The European Parliamentary Research Service has a new word for virtual private networks: loophole.

In a briefing paper reported by CyberInsider, the EPRS described VPNs as “a loophole in the legislation that needs closing” — not as privacy tools, but as defects in Europe’s age-verification architecture.

The concern has data behind it. Proton VPN reported a 1,400% surge in UK signups after the Online Safety Act mandated age checks for adult content. France saw similar spikes when it restricted under-18 access to PornHub.

Some officials want to close the gap at its source. England’s Children’s Commissioner, Dame Rachel de Souza, has called for age verification on VPN services themselves — requiring users to prove they are adults before accessing tools designed to protect their anonymity. The UK government says there are “no plans to ban” VPNs but warned that “if platforms deliberately push workarounds like VPNs to children, they face tough enforcement and heavy fines.”

The framing repositions anonymity as a regulatory problem rather than a right. France offers the most privacy-conscious approach on the table — a “double-blind” system where websites confirm a user meets age requirements without learning their identity, and the verification provider doesn’t see which sites are visited. Even so, the EPRS framing suggests VPNs remain a general workaround for any verification regime currently in place.

Utah has taken a blunter route. A law enacted this month declares users physically present in the state are subject to age verification regardless of their apparent IP address — a legal fiction that acknowledges the technical impossibility of enforcement.

The EPRS suggests future updates to the EU Cybersecurity Act could introduce child-safety requirements aimed at preventing VPN misuse to bypass legal protections.

The European Commission’s own age-verification app, released earlier this year, was found storing biometric images in unencrypted locations.

Sources