Online Safety Code — the live criticism
Coimisiún na Meán's Online Safety Code is the most significant piece of online regulation Ireland has introduced in a decade. It has also attracted unusually strong criticism — not from the platforms it regulates, but from civil-society groups, legal academics, and digital-rights organisations who argue that key provisions risk creating a state-controlled choke-point on internet access. This page lays out the criticisms, the regulator's response, and the open questions.
What's at stake
Most online-safety regulation around the world has converged on three things: requiring platforms to remove illegal content; protecting children from harmful content via age assurance; and requiring transparency about how platforms moderate. Ireland's Code does all three. The criticism focuses not on the goals but on the methods — specifically the planned use of a government-controlled digital identity app for age assurance on social-media platforms.
The five main criticisms
1. Mandatory government-app-based age verification
Communications Minister Patrick O'Donovan confirmed in early 2026 that the Government intends to deliver age assurance for age-restricted online content through a state-developed wallet app built on MyGovID. If implemented as currently described, adults wishing to access age-restricted content on Irish-HQ'd Video-Sharing Platform Services would need to install the app.
The civil-society objection: requiring a state-controlled application as a precondition for accessing social media is structurally different from requiring document verification with a private vendor. It centralises identity assertion in a way that creates new surveillance capacities and new exclusion risks (people who can't or won't use the app, people without smartphones, people for whom downloading a state app carries risk).
The Government's response: the app uses selective disclosure ("over 18" is asserted without transmitting identity), is operated by an EU member state to EU data-protection standards, and is no more invasive than the alternatives already in use by private vendors. Critics counter that the architecture and the politics are separate questions.
2. The choice of "Video-Sharing Platform Services" as the scoping
The Code applies to platforms classified as Video-Sharing Platform Services (VSPS) with EU headquarters in Ireland. That brings several US-owned platforms (Meta, X, TikTok, YouTube, Reddit and others to varying extents) into scope, because Ireland is their EU base. It does not, in the same way, apply to non-Irish-HQ'd platforms used by the same Irish audience.
This creates a discriminatory effect: Irish users of Meta-owned platforms encounter the Code's requirements, while users of an equivalent service headquartered elsewhere in the EU may not. Critics argue this distorts the digital market and pushes users toward less-regulated alternatives. The regulator's response: the EU's cross-border supervisory framework is intended to handle this; the discrepancy is transitional rather than structural.
3. Penalty asymmetry and chilling effects
The €20M / 10%-of-turnover penalty for breach is the largest in any Irish regulatory regime. Some legal commentators argue that, faced with that scale of penalty, platforms will over-enforce — applying age verification, content removal and account suspension more broadly than strictly required, simply to insulate themselves from regulatory risk. The risk is described as "regulatory weaponisation" or "compliance theatre".
4. Definitional vagueness around "gratuitous violence"
"Pornography" is reasonably well-defined. "Gratuitous violence" is not. The Code obliges platforms to apply age assurance to content with "gratuitous violence" without giving a precise definition. Platforms will define it themselves, in a context of large penalties for under-enforcement. Critics argue this gives platforms an incentive to define gratuitous violence broadly, which will sweep in journalism, conflict reporting, war-zone documentation, and political content.
5. Privacy-by-architecture concerns
Even with selective disclosure, every assertion creates a transaction log somewhere. The MyGovID-based age-assurance app, in its planned architecture, generates a record each time you assert "over 18" to a platform. Critics ask: where is the log? Who can subpoena it? What is the retention period? What does the answer look like in a future political context less favourable to digital rights?
The Government's response is that the log will be minimised by design and access restricted by law. The civil-society response is that "by design" promises have a poor track record over decades.
Who is making the criticism, in their own words
Irish Council for Civil Liberties (ICCL)
ICCL has been the most consistently active critic. The Council's published position covers all five issues above; it has called specifically for the planned government age-assurance app to be paused, scrutinised by the Oireachtas, and only implemented if at all with judicial oversight rather than executive discretion. ICCL's submissions to Coimisiún na Meán consultations and to relevant Oireachtas committees are published on iccl.ie.
Digital Rights Ireland (DRI)
DRI's critique focuses on the technical-architecture concerns (3 and 5 above) and on the precedent set for other EU member states. DRI has also raised the question of whether the Code's age-assurance provisions are compatible with the Charter of Fundamental Rights, especially the right to private life and the right to receive and impart information.
Irish Legal News / legal academic commentators
Several legal commentators in Irish publications have described the proposal in stronger terms — Irish Legal News carried analysis describing parts of the plan as "veering into authoritarianism". The legal-academic objection is more procedural: the lack of a clear statutory basis for the planned mandatory state app, separate from the broader Online Safety Code framework.
Coimisiún na Meán's response
CNAM is the regulator, not the policy-maker — many of the criticisms above are aimed at the Government's stated intentions for implementation rather than at CNAM's Code itself. CNAM's position has consistently been that the Code is a proportionate implementation of the Online Safety and Media Regulation Act and that the practical details of age assurance are matters for the platforms and for cooperation with relevant authorities (including identity providers).
The international comparison
No other country has yet required its government-issued digital identity app for age assurance on social-media platforms. France considered a similar plan; the French data-protection regulator (CNIL) raised concerns and France instead opted for a "double anonymity" architecture with a private intermediary. The UK's Online Safety Act mandates age assurance for adult content but does not require a government identity app. Australia is considering a government age-verification system but the implementation is multi-year and contested. Ireland is therefore an experiment ahead of an internationally settled approach.
What you can do
- Read the primary documents. Coimisiún na Meán publishes the Code text and its enforcement decisions at cnam.ie. The Government's relevant statements appear at gov.ie.
- Respond to consultations. CNAM consults from time to time on Code revisions and enforcement strategy. Public submissions become part of the record and are sometimes quoted in subsequent decisions.
- Support the organisations representing the critique. ICCL and DRI both rely on public donations. They are the structural defenders of these positions in the Irish public sphere.
- Write to your TD. The planned government age-assurance app will require Oireachtas debate; constituency contact moves the political weather.
How this story is likely to unfold
Three signposts to watch:
- Publication of the technical architecture for the MyGovID-based age-assurance app. Once specifics exist, structural critique becomes possible at engineering level.
- Any judicial challenge — domestic, or at the Court of Justice of the European Union — to the planned mandatory app.
- Cross-implementation comparison with other EU member states under EUDI Wallet — if Ireland's approach diverges significantly, the EU itself may push back.
Primary sources
- Online Safety Code text — cnam.ie.
- Online Safety and Media Regulation Act 2022 — oireachtas.ie.
- Ministerial statements on the age-assurance app — gov.ie.
- ICCL public submissions — iccl.ie.
- Digital Rights Ireland public submissions — digitalrights.ie.