The EU's so-called Chat Control plan, which aimed to mandate mass scanning and other encryption-breaking measures, has seen some positive developments recently. The most contentious aspect, the forced scanning of encrypted messages, was abandoned by EU member states. Now, in a further victory for privacy, the EU Parliament has significantly hampered voluntary mass-scanning of chats by voting against prolonging an interim derogation from e-Privacy rules. These rules had temporarily permitted service providers to scan private communications. However, caution remains. While the general and indiscriminate scanning of messages lacks a solid legal basis in the EU (unlike the U.S., which lacks comprehensive federal privacy law), the expiration of the e-Privacy derogation law doesn't guarantee an immediate end to mass scanning. Companies have a history of continuing similar scanning practices during legal gaps. **Google**, **Meta**, **Microsoft**, and **Snap** have jointly signaled their intent to "continue to take voluntary action" on their Interpersonal Communication Services. The implication for continued scanning of private communications remains unclear, but such activity would now risk breaching EU law. However, non-compliance with EU data protection and privacy rules is not new for big tech in Europe. Most critically, the "Chat Control" proposal for mandatory detection of child sexual abuse material (CSAM) remains under negotiation. The focus has shifted towards risk mitigation measures, including problematic age verification and voluntary activities. If platforms are compelled to adopt these measures as part of compliance, their voluntary nature becomes questionable. While mass scanning might be off the table on paper, broader concerns persist. The immediate priority is to prevent the revival of the expired exception for mass scanning. Simultaneously, lawmakers must weaken the currently negotiated Chat Control proposal by narrowing the scope of risk mitigation measures. This entails ensuring that age verification doesn't become a default requirement and that "voluntary activities" don't morph into an expectation to scan communications. As previously stated, this is a zombie proposal. It resurfaces repeatedly and must be prevented from returning through the backdoor.