Cyprus’ social media ban is really about digital identity

We must be honest about the difference between protecting children and building surveillance infrastructure that applies to everyone

By Andreas Shialaros

On Thursday, President Nikos Christodoulides announced that Cyprus will ban social media for children under 15, joining Greece, and potentially Turkey, in a wave of similar measures sweeping across the region.

The stated aim is to protect children. Who could possibly object? Well, perhaps those who have been watching the EU’s digital policy trajectory long enough to notice a pattern.

The centrepiece of this effort is the European Commission’s new age verification application, which its president Ursula von der Leyen unveiled on Wednesday with all the fanfare of a product launch, which, in fairness, is exactly what it was. The app, which Cyprus intends to integrate into the national ‘Digital Citizen’ platform, will require users to scan their passport, driving licence, or connect to their bank or educational records. The app then acts as an intermediary between the user and every digital service they wish to access.

Let us be precise about what this means. This is not simply a tool that checks whether a child is old enough to use Instagram. It is a state issued digital gateway positioned between every citizen and the online world. Once you must authenticate through a government application to access social media, the infrastructure exists to track which platforms you use, when you log in, and from where. The question is not whether this data can be collected, but whether we trust that it won’t be. Given the track record, one would need a remarkably generous disposition to answer yes.

Von der Leyen herself drew a revealing comparison, perhaps more revealing than intended. She likened the new app to the EU’s Covid certificate system, saying it follows “the same principles, the same model”. That system, we may recall, was also presented as a temporary, targeted measure born of necessity. It became a prerequisite for attending concerts, boarding planes and participating in ordinary public life across 78 countries. The new app carries the same expansionist potential, only this time, the “emergency” is permanent, because children will always need protecting. How convenient.

The promise is that the app will share only your age with platforms, shielding your personal data from tech giants. This deserves scrutiny. Companies like Meta and Google already know how old their users are. They have known for years. What they value, and what governments increasingly want, is behavioural data: where you are, who you communicate with, what content you consume. A mandatory authentication layer does not protect this data from governments. It hands it to them on a silver platter, wrapped in the language of child safety.

There is also the matter of open source design. The European Commission has made the app’s code freely available so that partner countries, inside and outside the EU, can implement it alongside their own social media regulations. This is interoperability by design. It means that the same verification architecture can be adopted globally, creating a unified digital identity infrastructure that extends far beyond keeping 13-year-olds off TikTok. But we are not supposed to notice that part.

Cyprus, as a small EU member state, often finds itself adopting European frameworks without the robust public debate they deserve. President Christodoulides has said a bill will follow, regulating scope, age verification obligations, sanctions for non-compliance and transitional provisions. This is the moment for serious legislative scrutiny, not a rubber stamp dressed up as progress.

At minimum, any proposed legislation should address the following questions. What data will the app collect beyond age, and who will have access to it? What independent oversight mechanisms will be established? Will there be sunset clauses, or will this infrastructure become permanent? How will the system interact with our existing data protection framework and the GDPR? And crucially, what safeguards will prevent the gradual expansion of this system from age verification to broader digital identity requirements?

The UK parliament, it is worth noting, voted down a similar proposal on Wednesday night. Whatever one thinks of that decision, it reflects a political culture willing to debate the trade-offs involved. In Cyprus, by contrast, the announcement arrived as a triumphant social media post, on the very platforms the government now wishes to regulate. The irony, one assumes, was unintentional.

No reasonable person opposes protecting children online. But we must be honest about the difference between protecting children and building surveillance infrastructure that applies to everyone. History teaches us that powers granted to governments in the name of safety are rarely relinquished once the original justification fades. The architecture being constructed today will outlast any particular government or policy, and its eventual uses may bear little resemblance to the noble intentions invoked at its creation.

As this bill makes its way to the House of Representatives, I urge my fellow citizens and our lawmakers to look beyond the reassuring language of child protection and examine the machinery being built beneath it. Our children deserve safety. But they also deserve to inherit a society where digital freedom is not quietly traded away in their name, while we all applaud.

Andreas Shialaros is a Cyprus-based lawyer who deals with digital rights and data protection issues among other areas