# The European Privacy Paradox

## Regulate everything, protect little, watch ever more

The European Union built its digital identity on a promise: we would be the continent that protects citizens. The GDPR was sold to the world as the gold standard of privacy. Eight years later, the same Union that forces us to click through thousands of cookie banners is preparing, once again and in haste, to legalise the automatic scanning of private messages belonging to hundreds of millions of Europeans.

It is worth stopping and looking at the full picture. What is at stake is not only one law, one exception, or one technical dispute about encryption. It is a deep contradiction in the way Europe claims to protect privacy while building, piece by piece, the legal and technical infrastructure to watch it.

## First act: the GDPR, heavy bureaucracy, limited real protection

The General Data Protection Regulation came into force in 2018 with noble goals. In practice, it produced two effects that no one can honestly ignore.

The first was a disproportionate bureaucratic burden on those who create and innovate in Europe. Any SME trying to launch a digital service faces compliance costs, legal opinions, treatment records, impact assessments and the permanent uncertainty of divergent interpretations by national authorities.

The large American platforms absorbed these costs with armies of lawyers. European startups did not. The Draghi report on European competitiveness, published in 2024, identified fragmentation and regulatory overload as structural brakes on innovation across the continent. Academic studies published after 2018 measured declines in investment in European technology startups and the exit of applications from the European market after the regulation came into force.

The second effect is the most ironic: the giants whose business depends on the commercial exploitation of data continued to live from exactly that. Meta and Google received historic fines, yes, but the business model remained intact.

Consent became an empty ritual of clicks on banners no one reads. Meta's "pay or consent" model showed how the system can be bypassed: either you pay, or you consent to the exploitation of your data. The asymmetry is glaring. The ordinary citizen did not become the owner of his data. He was simply given more friction. Those with enough scale to turn compliance into a competitive advantage came out stronger.

## Second act: the same Union that protects your cookies wants to read your messages

While the GDPR suffocates part of innovation in the name of privacy, Brussels has for years pursued a persistent effort to legalise the mass monitoring of private communications. It is called Chat Control and it has two fronts.

Chat Control 1.0, formally Regulation (EU) 2021/1232, created a temporary exception to the ePrivacy Directive. That exception allowed providers such as Google, Meta and Microsoft to voluntarily scan messages, emails and photographs from all users, without any prior suspicion, in search of child sexual abuse material. The exception was extended in 2022 and again in 2024.

On 26 March 2026, the European Parliament refused a further extension. The rule expired on 3 April. It looked like the end. It was not.

The Council of the European Union reintroduced the same content in the form of a new regulation. On 7 July 2026, Parliament narrowly approved a rarely used urgency procedure: 331 votes in favour, 304 against and 11 abstentions. The decisive vote was scheduled for 9 July, the final sitting before the summer break.

The procedural detail is revealing. Because the text is in second reading, rejecting or amending it requires an absolute majority of 361 MEPs, while approving it requires only a simple majority of those present. In a sitting where many MEPs have already left, the design is not neutral. It is procedural engineering designed to push through what Parliament had already democratically rejected three months earlier. MEP Markéta Gregorová described the procedure as a breach of Parliament's own rules and an abuse of position by the largest political group.

Chat Control 2.0, the Child Sexual Abuse Regulation proposed in 2022, is the structural and permanent version. It allows for the possibility of forcing platforms to detect content. In end-to-end encrypted services such as Signal or WhatsApp, this is technically possible only by analysing content on the user's device before it is encrypted. This is known as client-side scanning.

After strong public opposition, Germany, the Netherlands, Poland and Austria rejected mandatory scanning without suspicion. The Danish presidency moved back to a model of risk assessment and mitigation. But critics, including former MEP Patrick Breyer, warn that the obligation to take "all appropriate risk mitigation measures" may reintroduce scanning through the back door, now combined with mandatory age verification that threatens online anonymity.

Signal has already stated that it would leave the European market before compromising its encryption.

## The facts that dismantle the argument

No one acting in good faith disputes the gravity of child sexual abuse or the need to fight it. The question is different: whether indiscriminate scanning of the entire population works. The available data says it does not.

According to Germany's Federal Criminal Police Office, the BKA, of around 300,000 chats reported each year in the European Union under voluntary scanning, 48% were false positives and criminally irrelevant. Almost half. Each false positive is an innocent citizen whose private conversation, family photograph or intimate message may be exposed to human reviewers and authorities.

In Germany, 40% of the resulting investigations targeted minors who had shared images with each other, often consensual sexting between teenagers, rather than predator networks. Around 99% of all reports sent to European police forces came from a single American company, Meta. In practice, this turns big tech into a private auxiliary police force, without sufficient European scrutiny.

A study by the European Parliament itself concluded that there is currently no technology capable of detecting this material without unacceptably high error rates. The European Court of Human Rights ruled in 2024 that requiring degraded encryption cannot be considered necessary in a democratic society.

The Center for Democracy and Technology made the essential point: the expiry of Chat Control did not leave authorities blind. Targeted surveillance based on concrete suspicion and judicial warrant remains fully available, as do content removal orders, reporting mechanisms and the European framework for electronic evidence. The instruments to pursue criminals already exist. What is being created is something else: a legal basis for treating all citizens as suspects.

There is also the lobbying dimension, exposed by investigations from European media. The preparation of the proposal involved close contact with foreign technology and security lobbyists, including Thorn, an American organisation that sells precisely the scanning software at stake and spends hundreds of thousands of euros lobbying in Brussels. Commissioner Ylva Johansson was criticised for using micro-targeting to promote the proposal, in breach of Europe's own data protection rules.

The irony would need no comment, if it were not so serious.

## The contradiction as a symptom

Put the pieces together.

A Union that imposes one of the world's heaviest data protection regimes on European companies, to the point of weakening their ability to compete, simultaneously creates exceptions for the same American big tech companies it struggles to control, and whose business models the GDPR did not stop, to analyse the private communications of all citizens.

A Union that enshrines the secrecy of communications in the ePrivacy Directive and the Charter of Fundamental Rights temporarily renews, year after year, the suspension of that secrecy.

A Union whose Parliament rejects a rule in March then sees its own machinery resurrect it in July, by urgency procedure, on the eve of the summer break.

This does not look like mere incompetence. It looks like a pattern.

Each measure arrives wrapped in a noble pretext: child protection, national security, counter-terrorism, public health. Each one normalises a little further the idea that preventive and generalised monitoring is a legitimate instrument of the state and of platforms.

The temporary exception becomes permanent. The voluntary becomes mandatory. The scanning of known content expands into AI detection of new content and patterns of conversation. Surveillance infrastructure, once built, is rarely dismantled. It is repurposed.

Europe's twentieth-century history should be warning enough about what happens when the state gains systematic access to citizens' private communications.

And the most perverse part is this: none of this will deliver the promised security.

Organised criminals easily move to encrypted channels, closed networks or platforms outside European jurisdiction. Those left exposed are ordinary citizens, journalists, lawyers, doctors, teenagers and victims of domestic violence who need a secure channel.

Flooding police forces with false positives diverts resources away from targeted investigations that can actually dismantle abuse networks. Children are protected less, while everyone is watched more.

## What should be done

The alternative is not inaction. It is the proportionality that the European Parliament itself defended in 2023: targeted surveillance of concrete suspects with judicial authorisation, swift removal of illegal material at source, stronger police capacity for undercover investigation, safety by design in applications used by minors and digital education.

All of this is compatible with the rule of law. Mass scanning is not.

The vote on 9 July will show whether the European Parliament can still defend the position it took in March, or whether procedural engineering defeats representative democracy. But Chat Control 2.0 will continue to be negotiated after that. That is where it will be decided whether end-to-end encryption, the last technical guarantee of private correspondence in the digital age, survives in Europe.

Privacy is not a luxury for those who have something to hide. It is the condition that makes freedom of thought, a free press, legal defence, medicine and intimacy possible.

A society that accepts the preventive reading of all correspondence in exchange for a promise of security will have neither. We are moving, silently and strategically, towards a more controlled and monitored society. Not through one single visible decree, but through the accumulation of exceptions, emergencies and pretexts. It is happening now, in a half-empty plenary, on the eve of the summer break.

## References

1. Regulation (EU) 2021/1232, temporary derogation from the ePrivacy Directive: https://eur-lex.europa.eu/legal-content/PT/TXT/?uri=CELEX%3A32021R1232
2. Proposal for the CSAR Regulation, 2022/0155 COD, European Commission, 11 May 2022
3. Rejection of the extension by the European Parliament, 26 March 2026: https://www.computerweekly.com/news/366640781/EU-Parliament-rejects-Chat-Control-message-scanning
4. Urgency procedure of 7 July 2026: https://tugatech.com.pt/t86909-parlamento-europeu-viabiliza-votacao-para-acelerar-regresso-do-chat-control and https://euperspectives.eu/2026/07/parliament-forced-back-to-the-chat-control-question/
5. EPP manoeuvre and political context: https://www.euronews.com/my-europe/2026/07/07/eu-to-extend-temporary-message-scanning-regime-to-detect-child-sexual-abuse-online
6. BKA data on false positives, Meta reports and investigations involving minors: https://www.patrick-breyer.de/en/historic-chat-control-vote-in-the-eu-parliament-meps-vote-to-end-untargeted-mass-scanning-of-private-chats/
7. Timeline and comparison of Chat Control 1.0 and 2.0: https://fightchatcontrol.eu/chat-control-overview
8. CDT Europe position on expiry and existing legal instruments: https://cdt.org/insights/cdt-europes-response-to-the-european-parliament-rejection-of-the-chat-control-1-0s-extension/
9. ECtHR, Podchasov v. Russia, 2024
10. D3 Defesa dos Direitos Digitais, Portuguese analysis: https://direitosdigitais.pt/noticias/173-chat-control-1-0-morreu-mas-chat-control-2-0-e-pior-e-continua-em-aberto
11. Chat Control, timeline, Thorn lobbying and criticism of Ylva Johansson: https://en.wikipedia.org/wiki/Chat_Control
12. Draghi report on European competitiveness, European Commission, September 2024
13. Meredith Whittaker's statements on Signal potentially leaving the European market: https://stateofsurveillance.org/