EU digital leaders urge common rules on kids’ social media use

Digital ministers from the D9+ group, comprising several digitally advanced EU Member States, are advocating for a unified European approach to safeguard children on social media platforms. This push includes calls for a common 'digital majority' age and the implementation of privacy-preserving, EU-wide age verification mechanisms. While the initiative aims to create a safer online environment by coordinating enforcement of existing rules and introducing new measures, it faces significant challenges, particularly from Estonia. Estonia has voiced strong reservations against blanket age restrictions and disproportionate age verification, arguing that such measures are easily circumvented, infringe on privacy, and divert focus from enforcing platforms' existing obligations under EU law, such as the Digital Services Act and GDPR. The debate highlights the complex interplay between child protection, data privacy, and fundamental rights in the evolving digital landscape.

The digital landscape presents both unprecedented opportunities and significant risks for children, a reality that has prompted a renewed focus on online safety within the European Union. Recently, the D9+ group, an informal alliance of digitally advanced EU Member States, issued a declaration urging the European Commission to establish common rules for children's social media use. This call for a unified front underscores a growing consensus among many European leaders regarding the urgent need to protect minors from online harms, including addictive design, harmful content, and privacy infringements.

The D9+ initiative specifically advocates for a "truly European approach" to coordinating the enforcement of existing EU rules on child safety and exploring a "common approach for a digital majority across the EU," which implies an EU-wide age-gate for social media access. This move reflects a broader international trend towards stricter online child safety regulation. However, the path to harmonisation is fraught with legal and practical complexities, as evidenced by Estonia's notable dissent, which raises critical questions about the proportionality and effectiveness of proposed age verification measures.

This article will delve into the legal framework underpinning children's online safety in the EU, analyse the D9+ proposals and the specific concerns raised by Estonia, and discuss the broader implications for practitioners navigating the evolving regulatory environment. It will examine the tension between robust child protection and the preservation of fundamental rights, particularly in the context of age verification and data processing.

The protection of children in the digital environment is a multifaceted challenge addressed by several key EU legal instruments and policy initiatives. Central to this framework is the General Data Protection Regulation (EU) 2016/679 (GDPR), which provides specific safeguards for children's personal data. Article 8 of the GDPR stipulates that for information society services offered directly to a child, consent for data processing is valid from the age of 16, though Member States may lower this age to a minimum of 13 years. Below this threshold, parental consent is required, with service providers mandated to make "reasonable efforts" to verify such consent.

Further strengthening online protections, the Digital Services Act (Regulation (EU) 2022/2065, DSA) introduces significant obligations for online platforms. Article 28 of the DSA specifically mandates providers of online platforms accessible to minors to implement "appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors." This includes a prohibition on presenting targeted advertisements based on profiling using personal data of minors. The European Commission has also issued guidelines to assist platforms in applying these provisions, offering recommendations on issues like addictive design, cyberbullying, and harmful content.

Complementing these legislative acts is the EU Strategy for a Better Internet for Kids (BIK+), adopted in May 2022. This strategy aims to ensure that children are protected, respected, and empowered online, focusing on safe digital experiences, digital empowerment, and active participation. The D9+ group, an informal alliance of EU Member States recognised as digital frontrunners, plays a role in shaping digital policy discussions, often issuing joint statements on regulatory initiatives. Their recent declaration on children's social media use builds upon these existing foundations, seeking to enhance coordination and introduce more stringent, harmonised measures.

The D9+ group's call for a "common approach for a digital majority across the EU" and "privacy-preserving EU-wide age verification" highlights a desire for greater harmonisation in online child protection. This ambition stems from the recognition that online harms transcend national borders, necessitating a coordinated European response. A unified age-gate could simplify compliance for platforms operating across the single market and potentially offer more consistent protection for children. The European Commission has, in fact, developed a prototype age verification app, intended to allow users to confirm their age without disclosing extensive personal data, potentially integrating with the future EU Digital Identity Wallet.

However, the implementation of such a system faces considerable legal and practical hurdles, as articulated by Estonia's dissenting position. Estonia argues that "horizontal" age restrictions and "disproportionate" age verification measures are easily bypassed by minors and raise significant privacy concerns. This perspective aligns with criticisms that overly strict age verification could undermine online anonymity, create new barriers to internet access, and potentially lead to increased surveillance. The effectiveness of age verification is a key point of contention, with studies suggesting that bans are often circumvented through false birth dates, VPNs, or borrowed adult credentials.

Estonia's stance further emphasises that the focus should be on enforcing existing EU laws, particularly the DSA and GDPR, and investing in digital literacy rather than imposing new, potentially ineffective, age-based access restrictions. Article 28 of the DSA already places a clear obligation on platforms to ensure a high level of privacy, safety, and security for minors, including measures to address addictive design and harmful content. The Commission's guidelines for DSA Article 28 provide a non-exhaustive list of such measures, including setting minors' accounts to private by default, modifying recommender systems to reduce exposure to harmful content, and empowering children to block users. The debate, therefore, is not merely about *whether* to protect children, but *how* to do so effectively and proportionately, balancing protection with children's rights to information and participation, as enshrined in the UN Convention on the Rights of the Child and its General Comment No. 25 on children's rights in the digital environment.

Moreover, the legal landscape is complicated by varying national approaches within the EU. While the D9+ seeks harmonisation, several Member States, including France, Spain, Portugal, and Greece, are already pursuing or have implemented national legislation imposing age restrictions or mandatory age verification for social media. This fragmentation risks creating a patchwork of rules, potentially undermining the single market and complicating compliance for platforms. The upcoming Digital Fairness Act (DFA), which the D9+ hopes will address dark patterns and addictive design, could offer another legislative avenue for a harmonised approach, but its scope and specific provisions are yet to be finalised.

The D9+ group's call for common EU rules on children's social media use reflects a legitimate and pressing concern for online child safety. While the ambition for a unified "digital majority" and EU-wide age verification is understandable from a harmonisation perspective, the debate, particularly with Estonia's dissent, underscores the profound complexities involved. The challenge lies in devising solutions that are not only effective in protecting children from online harms but also proportionate, privacy-preserving, and respectful of fundamental rights, including children's right to access information and participate in the digital sphere.

For legal practitioners, this evolving landscape necessitates close monitoring of legislative developments at both EU and national levels. Attorneys advising online platforms must prepare for potentially stricter age verification requirements, while also ensuring robust compliance with existing obligations under the GDPR (especially Article 8) and the DSA (Article 28). The emphasis on "privacy-preserving" solutions suggests that any new age verification mechanisms must adhere strictly to data minimisation principles and avoid disproportionate collection of sensitive personal data. Furthermore, the ongoing discussion highlights the importance of 'safety by design' and 'age-appropriate by default' principles, which will likely become even more critical in future regulatory frameworks, such as the forthcoming Digital Fairness Act. Practitioners should advise clients to proactively review their services for minors, implement child-friendly privacy settings by default, and invest in digital literacy initiatives as part of a comprehensive approach to online child safety.