A law aimed at establishing a digital majority and combating online hate (the “Digital Majority Law” or “Law”) was enacted on 7 July 2023[1].
1. The Digital Majority Law creates new obligations for social network service providers operating in France.
According to this Law, an online social network service is defined as “any platform enabling end-users to connect and communicate with each other, share content and discover other users and content, across multiple devices, in particular through online conversations, posts, videos and recommendations” (Article 1 of the Law). This definition is identical to the one given in the Digital Markets Act (Article 2 (7) of the DMA[2]).
This definition is broad and purposefully technology-neutral: messaging services seem currently out of scope since their functionalities generally do not allow discovery of new users by requiring prior knowledge of a contact’s phone number to enable communication. Such services could nevertheless become in-scope of the Law, as technology and tech-based services are ever-evolving.
Much like the definition of online social network services, the scope of regulated entities is broad. As this Law concerns social network service providers operating in France, it is an exception to the ‘country of origin principle’ provided for by the E-commerce Directive[3]. For the French legislator, this exception is justified by the protection of minors and the fight against any incitement to hatred on grounds of race, sex, religion or nationality, and violations of human dignity concerning individual persons. Thus, all social network service providers will be concerned by this Law if they operate in France – even if they are not established on the French territory.
This potential friction with key EU law principles creates a number of questions, which we address below. But what are the takeaways from this Law?
The biggest one certainly is the obligation for social network service providers to decline to register minors under 15 on their service, except with the express consent of one of the minor’s legal guardians. In order to do so, social network service providers will be obligated to verify the age of their end users, using technical solutions. This extends to existing accounts held by minors under the age of 15, for which providers will be required to obtain the express authorization. In addition to the above, social network service providers will also be required to enable legal guardians to request the suspension of the account of a minor under the age of 15.
Additionally, providers must activate a device to monitor the time of use of their service by the minor upon registration, and the user must be regularly informed of his/her time of use via notifications. We note that the Law does not specify that this obligation only applies to “minors under the age of 15”.
The Law also contains information requirements upon registration to the service. This information must be provided in relation to (i) the risks associated with the use of digital media and the means of prevention of such risks, as well as (ii) the conditions of use of the personal data of users under the age of 15 and their data privacy rights under the French Data Protection Act[4] and, by extension, the GDPR.
Non-compliance with these obligations can lead to a penalty up to 1% of the worldwide sales revenue of the previous year.
The Law raises many uncertainties about the available technical solutions to check the age of users and about its date of entry into force.
2. Social network providers should not rush to install new software to comply with this Law just yet.
2.1 Firstly, the French Audiovisual and Digital Communication Regulatory Authority(ARCOM) must draft guidance on technical solutions to check the age of users and the authorization of the legal guardians.
This step will be crucial, as the use of technical solutions to identify individuals and their perceived age certainly raises questions for the data privacy-minded… Biometric data, anyone?
In this endeavour, the ARCOM will be assisted by the French Data Protection Authority (CNIL). We know that the CNIL has had age verification in mind for some time already: as recently as September 2022, the CNIL has published content regarding online age verification – in English no less, which is not the norm for CNIL publications[5].
Social network providers should definitely stay abreast of these developments, since the technical solutions they will be required to implement will need to comply with ARCOM’s guidance.
2.2 Secondly, and more broadly, the entry into force of the Law remains uncertain.
The question of the entry into force of the Digital Majority Law is rather convoluted. The date of entry into force will be set by a decree, which itself must be taken less than three months after the date on which the Government receives the approval of the European Commission as to the compliance of the Digital Majority Law with EU law.
This approval has not been given yet, on the contrary.
On 9 June 2023, the French Government notified the Digital Majority bill to the European Commission in compliance with the Single Market Transparency Directive[6]. The French Government was then supposed to postpone for three months (until September 2023) the adoption of the bill in order to allow other Member States, stakeholders and the European Commission to examine the bill and to assess its impact on the single market: this is the so-called “standstill period”.
However, the French legislator did not wait until September to adopt the bill, as it became Law on 7 July 2023. On 14 August, the European Commission expressed doubts about the compliance of the Digital Majority Law with EU legal principles.
In summary:
- On a procedural level, the fact that the Digital Majority Law was adopted during the standstill period is incompatible with both the Single Market Transparency Directive’s requirement not to adopt measures during the standstill period and with the principle of legal certainty.
- The fact that the Digital Majority Law essentially contains a suspensive clause regarding its entry into force does not change the European Commission’s analysis.
- On a substantive level, the European Commission has highlighted the risk of EU market fragmentation and the infringement of the famed ‘country of origin principle’.
- According to the Commission, the exceptions to this principle can only target one specific information society service provider on a case-by-case basis. In other words, general and abstract provisions on a category of information society services providers, such as those laid down by the Digital Majority Law against social network service providers, cannot benefit from the exceptions to the ‘country of origin principle’.
It should be noted that the French Government has reacted to the European Commission’s letter as regards another law7, which had also been adopted during the standstill period with a similar mechanisms to determine their date of entry into force as the Digital Majority Law. Indeed, a bill submitted on 15 November contains provisions authorising the Government to modify the law on influencers and bring it to compliance with EU requirements8.
Similarly, the Government could seek to amend the Digital Majority Law. But would an updated version be any more compliant with the ‘country of origin principle’? Even if the answer is “yes”, the necessary implementation decree still seems far away.
To be continued…
[1] Law No. 2023-566 of 7 July 2023 aimed at establishing a digital majority and combating online hate, available in French here
[2] Regulation (EU) 2022/1925 of 14 September 2022 on contestable and fair markets in the digital sector, accessible here
[3] Directive 2000/31/EC of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, accessible here
[4] Law No. 78-17 of 6 January 1978 relating to data processing, data files and individual liberties, accessible here
[5] CNIL, Online age verification: balancing privacy and the protection of minors, 22 September 2022, accessible here
[6] Directive (EU) 2015/1535 l of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services, available here
[7] Law No. 2023-451 of 9 June 2023 aimed at regulating commercial influence and combating abuses by influencers on social networks, accessible here
[8] Bill on adaptation to European Union law, No. 112 (2023-2024), submitted to the Senate on 15 November 2023, accessible here
