Executive Vice-President Henna Virkkunen has sought to allay fears of digital surveillance, stating the European Commission has no plans to restrict virtual private networks (VPNs) in the EU and that age verification systems under the Digital Services Act (DSA) are designed to preserve anonymity. In a written answer on 1 July 2026 to a question from ECR MEP Emmanouil Fragkos, Virkkunen stressed the need to balance user privacy with protecting minors online, while rejecting claims that the EU is building a system to control internet access.
The answer comes amid public concern that age verification measures could be used to limit anonymous expression and enable broader monitoring. Virkkunen emphasised that the principle of online anonymity, established in the e-Commerce Directive, remains unchanged under the DSA. She described the EU's Age Verification Blueprint as privacy-preserving, device-based, and developed with guidance from the European Data Protection Board. The system generates only an anonymous attestation that a user is over a certain age, using zero-knowledge proofs to avoid revealing personal data, thereby limiting data breach risks. On liability, Virkkunen pointed to existing rules under Regulation (EU) 910/2014 for data breaches and identity systems.
The response contains no concrete proposals for new legislation or numerical targets, instead reaffirming existing legal frameworks and technical standards. The Commission's policy orientation remains one of maintaining online anonymity while advancing age verification as a barrier to minors' access to age-restricted content, even if VPNs could circumvent it. Institutional follow-up is likely to focus on implementation of the Age Verification Blueprint and continued dialogue with data protection authorities, with no immediate legislative action signalled.
EU citizens gain reassurance on anonymity and VPN use, but the answer does not address technical weaknesses flagged by cybersecurity experts. Tech companies may face continued pressure to integrate privacy-preserving age verification, while minors' safety advocates see progress in barrier measures. Data protection authorities benefit from the Commission's alignment with EDPB guidance, though liability rules for mass data leaks remain governed by existing regulation, potentially leaving gaps in accountability for novel digital identity infrastructure.