On July 9, 2026, the European Parliament voted to extend the existing data protection exemption for messenger and email providers. Services are allowed to continue automatically scanning user messages for child sexual abuse material. The crucial detail: end-to-end encrypted messages are exempt from this rule, because without the matching key their content is technically unreadable.
Which Apps Actually Protect You
Signal, WhatsApp, Threema, iMessage (between Apple devices and via RCS), Wire, Session, Wickr, and Element (Matrix) all enable end-to-end encryption by default. Facebook Messenger has also made E2EE its default.
Telegram is a different story. Only chats explicitly marked as "secret" are end-to-end encrypted. Regular chats are stored on Telegram's servers in the US, Singapore, or the Netherlands. Instagram disabled E2EE for direct messages on May 8, 2026. X describes its private messages as encrypted, but private keys are stored on the company's own servers, which significantly undermines that claim.
What Chat Control 2.0 Would Mean
Earlier drafts of Chat Control 2.0 proposed mandatory client-side scanning. Messages would be checked on the device before being sent and only encrypted afterward. Services like Signal and WhatsApp would have been required to scan all user communications without any specific suspicion. So far, these proposals have failed due to resistance from EU member states.
For anyone who wants to stay secure: Signal remains the benchmark. Those who want additional control over their data can self-host services like Mastodon or use Briar, which requires no internet connection at all.