Three MEPs from the Patriots for Europe (PfE) group have submitted a written parliamentary question to the European Commission, raising serious security and privacy concerns about the EU's new age verification app. The app, presented by Commission President Ursula von der Leyen as 'technically ready' and built to 'the highest privacy standards', is now under scrutiny after independent code reviews reportedly uncovered critical vulnerabilities. The MEPs question whether citizens can trust the Commission's digital tools and highlight potential risks to biometric data.
The question, filed on 22 April 2026 under reference E-001659/2026, targets the Commission's handling of the app's development and deployment. The MEPs point to specific flaws: researchers claim the app's PIN can be bypassed in under two minutes by editing a local configuration file, and that rate limiting and biometrics can be disabled in the same way. They ask whether this is accurate and how such issues passed security reviews.
Data protection concerns
The MEPs also question whether the app stores unencrypted facial images from passport scans and selfies on the device without reliably deleting them. They contrast this with a recent case in Spain where the data protection authority (AEPD) fined private provider Yoti nearly EUR 1 million for unlawful processing of biometric data, asking how the Commission's approach is compatible with GDPR.
Deployment readiness questioned
Finally, the MEPs note that the app's repository describes it as 'not feature-complete' and requiring 'further integration', contradicting the Commission's presentation of it as technically ready. They demand an independent security audit before any Member State deploys the app.
The Commission is expected to respond within approximately six weeks. The answer will signal the Commission's stance on the app's security and its willingness to address the MEPs' concerns, potentially influencing Member States' decisions on adoption.