Will the EU Chat Control law require scanning of users' historic messages already stored by platforms?
Executive summary
The EU “Chat Control” debate has focused on whether platforms would have to scan private communications — including encrypted messages — and whether that scanning would apply to historical (already stored) messages. Council drafts discussed client-side scanning that inspects communications before encryption, and campaigners warn this could enable scanning of stored content; however recent Council texts reportedly dropped mandatory scanning and introduced a voluntary/targeted approach, leaving the question of historic-message scanning unresolved in available reporting [1] [2] [3] [4].
1. What the original Commission proposal said: broad scanning of private communications
The Commission’s 2022 proposal to prevent and combat child sexual abuse envisaged mechanisms that critics read as mass scanning of private communications, including encrypted conversations; multiple parliamentary questions and civil-society analyses flagged that the draft “envisages mass scanning of private communications” and raised compatibility concerns with fundamental rights [5] [6]. The implication in those sources is that detection would be broad in scope, which critics argue could capture historic content as well as new messages, but the proposal text’s operational details on already-stored messages are not quoted in the sources above [5] [6].
2. The technical hinge: client-side scanning and how it could reach stored content
A recurring technical concept in Council and industry commentary is client-side scanning — analysing content on a user’s device before encryption — which, if mandated, would allow platforms or device-side tools to check messages, images and videos prior to encryption [1] [2]. Sources explain client-side scanning inspects content at the endpoint; that mechanism can be applied to content being created or to content already present on a device or in a user’s account depending on how an obligation is written and implemented. The cited analyses warn this creates a “backdoor” risk that could be used against both live and stored communications [2] [1].
3. Council politics changed the mandate: mandatory scanning removed, voluntary or targeted measures discussed
Reporting from Council negotiations shows a political shift: several EU member states and the Danish Presidency moved away from a regime of mandatory, blanket scanning. Some outlets report the Council “drops mandatory message scanning” and that Denmark produced a compromise making scanning voluntary or more targeted, which changes the legal force that would require platforms to scan historic archives [3] [4]. Those sources indicate the blunt “scan everything” model has been softened in late-2025 Council texts, but they do not fully define the boundary between voluntary scanning, targeted orders, and what would happen to stored messages [3] [4].
4. Advocacy and rights groups: insistence that stored messages remain at risk
Civil-society groups, privacy advocates and some MEPs continue to frame the proposal as a profound threat to the confidentiality of private messages, saying the mechanisms proposed would enable mass surveillance and could apply to encrypted and stored data [7] [8]. These actors emphasize that client-side scanning and mandatory detection orders — if reintroduced or interpreted broadly — could be used to scan both live and historic messages unless the final regulation contains explicit, narrow limits exempting stored content [7] [8].
5. Where the sources leave the question of historic-message scanning: ambiguity remains
The available reporting documents major shifts in political positions and technical proposals, but none of the provided snippets definitively state “historic messages must be scanned” as an unconditional rule in a final, adopted legal text [9] [3] [4]. Several sources describe how the draft would enable scanning of messages “before they are scrambled” or speak of scanning platforms’ stored content in general terms, but they do not quote a final clause obliging retrospective scanning of archives; the Council compromise reportedly removed mandatory scanning though critics say risks persist [1] [2] [3]. Therefore, available sources do not mention an authoritative final rule that requires scanning of users’ historic messages already stored by platforms.
6. Competing readings and what to watch next
There are two competing narratives in the reporting: one — pushed by privacy groups, technologists and some MEPs — that any client-side or detection obligation inherently enables scanning of historic and encrypted content and thus threatens archived messages [2] [7]; the other — reflected in recent Council compromises and some fact-checking pieces — that negotiators have watered down or made scanning voluntary/targeted, reducing or shifting the obligation away from blanket historic scanning [3] [4] [10]. The decisive texts to read are the final Council position, subsequent trilogue compromises and the regulation as published in the Official Journal; sources warn the law could still be reworked in trilogue talks [9] [11].
Limitations: this briefing relies only on the supplied reporting and advocacy material; none of the provided sources quote a final, adopted legal article that explicitly compels platforms to scan historic user messages after law entry into force, so the absolute legal outcome remains not found in current reporting [9] [3] [4].