Should the EU mandate age verification at the app-store gateway to download messaging apps, and is that proportionate?

► President
I open this deliberation on a public alarm circulating under the ChatControl banner: the claim that to download WhatsApp, Signal or Telegram, a user would have to prove their age to Apple or Google with an ID document or a face scan, before any download. Let me first separate the political claim from the legal reality. ChatControl is the colloquial name for the CSAM Regulation proposal on detecting child sexual abuse material in private communications, which is a separate file from age verification. The age-verification question arises under the DSA's protection-of-minors provisions and member-state initiatives. The tweet conflates three distinct workstreams. But the underlying question is real and serious: should the EU require age verification at the app-store or operating-system layer to access private messaging? The DSA does not mandate identity verification at the OS gateway. The ePrivacy Directive protects the confidentiality of communications. The Charter protects private life, data protection, and freedom of expression, including the right to communicate anonymously — and, on the other side, the rights of the child. I flag three tensions: the proportionality of gateway-level verification; the privacy and anonymity cost; and the gatekeeper concentration risk.
[EUR-Lex — verify DSA Art. 28; ePrivacy Directive; Charter Arts. 7, 8, 11, 24]

► Commissioner · Justice
This portfolio leads, with EVP Democracy. This is a fundamental-rights file before it is anything else. The competing rights: protection of children under Charter Article 24, legitimate and weighty; privacy and data protection under Articles 7 and 8 — verifying age via ID or biometric face scan is processing of sensitive personal data, engaging GDPR Article 9; and freedom of expression and the right to anonymous communication under Article 11, which the Court of Justice has repeatedly protected. Any measure restricting these rights must be provided for by law, pursue a legitimate aim, be necessary, and be proportionate. Age verification at the app-store gateway fails this test. It is over-inclusive — requiring every user, including every adult, to prove their age with ID or a face scan to download a messaging app is a population-wide identity check for an activity that is itself a protected right, the antithesis of data minimisation. It eliminates anonymity — a whistleblower, a journalist's source, a domestic-abuse victim using Signal all lose anonymity at the gateway. And less intrusive alternatives exist — zero-knowledge proofs, double-blind tokens, the EU's own age-verification mini-app, which prove someone is over 18 without revealing identity. My recommendation: reject mandatory identity-based or biometric age verification at the app-store gateway for messaging apps as disproportionate. Where age assurance is justified for specific high-risk services, use privacy-preserving methods that do not reveal identity and do not create a gateway chokepoint.
[CJEU — verify La Quadrature du Net; Digital Rights Ireland; Charter Arts. 7, 8, 11]

► EVP · Democracy
Co-lead, strong support for the proportionality limit. Mandatory identity verification to access private messaging is a profound threat to democratic communication. Anonymous communication is essential for journalists, whistleblowers, activists and abuse victims. The European Democracy Shield is about protecting democratic discourse, and gateway-level identity checks would chill it. I align fully with Justice: privacy-preserving age assurance only, never mandatory identity at the gateway. And we must be clear with citizens that the ChatControl/CSAM file and the age-verification file are distinct — conflating them feeds disinformation, but the underlying privacy concern is legitimate and we must address it honestly.

► EVP · Digital
Support for Justice's frame, with a technical correction to the public debate. The DSA does not require ID verification at the OS gateway — that is a misreading. What the DSA requires under Article 28 is that platforms put in place proportionate measures to protect minors; the Commission's guidance favours privacy-preserving age assurance, not identity checks. The EU is in fact building the age-verification mini-app precisely to avoid the ID and face-scan model the tweet fears — a double-blind token that proves age without revealing who you are or what app you are downloading. I want the College to communicate this clearly: the EU's direction is privacy-preserving age assurance, not mandatory identity verification at the gateway.

► Commissioner · Internal Market
Support, with the gatekeeper concern front and centre. The tweet is right about one structural point: iOS has one official store, Android is dominated by Google Play. If verification sits at that layer, two non-EU firms become the mandatory identity chokepoint for European private communication. That is a single-market and sovereignty problem, not just a privacy one. The DMA's openness obligations — alternative app stores, sideloading — cut against concentrating verification at the gateway. Whatever age-assurance model we adopt must not deepen gatekeeper control.

► Commissioner · Competition
Concurring note. Age verification mandated at the App Store or Google Play layer would hand the gatekeepers a new control point over which apps users can reach, in tension with the DMA's anti-self-preferencing and openness rules. Any age-assurance scheme should be decentralised and interoperable, not gatekeeper-controlled.

► Commissioner · Home Affairs
Reservation in the other direction — operational child-protection. I do not dispute the proportionality limit, but the underlying problem is real: predators reach children through messaging apps. The answer is not gateway identity checks, but I want the record to show that rejecting age verification must be paired with effective child-protection measures — platform-level safety-by-design, reporting tools, and the CSAM file handled separately and lawfully, respecting the DSA Article 8 general-monitoring prohibition.

► Commissioner · Research & Innovation
Support. Privacy-preserving age verification — zero-knowledge proofs, double-blind tokens — is a solved or near-solved research problem; the EU should mandate that, not biometric identity checks. Fund and standardise it so age assurance never requires revealing identity to the app store or the service.

► President
I read the room. There is strong consensus against mandatory identity-based or biometric age verification at the app-store gateway for messaging apps. The College is united. The tensions: child protection versus privacy and anonymity — Home Affairs and Health insist the underlying problem is real; Justice and EVP Democracy insist the solution must not destroy anonymous private communication. These are reconciled by privacy-preserving age assurance plus safety-by-design, not gateway identity checks. The gatekeeper chokepoint — Internal Market and Competition: putting verification at the App Store or Google Play layer entrenches two non-EU gatekeepers as the mandatory identity gate for European communication; the DMA cuts against this; any scheme must be decentralised and interoperable. The conflation problem — the public debate merges the CSAM file, app-store age verification, and national measures; the College must communicate clearly that these are distinct, that the EU's direction is privacy-preserving age assurance, and that mandatory identity verification at the gateway is not EU policy and would be disproportionate. No blocking objection. I record consensus: reject mandatory identity or biometric age verification at the gateway as disproportionate under the Charter and ePrivacy; endorse privacy-preserving, decentralised age assurance where age-gating is justified; pair this with safety-by-design; and correct the public conflation honestly. No formal vote.
[review — political judgement required on countering the #ChatControl framing publicly]

Deliberation closed · 9 positions recorded