
In recent days there has been a lot of discussion around the EU “Chat Control” proposal, and people are understandably worried. The historical parallel many evoke is the Stasi opening letters with steam: back then, at least in theory, it was limited to those deemed “suspects”. Today, the risk is that similar techniques could apply to everyone by default.
Once you build an infrastructure for systematic surveillance, experience tells us it will sooner or later be abused – by authoritarian governments, corrupt insiders, hostile states or simple mission creep. Meanwhile, the truly “bad actors” will migrate to even more inaccessible systems. Currently, for example, WhatsApp can, under specific conditions and subject to due process, give law enforcement access to previous messages in a targeted way. What is now being discussed is something qualitatively different: routine, large‑scale scanning of communications.
The political narrative has slightly changed with a recent amendment: the text adopted in the European Parliament includes a clause stating that:
“This Regulation shall not apply to interpersonal communications to which end‑to‑end encryption has been or will be applied.”
This makes an important difference, because it formally excludes end‑to‑end encrypted interpersonal communications from the scope of systematic scanning. But it does not solve the deeper legal and constitutional issues.
One crucial problem is secrecy of communications and the ban on mass surveillance embedded in several European constitutions. The Italian Constitution, for instance, in Article 15 states that:
“The freedom and secrecy of correspondence and of every other form of communication are inviolable. Their limitation may be permitted only by a reasoned decision of the judicial authority with the guarantees established by law.”
This is not a uniquely Italian feature. Similar protections exist in Germany (Article 10 of the Grundgesetz on the secrecy of telecommunications), in Spain (Article 18.3 of the Constitution on the secrecy of communications), and, in different formulations, in France through the “bloc de constitutionnalité” and case law on privacy and correspondence. Across these systems, the structural rule is secrecy as the default, and limitation only as an exception, on a case‑by‑case basis, with a clear legal basis and judicial oversight.
Beyond national constitutions, the EU legal framework itself makes wide‑ranging surveillance difficult. The Charter of Fundamental Rights, the GDPR and the case law of the Court of Justice on data retention have all converged on a core idea: generalized, preventive monitoring of communications data – whether content or certain types of metadata – is very hard to reconcile with fundamental rights. This is exactly why the EU‑wide data retention directive was struck down and why several national implementing laws have been invalidated or severely curtailed. Italy is one of the few countries that has tried to hold on to broader retention schemes, and these remain legally controversial.
Against this background, a natural question arises: how can an EU regulation like Chat Control even be proposed?
It is important to remember that this is not a “Brussels whim”. The initiative responds to strong political demands coming from some national capitals – starting with Stockholm and Paris, but not only – asking for more powerful tools against online child sexual abuse. On that basis, the Commission tabled a proposal and launched the co‑legislative process between Council and Parliament, which is still ongoing and increasingly contentious.
Both EU institutions and national governments are fully aware that, even with exemptions for end‑to‑end encrypted interpersonal communications, a Chat Control regulation would face serious obstacles:
- On the EU side, it could be challenged before the Court of Justice for violating the Charter and established principles on mass surveillance and data retention.
- On the national side, its implementation could be blocked or sharply limited by constitutional courts invoking protections of secrecy of communications (Italy, Germany, Spain, and others).
Nonetheless, the political pressure from some chancelleries remains strong. Supporters of the proposal see the fight against child sexual abuse as a “crowbar” to force legal systems to accept more intrusive surveillance techniques. If Chat Control were to survive judicial scrutiny, it might become a precedent and a model for future security and public‑order legislation built on similar monitoring architectures.
Paradoxically, this very controversy is also a sign of the relative “health” of the European system. The proposal exists, but it meets strong resistance at multiple levels – in the Parliament, among several governments, from data protection authorities and from courts. It cannot be adopted and applied with the same ease we would see in more authoritarian settings. In Russia or China (and potentially, in a different way, in the United States), comparable tools could be decided and deployed much more quickly and “efficiently”, but at the cost of democratic guarantees that in Europe we still take seriously.
So one can criticise the choices of the European Parliament – that is part of political debate – but it is important not to lose sight of the bigger picture. What we are witnessing is a complex struggle between the legitimate objective of protecting children and the equally fundamental objective of preserving privacy and secrecy of communications. In other systems, this tension would be resolved brutally and unilaterally. In the European Union and its Member States, it produces friction, delays and sometimes frustrating compromises, but only because constitutions and fundamental rights continue to operate as real constraints.
In that sense, however unsettling the current debate may be, it is also a reminder of why it still matters to be part of a legal and constitutional space where surveillance is not simply a technical choice, but a political and judicial battlefield.
Categories: Data Retention, GDPR, Online child pornography, Online platforms, Privacy