EU’s Social Media Age-Gating Still Avoids User Accountability

By Bronwyn Howell

April 24, 2026

On April 16, European Commission President Ursula von der Leyen laid down the next gauntlet, challenging social media platforms to act responsibly by protecting children from harms occurring on their sites: she announced a new age verification app that’s technology-ready and will soon be available for use.

The app aims to provide a harmonized, privacy-preserving solution supporting enforcement of the Digital Services Act (DSA) obligations requiring gatekeeper firms to manage risks to underage users, while also facilitating General Data Protection Regulation requirements that the platforms protect user privacy. The EU approach differs fundamentally from Australia’s by refraining from imposing statutory obligations on platforms. While some individual member states have either passed (France) or proposed (Spain, Austria, Denmark, Italy, and Slovenia) social media age restriction laws, the commission’s focus is on a single tool that can be used by member states (and, via the Brussels effect, by other EU-influenced jurisdictions) to support enforcement of their own legislation within the wider EU legal framework.

The age verification app’s origins date to a blueprint released in July 2025 and updated in October. The blueprint consists of technical specifications aligned with those of the EU Digital Identity Wallet for an open-source app customizable for national contexts. Technically, users will download the app and supply it with proof of age based on official documents, such as national electronic IDs, passports, and ID cards, or via pre-installed apps with verified age information from trusted sources, such as banking apps or postal services and other third-party affiliates. After the app receives the proof-of-age information, the link between the app and the user’s proof is severed. The app doesn’t hold any ID information or trace back to the user. When the user requests access to an online service, the service will request and receive anonymous proof of age on which to base its decision about granting access.

The EU approach has benefitted from both theoretical analysis of and experience with Australia’s Social Media Minimum Age (SMMA) regulations. These regulations have been strongly criticized for expecting platform-determined age verification by multiple methods, including uploaded IDs and biometric data, such as face scans shared with third-party providers and usage patterns inferred from individual user data retained by the platforms. These tools push the limits of the trade-off between protecting children and protecting user privacy. In Australia, this balance is managed via strict governance provisions in the SMMA requiring platforms to adhere to a “ring-fence and destroy” protocol, requiring separation of data required for age verification from the rest of the platform’s business and the data’s destruction as soon as the purpose for which they have been collected has been met. If the EU app proves successful, then identifiable age information never reaches the platform, rendering such governance obligations redundant.

The proof of the pudding, then, will be in the eating.

When unveiling the app, President von der Leyen praised it as “technically ready” and aligned with “the highest privacy standards,” emphasizing its open-source nature as a transparency feature. But that transparency may prove to be problematic. Open-source code is vulnerable to experts capable of perusing it for weaknesses and then constructing work-arounds that can quickly propagate among the community of marginal and marginalized users—in this case, tech-savvy under-16s looking to take risks, push boundaries, and retain (or obtain) social media access. Already, such weaknesses have been detected. One security expert claims to be able to bypass the app in under two minutes. The EU Commission’s response is that the open-source app is still a demo and will continue to be updated before any final public rollout. However, this solution invokes a new trade-off between commitment to transparency and the ongoing obligation to update the app as each new weakness is revealed.

Ultimately, the question must be asked whether continuing to make platforms alone responsible for managing all risks of user harm is either feasible or plausible. Technological solutions will be subject to continual whack-a-mole competition between developers seeking work-arounds and the custodians of the regulator-preferred apps.

The problem with the EU and Australian approaches is that regulatory responsibility (and penalties) is being shifted onto platform operators, leaving the under-16s (and their parents) unaccountable and unpenalized for thwarting the platforms’ efforts. Perhaps it’s time to consider the role of human accountabilities, at least in addition to the technological ones. By contrast, New Zealand’s ban on smartphones in schools, which relies on human enforcement and penalizes noncompliant students, appears to be working. While not perfect, the country’s nearly 50 percent reduction in student in-school phone use bests Australia’s reported 30 percent reduction in underage account ownership under the SMMA. Learning has improved and bullying has been reduced as a result of the New Zealand legislation—something not found in the recent Australian SMMA compliance review.

Much food for thought for US policymakers and legislators.