EU private communications law

EU private communications law

This note is a dated legal-policy snapshot as of 2026-07-10. It is not legal advice.

“Chat Control 2.0” is a political nickname, not the name of one enacted rule. Two separate EU legislative tracks must not be conflated. Neither justifies promising customers that a privacy service can legally evade a future obligation.

The permanent CSA proposal

The long-term proposal is procedure 2022/0155. It remains under negotiation and is not enacted law.

The Council’s November 2025 negotiating mandate deleted the proposed mandatory detection-order provisions. It also includes an explicit proposed protection for encryption: Article 1(5) says the Regulation must not prohibit, make impossible, weaken, circumvent, or otherwise undermine encryption, including end-to-end encryption. It also says the Regulation must not require decryption or access to end-to-end encrypted data.

That is a Council negotiating position, not a guarantee of the final text. The Parliament’s 2023 position likewise rejected indiscriminate scanning and called for judicially authorized, time-limited, last-resort, targeted detection orders while excluding E2EE. The final compromise remains uncertain.

The interim ePrivacy derogation

The older temporary ePrivacy derogation expired on 2026-04-03. The Council adopted a first-reading position on a proposed interim bridge on 2026-07-02. The Parliament must still complete second reading before it becomes law.

If adopted in that form, the bridge would run until 2028-04-03 and permit specified voluntary detection activity under conditions. Its recital protects encryption, but its operative permission does not contain the same robust explicit E2EE carve-out as the Council’s permanent-proposal mandate.

The Parliament’s March 2026 interim position sought an E2EE and traffic-data exclusion. The point is not that one outcome is certain. The point is that the legislative uncertainty itself is a product and governance risk.

Business implications of legislative uncertainty

Positioning a product as “Chat Control evasion” would turn an unsettled legislative question into an absolute legal and technical promise. Infrastructure outside Europe, a VPN, a foreign key holder, or a particular protocol likewise cannot establish immunity from a future law without knowing its final scope and jurisdictional reach.

The lower-exposure operating position is to:

  • protect content with end-to-end encryption where the product claims it
  • minimize identity, content, network, and support data separately
  • publish a precise threat model
  • state whether a material legal change would alter the product
  • maintain a legal-change gate before feature changes or new markets
  • have a lawful-request policy, transparency reporting, and a process for challenging overbroad demands
  • use open standards and customer exportability

Privacy product architecture supplies the engineering direction. Privacy trust and governance supplies the customer promise.

Constitutional and policy constraints

The EDPB and EDPS raised serious necessity and proportionality concerns about the original proposal, especially generalized access to communications and probabilistic detection. EU data-protection opinion on CSA regulation preserves the opinion.

The CJEU’s data-retention cases also constrain general and indiscriminate retention. They do not decide the legality of a future CSA law, but they show that fundamental-rights limits remain material.

At the same time, the Commission is developing a policy roadmap on effective and lawful access to data and future data-retention policy. That is a risk to monitor, not an adopted European ban on encryption.

Outside the EU is not a durable escape route

Foreign servers or a foreign company do not automatically remove EU exposure. GDPR can apply to a non-EU organization that offers services to people in the EU or monitors their behavior. The DSA and the EU e-evidence regime also create representative or establishment obligations for qualifying providers serving the Union.

A genuine non-EU product for a non-EU market is a commercial choice. Targeting EU customers while claiming to be beyond EU law is not a sound legal or reputational model. Sweden as a privacy venture base explains why jurisdiction should be an integrity and resilience decision, not an evasion tactic.

Sources

  1. eur-lex.europa.eu
  2. data.consilium.europa.eu
  3. data.consilium.europa.eu
  4. europarl.europa.eu
  5. europarl.europa.eu
  6. edpb.europa.eu
  7. eur-lex.europa.eu
  8. home-affairs.ec.europa.eu
  9. curia.europa.eu