The European Parliament rejected on Thursday an extension to temporary rules permitting tech companies to voluntarily scan users' private messages for child sexual abuse material, marking a significant setback for mass surveillance efforts.

The vote in the plenary session tallied 311 against, 228 in favor, and 92 abstentions. The decision concerns Regulation (EU) 2021/1232, known as Chat Control 1.0, which provides a derogation from the ePrivacy Directive to allow providers such as Meta, Google, and Microsoft to scan chats, emails, and other communications without user consent. This interim measure, introduced in 2021, is set to expire on April 3, 2026, after the Parliament refuses to extend it.

Privacy advocates hailed the outcome as the end of indiscriminate scanning. Patrick Breyer, a former MEP and digital rights campaigner, described it as a 'massive, hard-fought victory for the unprecedented resistance of civil society and citizens.' He noted the vote followed a 'voting thriller' where an initial rejection passed by a single vote, and a subsequent push by conservative lawmakers failed to secure a majority.

The proposal stemmed from efforts to combat online child sexual abuse material, or CSAM. Proponents argued voluntary scanning by tech firms has generated tips for law enforcement, though critics pointed to high false positive rates, up to 48% in some disclosures, and limited impact on actual convictions. Germany's Data Protection Conference had labeled it 'indiscriminate surveillance' affecting communication confidentiality, while reports showed a 50% drop in tips since widespread encryption adoption.

Earlier this month, on March 11, the Parliament adopted Amendment 5, restricting any scanning to targeted cases involving users or groups under judicial suspicion, aligning with its 2023 stance on the permanent regulation. Trilogue talks between Parliament, Council, and Commission collapsed on March 16 without agreement.

The European People's Party (EPP) attempted to force a repeat vote after the March 11 decision, blaming left-leaning groups for the block. Rapporteur Birgit Sippel of the Socialists and Democrats noted that member states' inflexibility led to the expiration.

Post-expiration, platforms will revert to ePrivacy protections, prohibiting untargeted scans. Companies must still remove known illegal content under the Digital Services Act. The vote strengthens Parliament's negotiating position in ongoing trilogues for the broader Child Sexual Abuse Regulation, or Chat Control 2.0, where the Council favors retaining voluntary elements despite privacy concerns.

The European Data Protection Supervisor had urged addressing shortcomings to prevent indiscriminate practices. Over 400 scientists recently called for halting related age verification mandates pending feasibility studies.

This development ends a chapter of controversy that drew opposition from Germany and civil society groups, who argued such measures undermine encryption and expose innocents to errors without effectively curbing live abuse.