
redaction

CJEU: age checks for foreign porn sites, under conditions

On 16 June 2026, the CJEU conditionally upheld a requirement that porn sites based in another EU state implement age checks. This is a strong signal for regulators like ARCOM, with immediate GDPR implications.

The CJEU confirms that an EU Member State may, on a case‑by‑case basis, require pornographic websites established in another Member State to implement age verification, provided the e‑commerce directive’s derogation procedure is followed and measures are necessary and proportionate.

Key facts

In joined cases C‑188/24 and C‑190/24 (16 June 2026), the Court held that a country may target a specific service operated from another Member State to require age checks, after notifying the State of establishment and assessing tailored measures. This framework supports ARCOM’s actions against foreign sites failing to block minors.

Legal basis

  • Directive 2000/31/EC (e‑commerce): country‑of‑origin principle, with a service‑by‑service derogation (Article 3(4)) if the measure is necessary, proportionate, targeted, and duly notified.
  • GDPR: any age gate processes personal data. Controllers must ensure data minimisation and storage limitation, choose an appropriate legal basis, apply privacy by design, and conduct a DPIA for intrusive techniques. See the key requirements of GDPR Articles 5, 6, 25 and 35.

What changes for Luxembourg businesses

  • Adult content operators based in Luxembourg: if France or Belgium triggers the e‑commerce derogation after notification, your service may need to deploy an age check aligned with local requirements, even if you are established in Luxembourg.
  • Platforms and app stores: expect audit clauses and SLAs for minor blocking where integration is deep.
  • Data protection and security: avoid large‑scale ID collection; prioritise identity‑free age proofs with rapid deletion. For CNPD alignment, refer to our guidance on GDPR compliance in Luxembourg.
  • Timelines: compliance may be requested within weeks after a targeted order; prepare a market‑by‑market rollout and audit evidence.

Actions to take this week

  • Map exposure: identify domains/apps that could be targeted “service by service” and adjust notices/ToS per country.
  • Pick a privacy‑first method: anonymous tokens, cryptographic attestations, 24‑hour purges; avoid biometrics unless justified in the DPIA.
  • Run a DPIA and vendor PIA: EU hosting, encryption, no commercial re‑use, anti‑bypass testing; document legal basis per country and update Article 30 records.
  • Prepare the Article 3(4) path: designate legal/technical contacts, a proportionality dossier, and an authority response playbook. A certified DPO mandate can steward the analysis and communications.
  • Implement audit controls: non‑identifying logs, false positive/bypass metrics, regular red‑team tests.
  • Adapt user messaging: clearly explain the purpose, the method (identity‑free proof), retention (very short), and security guarantees.

Key takeaways

  • Age‑check obligations can apply to services established abroad if the derogation procedure is followed.
  • Proportionality and minimisation drive design: avoid ID repositories; prefer identity‑free proofs and very short retention.
  • Plan for swift compliance with clear governance and effectiveness evidence.

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
