Online safety and "vulnerable" consumers: the new OFCOM's draft codes of practice

The English Office of Communications (OFCOM) has recently released its new draft "Children's safety online" codes of practice in line with the Online Safety Act (OSA) the main act providing for online safety in the UK, which became law in October 2023. 

OFCOM is responsible for enforcing the OSA. Its draft codes of conduct are meant to complement it and to suggest platforms (especially, social media) how to shape a safer environment, with a focus on underage consumers. Accordingly, the guidelines encourage platforms to be stricter in setting up adequate procedures for age-checking, to provide users with the due instruments to report harmful content, to remove it when necessary, and to clarify the systems used to monitor and moderate online content, particularly with respect to young people.

Platforms ought to take measures based on their size, the purpose of their services, and the risk of harm to children. Thus, the Online Safety Act adopts a risk-based approach, similar to the European Digital Services Act (Regulation EU, 2022/2065). The purpose is indeed the same: ensuring that online service providers implement procedures that are able to tackle the threats to online safety while safeguarding users’ privacy rights and freedom of expression. The two acts therefore cover issues such as content moderation, and other generative AI outputs, such as deep fakes. They both show the increasing attention placed by lawmakers on new forms of digital vulnerability, and how to address them.

OFCOM’s choice to enact codes of conduct is in line with the European approach, too; in fact, the EU lawmaker has also emphasized the relevance of codes of conduct and soft laws in shaping a safer digital environment. The draft codes of conduct provide for transparency, placing on platforms the duty to make available to the public their risk-assessment findings, and providing systems to easily report illegal content. 

And the Agency has gone even further. Indeed, it has declared that it could even impose a ban on people under the age of 18 to access platforms that fail to comply with its guidelines. 

However, some questions arise from reading the new OFCOM document. Will the procedures for ascertaining the age of users lead to the collection of an excessive amount of personal data, violating the data minimization principle under the GDPR? Are OFCOM’s codes too restrictive if compared to the DSA, forcing platforms to adopt a “double standard” between users based in the UK, and those that are based in the rest of Europe? Is the Online Safety Act “technologically neutral” enough when differentiating platforms’ obligations on the basis of the content type or the most comprehensive approach adopted by the DSA, based on equal risk mitigation for all the illegal content, is to be preferred?

Despite these concerns, which undoubtedly will be further examined by many scholars and privacy advocates in the coming months, the guidelines seem promising for improving the online safety of English users, especially children. The true test will be their implementation and enforcement.

European Data Protection authorities speak up on targeted advertisement

 Dear readers, 

this is a teaching-intensive autumn across European universities - with all the excitement, uncertainty and overall strains of being mostly back in class after over a year of mostly living room lecturing. 

This, however, should not mean that we let crucial developments go unnoticed: last week, in fact, the European Data Protection Board (EDPB) has issued its most resolved opinion yet on the matter of privacy and behavioural tracking. Cookies, in other words - a staple not only of many people's secret kitchen stashes but also of equally elusive locations on our devices. 

The occasion for issuing this opinion is commenting on the Commission's Digital Services Act, which according to the Board should be brought more clearly in line with data protection rules. Couched among guidelines and standpoints on a number of highly salient issues - from counterterrorism to face recognition AI - the EDBP has called for 

1) considering a phase-out of targeted ads based on "pervasive tracking";

2) in any event, prohibiting targeted ads addressed at children.   

The opinion does not expand on the reasons for such standpoint, but mainly refers to previous positions  contained in comments on the DSA by the European Data Protection Supervisor (EDPS) and the European Parliament. In fact, criticism of the current rules' focus on informed consent has been around at least for the better part of the past decade (see for a classic Frederik Borgesius). 

The European data protection board is composed of representatives from the national data protection authorities. As a collective body mirroring positions in the Member States, its position can perhaps have more sway than the occasionally more principled stances of the EDPS. 

Connect with respect

Yesterday was the 10th Safer Internet Day 2013 and the European Commission presented results of joint commitment of various companies who have been working together for the past few years on safeguarding internet for children's use (currently, the average age for fist going online in Europe is seven). This year these companies decided to set an even higher benchmark for the industry, proposing to set parental and control classification tools on all devices (incl. game consoles, smartphones, etc). (Safer Internet Day 2013: "Connect with Respect")

Better Internet for Children

The Council of the EU adopted at a meeting yesterday its conclusions on the European strategy for a Better Internet for Children. (see our earlier posts on this subject: Children Online, or EU needs to better monitor this new reality, or Big online wolf) It endorses European Commission's proposal while recommending actions to be taken in the areas of: assuring more quality of online content for children (understood as the content that benefits children in some way in addition to being attractive, usable, reliable and safe); stepping-up awareness and empowerment (e.g. by including the teaching of online safety and digital competences in schools; by further developing media literacy; by improving parental control tools). The Council expects the final report on this subject from the Coalition in January 2013.

Big online wolf

One of the most controversial issues regarding the safety of internet users and their privacy online is the protection of children online. While children use internet more and more often ("All young Europeans aged 9 to 16 use a computer to play or do their homework, and half of those between 11 and 16 say they find it easier to express themselves on line than in real life, according to a survey done in the member states.", see: Parliament calls for better protection for children), they may be faced with internet fraud, online violence, pornography, harassment etc.

Yesterday, the European Commission Vice President for the Digital Agenda - Neelie Kroes - and the US Secretary of Homeland Security - Janet Napolitano - signed a Joint Declaration promising to safeguard children in their online endeavours. The promises stretch to organising, annually, joint campaigns on the Safer Internet Day, further combating child sexual abuse online worldwide, working on giving parents and guardians informed choices online as to the content their children are able to access. (EU and US sign joint declaration to make the internet safer for kids) Interestingly, on the same day the European Parliament adopted a resolution in which it calls for better protection for children online, arguing for an increase of educational campaigns about digital media, as well as easier and more accessible means to report online abuse.

Privacy on everyone's mind

KillR-B

This week has been rich in European news concerning data protection. I had a pleasure to participate in a three-day long, interdisciplinary Amsterdam Privacy Conference, participants of which focused on identifying various problems with the current definition and measures adopted to protect privacy (on- and offline). It is fascinating to hear views on privacy from not only lawyers, but also communication officers, IT specialists, etc. If we ever manage to design an effective system to protect privacy that could only happen due to cooperation of all these specialists. Unless of course we decide to abandon all hopes of ever reaching that effective level of privacy protection and stop treating it as a fundamental right, but instead see it as a commercial good - to be bought and sold to the highest bidder. Such ideas were also being discussed during the conference.

Aside the academics and practitioners, the European Parliament has also been debating the current data protection rules (Directive 95/46) together with members of national parliaments. The video of the meeting is available online. Interestingly, one of the issues discussed, namely the need to obtain the data holder's explicit consent before processing personal data, has been also the key topic of many presentations at the APC 2012 and almost everyone agreed that this requirement did not fulfil its function of offering effective data protection yardstick.

The Committee on Culture and Education adopted a resolution this Tuesday focusing on the protection of children online. The MEPs are worried that current rules are not compatible with the extensive use of modern technologies influencing children (through smart phones, software etc.). One of the recommendations is to improve the European coordination of hotlines and other contact points where anyone could report illegal content or harmful behaviour. Further development of parental controls as well as age verification systems is needed.

EU needs to better "monitor this new reality"

Yesterday, the European Economic and Social Committee in its plenary session adopted two opinions that argue for introducing more measures that would protect children against harmful advertising and damaging online content.

"More and more often, children, including very young children, have access to a television and the internet alone and unsupervised. 38% of children between the ages of 9 and 12 already have an online profile, and this figure rises to 78% for 13-16 year olds. We need to monitor this new reality" said Jorge Pedago Liz, who was the rapporteur for the EESC on the opinion on advertising aimed at young people and children. (EESC slates harmful ads and pushes for balance of e-commerce and kids' safety)

The EESC believes that the EU should introduce a coherent framework that would protect young Europeans by introducing certain restrictions on advertising directed at them (not only in audio-visual media but also in online advertising), with special attention being placed on food advertising (due to concerns about children obesity and eating disorders). Advertising aimed at children is seen as having a potential of harming their physical, mental or moral health (e.g., by encouraging children to over-consumption, which could lead to debt and consumption of harmful products). One of the EESC' recommendations is to set at the European level a universal minimum age for advertising specifically aimed at children. The EESC advises also to enrich the current school curricula by teaching children how to interpret advertising messages and how to properly use information technologies.

The second opinion focuses exclusively on the protection of children online. The European Strategy for a Better Internet for Children calls for stricter rules, especially in case of infringements having been discovered. The sanctions should include closure of the infringing websites and withdrawal of licenses (e.g., if data protection rules were breached or the website promoted child pornography) and cannot be left to the market to self-regulate. The EESC is worried that the European Commission in pursuing its Digital Agenda will place more importance on the business growth instead of on making sure that the highest level of children protection online is assured. This could be seen in the previous Communication of the European Commission (COM(2012) 196 final) where only generic commitments have been made.

The full texts of the opinions may be found here.

Children and (safe) medicines

It is a sensitive topic, isn’t it? When it comes to children, special rules applies. That is why all (EU) institutions – without any exceptions – are obliged to increase the transparency of procedures for ensuring that children can benefit from medicines.

In order to protect better the health of children, the EU adopted a Paediatric Regulation in 2006. The Regulation includes an obligation requiring pharmaceutical companies to conduct tests to determine whether and how their medicines can be used to treat children. European Medicines Agency (EMA) is responsible for ensuring that pharmaceutical companies comply with their obligations under the Paediatric Regulation.

In October 2009, two pharmaceutical companies lodged a complaint with the the European Ombudsman because EMA was obliging them to test how their heart failure medicine could be used to treat children. They alleged discrimination, since EMA had exempted two similar medicines from the requirement to be subjected to such tests.

EMA stated that the limited number of children suffering from heart failure meant that only one heart failure medicine could be tested effectively. According to EMA, the complainants' medicine was the most promising, and thus the most appropriate medicine to test.

The Ombudsman conducted an investigation into the assessment procedures for the different medicines. He came to the conclusion that EMA was indeed entitled to oblige the complainants to conduct the tests. However, he criticised EMA's failure to ensure adequate transparency in its decision-making process. He called on EMA to document fully and disclose its assessments in the future and also to introduce relevant guidelines in this respect. He asked EMA to reply to his recommendation by 30 September 2012.

Children online

Within the Digital Agenda the European Commission set out a plan for introducing better online content for children as well as for protecting them from harmful sides of digital world. According to the gathered data today 75% of children use the internet, a third of them on mobile phones. Right now there are varying degrees of protection of children online applied across Member States, which makes it difficult for businesses to market child-friendly services and products in the EU, as well as to protect children using the same measures in the EU. The European Commission suggests certain measures that could be introduced, e.g., through self-regulation of the industry. It will be enforced partially by the Coalition to make a better internet for children which was set up in December 2011.

"4 in 10 children report having encountered risks online such as cyber-bullying, being exposed to user-generated content promoting anorexia or self-harm or misuse of their personal data. While by 2015 it is expected that 90% of jobs across all sectors will require technology skills, only 25% of young people across the EU say they have "high" levels of basic Internet skills (such as using the Internet to make phone calls, create a web page, or use peer-to-peer file sharing)." (Digital Agenda: New strategy for safer internet and better internet content for children and teenagers)

The initiative revolves around 4 goals:

1. Delivering high quality content online

- by stimulating production of creative and educational online content for children

- by promoting positive online experiences for young children

2. Increasing awareness and empowerment of children

- teaching online safety, digital and media literacy in schools

- scaling up awareness activities and youth participation

- designing simple and robust reporting tools for internet users

3. Creating a safe environment for children online

- age-appropriate privacy settings

- parental control tools

- age rating and content classification

- online advertising and overspending

4. Fighting against child sexual abuse and exploitation

- faster and systematic identification of material disseminated through various online channels, notification thereof and takedown of the websites

- cooperating with international partners to fight against child sexual abuse and exploitation

Are words all we have? - on EP's resolution on child labour in cocoa sector

Today the European Parliament passed a resolution aimed at increasing awareness of the problem of child labour in cocoa fields (Chocolate without the guild of child labour). The EU is the world's leading consumer of chocolate (40% of world's cocoa) and home to many major chocolate manufacturers. While they enjoy consumption of delicious chocolate products, not many Europeans stop to wonder about the process of its production. We may know that chocolate is made of cocoa, but would anyone gather a guess that it is over 215 million children worldwide that are used as child labourers (according to the ILO's estimations) and many of these children work in cocoa fields? The resolution of the European Parliament calls on everyone in the cocoa value chain (not only cocoa growers, but also governments, traders and consumers) to be aware of forced child labour and child trafficking and to fight it. Of course, not all children work can be classified as child labour and many children work to help their families survive in Africa. However, certain studies conducted in Ghana and Cote d'Ivoire suggest that children working on cocoa farms may suffer from exposition to pesticides and may have been trafficked. 

Unfortunately, the new International Cocoa Agreement that was approved today by the European Parliament does not address a problem of child labour. Since it is the main commodity agreement between cocoa exporters and importers, one could expect that a provision on detecting whether goods are produced by forced child labour and prohibiting trade of such goods could be the most effective if it were included in this agreement. The resolution expresses nice ideas, but they remain just ideas as long as they are included in non-binding documents. After all, in the past the European Parliament had even called for a ban on child labour in trade, not to mention for an introduction of "child labour free" product labelling. It's only words...

7 February 2012 - Safer Internet Day

Today is a Safer Internet Day, organized by the European Commission's INSAFE network in order to encourage children, their families and teachers to discover the online world together ("Digital Agenda: Safer Internet Day 2012, linking up generations for a safer digital world"). Currently 77% of 13-16 year olds and 38% of 9-12 year olds who use the Internet admit to having a profile on a social networking site. 12% of the latter group admitted to having been bothere or upset by something they have seen online. Since most children receive advice on safety online from their parents, teachers, relatives - then it makes sense to organize this year's event around the communication about online world between generations.

It's not only a European event, it's celebrated worldwide to promote safer Internet for children and teenagers. However, it fits perfectly within the programme of the Digital Agenda. In December 2011, the Commission arranged for 28 leading companies to commit to making a better and safer Internet for children, and three more companies joined the coalition in January 2012. These companies enable easier reporting of harmful content, ensure privacy settings at age-appropriate levels, offer wider options for parental control and control classification.

The 6 key tips that INSAFE gives to parents and teachers to keep children safe online are:

• Talk about the internet and dedicate time to explore it together with the child. Ask the child to show them what he or she likes to do online, and try not to be shocked or overreact if they do not share the same interests. 
  
  
• Stimulate the child's creativity. Point them in the direction of the best online content to explore for their development (or just for fun). The child can learn and discover new sites, play games, write blogs, create websites. Stretch his or her imagination. 
  
  
• Set up rules or boundaries together. When\Where\Why and for how long can the child use their mobile phone or computer? If you listen to the child and establish fair rules, then he or she is more likely to stick to them.
  
  
• Protect personal data and help the child understand that information or photos they put online can remain visible to everybody forever. Help them set up the highest level of privacy settings on social networks. 
  
  
• Think about using parental control tools to automatically filter certain topics (e.g. violence, porn) and limit the time the child will be able to navigate the web.
  
  
• Avoid having a computer in the child's bedroom. Put it in the living room instead. It will make it easier to follow the child's web-surfing habits on a daily basis. 

I agree with these tips except the latter one. I don't think we need to shield our children to the point of infringing their right to privacy. I had a computer in my room when I was growing up and maybe I encountered a few times something that had bothered me online but at least then I was not at risk of being embarrassed as well, knowing that my parents could be walking any time in the room and seeing it. It's all about trust and communication that we have with children, not absolute control (which is impossible to achieve, anyway), in my opinion.

Protecting minors' privacy in social networking

As part of the Digital Agenda, the European Commission aims at enhancing consumers' trust in the Internet. One way to do this is, would be by reviewing protection of minors online from such risks as grooming (some child abusers will pose as children online and make arrangement to meet with them in person) or cyber-bullying (using the Internet to harm other people in a deliberate, repeated and hostile manner) (more in: Digital Agenda: social networks can do much more to protect minors' privacy). A report on the Safer Social Networking Principles for the EU focused partially on the protection granted to minors by social networking sites. 

The worrying finds included the following: 

• only 2/9 social networking sites have default settings which make minors' personal profiles accessible only to their approved list of contacts;
• all sites tested allow for anyone to send friend request to minors;
• 6/9 sites allow friends of friends to access directly minors' profiles.

The good finds were, e.g.:

• majority of sites gives youngsters age-appropriate safety information, guidance, etc.;
• all sites provide shorter and more child-friendy version of their Terms of Use or Service.

Your face tomorrow

Just a brief addition to yesterday's post and a new instalment in the series on privacy & social networking: Facebook has announced it will implement some significant changes in the way users can manage their privacy settings. This way, it is aimed to give users more direct control over whom they share the items they post with.

Facebook's vice president does not confirm suggestions that the adaptations may be related to possible preparations to make the social network available to children under 13. In this context, worries had been expressed concerning the protection of children's rights online (see also an earlier post on the EU's initiatives to protect children's fundamental rights).

The new privacy settings will be made available from 25 August onwards.

EUCFR, child-friendly justice and consumer law

Today, it is exactly 10 years ago that the European Parliament, the Council and the European Commission solemnly proclaimed the EU Charter of Fundamental Rights (EUCFR). Commissioner Viviane Reding commemorated this fact in a speech she gave this morning at the 'Fundamental Rights Conference 2010: Ensuring Justice and Protection for all Children'.

Reding emphasised the importance of the Charter for ensuring the compliance of EU legislation with the rights laid down in the now-binding document:

'This means in particular that rigorous and systematic assessment of the fundamental rights impact of new legislative proposals is crucial. For this purpose, the Commission has developed a special methodology, which is reinforced now by a "fundamental rights check list", which the Commission services will use to identify and evaluate the effect of policy options on fundamental rights. This analysis can therefore better inform policy makers throughout the EU legislative process of the way fundamental rights can be affected and lead to a stronger legal grounding of the final act.'

From the consumer law perspective, it may be expected that future initiatives in this field, such as an optional instrument for European Contract Law, will likewise be assessed in light of this 'check list'.

Furthermore, Reding considered:

'The Charter explicitly recognises children as citizens with their own rights. This recognition is essential towards seeing children not just as in need of protection but also as independent and autonomous holders of rights. The Lisbon Treaty is a remarkable step forward in this respect.'

In light of the broader European contract law debate, the protection of children's rights and autonomy seems to be of special importance in the digital context (on which an earlier post appeared on this blog). Many consumers of digital content products, such as ringtones, music and movies, are minors. This raises the question to what extent an optional instrument should explicitly regulate their interests.

From another point of view, finally, it may be asked to what extent European consumer law should take into account children's rights when assessing the validity of contracts: should it consider to be invalid contracts concerning the sale of products that were made by children (in developing countries)? A difficult topic, which one of our PhD researchers in Amsterdam is analysing (a working paper she prepared on this subject may be found here), and fundamentally engages the legal possibilities for (or law's limits to) fully 'ensuring child-friendly justice' within as well as across the European borders.