EU "Chat Control" NOT Withdrawn – Just Delayed Again (3rd Time): Denmark Drops Mandatory Scanning After Germany Blocks Vote

Compliance Hub

01 Nov 2025 — 9 min read

BREAKING UPDATE: Temporary Victory for Privacy Advocates as Voluntary Scanning Continues Until April 2026, But Poland's Upcoming Presidency Signals Renewed "Child Safety" Push

Bottom Line Up Front: Denmark has backed away from mandatory message scanning in the EU's controversial Child Sexual Abuse Material (CSAR) regulation after Germany's decisive opposition created a blocking minority. However, this marks the third delay—NOT an official withdrawal—of legislation that privacy advocates warn represents the most comprehensive surveillance system ever proposed in the democratic world. With voluntary scanning provisions expiring in April 2026 and Poland assuming the EU presidency in January 2026, the battle over encrypted communications is far from over.

What Actually Happened: A Strategic Retreat, Not a Surrender

On October 31, 2025, Danish Justice Minister Peter Hummelgaard announced that mandatory CSAM detection orders would no longer be part of the EU presidency's compromise proposal, opting instead to support voluntary detection by technology companies. This decision came after Germany announced on October 8 that it would not support the proposal, effectively tanking the Danish effort.

Critical Context: This is the third time the so-called "Chat Control" proposal has been blocked since its introduction in May 2022. Each previous iteration—under Hungary, Belgium, and Sweden—failed to secure the necessary qualified majority in the Council of the EU.

The Numbers That Matter

On October 7, 2025, a "blocking minority" of EU governments stopped the chat control plan, and the vote originally scheduled for October 14 did not take place because there was no majority for the proposal. Under EU qualified majority voting rules, a blocking minority requires either:

At least 4 member states representing more than 35% of the EU population, OR
At least 13 member states (regardless of population)

Germany's 83 million citizens proved decisive in achieving the population threshold needed to block the proposal.

The Blocking Minority: Who Actually Led Opposition

Correcting the Record: Early social media reports incorrectly identified Poland, Netherlands, and Italy as "leading" the opposition. Here's what actually happened:

Countries Firmly Opposed (The Real Blocking Minority):

Germany, Poland, Austria, Estonia, Slovenia, Luxembourg, the Netherlands, Finland, and the Czech Republic remained firm in their opposition to mandatory encryption-breaking provisions.

Germany: The Decisive Factor

Germany's position was critical because:

Population weight: 83 million citizens (18.7% of EU population)
Historical stance: The German Federal Constitutional Court has repeatedly declared data retention "disproportionate"
Public statement: German Federal Justice Minister Stefanie Hubig declared "Random chat monitoring must be taboo in a constitutional state"

Clarifying Other Countries' Positions:

Poland: Opposed, but will assume EU presidency in January 2026 (raising concerns about renewed attempts)
Netherlands: On October 1, following significant mobilization from civil society including Bits of Freedom and national opposition politicians, the Netherlands officially abstained from the proposal
Italy: Shifted from supporter to undecided—it did NOT lead opposition

For comprehensive background on the September blocking minority formation, see our analysis: EU Chat Control Fails Again: Blocking Minority Secured as Germany and Luxembourg Join Opposition

Why This Isn't Over: The April 2026 Cliff

Denmark's retreat is tactical, not ideological. The current model allowing for voluntary scanning expires in April 2026, creating what Danish officials characterize as a crisis that demands immediate action.

Denmark's Stated Concerns:

According to Justice Minister Hummelgaard: "Right now we are in a situation where we risk completely losing a central tool in the fight against sexual abuse of children. That's why we have to act no matter what. We owe it to all the children who are subjected to monstrous abuse."

What Denmark Is Proposing Now:

The Danish presidency circulated a discussion paper with EU country representatives on October 31, aiming to:

Codify voluntary scanning within the future CSAR framework
Strip out mandatory detection orders to achieve Council consensus
Progress to trilogue negotiations with Parliament before the presidency ends in December 2025

Critical Analysis: Privacy advocates argue this framing manufactures a false crisis. The voluntary Chat Control 1.0 system allows companies like Meta, Microsoft, and Google to scan for CSAM—but doesn't force encrypted services like Signal and WhatsApp to break their security architecture.

For detailed analysis of Denmark's tactics, see: "Do As I Say, Not As I Do": How Denmark Is Accused of Manufacturing a Crisis to Impose Mass Surveillance

The Poland Factor: What Happens in January 2026?

Poland assumes the rotating EU Council presidency on January 1, 2026—just three months before voluntary scanning provisions expire. This creates a perfect storm for renewed pressure:

Why Poland's Presidency Matters:

Timeline alignment: April 2026 expiration creates natural urgency
"Child safety" narrative: Poland can position itself as protecting children from a "regulatory gap"
Fresh negotiating mandate: New presidency brings new political capital to revive the proposal
Lesson from Denmark: Poland may avoid Denmark's mistakes by proposing less obviously invasive measures

Likely Polish Strategy:

Narrower scope: Target only "known" CSAM using hash-matching (not AI for "unknown" material)
Risk-based approach: Limit scanning to "high-risk" services (though encryption would still classify as high-risk)
Voluntary-to-mandatory pipeline: Start with voluntary framework, transition to mandatory after building political support

Historical Precedent: Poland's February 2025 proposal classified scanning as voluntary "preventive" action. While experts found this version "major progress," they still lamented the risk of mass surveillance, and lawmakers ultimately failed to attract the needed majority.

Technical Reality: Why "Voluntary" Scanning Still Threatens Encryption

Privacy advocates warn that even a "voluntary" framework creates dangerous precedents:

The Coercion Problem:

Platform liability: Companies face pressure to "voluntarily" scan or risk being seen as CSAM havens
Market pressure: Platforms that don't scan may lose users concerned about child safety
Regulatory creep: Today's voluntary framework becomes tomorrow's mandatory requirement

The False Positive Crisis:

Germany's own data from 2024 shows 99,375 of 205,728 reports (48.3%) forwarded by the US-based National Center for Missing and Exploited Children were not criminally relevant. These aren't statistics—they represent family beach photos, medical images shared with doctors, and artistic photography mistakenly flagged and forwarded to authorities.

For technical analysis of detection accuracy, see: Germany's 2024 Report Exposes Chat Control's Fatal Flaw: 48% Error Rate

Expert Consensus Against Client-Side Scanning:

Over 500 cryptography experts and security researchers signed an open letter warning that Chat Control is "technically infeasible" and would create catastrophic security vulnerabilities.

What the CSAR Proposal Actually Contains

The Child Sexual Abuse Regulation (CSAR) isn't just about scanning—it's a comprehensive framework that includes:

Detection Requirements (The Controversial Part):

Known CSAM: Hash-matching against databases
Unknown CSAM: AI image recognition to identify new material
Grooming detection: Real-time text analysis of conversations

Other Provisions (Less Controversial):

Establishment of an EU Centre to coordinate responses
Age verification requirements for platforms
Mandatory reporting obligations
Enhanced cooperation between service providers and law enforcement

Risk Classification System:

Detection orders would be limited to "high risk" services, with governments having broad discretion concerning risk classification. Anonymity, encryption, or real-time communications are per se considered "high risk".

Translation: Virtually every modern communication service—WhatsApp, Signal, Telegram, Proton Mail, even Apple iMessage—would fall under CSAR's scope.

For comprehensive overview written before the October vote, see: The EU Could Be Scanning Your Chats by October 2025 – Here's Everything We Know

The Signal Threat: Why This Matters Beyond Europe

Encrypted messaging provider Signal has repeatedly warned it will exit the EU market rather than comply with mandatory scanning requirements.

Signal Foundation President Meredith Whittaker directly appealed to Germany to reject the measure, warning that the platform will exit the EU market entirely rather than comply with mandatory scanning of private communications.

Why Signal's Position Matters:

Sets precedent: Other privacy-focused services may follow Signal's lead
Global impact: Many services operate single global platforms—EU requirements become worldwide standards
Security implications: Creating scanning infrastructure for EU compliance creates vulnerabilities everywhere

For Signal's full position, see: Signal Calls on Germany to Vote Against Chat Control, Threatens EU Exit

Compliance Implications: What Organizations Need to Know

Immediate Actions (November 2025 - April 2026):

Status: Voluntary scanning continues under Chat Control 1.0 derogation

For Communication Service Providers:

✅ Continue voluntary CSAM detection if already implemented
✅ Monitor Danish/Polish presidency developments
✅ Prepare contingency plans for both mandatory and continued-voluntary scenarios
✅ Review encryption architecture for potential compliance conflicts

For Organizations Using Encrypted Communications:

✅ No immediate changes required
✅ Assess dependency on EU-based encrypted service providers
✅ Develop alternative communication strategies if key services exit EU market

Post-April 2026 Scenarios:

Scenario 1: Voluntary Framework Codified

Current system continues with formal legal basis
Encrypted services remain intact
Service providers face market/political pressure to "voluntarily" scan

Scenario 2: No Agreement Reached

Voluntary scanning derogation expires
Legal uncertainty for platforms currently scanning
Potential compliance gaps in CSAM detection

Scenario 3: Mandatory Framework Returns Under Poland

Renewed political push with "child safety" narrative
Potential phased implementation (known CSAM first, then unknown)
Service providers must choose: implement scanning, exit EU, or challenge in court

The Broader Pattern: Chat Control in Global Context

Chat Control isn't happening in isolation—it's part of a global trend toward surveillance justified by "child safety" narratives:

United States:

California's New Laws: On October 13, 2025, California passed three laws requiring age verification and content moderation that critics warn amount to "state-mandated surveillance." For analysis, see our California coverage on ComplianceHub.wiki.

EARN IT Act: Federal legislation would create liability for platforms that don't scan, effectively mandating detection without technically requiring it.

United Kingdom:

Online Safety Act: Entered age verification enforcement phase July 25, 2025, with provisions that could require scanning of encrypted content.

For UK/EU regulatory comparison, see: Digital Compliance Alert: UK Online Safety Act and EU Digital Services Act Cross-Border Impact Analysis

The Precedent Problem:

Once the EU establishes client-side scanning as acceptable for CSAM, other jurisdictions will expand to:

Terrorism content
Copyright infringement
"Misinformation"
Politically sensitive content

Historical parallel: Data retention laws initially justified for serious crimes expanded to include copyright enforcement and minor offenses.

How We Got Here: Timeline of Chat Control

May 2022: European Commissioner Ylva Johansson proposes CSAR with mandatory detection orders

June 2024: Belgium proposed a version restricted to shared media and URLs with user consent, but didn't satisfy industry or voting members

February 2025: Poland's proposal classified scanning as voluntary "preventive" action but failed to attract needed majority

July 2025: Denmark assumes EU presidency, makes Chat Control top priority

September 12, 2025: Member states were supposed to finalize positions, but blocking minority formed

October 7, 2025: Germany joins opposition, creating decisive blocking minority

October 14, 2025: Scheduled vote cancelled due to lack of majority

October 31, 2025: Denmark announces shift to voluntary-only framework

For complete September analysis, see: EU Chat Control: Final Hours Before September 12 Deadline – What Compliance Teams Need to Know

The Citizen Movement That Stopped Chat Control

The Fight Chat Control movement became the central organizing hub for what may be the most successful digital rights campaign in European history, providing real-time country tracking, direct action tools, educational resources, and coordination across 27 different political systems.

Key Success Factors:

Grassroots pressure: Citizens flooded government offices with calls and emails
Technical expertise: 500+ cryptographers provided credible opposition
Industry alignment: Companies from Signal to Mozilla united against proposal
Cross-border coordination: Pan-European campaign prevented divide-and-conquer tactics

For full analysis of the citizen movement, see: Chat Control Defeated: How Europe's Privacy Movement Stopped Mass Surveillance

What Happens Next: Critical Dates and Actions

December 2025:

Denmark's presidency ends
Last chance for Danish compromise before Poland takes over
EU Justice Ministers may attempt final vote on voluntary framework

January 1, 2026:

Poland assumes EU Council presidency
New political dynamics, fresh negotiating approach
Likely renewed push using "child safety" narrative

April 2026:

Voluntary scanning derogation expires
Legal basis for current Chat Control 1.0 disappears
Platforms must choose: continue scanning without legal cover, stop scanning, or wait for new framework

Actions for Compliance Professionals:

Monitor:

Danish presidency proposals (December 2025)
Polish presidency priorities (January 2026)
European Parliament positioning on voluntary extension
National-level implementations of EU frameworks

Prepare:

Risk assessments for encrypted communication dependencies
Alternative communication platform evaluations
Legal challenge strategies if mandatory scanning returns
Stakeholder communication plans for service disruptions

Engage:

Industry associations and advocacy groups
National data protection authorities
EU policymakers during Polish presidency
Technical standards bodies on encryption protection

Bottom Line: A Temporary Win, Not a Final Victory

Denmark's October 31 announcement represents a significant tactical retreat—but not the end of the EU's push to scan private communications. With voluntary scanning expiring in April 2026 and Poland assuming the presidency in January, advocates for encrypted communications must remain vigilant.

The Real Question: Will Poland learn from Denmark's mistakes and craft a politically viable compromise that sacrifices encryption on the altar of "child safety"? Or will the blocking minority hold firm against any mandatory framework?

For now: The architecture of end-to-end encryption remains intact across Europe. But the battle over whether governments can read your private messages is far from over.

From ComplianceHub.wiki:

From MyPrivacy.blog:

Stay informed: Subscribe to ComplianceHub.wiki for breaking updates on EU digital regulations, data privacy frameworks, and cybersecurity compliance requirements. For privacy-focused analysis, follow MyPrivacy.blog's coverage of surveillance legislation and encrypted communications.

Compliance professionals: Have questions about how Chat Control developments affect your organization? Contact us through the CISO Marketplace platform for expert consultation on EU digital compliance strategies.