Does the EU chat-control law permit retrospective scanning of message archives?
Executive summary
The available reporting indicates the Chat Control / CSAM regulation centers on client‑side scanning of messages before they are sent and on mandatory scanning by service providers, but it does not clearly or consistently authorize blanket, retrospective automated scanning of end‑to‑end encrypted archives without breaking encryption — and several sources explicitly note that encrypted archives are not detectable by the proposed algorithms [1] [2] [3]. At the same time, for communications that are not end‑to‑end encrypted (for example many emails or server‑stored messages), providers already scan stored content and the proposal would reinforce or expand such scanning in practice [4] [1].
1. What the proposal says about how scanning happens: before-send client-side scanning vs. server-side scanning
A central technical hook of the Chat Control debate is client‑side scanning — analysing content on a user’s device before encryption and transmission — which the draft law repeatedly contemplates as the mechanism to catch CSAM on otherwise end‑to‑end encrypted channels, while server‑side scanning remains the routine method for services that do not use E2EE [2] [1] [4]. Multiple explainers and civil‑society critics describe the regime as requiring providers to build upload‑moderation or detection systems that examine content “before it is sent” or while it “sits on” provider servers, depending on the service architecture [1] [4] [2].
2. Encrypted archives: what reporting says about retrospective scanning of stored encrypted messages
Reporting and expert commentary underscore a practical limit: the detection algorithms and client‑side approaches do not “recognize encrypted archives or links,” meaning automated retrospective scanning of already‑encrypted archives on a device or in storage is not presented as feasible without access to plaintext or a weakening of encryption [3] [2]. Several sources stress that forcing retrospective scanning of end‑to‑end encrypted archives would effectively require breaking or bypassing encryption — a step opponents argue the draft explicitly sought to avoid or that would be legally and technically fraught [5] [6] [2].
3. For non‑E2EE archives, retrospective scanning is already plausible and would likely expand
Where messages are not protected by end‑to‑end encryption — notably many email services and server‑stored communications — the law’s logic and existing practice make retrospective or stored‑data scanning straightforward: providers can and do scan content stored on their servers, and the proposal’s expansion of detection obligations would likely extend that practice and standardize reporting pipelines to authorities [4] [1]. In short, retrospective automated scanning of archives is practically permitted and already occurring for non‑E2EE services, and the proposal would institutionalize broader scanning obligations [4] [2].
4. Legal uncertainty, safeguards and the political fight over scope
Across the sources there is clear disagreement about legal permissibility and proportionality: data‑protection bodies warned the proposal risks “de facto generalized and indiscriminate scanning” of communications [7], campaigners say it would scan “every private message, photo, and file” [8], while other stakeholders note the Danish Council position backed away from forcing encryption‑breaking but left room for voluntary detection and expanded scanning of non‑encrypted content [5] [9]. That political back‑and‑forth leaves a legal grey zone: the draft envisions powerful scanning mechanisms, but whether those mechanisms will lawfully permit autonomous retrospective scanning of encrypted archives remains unresolved in the public reporting and hinges on final text, technical definitions, and judicial review [5] [7] [6].
5. Bottom line: permitted in practice for unencrypted archives; not clearly permitted for encrypted archives without breaking encryption
The synthesis of reporting is categorical on one point and ambiguous on another: retrospective automated scanning of stored, unencrypted message archives is already feasible and the regulation would likely extend and normalize it [4] [1], whereas retrospective scanning of end‑to‑end encrypted archives is not presented as a realistic capability under the proposal without compromising encryption — and sources explicitly note the algorithms do not recognize encrypted archives and that forcing access would mean weakening encryption [3] [2] [5]. The final determination therefore depends on the law’s ultimate wording and implementation details, and the current public reporting does not show a clear, explicit authorization to retroactively scan encrypted archives without breaking encryption [3] [5] [7].