The EU has the Charter of Fundamental Rights, which is a part of the Treaty of Lisbon, which is the constitutional basis of the EU: https://en.m.wikipedia.org/wiki/Charter_of_Fundamental_Right...
In the charter, the protection of personal data and privacy is a recognized right. So chat control is also probably against the EU law.
Both the right to privacy and the right to protection of personal data appear to have pretty big exemptions for government.
The right to private communications was modified by the ECHR to give an exemption for prevention of crime/protection of morals/etc.[1] and the right to protection of personal data exempts any legitimate basis laid down by law[2].
I imagine they'd be able to figure out some form of Chat Control that passed legal muster. Perhaps a reduced version of Chat Control, say, demanding secret key escrow, but only demanding data access/scans of those suspected of a crime rather than everyone.
Legal rulings also seem to indicate that general scanning could be permitted if there was a serious threat to national security, so once a system to allow breaking encryption and scanning is in place, then it could be extended to what they want with the right excuse.
[1] https://fra.europa.eu/en/eu-charter/article/7-respect-privat...
[2] https://fra.europa.eu/en/eu-charter/article/8-protection-per...
> I imagine they'd be able to figure out some form of Chat Control that passed legal muster. Perhaps a reduced version of Chat Control, say, demanding secret key escrow, but only demanding data access/scans of those suspected of a crime rather than everyone.
Isn't that pretty much exactly how it is done in Russia, which was ruled by ECHR to be illegal[0]?
[0] https://hudoc.echr.coe.int/fre#{%22itemid%22:[%22001-230854%...
I'm not familiar with EU law, but reading Title II article 7 and 8 makes me feel this could be an optimistic interpretation of what the Treaty of Lisbon guarantees. I'm sure the supporters of chat control would love to argue something like "ChatControl respects the private communications of an individual by protecting how the data is processed to ensure only the legitimate basis of processing the data is incurred by the law" in court.
I would hope the EU courts would disagree, but I'm not sure if anyone can say until it's tested directly.
Even the EU Council's legal service thinks the law as-proposed is probably incompatible with Articles 7 and 8:
> The CLS concludes that, in the light of the case law of the Court of Justice at this stage, the regime of the detection order, as currently provided for by the proposed Regulation with regard to interpersonal communications, constitutes a particularly serious limitation to the rights to privacy and personal data protection enshrined in Article 7 and 8 of the Charter.
https://data.consilium.europa.eu/doc/document/ST-8787-2023-I...
I think there are variants of the ChatControl proposal which were clearly problematic, but the different variations of the proposal have tried to toe the line since. This report talks to the 2022-era proposal.