While a growing number of countries - including France, Spain, Poland and Austria - are working on national laws to ban young adolescents from accessing social networks, the European Commission is calling for consistency across the EU.
On Wednesday 29 April, the Commission published a non-binding recommendation addressed to the Member States. At this stage, the EU institution is not in favour of a harmonised age limit across the 27 Member States. This choice “falls within the competence of the Member States”, reiterated Henna Virkkunen, Executive Vice-President for Technological Sovereignty.
Spain, France and Austria, for example, are moving towards different national thresholds, which would be set at 16, 15 and 14 years of age respectively.
Nevertheless, the Commission would like to see all capitals deploy an age verification solution operating across the EU by 31 December. The text published on Wednesday suggests drawing up an “implementation plan” by 30 June. In addition to social networks, the issue of age verification also concerns access to pornographic sites and online betting.
Declaring its readiness to support Member States, the Commission has already developed an EU application dedicated to age verification, which has been tested in several countries since last year (see EUROPE 13849/6). The institution maintains that it respects “the highest privacy standards”. The advantage of this is that if Internet users want to connect to a social network where adolescents are not allowed, for example, they can prove their age (typically by means of an identity document) without having to send any personal information to the platform in question.
However, when the Commission assured the press, on 15 April, that the application was now “technically ready”, Henna Virkkunen appeared less confident about its viability when speaking to the press. Soon after it was unveiled, this open source software came in for criticism from experts, with one British IT security consultant, Paul Moore, claiming to have detected major security flaws in the space of “two minutes”.
“That’s why it's published as open source. That’s what the ‘demo’ model is all about: allowing everyone to test it, explore it and push it to its limits, right now. Of course, this isn’t the final model yet - it's still under development. But once it has been adopted by the Member States, it will be completely secure”, explained Ms Virkkunen.
The Finnish Christian Democrat also acknowledged the “difficulty” of designing a system that could not be easily circumvented, such as by using a VPN (virtual private network) programme.
The Commission does not require Member States to use the same version of the application as it proposes. Rather, it is seen as a blueprint “so that Member States and market players can take it up and further develop it into (...) solutions customised to their needs”, the recommendation states.
However, the EU institution insists that Member States use this blueprint as a starting point for developing their age verification systems, in particular to ensure “interoperability between Member States” of the various national solutions. The model developed by the Commission has the merit of being able to be “integrated into the European Digital Identity Wallets to be created by the Member States by the end of 2026”, as the recommendation goes on to say.
“It is very important for us to establish a single digital market. So we shouldn’t have 27 different systems that aren’t compatible”, explained Henna Virkkunen.
However, the European Commission is not closing the door to private companies, such as the social networks themselves, “providing age verification solutions or proof of age attestations”, under certain conditions. In future, the European institution plans to publish a “scheme” defining the requirements that these suppliers must meet, particularly in terms of governance, reliability, security and data protection.
The Commission then intends to “draw up a list of trusted proof-of-age providers and a list of age verification solutions recognised as reliable” by the EU. The entities on the list “will have been validated as complying with the requirements of the European system (...)”, the text states.
On Wednesday, at the same time, the Commission’s Executive Vice-President announced the preliminary conclusions of an investigation into allegations that Meta had breached the ‘DSA’ governing digital services by failing to prevent minors under the age of 13 from using Instagram and Facebook (see other news).
See the Commission’s recommendation: https://aeur.eu/f/lr4 (Original version in French by Clément Solal)