Verification of age to access pornographic content

An anti-obscenity association issued a proposal for an Act on Protection of Minors against Pornographic Content on 16 December 2019. It has gained the official support of the Family Council, which recommended to the Prime Minister that the proposal be adopted for further legislative work. The Minister of Family, Labour and Social Policy announced that work on the bill should conclude in the first half of 2020. The need to restrict children’s access to pornography is obvious, but the proposal has generated much controversy, mainly due to the proposed mechanism for age verification, which may invade internet users’ privacy. The proposal would also impose additional obligations on telecommunications operators, electronic service providers, and payment service providers.

The association Twoja Sprawa, which drafted the proposal, openly admits that before entering into force, the bill will require numerous changes, but it is the fundamental premises of the bill that generate the most controversy. A mechanism for verifying users’ age would have to be introduced to every website providing pornographic content, effectively preventing access by users under age 18. A pornographic website not introducing such a mechanism would be entered in a register and access to the website would be blocked by telecommunications operators.

Age would supposedly be verified while ensuring adequate protection of personal data and privacy, but some commentators claim that this may not be technically feasible if the bill is adopted in its current form.

Premises
of the proposal

The bill includes numerous
definitions, such as the notion of “qualified pornographic content,” which
would be vital for classification of material posted to the internet. Under the
proposed definition, “pornography” could include content of an artistic or
scholarly nature. Art. 9(9) of the bill then provides that oversight would
not be pursued with respect to artistic works or works released as part of a
publication of a purely scholarly or educational nature. This construction
could prove dangerous for creators of such content, because the decision on
whether to apply oversight in relation to such content would depend on the decision
of the supervisory authority. It would be safer if content not truly
constituting pornography were excluded from the scope of the definition.

According to the proposal, an
entity providing access to pornography would include not only the person
immediately publishing pornographic content (e.g. on their own website), but
also a service provider offering this possibility to its users. Under the bill,
the responsibility of an entity operating such an online platform could be
limited only by Art. 14 of the Electronic Services Act (the hosting
exception). A service provider learning (e.g. from an official notification or
other reliable source) that users are storing unlawful data on its resources would
have to prevent access to that data. If the service provider did not take
appropriate measures, the duty to introduce an age-verification mechanism would
then also rest on that service provider.

It is not clear why an exclusion
from liability would be available to service providers only if they provide
hosting services. This overlooks services as a “mere conduit” and caching, which
are shielded from liability under the Electronic Services Act. This creates a
danger that the bill could be interpreted to allow operators of social media
sites to be released from liability for material posted by users, but not for
material transmitted in private messages. This could bring the proposal into
conflict with EU law, particularly the e-Commerce Directive (2000/31/EC), which
was implemented by the Electronic Services Act.

Under the proposal, the supervisory
authority enforcing the act would be the chair of the National Broadcasting
Council. A specially appointed foundation would serve as a joint regulator, overseen
by the Minister of Digital Affairs. The council of the foundation would be
composed of representatives of the supervisory authority and members of
organisations involved in children’s rights and protection of privacy and
representing the interests of electronic service providers. The joint regulator
would pursue certain tasks listed in the act, conduct monitoring of
pornographic content published on the internet, and notify the supervisory
authority of violations.

Additional
obligations for other entities

The supervisory authority would
enter into a newly created register the internet domains and addresses of
accounts providing access to pornographic content without age verification. The
register would be published in the public information bulletin of the National
Broadcasting Council, and the register would be accessible to any interested
person (meaning that the register itself would be a source of knowledge of new
pornography sites). The register would be operated in a manner enabling
automatic transmission of information about entries to the IT systems of
telecommunications operators and payment service providers, and the bill would
impose additional obligations on these two types of entities.

  • Telecommunications operators

All telecommunications operators
providing internet access service would be required to block access by its
subscribers to an internet domain or account address within 48 hours after it
is entered in the register. A user attempting to access a site entered in the
register would be redirected to a domain indicated by the chair of the National
Broadcasting Council. While blocking access does not seem controversial in the
case of websites mainly displaying pornography, questions arise with respect to
platforms where content is transmitted only through one or more accounts
functioning on the platform. In that case, if the service provider effectively
takes advantage of the limitation on liability for hosting providers, the
supervisory authority could enter in the register only the immediate address of
the account providing access to pornographic content. This would create an
additional problem, because the URL address of a specific account on a platform
frequently changes (e.g. due to modification of the username), including at the
request of the service provider’s customer. This would require thousands of addresses
to be entered in the register, and following the proper procedure (which
involves, among other things, attempting to contact the person providing access
to the content) would pose a huge challenge for the authority.

Obviously this also impacts the
scope of duties of telecommunications operators, which would have to block successive
sites within 48 hours after they are entered in the register. Information on
new entries in the register would be transmitted automatically to service
providers’ IT systems (with the details of this technical solution to be
established by the National Broadcasting Council in an executive regulation). This
means that operators would be forced to employ an additional external
technological solution, or would have to assign staff to handle blocking of
addresses as they are entered. If a telecommunications operator failed to block
sites, the chair of the National Broadcasting Council could summon it to cease
violations of the act and then impose a fine on the company of as high as
PLN 100,000.

Monitoring entries in the register
would also be an obligation for telecommunications operators handling payments
for premium-rate services. Under the proposal, the operator would have to prevent
execution of premium SMSs or premium-rate calls, charged for services offered
via domains or user accounts entered in the register.

  • Payment service providers

The method of imposing additional
duties on payment service providers is controversial. The bill would prohibit
providers from offering payment services on websites entered in the register.
If a payment service provider is already offering services on a site when it is
entered in the register, the payment service provider would have 30 days to cease
doing so. The bill thus would de facto
subject payment service providers to an additional regulatory regime they have
not dealt with before. Now they must deal with the Office of the Polish
Financial Supervision Authority and the General Inspector of Financial
Information, but if this bill enters into force, they will also fall under an
additional regulatory body, the National Broadcasting Council. The chair of the
council could not only demand information or documents from payment service
providers necessary to exercise supervision, but could also order them to cease
violations and impose fines on them.

Polish payment service providers only
to a small extent provide support for foreign websites with pornographic
content (and it is mainly foreign sites that will be entered in the register).
But the wording of the bill does not make it entirely clear whether these
regulations could also be applied to EU-based payment service providers
offering cross-border services in Poland. The proposal refers generally to
payment service providers, and under the Payment Services Act this term also
applies to EU payment institutions and branches of foreign banks. In this
situation, entities operating in Poland on the basis of passporting, and also
providing payment services to entities entered in the register, will not be
sure whether they are exposed to fines. Depending how the regulator interprets this
provision, it would raise a question of whether a payment service provider must
abandon its cooperation with an entity listed in the register entirely, or only
disable payments by Polish users. These are just some of the basic doubts
raised by the proposal as presented.

Current
regulations

Despite the broad debate occurring
after publication of the proposal, not many people noticed the similarity to
the regulations already in force in Poland. The clearest example is the duty to
protect minors on the part of operators of video-on-demand platforms. Under Art. 47e
of the Broadcasting Act (implementing EU regulations), a catalogue of
programmes endangering the development of minors, in particular pornographic
content, must not be provided without applying technical security measures or
other means to protect minors from receiving such programmes.

The conditions that must be met by the technical security measures or other means may be specified in an executive regulation issued by the National Broadcasting Council in consultation with the Minister for Digital Affairs. However, from 2014 to this day, the council has not decided to issue such a regulation. The reason may be adoption of the Code of Best Practice in this area drafted by IAB Polska (association of internet employers). The technical security measure proposed by the code is not to deliver inappropriate content to users unless they provide authorisation data for a payment card or make a verification payment.

The mechanism of blocking sites with pornographic content is similar to the existing regulations involving the register of sites offering unlawful gambling. In that case as well, additional obligations were imposed on telecommunications operators. During work on the gambling regulations, the Minister of Digital Affairs commented that entry in the register should be preceded by an order from the state court, but ultimately that condition was not included in the act. Currently there are over 8,400 domains entered in that register, but some publications claim that even if a telecommunications operator manages to block a site, users may still be able to access it thanks to antivirus programmes or other software on their end-user device. This raises the question of the effectiveness of a comparable solution proposed with respect to pornography sites.

Doubts
surrounding age verification

The authors claim in the outline for the proposed Act on Protection of Minors against Pornographic Content that the provisions correspond to the aims of the Audiovisual Media Services Directive (2018/1808), which EU member states are required to implement by 19 September 2020. But this proposal definitely does not constitute implementation of the directive, which covers a much broader area than protecting minors against pornography (also for example combating hate speech and restricting ad content and other messages targeted to children). This bill does not use terms introduced by the directive such as “video-sharing platform service” or “user-generated video.” Adoption of the regulations in this form might result in improper implementation of the directive and conflict with other acts implementing the directive.

However, the greatest doubts are
raised by the possible requirements and actual form of the tools for verifying
users’ age, to be applied by entities offering pornographic content. The
minimum criteria for the tools would be set by the chair of the National
Broadcasting Council through an executive regulation issued in consultation
with the Minister of Digital Affairs, after obtaining an opinion from the
president of the Personal Data Protection Office. It is easy to imagine a
situation in which the age-verification instrument fails to ensure adequate
protection of personal data, thus allowing an unauthorised entity to access information
about the sexual preferences of a large group of citizens.

Additional concerns have been raised by media statements by officials of the Ministry of Digital Affairs, proposing to impose additional duties on providers of web browsers. They would be expected to natively block access to some content available online, but could be unlocked by a key generated by the ministry. It can only be hoped that the team of experts appointed by the Ministry of Family, Labour and Social Policy develops a solution better suited to the realities of the market.

Only a few commentators in the debate so far have pointed to the possibility of including in the bill provisions concerning sex education, which could also help protect children against the negative consequences of pornography.

Adam Polanowski

Previous post
“Dungeons” similar to “Dungeons & Dragons”
Next post
Blockchain/DLT in the Polish Capital Markets Strategy