Spain’s Minister of Youth Calls for UN Working Group to Regulate Big Tech and Protect Children Online

Spain’s Minister of Youth and Children, Sira Rego, has proposed the creation of a multilateral working group through the United Nations to regulate digital environments and protect children from what she described as “abuses by large technology platforms.” The proposal calls for binding rules and oversight mechanisms that guarantee children’s rights and freedoms online — and puts the weight of a national government behind a push to move child online safety from domestic legislation to the international governance level.

The proposal is notable not only for its ambition but for its timing. It arrives as the European Union’s Digital Services Act enforcement machinery is beginning to produce real consequences for platforms, as Australia has enacted a hard social media age ban for under-16s, and as the United States continues to stall on comprehensive federal children’s online privacy legislation. The call for a UN working group reflects a growing view among governments that national-level regulation is insufficient when the platforms are global, the harms are cross-border, and the companies’ legal structures allow them to route regulatory exposure through the most permissive available jurisdiction.

What the Proposal Calls For

Minister Rego’s proposal targets large technology platforms specifically. The working group she envisions would develop rules and control mechanisms that guarantee children’s rights and freedoms — language that maps to existing international frameworks, particularly the UN Convention on the Rights of the Child (UNCRC), which has been ratified by every UN member state except the United States.

The UNCRC already provides a foundation. General Comment No. 25, adopted by the Committee on the Rights of the Child in 2021, extended the Convention’s protections explicitly to the digital environment, addressing children’s rights in relation to digital media, privacy, data protection, and protection from exploitation and abuse online. Spain’s proposal would build a regulatory and enforcement superstructure on top of that existing normative foundation.

The specific mechanisms proposed — oversight of large platforms, binding rules, control mechanisms — track closely with what the DSA has attempted at the EU level: transparency requirements, algorithmic accountability, risk assessments for systemic platforms, and the ability to impose penalties for non-compliance. A UN working group framework would aim to extend comparable logic globally, covering jurisdictions where no equivalent domestic regulation currently exists.

The Regulatory Gap the Proposal Is Trying to Close

The problem Spain’s proposal names is real and well-documented. Large technology platforms design engagement systems, recommendation algorithms, and monetization architectures that have measurable effects on children’s wellbeing, development, and safety. The evidence base — from the UK Children’s Commissioner, from the U.S. Surgeon General’s advisory on social media and youth mental health, from academic research across multiple jurisdictions — has reached a point where the policy debate is no longer about whether harm exists but about what form regulation should take.

The regulatory gap is structural. A platform headquartered in the United States, with EU operations structured through Irish subsidiaries, serving children in Spain, Australia, Brazil, and Nigeria simultaneously, faces a patchwork of obligations that vary dramatically by jurisdiction. Where domestic law is strong — the EU’s GDPR children’s provisions, the UK’s Age Appropriate Design Code, the U.S. Children’s Online Privacy Protection Act — platforms face compliance pressure. Where domestic law is weak or absent, children in those jurisdictions have significantly less protection from the same products.

This creates a compliance arbitrage problem that domestic regulation alone cannot solve. A company can be fully compliant with every applicable national law and still operate systems that harm children in jurisdictions where no protective framework exists. The UN working group model attempts to address this by establishing a floor of global obligations rather than a ceiling of national ones.

The Existing International and Regional Framework

Spain’s proposal does not emerge into a vacuum. Several regulatory instruments already address children’s online rights at the international and regional level, and understanding them clarifies both what the working group would add and where the gaps remain.

At the UN level, the UNCRC and its General Comment No. 25 establish normative standards but lack enforcement mechanisms. The Committee on the Rights of the Child can review state parties’ compliance and issue recommendations, but it cannot sanction platforms directly and cannot compel national governments to act.

At the EU level, the GDPR establishes that children’s personal data requires heightened protection and that consent obtained from children under 16 — or under 13, at member state discretion — is invalid without parental authorization. The DSA imposes specific obligations on very large online platforms regarding minor users, including prohibitions on profiling children for advertising purposes and requirements to assess and mitigate systemic risks to minors. The forthcoming EU Child Sexual Abuse Regulation addresses detection and reporting obligations. Together these instruments create the most comprehensive regional framework currently in operation.

Outside the EU, the UK Age Appropriate Design Code (Children’s Code) has been influential beyond its jurisdiction, prompting design changes by major platforms that were applied globally rather than UK-only — a demonstration of the Brussels Effect dynamic that Spain’s proposal implicitly relies on at the UN level. Australia’s Online Safety Act and the social media age ban legislation represent a more aggressive domestic approach. In the United States, the Children’s Online Privacy Protection Act is widely viewed as outdated, and federal comprehensive children’s online safety legislation has repeatedly stalled in Congress despite bipartisan support.

What a UN Working Group Could and Could Not Achieve

The UN working group model has a mixed track record. It is effective at norm development — producing treaty text, standards documents, and political consensus around shared principles. It is less effective at enforcement, which ultimately depends on national implementation and domestic legal mechanisms.

The most optimistic scenario for the working group Spain envisions is that it produces a binding international instrument — a treaty or convention — on children’s digital rights that obligates state parties to enact domestic legislation meeting defined minimum standards, with a monitoring body that reviews compliance and names non-compliant jurisdictions publicly. This is the model of the UNCRC itself, extended with digital-specific obligations and, ideally, stronger enforcement architecture.

The more likely near-term outcome is a soft law framework: a set of agreed principles, voluntary commitments, and technical guidance that informs domestic legislation without creating binding obligations. This is still valuable — the UNCRC’s General Comment No. 25 has shaped legislation in multiple jurisdictions without being legally binding on platforms — but it does not solve the enforcement gap in jurisdictions with weak domestic regulation.

The significant obstacle is the United States, which has not ratified the UNCRC and which houses the majority of the platforms the proposal targets. A UN working group that produces a convention the U.S. does not ratify has limited leverage over Meta, Google, TikTok’s U.S. operations, Snap, and the other platforms whose products are at the center of the debate. This is not a reason not to proceed — the Brussels Effect has demonstrated that regulatory frameworks can influence platform behavior even without U.S. government participation — but it is a material constraint on the working group’s direct enforcement reach.

Compliance Implications for Technology Platforms

For platforms and their compliance teams, Spain’s proposal signals a direction of regulatory travel that is now operating at multiple governance levels simultaneously — domestic, regional, and international. The accumulation of children’s online safety obligations is accelerating, not stabilizing.

The specific compliance pressure points that platforms should anticipate as this framework develops include:

• Age verification and assurance: Every major children’s online safety framework is converging on an expectation that platforms know — with reasonable certainty — whether a user is a minor. The technical and legal debate about how to accomplish this without creating new privacy risks is ongoing, but the direction is clear. Platforms that have not invested in age assurance infrastructure are behind the compliance curve.
• Algorithmic accountability for minor users: The DSA already prohibits profiling minors for advertising. Spain’s proposal would extend similar obligations globally. Platforms need to be able to demonstrate that their recommendation and content delivery systems are not optimized in ways that foreseeably harm children — and that they have conducted and documented the risk assessments to support that position.
• Data minimization for children’s data: GDPR, COPPA, the UK Children’s Code, and every emerging framework in this space require that children’s data be collected only to the minimum extent necessary. Platforms whose data architectures were built on maximizing collection will face increasing tension with this requirement as more jurisdictions adopt it.
• Default privacy settings for minors: The UK Children’s Code’s requirement that privacy settings be set to high by default for child users has become a global standard expectation. Platforms that require children to opt out of data collection rather than opt in face regulatory exposure in an expanding set of jurisdictions.
• Transparency in design: Features that exploit psychological vulnerabilities — infinite scroll, variable reward notifications, social validation mechanics — are increasingly the subject of regulatory and litigation scrutiny when applied to minor users. Documentation of design decisions and their anticipated effects on children is becoming a compliance requirement, not just a public relations consideration.

Five Steps for Organizations Assessing Children’s Online Safety Compliance

1. Map your minor user exposure. Identify all products, services, and platforms your organization operates that are likely to be accessed by users under 18. Assess whether your current terms of service, age gating, and data handling practices are aligned with the most protective applicable framework — not the minimum required by your most permissive jurisdiction.
2. Audit your data practices for children’s data. Review what data is collected from or about minor users, the legal basis for collection, retention periods, and whether data minimization and purpose limitation principles are being applied. Identify gaps against GDPR Article 8, COPPA, and the UK Children’s Code as a baseline.
3. Review your recommendation and engagement systems. Assess whether algorithmic systems that surface content to users have been evaluated for their effects on minor users specifically. Document the evaluation methodology and findings. This documentation is your defense in both regulatory inquiry and litigation.
4. Monitor the EU DSA enforcement pipeline for minors-related decisions. The European Commission and national Digital Services Coordinators are actively investigating major platforms’ compliance with DSA obligations regarding minor users. Enforcement decisions will set the standard for what regulators consider adequate — monitoring them is essential for calibrating your own compliance posture.
5. Engage your government affairs and legal teams on the UN process. If Spain’s proposal advances to a formal UN working group, the drafting process will include stakeholder consultation periods where platforms and civil society can participate. Organizations with significant minor user populations should be engaged in that process rather than waiting for a final instrument to respond to.

The Signal in Spain’s Proposal

Spain is not a regulatory superpower. It does not have the market size of the United States, the regulatory infrastructure of the European Commission, or the geopolitical leverage of the largest UN member states. What it has is a seat at the table, a coalition of like-minded governments behind the UNCRC framework, and a proposal that names the structural problem clearly: national regulation is insufficient for global platforms, and the children in the least-regulated jurisdictions pay the price for that gap.

Whether the UN working group materializes, and whether it produces binding obligations or soft law guidance, the proposal reflects a consensus that is forming across governments with very different political systems: that large technology platforms have not voluntarily made their products safe for children, that self-regulation has not worked, and that the regulatory response needs to match the scale of the platforms it is trying to govern.

For compliance professionals, the practical implication is straightforward. The direction of regulatory travel on children’s online safety is toward more requirements, higher standards, and broader geographic coverage. Building compliance programs to the most protective current standard — not the minimum required — is no longer just good practice. It is the only durable strategy for organizations that serve global audiences and want to stay ahead of a regulatory curve that is moving in one direction.