Message 002
Communication from the Commission - TRIS/(2022) 03675
Directive (EU) 2015/1535
Translation of the message 001
Notification: 2022/0694/F
No abre el plazo - Nezahajuje odklady - Fristerne indledes ikke - Kein Fristbeginn - Viivituste perioodi ei avata - Καμμία έναρξη προθεσμίας - Does not open the delays - N'ouvre pas de délais - Non fa decorrere la mora - Neietekmē atlikšanu - Atidėjimai nepradedami - Nem nyitja meg a késéseket - Ma’ jiftaħx il-perijodi ta’ dawmien - Geen termijnbegin - Nie otwiera opóźnień - Não inicia o prazo - Neotvorí oneskorenia - Ne uvaja zamud - Määräaika ei ala tästä - Inleder ingen frist - Не се предвижда период на прекъсване - Nu deschide perioadele de stagnare - Nu deschide perioadele de stagnare.
(MSG: 202203675.EN)
1. MSG 002 IND 2022 0694 F EN 14-10-2022 F NOTIF
2. F
3A. Ministères économiques et financiers
Direction générale des entreprises
SCIDE/SQUALPI - Pôle Normalisation et réglementation des produits
Bât. Sieyès -Teledoc 143
61, Bd Vincent Auriol
75703 PARIS Cedex 13
3B. Ministères économiques et financiers
Direction générale des entreprises
SEN / SDCEP - Pôle de la réglementation des communications électroniques
Bât. Necker
120 rue de Bercy
75572 Paris CEDEX 12
4. 2022/0694/F - V20T
5. Decree in Council of State implementing Law No 2022-300 of 2 March 2022 aimed at strengthening parental control over the means of access to the Internet
6. The products covered by this draft Decree are terminal equipment equipped with operating systems and intended for the French market.
7. -
8. The draft Decree subject to notification concerns the application the Law of 2 March 2022 aimed at strengthening parental control over means of access to the internet. This law has led to the creation of obligations applicable to terminal equipment enabling access to the internet in order to facilitate the use, by parents of minor users, of parental control devices.
The draft Decree clarifies this law on several points.
Firstly, it specifies the technical features required to recognise as compliant the parental control devices whose activation must be proposed to the user. In order to ensure minimum protection for any child whose parent would like to activate the parental control device installed on the terminal, a new Article R. 20-29-10-1 of the Postal and Electronic Communications Code provides that such a device must at least provide for the possibility of blocking, from app stores, the download of content whose access is legally prohibited to those below 18 years of age (pornographic content, gambling content) as well as content classified by the publisher according to age categories recommended for their access. The parental control device should also enable the same types of content to be blocked when they are pre-installed on the terminal.
In parallel with these required functionalities, the draft Decree controls the terms of their configuration and use. It thus requires, for the minimum functionalities requested by the Decree, that they be implemented locally without involving the transmission of personal data of the minor user to servers and without the requirement that the setting up of parental control requires the creation of an account or user profile. The configuration and use of the functionalities must also not give rise to the processing of personal data of minors. Exceptions are provided for in the Decree in the event of the express consent of the adult user to the use of the child's personal data or in the event of technical impossibility.
The Decree provides for a framework for additional functionalities that could be put in place by economic operators on a voluntary basis: they must not result in the processing of personal data of minors or result in the collection of data of these minor users for commercial purposes. The same exceptions as for the functionalities listed in the Decree are provided.
The draft Decree also specifies the modalities for certification of the presence of compliant parental control devices by manufacturers, with the possible support of operating system providers. The compliance of terminal equipment will first be certified by the manufacturer, then controlled by distributors, importers and service providers for the execution of orders, via technical documentation already in place for the EC marking.
The manufacturer’s certification of the terminal's compliance is regulated by Articles R. 20-29-10-2 to 5 of the Postal and Electronic Communications Code. These Articles provide for:
- The drawing up of technical documentation and a declaration of compliance by the manufacturer attesting to the compliance of each type of terminal. The manufacturer may request from the operating system provider a certificate attesting to the compliance of the operating system and the parental control device with the technical functionalities of Article R. 20-29-10-1;
- Article R. 20-29-10-3 details the minimum content of the technical documentation to be produced by the manufacturer prior to the placing on the market of the equipment;
- Article R. 20-29-10-4 details the content of the declaration of compliance to certify that the terminal incorporates the technical functionalities. It also provides for the possibility for the manufacturer whether to include this declaration of compliance in the EU declaration of compliance or not.
- Article R. 20-29-10-5 sets out the content of the certificate of compliance.
- Article R. 20-13-2 of the Post and Electronic Communications Code integrates the category of order fulfilment service provider into the distribution chain and aligns their obligations concerning the placing on the market of compliant products with the existing obligations applicable to distributors and importers under this code.
- Article R. 20-29-10-6 sets out the obligations of importers and distributors concerning the placing on the market of compliant products accompanied by the necessary documentation.
The draft Decree defines, in Article R. 20-29-10-7, the conditions under which the National Frequencies Agency, the national market surveillance authority, will monitor the obligations of the Law and the Decree. Subsequent verification and any penalties for failure to comply with the obligations laid down in the Law and the Decree shall be the responsibility of the National Frequencies Agency, in its capacity as products surveillance authority. Its powers are extended by the draft Decree so that it can carry out assessments and investigations and recall or withdraw products found to be non-compliant.
Finally, the Decree lays down the modalities in which manufacturers must participate in the dissemination of risk information related to the use of online public communication services by minor users. A new Article R. 20-29-10-8 provides for an obligation to provide information on the functionalities offered by the parental control device and its configuration. Manufacturers will also have to provide users with information on risk prevention related to the use of online public communication services by minors (addictive practices, online harassment, exposure to inappropriate content) as well as related to the overexposure and early exposure of the youngest users to screens. An obligation to make available information is also provided for persons marketing second-hand terminal equipment whose first placing on the market predates the entry into force of the draft Decree: for these actors, information on existing parental control devices will be made available to users. All this information may be made available in a format chosen by the manufacturer (computerised or otherwise).
Specific provisions for internet access providers are also included in the notification text, but will be codified at a lower regulatory level in the Postal and Electronic Communications Code. These provisions apply Article 6 of the Act of 21 June 2004 on confidence in the digital economy and are intended to specify the minimum functionalities that must be made available free of charge to Internet access providers: these will be functionalities allowing the blocking of access by minors to harmful content.
A necessary period of compliance of all actors concerned by this text will be necessary: the obligations of the Decree will not come into force until 12 months after its publication.
9. The aim of the draft Decree is to provide for an ambitious level of protection granted to minors through parental control systems and to be part of existing procedures so as not to excessively disrupt the production and distribution chains in place with economic operators.
As regards the functionalities and technical features it lays down in Article R. 20-29-10-1, the draft Decree is in line with the Law of 2 March 2022 by providing functionalities limited to blocking content, pre-installed or downloaded, that is inappropriate for minors. This concerns content whose access to minors is regulated by law (pornographic content, violent, hateful content, etc.) but also content reported by the publisher as inappropriate to users of a certain age. These functionalities will enable both to block any type of content strictly prohibited from access to people under the age of 18 but also to refine the selection of content to be blocked according to classifications made by content publishers. The parent of a minor under the age of 13 will thus be able to block any downloadable content in an app store indicated by the publisher as inappropriate to users under 13 years of age.
The personal data protection system for minors which accompanies the functionalities provided by the Decree aims to guarantee the collection and limited and controlled use of the personal data of minors. Wherever possible, and unless technically impossible or agreed by the parent, the configuration of the parental control device should not require the creation of a user account or profile. This requirement aims to limit the consolidation of customer databases, especially of minors, for the benefit of large players or even platforms, and to enable the parent to configure parental control without authenticating himself/herself or authenticating his/her child. A limitation of the processing of the personal data of minors is also foreseen in order to reduce this processing only to situations of pure technical necessity or in case of consent given by the parent.
The draft Decree provides for a flexible system for the protection of personal data for the functionalities set up on a voluntary basis by economic actors: their use should only result in the processing of personal data of the minor strictly necessary or authorised by the parent and may not, under any circumstances, give rise to any collection for commercial purposes (direct marketing, targeted advertising, profiling). The aim here is to ensure that the additional functionalities put in place in the parental control devices will not be a diverted route to collect more personal data in a timely manner than necessary.
The system of participation by terminal manufacturers in the dissemination of information provided for in Article R. 20-29-10-8 of the Post and Electronic Communications Code completes the technical aspect of parental control by providing parents with the necessary information on the risks incurred by their children in their use of Internet access methods. First of all, the aim is to provide the user with the information necessary for the optimum use of the parental control solution installed on the terminal by providing an explanatory manual on the operation and configuration of the device. Additional information must then be made available to the parent user regarding the risks inherent in the use of terminal equipment by the child: addictive practices, online harassment, exposure to inappropriate content and risks associated with overexposure and early exposure of young children. All this information will enable to ensure complete protection of minors both by technical solutions but also, and above all, by raising awareness among parents. The provision of this information in a computerised format, if the manufacturer so chooses, to avoid disruption of the production chains by changing the packaging or the instructions for use of terminals.
In line with this objective, the draft Decree also provides for the provision of information for repackaged terminals, the first placing on the market of which predates the entry into force of the Decree, insofar as the repackaged terminals represent a significant proportion of the first telephones entrusted to minors. Those marketing these refurbished terminals will have to inform users about the existence of devices to protect minors online.
The system for verifying compliance with the law of 5 September 2022 is largely inspired by the traditional market surveillance mechanism as provided for in the so-called “New Approach” European regulation. This inclusion of mechanisms from the European framework has several major advantages. Firstly, this device enables a comprehensive approach to the entire economic chain, from the development of the terminal to its placing on the market, and its actors, ranging from manufacturers to distributors. In addition, the attestation of compliance with the obligations by documents such as technical documentation, for the market surveillance authority, and the certificate of compliance, for importers, order fulfilment service providers, distributors and agents, will allow each actor concerned to obtain the necessary information in a quick and reliable manner. Finally, this inspiration from the Community framework for national provisions will enable the actors concerned to quickly understand the functioning of this market surveillance system and thus avoid unnecessary waste of time.
The draft Decree provides that the supervision of compliance with the obligations of economic operators is entrusted to the National Frequencies Agency, which has solid expertise in market surveillance, being in particular in charge of surveillance under Directive 2014-53 known as RED. The provisions provided for in the event of doubt as to the compliance of the product - assessment and, where appropriate, formal notice, withdrawal and administrative sanction - are gradual and proportionate so as to provide an effective balance between cooperation with the relevant economic actors and compliance with the regulations.
The implementation period of 12 months stems from a consultation with the sector and aims to allow a period of adaptation of contracts and software where necessary.
10. Reference texts should be sent as part of the previous notification: 2022/103/F
11. No
12. -
13. No
14. No
15. -
16. TBT aspect
NO - The draft does not have a significant impact on international trade.
SPS aspect
No - The draft is not a sanitary or phytosanitary measure.
**********
European Commission
Contact point Directive (EU) 2015/1535
Fax: +32 229 98043
email: grow-dir2015-1535-central@ec.europa.eu
