Strengthening Online Safety for Minors: A Deep Dive into the SREN Law

Strengthening Online Safety for Minors: A Deep Dive into the SREN Law

Key Takeaways

 

Enacted on May 21, 2024, the French Security and Digital Space Regulation Law (SREN Law) aims to reinforce the protection of minors from accessing inappropriate content online, such as pornography. (1) This law imposes a minimum age verification system for users, sets compliance requirements for relevant platforms, and imposes penalties on non-compliant websites.

 

The scope of the SREN Law is extensive, addressing various digital issues, from protecting minors and regulating content to fighting cybercrime, facilitating easier cloud service provider transitions, and aligning national regulations with the DSA and DMA standards. Given the breadth of topics covered, each will be discussed in separate articles.

 

 

1. Age Verification Requirements for Internet Users

 

Up until now, there has been no reliable age verification process for internet users, whether for registering on a social network (digital majority set at 15 years old)(2) or for accessing pornographic content (majority of 18 years old).

 

Under the new French SREN Law, website publishers and platforms providing pornographic content online must implement a robust age verification system to prevent minors from accessing such content.

 

The Audiovisual and Digital Communication Regulation Authority (ARCOM) has been tasked with developing a framework that outlines the minimum technical standards for age verification systems, in coordination with the Data Privacy Commission (CNIL). (3) This framework must meet reliability standards and respect privacy requirements. It may be updated periodically as needed.

 

The framework defining the minimum technical requirements for age verification was published on October 10, 2024. (4)

 

Upon publication, content providers and video-sharing platforms have three months to comply by implementing the age verification system. After the system is operational, users attempting to access these websites will be prompted to verify their age before viewing any content.

 

The ARCOM may also require publishers and video-sharing platforms to conduct independent audits of their age verification systems to ensure compliance with the technical standards defined in the framework. These audits are to be conducted by independent organizations. Non-compliance may lead to a formal notice from the ARCOM, requiring adherence within one month.

 

Failure to meet these requirements may result in fines of up to 150,000 euros or 2% of the previous fiscal year’s worldwide, pre-tax revenue, whichever is higher. These penalties are doubled in the event of a repeat offense within five years from the date of the initial sanction.

 

 

2. Blocking of Non-Compliant Websites

 

The ARCOM may impose financial penalties on website publishers and video-sharing platforms that fail to restrict minors’ access to pornographic content following receipt of a formal notice. These penalties may not exceed 250,000 euros or 4% of the previous fiscal year’s worldwide, pre-tax revenue. In cases of repeat offenses, the penalties increase to 500,000 euros or 6% of the previous fiscal year’s worldwide, pre-tax revenue.

 

Internet service providers (ISPs) and hosting providers may also face penalties if they do not restrict access to URLs identified by the ARCOM within 48 hours of receiving a formal blocking notice. This requirement applies solely to websites that remain non-compliant after receiving a formal notice from the ARCOM.

 

A notification from the ARCOM explaining the reasons for the restriction will be displayed on the screen of any user attempting to visit a blocked website. Additionally, the ARCOM may require search engines and directories to delist offending websites within 48 hours.

 

These blocking measures are imposed for a maximum duration of two years, subject to annual review. The blocking measures are lifted once the site in question has become compliant.

 

Various parties (website publishers, content-sharing platforms, hosting providers, etc.) may contest the ARCOM’s decision by appealing to the president of the administrative court within five days of receiving a formal notice.

 

If ISPs or other providers fail to delist, they risk financial penalties up to 75,000 euros or 1% of the previous fiscal year’s global, pre-tax revenue, with doubled fines for repeat offenses.

 

Lastly, the ARCOM may request app stores to block downloads of non-compliant applications. App stores must comply within 48 hours of receiving ARCOM’s notification, or they risk a penalty of up to 1% of the previous fiscal year’s worldwide, pre-tax revenue.

 

These provisions apply to website publishers and video-sharing platforms based in France or outside the European Union. For website based in another EU Member State, these provisions apply to publishers and platforms provided they meet the conditions outlined in Article 3, par. 4, of the e-Commerce Directive.(5)

 

 

3. Combatting Online Child Pornography

 

The SREN Law strengthens online protection for minors by intensifying the fight against child pornography. (6)

 

Hosting providers are now required to remove child pornographic content within 24 hours of receiving a takedown request. Failure to comply with this takedown requirement may result in a penalty of up to one year in prison and a 250,000-euro fine. For repeated offenses by legal entities, fines may reach 4% of the previous fiscal year’s worldwide, pre-tax revenue.

 

Various parties may contest the ARCOM’s decision by appealing to the president of the administrative court within 48 hours of receiving ARCOM’s formal notice.

 

Similar provisions apply in cases involving the dissemination of images depicting torture or barbaric acts.

 

 

The SREN Law aims to establish a more effective protective framework for minors, reinforced by deterrent sanctions. However, questions remain regarding the effectiveness of these measures (formal notices, financial sanctions, blocking measures) against website publishers and internet providers located outside the European Union, except for those providers who choose to cooperate to enhance online protection for minors.

 

 

* * * * * * * * * * *

 

(1) Law No. 2024-449 of May 21, 2024, “Security and Digital Space Regulation” (Loi Sécurité et Régulation de l’Espace Numérique). See specifically Articles 1 to 6, amending the LCEN Law

 

(2) See the law of July 7, 2023, which sets the digital majority at 15, below which it is generally not possible to register on a social network without the consent of the person holding parental authority (Law No. 2023-566 of July 7, 2023, aimed at establishing a digital majority and combating online hate). The age of 15 had already been established for the application of the GDPR.

 

(3) On April 11, 2024, the ARCOM released a “Public Consultation on the Draft Framework Setting the Minimum Technical Requirements Applicable to Age Verification Systems Implemented for Access to Online Pornographic Content.” Stakeholders were invited to respond until May 13, 2024. The results of this consultation had not yet been published at the time of this article.

 

(4) The Framework Setting the Minimum Technical Requirements Applicable to AgeVerification Systems Implemented for Access to Online Pornographic Content was released on October 10, 2024.

 

(5) Directive 2000/31/EC of 8 June 2000 ('Directive on electronic commerce')

Art. 3, par. 4 (a)

4. Member States may take measures to derogate from paragraph 2 in respect of a given information society service if the following conditions are fulfilled:

(a) the measures shall be:

(i) necessary for one of the following reasons:

- public policy, in particular the prevention, investigation, detection and prosecution of criminal offences, including the protection of minors and the fight against any incitement to hatred on grounds of race, sex, religion or nationality, and violations of human dignity concerning individual persons,

- the protection of public health,

- public security, including the safeguarding of national security and defence,

- the protection of consumers, including investors;

(ii) taken against a given information society service which prejudices the objectives referred to in point (i) or which presents a serious and grave risk of prejudice to those objectives;

(iii) proportionate to those objectives.

Decree No. 2021-1306 of October 7, 2021, concerning the procedures for implementing measures to protect minors from accessing sites distributing pornographic content, issued in application of Article 23 of Law No. 2020-936 of July 30, 2020, aimed at protecting minors from accessing pornographic content on the internet. This article was repealed by the SREN Law.

 

(6) See Law No. 2004-575 of June 21, 2004, on Confidence in the Digital Economy (LCEN) as amended, specifically Articles 6-1 to 6-2-2.

 

 

Bénédicte DELEPORTE

Avocat

 

Deleporte Wentz Avocat

www.dwavocat.com

 

October 2024