Europe Implements New Age-Verification and Data Rules

- The "double anonymity" model for age verification involves certified third-party providers who generate a proof-of-age token without knowing which website it will be used for, and the website accepts the token without receiving any of the user's identifying personal data. This ensures a high level of security and data protection. - Italy's communications regulator, AGCOM, has mandated that platforms distributing adult content must implement these age verification systems. The rules, adopted via Resolution No. 96/25/CONS, require a two-step process of identification and authentication for each session. - These age verification requirements are a key component of the broader EU Digital Services Act (DSA), which compels online platforms to take appropriate measures to ensure a high level of privacy, safety, and security for minors. Non-compliant platforms could face significant fines. - To facilitate compliance, the European Commission has developed a "mini-wallet" blueprint for age verification, which is being piloted in several member states including Denmark, France, Greece, Italy, and Spain. This solution is designed to be user-friendly and will be interoperable with the forthcoming EU Digital Identity Wallets. - The EU Digital Identity Wallet, expected to be rolled out by the end of 2026, will allow citizens to securely store and share various digital documents, including a token of age. This will provide a standardized and secure method for online identification across the EU. - The new data protection rules are an update to the General Data Protection Regulation (GDPR) and introduce stricter requirements for obtaining user consent, which must be freely given, specific, informed, and unambiguous. The regulations also emphasize the principle of data minimization, meaning only data that is absolutely necessary for a specified purpose should be collected and processed. - Recent proposals aim to ease some of the burdens of the AI Act and GDPR for businesses, particularly small and medium-sized enterprises, by simplifying cookie consent processes and facilitating data portability. - The legal basis for these regulations stems from a growing need to protect minors from harmful online content and to give individuals more control over their personal data in the digital age. The framework is built upon existing regulations like the eIDAS Regulation and the Law Enforcement Directive.