Australia’s under-16 social media restrictions have become a practical reference point for regulators who are moving beyond theory and into enforcement.
As the system settles into routine use, its side effects are becoming clearer. One of the most visible has been the renewed political interest in curbing tools that enable private communication, particularly Virtual Private Networks. That interest carries consequences well beyond “age assurance.”
A January 2026 briefing we obtained from the European Parliamentary Research Service traces a sharp rise in VPN use following the introduction of mandatory age checks.
The report notes “a significant surge in the number of virtual private networks (VPNs) used to bypass online age verification methods in countries where these have been put in place by law,” placing that trend within a broader policy environment where “protection of children online is high on the political agenda.”
Australia’s experience fits this trajectory. As age gates tighten, individuals reach for tools that reduce exposure to monitoring and profiling. VPNs are the first port of call in that response because they are widely available, easy to use, and designed to limit third-party visibility into online activity.
The EPRS briefing offers a clear description of what these tools do. “A virtual private network (VPN) is a digital technology designed to establish a secure and encrypted connection between a user’s device and the internet.”
It explains that VPNs hide IP addresses and route traffic through remote servers in order to “protect online communications from interception and surveillance.” These are civil liberties functions, not fringe behaviors, and they have long been treated as legitimate safeguards in democratic societies.
Pressure move toward private infrastructure
European debate has increasingly framed VPNs as an obstacle to enforcement. The EPRS report records that “some argue that access to VPN services should be restricted to users above a digital age of majority.” That framing effectively recasts privacy-enhancing technology as a regulatory gap to be closed.
The UK experience illustrates how quickly this logic escalates. After the Online Safety Act came into force, VPN apps flooded app store rankings.
According to the report, “half of the top 10 free apps in app-download charts in UK app stores have reportedly been VPN services,” with one developer citing “a 1,800% spike in downloads in the first month after the legislation started to apply.”
Those figures are now used to justify proposals that would limit who can access encryption tools.
The Children’s Commissioner for England has called for VPNs to be restricted to adults. The EPRS briefing captures the stakes of that approach: “While privacy advocates argue that imposing age-verification requirements on VPNs would pose significant risks to anonymity and data protection, child-safety campaigners claim that their widespread use by minors requires a regulatory response.”
From a civil liberties perspective, this is bad. Age assurance moves from regulating specific services toward regulating how people protect their connections in general. That expansion affects journalists, activists, whistleblowers, and ordinary users who rely on VPNs to reduce tracking, avoid profiling, or communicate safely.
Regulatory alignment amplifies risk
Australia is contributing directly to this policy direction. The eSafety Commissioner, Julie Inman Grant, has been meeting with a cooperation group on age assurance convened by Ofcom, with participation from the European Commission.
A joint release following one such meeting states that “throughout 2026, the three regulators will continue to have regular exchanges to further explore effective age-assurance approaches, enforcement against adult platform services and other providers to ensure minors are protected, relevant technological developments, and the essential role of data access and independent research in supporting effective regulatory action.”
The emphasis on data access reflects language already present in European policy documents. The EPRS briefing warns that “as the EU reviews cybersecurity and privacy legislation, VPN services may also come under stricter regulatory scrutiny.”
It adds that “it is likely that the revised Cybersecurity Act will introduce child-safety criteria, potentially including measures to prevent the misuse of VPNs to bypass legal protections.”
Embedding child-safety criteria into cybersecurity law risks collapsing the distinction between content regulation and communication security. That distinction has traditionally protected private correspondence from becoming a tool of routine governance.
The EPRS report outlines why scaling remains contentious, noting that existing measures “including verification, estimation and self-declaration are relatively easy for minors to bypass.” Proposed alternatives rely on biometrics, identity documents, or persistent age signals tied to devices.
France’s “double-blind” requirement is often cited as a privacy-conscious approach. The briefing explains that under this model, “the adult platform receives no information about the user other than confirmation of eligibility, while the age-verification provider has no knowledge of which websites the user visits.”
Even here, the solution depends on expanding verification infrastructure rather than limiting data collection at the source.
In France, officials are hinting that efforts to restrict children’s access to social media may extend beyond platform rules and into the tools people use to stay private online.
Lawmakers are advancing a proposal that would bar anyone under 15 from using social media services, and at least one senior figure has suggested that virtual private networks could become part of the next phase of enforcement.
Speaking on public broadcaster Franceinfo, Minister Delegate for Artificial Intelligence and Digital Affairs Anne Le Hénanff framed the issue as an ongoing process rather than a finished policy. “If [this legislation] allows us to protect a very large majority of children, we will continue. And VPNs are the next topic on my list,” she said.
At the EU level, the direction is increasingly explicit. The EPRS briefing records that the European Parliament has adopted a resolution supporting age-verification methods and calling for a digital age limit of 16 for social media. Investigations under the Digital Services Act are already underway, and multiple governments are backing the concept of a pan-European digital age of majority.
