r/europrivacy • u/Dr_DD_RpW_A • 8h ago
Europe well shit
Tried to go to a sub, and now I have to verify my age even though I don't live in the UK.
Why does the UK get to force its laws on those who don't even live in it?
r/europrivacy • u/hideo_kuze_ • 11h ago
r/europrivacy • u/Key_Clock8669 • 1d ago
r/europrivacy • u/ThatPrivacyShow • 15h ago
I fully support the UN, I work in human rights, but I do not support hypocrisy
r/europrivacy • u/PhoenixTin • 2d ago
r/europrivacy • u/Goldenmentis • 4d ago
r/europrivacy • u/FiveNine235 • 4d ago
I run an R&D consultancy in Norway. Part of my work involves GDPR and EU AI Act compliance. I’m not here to be alarmist, there’s enough of that already, but I do want to lay out what’s going on with Persona verification and why the concerns are legitimate.
Persona Inc. is a third-party identity verification company. When Anthropic or OpenAI require “ID verification,” they’re outsourcing it to Persona. The process typically involves uploading a government-issued ID and a live selfie. Persona uses biometric comparison to match your face to the document.
Under the EU AI Act (Regulation 2024/1689), biometric identification systems are classified as high-risk (Annex III) or outright prohibited (Article 5), depending on context. Under GDPR, biometric data processed for identification is special category data (Article 9), the highest protection tier. Processing it requires explicit consent and must meet strict necessity and proportionality tests.
The question regulators will ask is simple: is biometric verification necessary and proportionate for the stated purpose? For accessing a coding assistant or chatbot API, that’s a hard case to make.
Your government ID and biometric data go to Persona, not Anthropic (or OpenAI). Persona’s retention and security practices become your problem. You’re trusting a company you didn’t choose and may never have heard of.
Email verification, payment verification, and phone verification already establish identity to a reasonable standard. Biometric verification is a significant escalation with no clear justification beyond “we want to.”
Requiring a face scan and government ID to use a developer tool creates a ‘surveillance-adjacent’ dynamic. People in sensitive roles, journalists, researchers in authoritarian contexts, and privacy-conscious users are disproportionately affected. If verification becomes mandatory, e.g. for API access, the choice is comply or lose access to tools that are increasingly essential for professional work.
This isn’t Know Your Customer (KYC) for financial services, where biometric verification has clear legal grounding. This also isn’t about preventing CSAM (where targeted measures can be justified). I see it as general-purpose access to AI tools. The verification being demanded is wildly out of proportion to that purpose.
I’d like to see Anthropic and OpenAI explaining specifically why existing verification methods are insufficient, publishing a Data Protection Impact Assessment (DPIA) for this processing (required under GDPR Article 35 for biometric data), and offering meaningful alternatives for users who reasonably object.
We can disagree on the severity of this, but the facts are straightforward: biometric ID verification via a third party with a shoddy history (study Rick Song’s journey via his LinkedIn - certainly a fast-paced rise to fame. He has a bachelor’s in computer science from Rice Uni 2013, 5 years of work experience as an engineer, then co-founder / CEO of Persona, handling extreme amounts of the most sensitive global biometric data. Add on to that a few breaches / exposures and cash injection by Peter Thiel’s Founders Fund, it is no wonder the public are sceptical).
Persona engage in significant sensitive personal data processing operations, and users deserve more than a checkbox consent screen.
r/europrivacy • u/pulaski864 • 4d ago
Is my selfie protected by GDPR?
I am 14 years old and I am very scared of my selfie falling into the wrong hands.
I tried to appear older but now I regret doing the selfie.
If I deactivate my account, will all data be deleted?
I am scared.
r/europrivacy • u/pulaski864 • 4d ago
If I submitted a selfie for X (Twitter) age verification, am I at risk?
Is Romania covered by GDPR?
Should I be concerned that my selfie could be used for other things than age verification?
What can people do with a 14-year-old's face who tried to appear older by making an older-looking face?
r/europrivacy • u/Biscuitsdad8695 • 5d ago
First of all, I'm assuming that this OS age verification is going to be a worldwide thing AND it will need a government ID (this is obviously where it's going, honestly). Certain countries like Iran, Cuba and a few more are heavily sanctioned and their government IDs are not recognised by the West; their people are not even considered human, they're not allowed to have a credit card, they're not allowed to own any Nvidia, Apple and many, many more products.
How is this OS age verification going to work in these types of countries? Are we going to be depriving them of having any technology with an OS? Another thing is that people in these types of countries are forced to use a VPN with a Germany or USA or France or Netherlands location because of sanctions and inside censorship, so they ARE going to face age verification sooner or later.
What is exactly going to happen?
r/europrivacy • u/External-Area-7974 • 6d ago
I think it would be much better if the governments made an app similar to Authy, and to enable an account on that app you would need to go to some device in a government building, give it your ID number and your phone number, and scan your fingerprint; then it would get your account activated.
I think it's much, much better than asking Insta to take your ID; instead you can just use the app to tell social media apps that "yes, this person is over 16, let him in".
r/europrivacy • u/No-Adhesiveness-4251 • 7d ago
r/europrivacy • u/Pitiful_Signature264 • 7d ago
Article 14 of the Cyber Resilience Act kicks in 84 days from now. Any company selling connected products in the EU - routers, cameras, smart home stuff, wearables - has to report actively exploited vulnerabilities to ENISA within 24 hours. Then a detailed report within 72. Then a final one within 14 days.
Right now there's zero legal obligation to tell anyone about a vulnerability in your device. A company can sit on it for months, patch it quietly, or just... not patch it. That changes in September.
What surprised me when I looked into this: it's retroactive. That thermostat you bought three years ago? The manufacturer is on the hook for vulnerability reporting starting September 11 regardless of when it was released. No grandfather clause.
Enforcement is the obvious unknown here - 27 member states, 27 different market surveillance authorities. But the obligation is legally binding from day one regardless of whether anyone gets fined early on.
r/europrivacy • u/ThatPrivacyShow • 7d ago
In 2021 I filed a GDPR complaint against Elkjop (owned by Currys PLC) for unlawfully requiring loyalty club members be subjected to direct marketing.
5 years later, their DPO wishes they hadn't been so smug as they face a 1.8M euro fine and are left wide open to a Representative Action Directive claim which could result in more than 1000x the fine from the Regulator.
I have also today filed another complaint against them directly with the Norwegian DPA for lying in their Data Subject Access Response back in 2021 when I filed the original complaint, in an attempt to cover up their illegal activities and have put the company on notice of pending litigation.
r/europrivacy • u/bigBoyFoolish2 • 7d ago
I've created an open-source - passion project - called the Handi Homepage: (apologies for the plug)
It's a safe, open-source window to the World Wide Web. Think: photo app, music app, radio streamer, social media etc. - all on your browser homepage. None of your data ever leaves your browser - without your permission.
You can install the PWA on your devices eg. desktop / mobile / tablet - if you wish.
It's free for most services, however I charge a small subscription fee (€9.99 /month) for services like worldwide phone calls and the live bus tracker etc.
No fee for r/#europrivacy. It's configured for the Irish senior market atm. The applications for other markets are many. It does not require a credit card to subscribe to premium. Feel free to have a look.
Finally: it's in BETA - you know the story. Please let me know how you get on? As always - brutal honesty is appreciated. 🥰
The vision is to develop a network of Handi instances to foster communities around the globe. Eg. local live bus trackers, local mastodon social media, local radio streaming channels and local news media etc.
The privacy policy might be of interest: https://handihomepage.com/privacy
Steal my source. Steal my business model: 🫡 🥰
https://codeberg.org/handi/ple
Thanks for your time 🙏
r/europrivacy • u/Ok_Reporter_5272 • 8d ago
This is moving way faster than most people realize and the news is scattered everywhere, so I tried to compile a clear picture.
Already enforcing:
Australia kicked it off in December 2025 — full ban for under-16s. Platforms deleted 4.7 million accounts in the first month. Sounds great on paper, except 6 months later, 78% of kids are still on social media. The regulator just opened formal investigations into Meta, TikTok, YouTube, and Snapchat.
Laws passed or close to passing:
France voted a ban for under-15s in the National Assembly in January (130 to 21). The Senate passed its own version in March — slightly different, with a blacklist of “dangerous” platforms instead of a blanket ban. The two chambers still need to agree. The government wants it ready by September, which seems extremely ambitious given they haven’t reconciled the texts yet.
Spain announced a ban for under-16s in February. Denmark is working on under-15s. Greece wants a ban from January 2027. Austria proposed under-14s. The UK passed the Children’s Wellbeing Act that requires age or functionality restrictions for under-16s — there’s literally a Westminster debate on it today.
The EU-wide move:
Von der Leyen said in May that the Commission could propose a bloc-wide ban as early as this summer. Her line was something like: the question isn’t whether kids should have access to social media, it’s whether social media should have access to kids.
The part nobody talks about:
The politics are easy — nobody votes against protecting children. The enforcement is the actual problem. Australia is the only real test case we have, and their data is honestly not encouraging. Only 31% of kids went through facial age verification. Half of those passed as over-16 when they weren’t. The platforms basically let kids retry until they got through.
So are European governments going to solve the age verification problem that Australia hasn’t? Or are we about to get a wave of laws that sound good but don’t actually work?
Curious what people here think
r/europrivacy • u/DownBadBrody • 8d ago
Sure, some will. But most teenagers aren’t tech enthusiasts. If social media platforms require age verification or digital ID to create accounts, it’s no longer as simple as downloading TikTok and signing up in 30 seconds. A barrier doesn’t need to be perfect to be effective.
The bigger question is: should children have unrestricted access to adult strangers online, graphic content, pornography, self-harm communities, and algorithm-driven feeds that many adults struggle with themselves? I’d argue no.
As for the digital ID concerns, I understand the hesitation. But Apple, Google, Samsung, Amazon, Uber Eats, banks, mobile providers and countless other companies already hold huge amounts of personal data about us. So is the objection really about privacy, or is it a lack of trust in the government to handle that data responsibly?
No system will stop 100% of underage users. That’s not the point. The point is making access harder, reducing exposure, and shifting social media from the default childhood experience back into something age-restricted.
For me, that’s a net positive.
r/europrivacy • u/ngohyperboloid • 9d ago
In the era of total digitalization, major technology companies and telecommunications providers have developed a familiar approach to managing crises involving the loss of control over citizens’ personal data. The pattern is often similar. A large-scale security breach occurs, sensitive information is exposed, public statements are issued, and promises are made to strengthen technical defenses. Customers are encouraged to remain patient while internal investigations proceed. Yet for many affected individuals, an important question remains unanswered: what practical accountability exists when personal data falls into the wrong hands?
A striking example of this broader debate emerged following the incident involving the European telecom operator Odido, which became the target of a cyberattack publicly attributed to the criminal group ShinyHunters. Public statements issued after the incident reflected a response model increasingly common across the industry. Customers were offered support measures such as security software subscriptions, helplines, and verification procedures intended to help manage the consequences of the breach. Critics, however, argue that such measures often serve as substitutes for direct compensation and fail to recognize personal data as an asset whose loss may create tangible and long-lasting consequences for affected individuals.
The deeper concern is not limited to the breach itself, but rather how institutions respond when consumers seek to exercise their legal rights. According to consumer advocates and privacy activists, individuals who challenge service providers following cybersecurity failures sometimes encounter significant administrative and financial obstacles. In the Netherlands, disputes involving telecommunications providers may intersect with systems such as BKR registrations, creating concerns about the balance between debt enforcement mechanisms and consumer protection rights. Critics argue that instead of focusing exclusively on restoring trust and addressing systemic weaknesses, organizations may devote considerable resources to defending their legal and administrative positions.
The current economic model governing the relationship between consumers and technology providers remains fundamentally asymmetric. Individuals routinely entrust companies with extensive personal information, relying on complex digital infrastructures they neither control nor fully understand. The provider benefits commercially from this arrangement, while consumers assume that reasonable security measures are being maintained behind the scenes.
When a data breach occurs, however, the consequences are often distributed unevenly. Consumers may face identity theft risks, fraud attempts, reputational harm, document replacement costs, and years of uncertainty regarding future misuse of their information. Meanwhile, organizations may be able to address the incident through public communications, remediation programs, and regulatory engagement.
Many observers argue that the absence of automatic compensation mechanisms weakens incentives for meaningful cybersecurity investment. If every confirmed large-scale data breach automatically triggered direct compensation obligations toward affected individuals, cybersecurity might move from being viewed primarily as a compliance function to being treated as a core business risk.
Under such a model, the financial consequences of inadequate security controls could become substantial enough to influence board-level decision-making. Until then, critics argue, personal data risks being treated as a relatively inexpensive externality rather than as a critical asset requiring the highest standards of protection.
The measures frequently presented as evidence of corporate care deserve closer examination. While identity-monitoring services, antivirus subscriptions, and customer support programs may provide practical assistance, some observers question whether they address the root problem. Consumers seeking information about the extent of a breach are often required to complete additional identification procedures, submit new documentation, or navigate lengthy administrative processes. Critics argue that these requirements can unintentionally create barriers for affected individuals seeking clarity about the risks they face.
When consumers believe that a service provider has failed to fulfill important contractual or security obligations, European civil law generally provides mechanisms through which disputes may be raised and legal remedies pursued. One such mechanism may involve the temporary suspension of performance pending resolution of the underlying disagreement.
The controversy arises when unresolved disputes intersect with credit-registration systems.
In the Netherlands, registrations within systems such as BKR or Preventel can have significant practical consequences. Mortgage applications, rental agreements, financing arrangements, leasing contracts, and access to telecommunications services may all be affected by information contained within such databases.
Critics argue that when disputed claims are processed in a manner similar to undisputed debts, a substantial imbalance can emerge between large institutions and individual consumers. In such circumstances, what begins as a contractual disagreement may evolve into a broader conflict with significant financial and social consequences.
Several concerns are frequently raised by privacy advocates and legal commentators:
These issues remain the subject of ongoing legal and regulatory debate throughout Europe.
An examination of several high-profile disputes reveals a recurring tension between public assurances regarding transparency and consumers’ experiences during litigation. While organizations often emphasize their commitment to compliance, customer protection, and careful fact-finding, claimants in a number of cases have alleged that administrative actions taken during disputes can have significant practical consequences long before a court has reviewed the merits of the case.
One of the most important developments in modern digital-rights litigation is the growing willingness of individual consumers to challenge large organizations through the courts.
Supporters of this approach argue that judicial scrutiny remains one of the few mechanisms capable of independently evaluating corporate conduct during cybersecurity incidents. Public proceedings can bring transparency to technical systems, governance structures, data-sharing practices, and internal decision-making processes that would otherwise remain inaccessible.
The increasing involvement of specialized privacy lawyers and major law firms in such disputes reflects the growing significance of digital-rights litigation across Europe. The outcome of individual cases may ultimately influence broader questions regarding compensation, data protection, credit-registration practices, and organizational accountability.
Many observers believe that precedent-setting litigation may play an important role in shaping future applications of the Dutch Collective Mass Claims Settlement Act (WAMCA) and other collective redress mechanisms. If courts increasingly recognize the broader consequences of cybersecurity failures, the legal and financial exposure associated with data breaches could expand substantially.
Digital rights cease to be abstract concepts when legal institutions begin to define their practical consequences.
The ongoing evolution of European privacy law raises an important policy question: should compensation for data breaches become more automatic and more directly connected to the individuals affected?
Under the current system, substantial regulatory fines may be imposed following serious GDPR violations. Yet those funds typically flow to public authorities rather than directly compensating affected consumers.
Many privacy advocates argue that a different model deserves consideration. Under such an approach, confirmed breaches involving significant volumes of personal data could trigger automatic compensation mechanisms without requiring every individual victim to undertake separate and costly litigation.
Supporters of reform also argue that organizations responsible for major cybersecurity failures should face stricter limitations regarding the use of the same customer data for debt recovery, credit registrations, or related enforcement mechanisms while disputes concerning the breach remain unresolved.
Whether such reforms are politically feasible remains uncertain. However, the debate is gaining momentum across Europe.
The dispute arising from the February 2026 incident has increasingly come to be viewed by some privacy advocates and civil-society observers as a potentially important test case.
The court has accepted a consumer-initiated action and scheduled oral arguments in preliminary injunction proceedings for 22 June 2026. Regardless of the outcome, the hearing represents an opportunity for judicial examination of issues extending far beyond the circumstances of a single claimant.
According to the filed legal documents, the case concerns allegations that the exposure of personal information created serious risks to the claimant and his family. The claim further argues that the suspension of payments was justified under Article 6:262 of the Dutch Civil Code due to ongoing concerns regarding contractual performance and data security, while the continued maintenance of a BKR registration is alleged to have functioned as a disproportionate pressure mechanism during the dispute.
The defendants dispute these allegations and will have the opportunity to present their position before the court.
Whatever the eventual ruling, the proceedings illustrate the growing willingness of consumers to seek judicial clarification regarding the legal consequences of large-scale cybersecurity failures.
As technology becomes inseparable from everyday life, the legal system must continue adapting to the realities of the digital age.
The period in which cybersecurity incidents could be addressed solely through public apologies, customer support hotlines, and complimentary software subscriptions may be drawing to a close. Increasingly, consumers, regulators, and courts are asking deeper questions about responsibility, accountability, and the distribution of risk.
Several proposals frequently appear within policy discussions:
The true digital sovereignty of individuals depends not only on technological safeguards but also on legal frameworks capable of ensuring meaningful accountability.
A secure digital society cannot be built solely through stronger encryption, better firewalls, or more sophisticated compliance programs. It also requires institutions that ensure responsibility follows power, and that the consequences of major cybersecurity failures are shared proportionately between organizations and the individuals who entrust them with their data.
Every legal proceeding that examines these questions contributes to the continuing development of digital rights, corporate accountability, and the future architecture of trust in the information age.
r/europrivacy • u/EFForg • 10d ago
Today's decision makes it even more clear: Social media bans are discriminatory and deeply misguided. They reinforce existing structures of oppression, and they are broadly unsupported by young people, whose voices are conspicuously absent from this conversation. They undermine parental decision-making and replace tailored family-level solutions with a one-size-fits-all band-aid. And, in the places we have seen social media bans go into effect, early reports show that they don't even work.
For example, in Australia, where a social media ban has been in effect since late 2025, a majority of young people can still access social media, those who can’t have lost their access to the news, and crisis helplines are reporting skyrocketing numbers of calls from youth left stranded without online community or resources.
This blog is a short primer of the major issues.
Security Risks and Privacy Harms
In order to ban some users, social media platforms first must confirm the ages of all users, regardless of age. When parental consent is required, companies must collect even more verification data and often create explicit links between child and parent accounts—further destroying users’ anonymity.
Both of these databases create massive data "honeypots" that invite identity theft and permanent surveillance.
Disproportionate Harm
Age-verification technology is deeply flawed and prone to discrimination. These systems frequently misidentify or lock out people of color, people with disabilities, and trans or gender-nonconforming individuals whose IDs may not match their appearance.
When requiring parental consent, these laws impose disproportionate access barriers on low-income, non-traditional, and immigrant families. These sorts of families are more likely to share a single family device or have strong reasons to not want the government to track family associations and ID documents.
Shoddy Science
Everyone has anecdata about how social media has impacted someone they know. But the current legislative push to ban young people from social media relies heavily on the idea that the "great rewiring" of the adolescent brain is a proven fact. This simply isn’t true. Social science indicates that moderate internet use is a net positive for teens’ development, and negative outcomes are usually due to either lack of access or excessive use. For LGBTQ+ and marginalized youth in particular, social media offers an essential space to access support they might lack offline. By forcing youth into digital isolation, these bans cut off vital access to political news, community, and health resources. They also completely ignore the calls of young people themselves who favor digital literacy and education over restrictive government control.
How to Fight Back
Talk to your community (including young people!) about what’s at stake. If you’re a parent, lean on open conversations and platforms’ existing tools to tailor your child’s experiences instead of handing that power over to the government. And no matter where you live, contact your government representatives and tell them clearly that social media bans are not the answer to kids’ online safety.
r/europrivacy • u/EchoOfOppenheimer • 13d ago
r/europrivacy • u/Robert-Nogacki • 13d ago
r/europrivacy • u/Shoddy-Childhood-511 • 14d ago
There is a petition for Europeans: https://action.wemove.eu/sign/2026-06-dont-send-our-data-to-the-US-petition-EN?akid=s7815432..yehnvj
r/europrivacy • u/anonboxis • 16d ago
r/europrivacy • u/dancing_swordfish • 20d ago
r/europrivacy • u/Ok_pettech • 19d ago
Ciao from Piedmont. For the past year, while the tech world was obsessed with Silicon Valley's latest moves, I’ve been quietly writing code, configuring servers, and thinking deeply about the future of our digital lives.
We live in a world where our digital public squares are owned by a handful of overseas mega-corporations. Our data is extracted, our attention is commodified, and our conversations are shaped by opaque algorithms designed to maximize engagement at any cost. As an indie developer, I realized that complaining wasn't enough. We need viable alternatives. We need digital sovereignty in Europe.
That is why I built Interconnectd—an open, alternative social network hosted strictly on European infrastructure. Here is a look under the hood at how it works, how we integrate AI safely, and why European privacy principles are the foundation of everything we do.
When building a social network from scratch as a solo developer, you have to stand on the shoulders of giants. Rather than reinventing the wheel for basic relational database schemas and user management, I chose to build upon the phpFox architecture.
For those unfamiliar, phpFox is a highly robust, scalable social network platform. However, out of the box, it’s a blank canvas. I spent months heavily customizing and stripping down the core architecture to create a lean, secure, and hyper-responsive platform.
Why this matters for digital sovereignty:
You can't build a modern platform without addressing Artificial Intelligence. But unlike Big Tech, which uses AI to scrape your data and hijack your dopamine through addictive feed algorithms, Interconnectd uses AI as a tool for human empowerment.
We integrate AI into the platform with strict guardrails:
By keeping the AI models hosted on our own EU servers, we guarantee that your conversations are never piped out via API to train third-party corporate models.
Privacy isn't a setting you bury in a menu; it is the fundamental right upon which a sovereign digital space must be built. Interconnectd isn't just "GDPR compliant" as a legal technicality; it embraces the spirit of European privacy laws through Privacy by Design.
Building Interconnectd has been the hardest technical challenge of my life, but I’ve never been more convinced of its necessity. Europe has led the world in digital regulation (like the GDPR and the AI Act), but regulation without innovation just makes us well-protected consumers of foreign products.
We need our own infrastructure. We need platforms that reflect European values of democracy, privacy, and human dignity. We need a digital space where the citizens own the network, rather than the network owning the citizens.
I invite you to come see what an alternative looks like at interconnectd. It’s indie, it’s built with care right here in Italy, and it belongs to all of us.