A European Parliament research document is proposing new restrictions on Virtual Private Networks, marking Brussels' first serious attempt to regulate the privacy tools used by millions across the continent.
The briefing, published in January by the European Parliamentary Research Service, argues that VPN services should be restricted to users above a "digital age of majority" - EU-speak for adults only. The justification? A "significant surge" in young people using VPNs to bypass age verification systems that several member states have introduced for pornography and social media.
## The Proposal That Caught Privacy Advocates Off Guard
Buried in a routine "At a Glance" document titled "Virtual private networks and the protection of children online," the proposal represents a dramatic shift in how Brussels approaches online privacy. VPNs have operated largely unregulated across the EU - until now.
The briefing, authored by research analyst Maria Del Mar Negreiro Achiaga, connects the proposal to the Digital Services Act, the EU's sweeping tech regulation that took effect in 2024. That law introduced "recommended guidelines for age assurance" for social media platforms and online intermediaries. Now, Brussels is eyeing the tools people use to circumvent those very guidelines.
Translation from Brussels-speak: The EU spent years crafting age verification rules. Kids found a workaround in about five minutes. Now regulators want to close the loophole by restricting the workaround itself.
## Why This Matters Beyond Brussels
VPNs are used by an estimated 30% of internet users globally - journalists bypassing censorship, businesses protecting trade secrets, activists in authoritarian states, and yes, teenagers trying to access TikTok. Any EU restriction would set a global precedent.
The proposal raises thorny questions Brussels has historically avoided: How do you verify someone's age to access a privacy tool without defeating the purpose of the privacy tool? Who enforces restrictions on services often based outside EU jurisdiction? And most fundamentally - should the EU be in the business of restricting access to privacy technologies at all?
The timing is significant. This comes after the EU's AI Act, the Digital Markets Act forcing Apple to open iMessage, and ongoing battles with Elon Musk over content moderation on X. Brussels is on a regulatory tear, and VPNs are the latest target.
