On 20 April 2026, the independent expert commission Kinder- und Jugendschutz in der digitalen Welt handed Federal Family Minister Karin Prien its long-awaited Bestandsaufnahme — a status assessment of how German law actually protects minors online. The eighteen-member panel, co-chaired by Prof. Dr. Olaf Köller and former Bundestag deputy Nadine Schön, singled out two enforcement failures by name: unzureichende Altersabsicherung (insufficient age verification) and platform dark patterns engineered to maximise screen time and data disclosure from children. Binding action recommendations are due at the end of June 2026, with a full report in mid-September.
The commission has identified the right problems. The question now is whether Berlin will reach for the proportionate tool already sitting on the shelf in Brussels — or whether it will follow the louder, blunter wave of identity mandates and platform bans rolling across Europe.
The steelman: Germany's existing regime really is leaking
It would be glib to treat the commission's findings as moral panic. They are not. Germany's Jugendmedienschutz-Staatsvertrag (JMStV) and the 2021 update to the Jugendschutzgesetz (JuSchG) created one of the most ambitious child-safety frameworks in Europe. Section 17a of the JuSchG put the Bundeszentrale für Kinder- und Jugendmedienschutz (BzKJ) in charge of supervising digital service providers, using a model the agency calls dialogische Regulierung.
In practice, the regime depends on platforms doing two things they have not consistently done: meaningfully verifying age, and not designing interfaces that prey on adolescent psychology. Self-declared birthdays remain the industry norm. Recommender feeds reward compulsive scrolling. Streak counters, variable-reward notifications and friction-laden privacy controls are not bugs but business model. When the commission writes that age controls are inadequate and that manipulative design pushes excessive use, it is describing the platforms readers' children actually use, not a hypothetical. That is the case for stronger action, and it deserves to be heard fairly before any rebuttal.
The wrong reflex: ID-on-the-internet and platform bans
The danger is that the Handlungsempfehlungen due in June will reach past the commission's diagnosis and import the harshest tools now in vogue. Australia has banned under-16s from social media outright. Several US states have tried to mandate hard ID checks for any account creation, prompting a string of First Amendment defeats. California's most recent attempt was described by the Electronic Frontier Foundation in May 2026 as "paternalistic and privacy-destroying" — a critique that lands because broad ID mandates do not just gate teenagers; they require every adult to hand a government credential or a biometric scan to every social network they touch.
The technical critique is just as serious. As participants at a MediaNama roundtable in Bengaluru observed on 15 May 2026, "any technical measure can be circumvented" — children share devices with parents, swap OTPs, use VPNs, and route around app-store age gates. A regime that promises a hard wall and delivers a porous one buys neither safety nor liberty; it merely concentrates sensitive identity data in new honeypots and shifts traffic to less compliant corners of the web.
The proportionate option: the EU age-verification blueprint
Nine days after the German commission published its assessment, the European Commission issued a Recommendation on 29 April 2026 urging Member States to roll out the EU age-verification app by the end of 2026. The app — feature-ready since 15 April 2026 — is built on the same technical specifications as the forthcoming EU Digital Identity Wallet. Crucially, it is designed to let a user prove they are over 13, over 18 or over 65 without revealing their identity, exact age, or any other personal data to the requesting platform. The Commission's own guidance describes "anonymous proof-of-age technologies that ensure the highest possible standard of privacy."
This is the architecture Germany should be operationalising. It addresses the commission's first finding — that age signals are too weak — without creating the surveillance side-effects that have sunk hard-ID mandates elsewhere. Member States, including Germany, can customise the blueprint for national rollout; what they cannot do is strip out the privacy-preserving features. That is the right kind of guardrail: it lets enforcement be tough on platforms while keeping the cost to users (and to the open internet) bounded.
On the second finding — dark patterns — Germany already has leverage it has barely used. The Digital Services Act prohibits deceptive interface design in Article 25, and the European Commission's July 2025 Guidelines on the Protection of Minors under the DSA spell out what very large platforms must do on default privacy settings, recommender transparency and addictive design for under-18s. The BzKJ and the German Digital Services Coordinator can bring enforcement actions today. New national statutes are not the missing ingredient; resourced enforcement is.
What the June recommendations should — and shouldn't — say
A proportionate package would: (1) commit Germany to a hard rollout deadline for the EU age-verification app, ideally Q4 2026 in line with the Commission's Recommendation; (2) direct the BzKJ to publish a public dark-patterns enforcement docket under existing DSA powers, with named cases; (3) fund the Medienkompetenz infrastructure — schools, libraries, parent programmes — that the commission flagged as patchy; and (4) explicitly rule out a blanket under-16 social-media ban as both legally fragile under EU free-expression jurisprudence and unsupported by the commission's own evidence base.
What it should not do is replicate the Australian or Californian playbook, mandate government ID at the point of platform sign-up, or push age-gating down to the operating-system or telecom layer, where it captures every adult user as a side-effect.
Germany's commission has done the unglamorous work of mapping where existing law fails. The win for pro-innovation, pro-rights policy is to channel the political energy of that finding into the EU's privacy-preserving infrastructure, and into enforcement of rules already on the books — not into a new generation of identity mandates that would trade one set of harms for another.