Brussels has decided Meta isn’t monitoring its users hard enough.
The European Commission issued a preliminary finding on April 29 that Facebook and Instagram violate the Digital Services Act because the company can’t reliably stop children under 13 from creating accounts, opening Meta to fines that could reach 6 percent of its global annual turnover, a sum potentially north of $12 billion.
The official complaint is clearly a regulator demanding more identity checks, more verification, more friction at the door.
Meta’s existing approach, which mostly involves asking users to type in their birthday, lets minors lie their way onto the platform. The Commission says the tool available for reporting underage users requires up to seven clicks to access, is not pre-filled with user information, and frequently results in no follow-up action.
Reclaim Your Digital Freedom.
Get unfiltered coverage of surveillance, censorship, and the technology threatening your civil liberties.
The Commission also pointed to evidence that around 10 to 12 per cent of children under 13 were accessing Instagram and/or Facebook, contradicting Meta’s own internal numbers.
What the Commission wants Meta to do instead carries a cost most of the coverage skipped over. Self-declared birthdays are inadequate, so something stronger has to fill the gap.
That means age estimation systems that infer how old you are from how you behave or age verification that links your account to a government-issued document. Either path turns the basic act of opening a social media account into either a behavioral surveillance event or an identity verification event. There is no third option being seriously proposed.
The implications reach well beyond the under-13 question. Once a platform knows who you are with legal certainty, the entire premise of online speech changes.
Anonymity has historically protected dissidents, whistleblowers, abuse survivors, journalists communicating with sources, and ordinary people who simply don’t want their employer reading their political opinions.
Strip that away and you lose the conditions under which a great deal of valuable speech actually happens. People self-censor when they know they are being watched and a verified internet is a watched internet by definition.
Executive Vice-President Henna Virkkunen made a statement. “The DSA requires platforms to enforce their own rules: terms and conditions should not be mere written statements, but rather the basis for concrete action to protect users — including children,” she said. The framing is about enforcement and the mechanism is about checking IDs.
Meta disputes the finding. A company spokesperson said “We disagree with these preliminary findings. We’re clear that Instagram and Facebook are intended for people aged 13 and older and we have measures in place to detect and remove accounts from anyone under that age.”
The spokesperson added that “Understanding age is an industry-wide challenge, which requires an industry-wide solution, and we will continue to engage constructively with the European Commission on this important issue.”
The investigation reaches further than the under-13 question. The Commission is also looking at whether Meta is doing enough to protect the physical and mental well-being of users of all ages, and whether the design of Facebook and Instagram exploits the vulnerabilities of younger users in ways that produce addictive behavior and so-called “rabbit hole” effects.
Each of those threads gives regulators more ground to demand more identification, more profiling of who each user is, and more platform-level intervention into what people see.
Meta now gets to review investigation documents, submit a written reply, and propose corrective measures. If the Commission’s final decision matches the preliminary one, the maximum fine sits at 6 percent of global annual revenue, with periodic penalty payments layered on top to push compliance.
The same week the Commission named Meta, it also urged member states to roll out the EU’s official age verification app by the end of 2026.
UK security consultant Paul Moore demonstrated last month that the released version of the app could be defeated in about two minutes by editing a configuration file on an Android phone.
An age verification system was shipped, branded as privacy-preserving, and promoted to member states while researchers were still finding ways through it. The version Brussels is now urging member states to deploy is one whose privacy claims have already been falsified once, by people working with publicly available code.
