Will the eu chat control law require scanning of messages sent before it took effect?
Executive summary
The current EU “Chat Control” proposal (the Regulation to Prevent and Combat Child Sexual Abuse, or CSA Regulation) has been negotiated through 2025 with shifting texts: earlier drafts envisaged mass scanning of private communications including encrypted messages, but more recent Council compromise texts moved away from mandatory interception/scanning toward voluntary or mitigated approaches (see Council timeline and compromise steps) [1] [2] [3]. Available sources do not definitively state that the final law — still under negotiation as of late 2025 — would require retroactive scanning of messages sent before it takes effect; reporting instead focuses on whether scanning would be mandatory, voluntary, or limited and on technical and legal safeguards [2] [4] [5].
1. What the proposal has said so far: mass scanning, then compromises
Early proposals explicitly contemplated broad, even client‑side, detection that critics called “mass scanning” of private communications, including encrypted conversations, which raised Article 7 privacy concerns in Parliament and civil‑society reporting [1] [2]. By mid‑to‑late 2025 the Danish Presidency and Council texts softened that approach: the most controversial mandatory interception/scanning language was pulled back in some drafts and replaced by voluntary or risk‑based measures in the Council compromise [2] [3] [4].
2. What reporters and advocates are focusing on: future scope, not retrospection
News outlets and digital‑rights groups have concentrated on whether scanning would be mandatory versus voluntary, whether client‑side scanning would be required, and whether the law would indirectly pressure firms to scan [6] [3] [7]. These accounts and parliamentary questions frame the debate around prospective obligations and technical feasibility, not around explicit retroactive scanning of historical messages [2] [1].
3. No clear evidence in available sources that the law would require retroactive scanning
The reporting and official documents in the provided set do not state that the draft regulation would compel providers to scan communications sent before the law enters into force. Sources describe obligations applying to providers going forward, possible mitigation measures, and the risk that scanning tools could be repurposed — but not a rule requiring retrospective scanning of stored messages as an explicit, universal mandate [2] [6] [4]. Therefore, the definitive claim that Chat Control would force scanning of pre‑existing messages is not documented in these sources.
4. Why people raise the retroactivity worry anyway
Campaigners and critics argue that any obligation to implement detection systems creates a practical pathway for scanning stored content — for example, when providers are told to take “all appropriate risk mitigation measures” or to scan links, images and videos shared on their services — which could be interpreted to include analysing already‑stored data [4] [3]. Tech and rights groups warn that even “voluntary” frameworks and indirect pressure could produce de facto mass scanning over time [6] [7].
5. Competing views in the sources: Council vs Parliament vs activists
The European Parliament’s 2023 mandate insisted on targeted measures and sought to rule out indiscriminate scanning, while Council compromise texts have oscillated between stronger and weaker obligations; campaign sites and privacy NGOs portray the proposal as mandating scanning, whereas some Council and Danish Presidency statements present the November 2025 compromise as moving to voluntary scanning or preserving the status quo on interception [8] [3] [4].
6. Practical and legal limits to retroactive scanning noted in reporting
Analysts and media reports highlight feasibility, legal and technical barriers: false positives, encryption challenges, and ePrivacy safeguards that constrain mass monitoring. Journalists also reported that the Danish Presidency’s revised text explicitly avoided making interception and scanning mandatory — a change that, in practice, reduces the plausibility of a blanket retroactive mandate [5] [2] [4].
7. What to watch next
The law’s final text will emerge only after Council‑Parliament trilogues and formal votes; key procedural dates and the Danish Presidency’s November 2025 compromise matter for how obligations are framed [2] [3]. If the final text contains wording requiring “risk mitigation measures” without clarifying scope, activists warn courts or regulators could interpret that to include historic data; conversely, explicit limits in the final regulation would block retroactive scanning [4] [6].
Limitations: the provided sources document shifting proposals, political positions and advocacy claims through late 2025 but do not contain a final, published regulation text that would definitively answer whether retroactive scanning is mandated; available sources do not state that the law requires scanning of messages sent before it takes effect [2] [4].