Not so PG: The biometric trap in Egypt’s Child Protection Law
On Jan. 25, 2025, Egypt’s House of Representatives formally endorsed the government’s move toward drafting legislation that would place limits on children’s use of social media, citing psychological and behavioral concerns linked to heavy use and what it termed “digital addiction.”
A month later, on Feb. 24, the chair of the House Communications and Information Technology Committee, MP Ahmed Badawi, announced that the committee would begin deliberating a comprehensive bill to regulate children’s use of social media platforms and websites following Eid Al-Fitr, pending receipt of an official copy and in the presence of the relevant ministers and government officials.
On April 5, the committee announced that students from public, private, and international schools and universities would participate in a dedicated session on the bill’s drafting, including representatives from student unions and several academic institutions.
On May 30, Badawi relayed that a special SIM card for children’s mobile phones will go into effect by the start of July.
Assessing the trajectory
Based on publicly available information, the debate remains at the level of legislative intent and parliamentary discussion — no published text yet exists whose provisions can be evaluated with precision. Even so, the proposed framework for regulating children’s internet use falls under the declared banner of protection, and that framing immediately opens a wider set of questions: who holds the authority to define safe use, who decides what is blocked, who collects children’s data, and who bears responsibility when the system errs.
The absence of a draft does not foreclose an assessment of the direction being taken. Legislation governing children’s access to the internet could become a genuinely useful instrument if it targets platform architecture, advertising practices, recommendation systems, and data protection. It could just as easily produce the opposite result if protection is reduced to biometric age verification or dedicated children’s internet lines subject to centralized blocking.
In that scenario, the burden of harm shifts away from the companies that engineer engaging and profitable digital environments, and lands instead on the child, the family, and the service provider, leaving the root causes inside the platform largely untouched and unaccountable.
The Egyptian context makes that kind of reduction particularly consequential. Egypt has a cybercrime law conferring broad, loosely defined authority to block websites, a documented record of website blocking stretching back to 2017, and a Personal Data Protection Law that entered a wider operational phase with the issuance of its executive regulations in 2025.
Against that backdrop, proposals such as dedicated children’s internet SIMs or opaque age-verification mechanisms cannot be treated as routine technical solutions. They will function inside a legal and regulatory architecture that already permits blocking, compels service providers to enforce blocking orders, and classifies children’s data as highly sensitive.
Platform design
The more fundamental risk lies in how the platforms and applications children use are built. Algorithms calibrated to maximize watch time, notifications engineered to compel constant return, and advertising that exploits children’s underdeveloped capacity to distinguish content from marketing. These are design choices, not incidental features. In this model, the child is a source of behavioral data that platforms convert into revenue. A substantial portion of the harm, in other words, is generated inside services that operate entirely within the law and that children use every day: short-form video, gaming, and instant messaging.
Legislation that leaves the platforms’ business model untouched, or affords it insufficient scrutiny, and instead concentrates on monitoring children, effectively opens a new commercial lane: selling safety as a product, through age-verification tools, content classification systems, filtered internet packages, and paid parental-control software.
Meanwhile, the platforms that profit from excessive engagement escape any meaningful restriction on data collection, targeted advertising, and the behavioral design that drives compulsive use, bearing none of the cost of the harm they help produce.
This approach also distributes the burden of protection along class lines. Families with money and technical fluency can circumvent blocking mechanisms or deploy more precise, device-level controls, while lower-income households are left with a centralized, off-the-shelf solution whose terms they do not set and whose keys they do not hold.
Child protection, under these conditions, becomes a tiered service. Digital literacy, itself, becomes a function of socioeconomic status: a broader internet for those with the means to navigate it, and a narrower one for those directed toward blunt, centralized controls.
Deceptive tools
Facial and voice-based age verification is typically marketed as a more rigorous alternative to self-declared age. But biometric data points are, by their nature, irreplaceable after a breach and cannot be treated as changeable credentials.
This is precisely why the digital identity guidelines issued by the US National Institute of Standards and Technology (NIST) approach biometrics with considerable caution. They do not recognize a biometric trait as a stand-alone authentication factor; they emphasize that biometric matching is probabilistic rather than definitive; and wherever feasible, they favor local verification. Meaning, age or identity is confirmed on the user’s own device or within an environment the user controls, rather than by transmitting raw data to a central server operated by a company or a government body. When an age-estimation system makes an error, a child may be wrongly blocked from an educational resource or incorrectly admitted to a space inappropriate for their age.
Nor is the harm from a verification data breach limited to the recovery of a compromised account. Sometimes the more serious risk is the mere existence of a record linking a person to an attempt to access sensitive content or a sensitive service. For an adolescent seeking information about mental health, domestic violence, or sexual health, a stringent verification requirement may deter them from seeking that knowledge at all — or push them toward channels that are considerably less safe.
Restriction in the form of protection
Egypt's Personal Data Protection Law imposes a direct constraint on biometric-based solutions. Article 12 prohibits any controller or processor from collecting, transferring, storing, saving, processing, or making available sensitive personal data without a license from the Personal Data Protection Center.
It requires the explicit written consent of the person concerned, stipulates that any operation involving children’s data requires guardian consent, and prohibits making a child’s participation in a game, competition, or any other activity conditional on providing more data than is strictly necessary for that participation.
The executive regulations reinforce this obligation explicitly. They require explicit written consent from a parent or guardian, in paper or electronic form, before collecting data on children under 15, and subject parental consent for those aged 15–18 to context-specific requirements.
This provision establishes a clear legislative standard of necessity and proportionality. A service that needs only to determine whether a user falls above or below a given age threshold does not necessarily require a facial image, an identity document, or a record that can be linked across platforms. The most that could be accepted in high-risk cases is proof of age that remains local and temporary, generates no cross-service tracking identifier, and offers alternatives for those without documentation or access to a capable device.
Even the most current European model — which proposes an open-source age-verification application allowing users to confirm their age anonymously through identity documents or a passport — does not eliminate the risk that the underlying technical infrastructure may gradually expand beyond child protection into other age-related uses and restrictions. That possibility demands rigorous legislative oversight from the outset.
Centralized blocking
The proposed children’s internet SIM will block children under 13 from accessing social media platforms, including Facebook, TikTok, and Telegram, while still allowing access to educational sites. Parents will receive an activation code to manage their children’s phone access. The new SIM card with centralized blocking presents itself as simpler than biometrics: it requires no facial image, no identity document. But it vests in the service provider — or the body that determines classification lists — the authority to decide what a child may access and what is withheld. In a country with a substantial record of blocking, that authority cannot be treated as a bounded, family-level filter.
Rights organizations have documented website blocking in Egypt since May 24, 2017, beginning with 21 sites and expanding over time to encompass news and human rights platforms, circumvention tools, and VPN and proxy services. That track record makes any proposed children’s SIM susceptible to mission creep: it may begin with categories commanding broad social consensus — such as pornography or sexual exploitation — and gradually extend to wider and more contested terrain: content related to gender, mental health, sex education, rights organizations, political platforms, or privacy tools.
The cybercrime law situates this blocking authority within an existing legal framework. Article 7 allows the competent investigative authority to order the blocking of a website where it finds evidence that the site is broadcasting material deemed a criminal offense under the law and that threatens national security or endangers the country’s security or national economy, provided the order is presented to a court within 24 hours. Article 30 penalizes any service provider that refuses to comply with a blocking decision.
The risk of knowledge deprivation
Relying solely on blocking as a protective instrument reflects a reductive image of the child. It marginalizes a child’s right to information, their gradual movement toward autonomy, and their need for support in situations where family or school is neither sufficient nor safe. A child or adolescent facing bullying, extortion, or violence within the home may need access to resources they would not want visible in a monitored search history. They may need health or psychological information that neither school nor family will provide. When that access becomes a surveilled or filtered pathway, the harm does not disappear — it simply becomes less visible.
The European Data Protection Board’s statement on age assurance, issued in February 2025, sets a meaningful standard: any age-verification or age-estimation system must be risk-based, proportionate, purpose-limited, and designed to collect the minimum data necessary.
The statement further stresses that protecting children is not reducible to protecting their personal data alone. It must account for the full range of children’s rights; including protection from violence and exploitation, access to information from diverse sources, and meaningful consideration of the child’s views and developing capacities.
It also cautions that effective remedies must exist when age-assurance decisions infringe on a person’s rights, and that these systems engage freedom of expression and the right to receive information: not merely privacy.
That standard offers a workable benchmark for any legislative text. A law that takes child protection seriously places the primary burden on corporations. It bans advertising directed at minors, requires platforms to apply high-privacy settings by default, and restricts the use of verification data for building marketing profiles or linking users across services.
This path requires equally important procedural safeguards: giving the child and guardian the right to contest blocking or classification decisions, ensuring prompt human review of access-affecting determinations, and removing barriers that might exclude lower-income children — or those without documentation or modern devices — from services that could benefit them.
Protection from the market, not from the internet
Behaviorally targeted advertising aimed at minors, and recommendation systems that surface and stack harmful content, are the mechanisms through which a child’s time and attention are converted into commercial value. Restricting both strikes at the business model directly. Requiring platforms to adopt privacy-respecting default settings and barring the disclosure of children’s data to third parties except in the narrowest of circumstances raises the cost of data extraction for companies and restructures design incentives in ways that no gateway-level blocking can replicate.
Even where legislation requires users to submit personal data to verify their age for specific high-risk services, the necessity and proportionality standard established in Article 12 of the Personal Data Protection Law significantly narrows the permissible options. Biometrics should not be the default mechanism, and verification should be confined to confirming an age status without disclosing identity or enabling cross-service tracking.
The structural problem with most existing verification models is that the platform itself administers the verification process — combining full knowledge of the user’s identity with a granular record of their digital behavior in a single profile, later monetized through advertising or sold to third parties.
An alternative is for an independent intermediary to conduct the verification and issue an anonymous token that communicates only that the user meets the age requirement, without revealing the user’s identity or which service they are accessing. This separation between the issuing party and the receiving platform severs the link that converts verification into an instrument of mass surveillance. Free alternatives ensure that the verification requirement does not become an access barrier for children who lack documentation or modern devices. And every verification provider or filtering service should be subject to independent audit, with results made publicly available.