporting flag that technologies for reliable CSAM detection produce high error rates and false positives, a problem that worsens at scale and with diverse archived datasets; those technical limits inform lawmakers’ caution and explain why Council actors have stepped back from a blunt mandatory interception rule [6] [1].
5. Diverging member-state and stakeholder positions
Supporters from countries such as France, Italy, Spain and Sweden have argued for strong measures to close gaps in private messaging where harmful content circulates; other member states and many digital-rights groups oppose making interception mandatory because it undermines encryption and privacy. That split produced the “softer” compromise described in Council materials and prompted continued parliamentary questions and scrutiny [4] [7] [8].
6. What the available sources do not say (and why that matters)
Available sources do not present a single final legal text that explicitly orders scanning of archived messages created before enactment; reporting instead describes shifting drafts, political compromises, and warnings about ambiguous wording that could be interpreted as obliging providers in practice [1] [2]. That absence matters: until a final legislative text is published and translated into implementing acts, legal obligations on archives remain a matter of interpretation and risk, not a confirmed retrospective rule [6].
7. Practical implications for providers and users
Providers face legal and reputational pressure either way: if the final regulation includes liability-linked “risk mitigation” duties, many firms could choose to scan archives proactively to avoid penalties; if the final law preserves stronger encryption protections and optional approaches, providers may keep archives unscanned. Civil-society groups warn that voluntary or indirect regimes still create incentives that function like mandates in practice [3] [9] [2].
8. Bottom line for readers and advocates
At present, reporting indicates no clear-cut statutory command in the latest Council compromises to retroactively scan archived messages, but the legislative language remains contested and ambiguous; critics see words that could be enforced as de facto obligations, while supporters highlight scaled-back mandatory interception language. Watch for the final consolidated trilogue text and the Official Journal publication — only those will definitively show whether archives are expressly covered [1] [6].