Verification of age to access pornographic content
An anti-obscenity association issued a proposal for an Act on Protection of Minors against Pornographic Content on 16 December 2019. It has gained the official support of the Family Council, which recommended to the Prime Minister that the proposal be adopted for further legislative work. The Minister of Family, Labour and Social Policy announced that work on the bill should conclude in the first half of 2020. The need to restrict children’s access to pornography is obvious, but the proposal has generated much controversy, mainly due to the proposed mechanism for age verification, which may invade internet users’ privacy. The proposal would also impose additional obligations on telecommunications operators, electronic service providers, and payment service providers.
The association Twoja Sprawa, which drafted the proposal, openly admits that before entering into force, the bill will require numerous changes, but it is the fundamental premises of the bill that generate the most controversy. A mechanism for verifying users’ age would have to be introduced to every website providing pornographic content, effectively preventing access by users under age 18. A pornographic website not introducing such a mechanism would be entered in a register and access to the website would be blocked by telecommunications operators.
Age would supposedly be verified while ensuring adequate protection of personal data and privacy, but some commentators claim that this may not be technically feasible if the bill is adopted in its current form.
Premises of the proposal
The bill includes numerous definitions, such as the notion of “qualified pornographic content,” which would be vital for classification of material posted to the internet. Under the proposed definition, “pornography” could include content of an artistic or scholarly nature. Art. 9(9) of the bill then provides that oversight would not be pursued with respect to artistic works or works released as part of a publication of a purely scholarly or educational nature. This construction could prove dangerous for creators of such content, because the decision on whether to apply oversight in relation to such content would depend on the decision of the supervisory authority. It would be safer if content not truly constituting pornography were excluded from the scope of the definition.
According to the proposal, an entity providing access to pornography would include not only the person immediately publishing pornographic content (e.g. on their own website), but also a service provider offering this possibility to its users. Under the bill, the responsibility of an entity operating such an online platform could be limited only by Art. 14 of the Electronic Services Act (the hosting exception). A service provider learning (e.g. from an official notification or other reliable source) that users are storing unlawful data on its resources would have to prevent access to that data. If the service provider did not take appropriate measures, the duty to introduce an age-verification mechanism would then also rest on that service provider.
It is not clear why an exclusion from liability would be available to service providers only if they provide hosting services. This overlooks services as a “mere conduit” and caching, which are shielded from liability under the Electronic Services Act. This creates a danger that the bill could be interpreted to allow operators of social media sites to be released from liability for material posted by users, but not for material transmitted in private messages. This could bring the proposal into conflict with EU law, particularly the e-Commerce Directive (2000/31/EC), which was implemented by the Electronic Services Act.
Under the proposal, the supervisory authority enforcing the act would be the chair of the National Broadcasting Council. A specially appointed foundation would serve as a joint regulator, overseen by the Minister of Digital Affairs. The council of the foundation would be composed of representatives of the supervisory authority and members of organisations involved in children’s rights and protection of privacy and representing the interests of electronic service providers. The joint regulator would pursue certain tasks listed in the act, conduct monitoring of pornographic content published on the internet, and notify the supervisory authority of violations.
Additional obligations for other entities
The supervisory authority would enter into a newly created register the internet domains and addresses of accounts providing access to pornographic content without age verification. The register would be published in the public information bulletin of the National Broadcasting Council, and the register would be accessible to any interested person (meaning that the register itself would be a source of knowledge of new pornography sites). The register would be operated in a manner enabling automatic transmission of information about entries to the IT systems of telecommunications operators and payment service providers, and the bill would impose additional obligations on these two types of entities.
-
Telecommunications operators
All telecommunications operators providing internet access service would be required to block access by its subscribers to an internet domain or account address within 48 hours after it is entered in the register. A user attempting to access a site entered in the register would be redirected to a domain indicated by the chair of the National Broadcasting Council. While blocking access does not seem controversial in the case of websites mainly displaying pornography, questions arise with respect to platforms where content is transmitted only through one or more accounts functioning on the platform. In that case, if the service provider effectively takes advantage of the limitation on liability for hosting providers, the supervisory authority could enter in the register only the immediate address of the account providing access to pornographic content. This would create an additional problem, because the URL address of a specific account on a platform frequently changes (e.g. due to modification of the username), including at the request of the service provider’s customer. This would require thousands of addresses to be entered in the register, and following the proper procedure (which involves, among other things, attempting to contact the person providing access to the content) would pose a huge challenge for the authority.
Obviously this also impacts the scope of duties of telecommunications operators, which would have to block successive sites within 48 hours after they are entered in the register. Information on new entries in the register would be transmitted automatically to service providers’ IT systems (with the details of this technical solution to be established by the National Broadcasting Council in an executive regulation). This means that operators would be forced to employ an additional external technological solution, or would have to assign staff to handle blocking of addresses as they are entered. If a telecommunications operator failed to block sites, the chair of the National Broadcasting Council could summon it to cease violations of the act and then impose a fine on the company of as high as PLN 100,000.
Monitoring entries in the register would also be an obligation for telecommunications operators handling payments for premium-rate services. Under the proposal, the operator would have to prevent execution of premium SMSs or premium-rate calls, charged for services offered via domains or user accounts entered in the register.
-
Payment service providers
The method of imposing additional duties on payment service providers is controversial. The bill would prohibit providers from offering payment services on websites entered in the register. If a payment service provider is already offering services on a site when it is entered in the register, the payment service provider would have 30 days to cease doing so. The bill thus would de facto subject payment service providers to an additional regulatory regime they have not dealt with before. Now they must deal with the Office of the Polish Financial Supervision Authority and the General Inspector of Financial Information, but if this bill enters into force, they will also fall under an additional regulatory body, the National Broadcasting Council. The chair of the council could not only demand information or documents from payment service providers necessary to exercise supervision, but could also order them to cease violations and impose fines on them.
Polish payment service providers only to a small extent provide support for foreign websites with pornographic content (and it is mainly foreign sites that will be entered in the register). But the wording of the bill does not make it entirely clear whether these regulations could also be applied to EU-based payment service providers offering cross-border services in Poland. The proposal refers generally to payment service providers, and under the Payment Services Act this term also applies to EU payment institutions and branches of foreign banks. In this situation, entities operating in Poland on the basis of passporting, and also providing payment services to entities entered in the register, will not be sure whether they are exposed to fines. Depending how the regulator interprets this provision, it would raise a question of whether a payment service provider must abandon its cooperation with an entity listed in the register entirely, or only disable payments by Polish users. These are just some of the basic doubts raised by the proposal as presented.
Current regulations
Despite the broad debate occurring after publication of the proposal, not many people noticed the similarity to the regulations already in force in Poland. The clearest example is the duty to protect minors on the part of operators of video-on-demand platforms. Under Art. 47e of the Broadcasting Act (implementing EU regulations), a catalogue of programmes endangering the development of minors, in particular pornographic content, must not be provided without applying technical security measures or other means to protect minors from receiving such programmes.
The conditions that must be met by the technical security measures or other means may be specified in an executive regulation issued by the National Broadcasting Council in consultation with the Minister for Digital Affairs. However, from 2014 to this day, the council has not decided to issue such a regulation. The reason may be adoption of the Code of Best Practice in this area drafted by IAB Polska (association of internet employers). The technical security measure proposed by the code is not to deliver inappropriate content to users unless they provide authorisation data for a payment card or make a verification payment.
The mechanism of blocking sites with pornographic content is similar to the existing regulations involving the register of sites offering unlawful gambling. In that case as well, additional obligations were imposed on telecommunications operators. During work on the gambling regulations, the Minister of Digital Affairs commented that entry in the register should be preceded by an order from the state court, but ultimately that condition was not included in the act. Currently there are over 8,400 domains entered in that register, but some publications claim that even if a telecommunications operator manages to block a site, users may still be able to access it thanks to antivirus programmes or other software on their end-user device. This raises the question of the effectiveness of a comparable solution proposed with respect to pornography sites.
Doubts surrounding age verification
The authors claim in the outline for the proposed Act on Protection of Minors against Pornographic Content that the provisions correspond to the aims of the Audiovisual Media Services Directive (2018/1808), which EU member states are required to implement by 19 September 2020. But this proposal definitely does not constitute implementation of the directive, which covers a much broader area than protecting minors against pornography (also for example combating hate speech and restricting ad content and other messages targeted to children). This bill does not use terms introduced by the directive such as “video-sharing platform service” or “user-generated video.” Adoption of the regulations in this form might result in improper implementation of the directive and conflict with other acts implementing the directive.
However, the greatest doubts are raised by the possible requirements and actual form of the tools for verifying users’ age, to be applied by entities offering pornographic content. The minimum criteria for the tools would be set by the chair of the National Broadcasting Council through an executive regulation issued in consultation with the Minister of Digital Affairs, after obtaining an opinion from the president of the Personal Data Protection Office. It is easy to imagine a situation in which the age-verification instrument fails to ensure adequate protection of personal data, thus allowing an unauthorised entity to access information about the sexual preferences of a large group of citizens.
Additional concerns have been raised by media statements by officials of the Ministry of Digital Affairs, proposing to impose additional duties on providers of web browsers. They would be expected to natively block access to some content available online, but could be unlocked by a key generated by the ministry. It can only be hoped that the team of experts appointed by the Ministry of Family, Labour and Social Policy develops a solution better suited to the realities of the market.
Only a few commentators in the debate so far have pointed to the possibility of including in the bill provisions concerning sex education, which could also help protect children against the negative consequences of pornography.
Adam Polanowski, New Technologies practice, Wardyński & Partners