AMETIC is the Multisectorial Association of Electronics, Information and Communication Technologies and Telecommunications and Digital Content Companies in Spain, we represent the main companies in this sector, and we have a wide experience and recognition for the plurality of our high number of members and the value and sectorial balance of the positions.
As an Association of companies immersed in the digital field, we represent companies with the great knowledge and experience necessary to address the challenges of digitalization.
In relation to notification No 2024/0531/ES by Spain in accordance with the Draft Organic Law for the Protection of Minors in Digital Environments (the "Draft") which aims to establish a comprehensive protection framework for minors against digital risks in Spain, we argue that there is currently no alignment on the measures for the protection of minors in the digital environment. As a result, laws and guidelines are multiplying in fragments across the EU. This poses challenges for the various business activities of companies operating in the EU and legal uncertainty.
Such is the case that Spain's national competition authority (the CNMC) has published a report on the Draft Organic Law proposing several recommendations and suggestions. Among them, the CNMC suggests assessing the impact on competition of the obligations imposed on manufacturers of devices with an Internet connection, as well as questioning the subjection of age verification systems to the eIDAS Regulation (Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and by repealing Directive 1999/93/EC). According to the report, the CNMC recommends that the Draft Organic Law specify the subjective scope of its application and clarify that the obligations in communications to minors are considered to be of a general nature and not limited to the digital environment, which could go beyond the scope of the Draft Organic Law.
In a similar way, we can find the conclusions of the TRIS procedure No 2024/0188/DE, where the Commission stresses that "as a result, Member States are prevented from adopting national measures that overlap or contradict the full harmonisation framework of the Digital Services Act". Warning of market fragmentation and highlighting the harmonization of the DSA, which impedes regulatory development by Member States[1].
In this context and after analysing the Preliminary Draft, we will present below a summary of the Preliminary Draft, and we will explain how this regulation conflicts with the existing regulation and violates European laws and principles. We will also analyse specific articles and conclude with a request to the European Commission to adopt a reasoned opinion compelling the Spanish Government to review the notified draft law and ensure its conformity with EU law
- Description of the Draft
The draft organic law for the protection of minors in digital environments in Spain seeks to establish a comprehensive protection framework for minors against digital risks, promoting a safe, balanced and responsible use of technology. The main measures of the draft are:
- Obligations for manufacturers: Device manufacturers must include free and accessible parental controls that must be activated by default at the time of initial device setup, as well as inform about the risks of excessive use of technology for minors.
- Restrictions on harmful content: random reward mechanisms (such as lootboxes in video games) for minors are prohibited and an age verification system is established.
- Educational regulation: educational institutions must regulate the use of devices and promote an education that includes the responsible and critical use of technologies.
- Health measures: create prevention and health promotion programs related to the excessive use of digital devices, encouraging specialized care for minors with addictive behaviors without substance.
- Public-private collaboration: Encourage cooperation between the public and private sectors to ensure compliance by internet access service providers from a fixed location to establish protection measures in the use of the internet in public places.
- Legal amendments: changes to the Penal Code to punish conduct affecting minors in digital environments, including the distribution of harmful content and the imposition of penalties related to the prohibition of access to social networks.
Protecting children online is a shared priority for digital businesses, and we are committed to collaborating with stakeholders to create a safe and empowering digital environment for them. However, it is crucial that any national measures are aligned with the EU's harmonised framework and the principles of the single market. While we support the objectives of the law, we believe that it conflicts with established EU law.
- Incompatibilities with existing regulation
- Digital Services Act
The Digital Services Act (DSA) aims to create a harmonised Digital Single Market by establishing clear and consistent rules for online intermediation services across the EU. It introduces EU-wide rules to ensure online safety, protect fundamental rights and foster innovation. By establishing this comprehensive framework, the DSA aims to prevent Member States from imposing additional national rules that could create inconsistencies and hinder the functioning of the internal market.
However, the Draft Organic Law seems to create inconsistencies with the objectives of the DSA that may compromise the collective objective of protecting minors in digital environments. Since the DSA, being an EU Regulation, applies directly, Member States should avoid regulating matters that fall within its scope.
In this context, it is necessary to review the key concepts of the Spanish bill, as they interfere with the scope of the full harmonization nature of the DSAs, in particular with regard to articles 28, 34 and 35.
Article 28 of the DSA establishes the legal framework for the protection of minors in digital environments. It requires providers of digital services accessible to minors to implement appropriate and proportionate measures to ensure a high level of privacy, safety, and security for minors on their service. In addition, it also requires providers not to display advertising based on the profile and use of minors' personal data. We understand that the European Commission is currently drafting guidelines on the implementation of Article 28 of the DSA to support the implementation of this provision by digital platform providers.
On the other hand, Articles 34 and 35 require very large online platforms to (1) identify systemic risks (including assessing potential harm to children's rights and well-being) and (2) implement safeguards with age assurance and parental control tools as one of the possible mitigation measures that could be taken to address the systemic risks identified in specific services.
In conclusion, key concepts of the Draft Organic Law interfere with the idea of greater harmonization of the protection of minors under the DSA.
- Directive on the placing of radio-electronic equipment on the market
The parental control requirements of the draft law conflict with the Radio Equipment Directive (RED), which reserves the power to define such technical standards for radio equipment only for the EU.
The Directive on the placing on the market of radio equipment (RED Directive) limits the competence of Member States to legislate in this area with the aim of promoting harmonisation: it provides that it is solely for the EU legislator to define the essential requirements to be met by radio equipment and to determine the rules applicable to its marketing (Articles 3 and 9), and Member States can only regulate the commissioning or use of radio equipment, always complying with very specific requirements.
In other words, the Member States have no authority to subject the placing on the market of radio equipment to requirements other than those provided for in Article 3 of the RED Directive, such as the mandatory inclusion of parental control functionality. In addition, it directly prohibits preventing "the marketing in its territory of radio equipment that complies with this directive".
- GDPR and Sales of Goods Directive
The Draft Organic Law obliges manufacturers to report on data protection measures and risks related to privacy and security; however, there is already a general requirement for transparency in the scope of the GDPR.
Likewise, the Draft Bill incorporates the obligation for the operating systems of the terminals to include parental controls during configuration and to provide specific warning information to the Law on the Protection of Consumers and Users in Situations of Social and Economic Vulnerability (TRLGDCU) as an objective requirement for the conformity of the terminal. However, the Sales of Goods Directive already harmonises the objective compliance requirements for goods within the EU, so the introduction of this new conformity requirement in the TRLGDCU creates a disproportionate burden for retailers operating within the EU, in particular those engaged in cross-border trade activities.
Therefore, adding paragraph 7 to Article 115b of the TRLGDCU seems to conflict with the objective of harmonisation of the Sale of Goods Directive.
- Market Surveillance Regulation
We consider that the Preliminary Draft is incompatible with the Market Surveillance Regulation, which sets out the tasks of economic operators in relation to products subject to certain Union harmonisation rules, and which defines who is considered an economic operator, and specifies that it is this operator who is responsible for making the EU declaration of conformity or a declaration of performance and technical documentation.
- Violation of European laws and principles
- Breakdown of the EU's single market
A central objective of the EU is a unified market where digital goods, services and activities can flow freely across borders. Fragmented national regulations on digital issues force companies to adapt to different requirements in each country, contradicting the concept of a digital single market and creating obstacles for companies operating across the EU. Which leads to:
Operational burden for pan-European companies: With each EU country implementing unique regulations on digital privacy, child protection or data handling, companies face duplicate compliance costs and operational complexity. Meeting diverse national standards requires reengineering of products, systems, and practices. Pan-European companies must overlap legal rules, which add to technical and administrative burdens. Specifically, different rules on age verification systems may force companies to redesign IT infrastructure and create separate policies, further increasing costs.
Unequal consumer experience in the EU/consumer confusion and erosion of trust: EU consumers expect consistent protection and experiences across Member States; however, fragmented regulations lead to varying levels of protection, causing confusion and eroding trust. For example, if one country applies stricter data protection than another, consumers in less regulated areas may lack the same privacy safeguards, creating a fragmented experience that undermines trust in digital services across the EU.
- Technical barriers and obstacles to the free movement of goods
According to the Draft Organic Law, operating system providers must ensure that they include a system for the protection of minors. These provisions would require the operating systems of devices that are commonly used by children (such as smart TVs, mobile phones or computers) sold across the EU to be adapted to the Spanish market. Given the technical complexity of adapting the operating system for only one domestic market, this obligation would significantly impede the free movement of devices and constitute a barrier to the free movement of goods in the internal market.
In addition, existing legislation, such as the AVMSD, DSA, and GDPR, requires organizations to take appropriate measures to protect underage users. The implementation of the Spanish age rating system poses a particular challenge for international providers of audiovisual services, operating systems and applications.
The Court of Justice of the EU (CJEU) has recently confirmed that a similar national approach is contrary to EU law "which guarantees the free movement of information society services through the principle of control in the Member State of origin of the service in question".[2] Member States should therefore refrain from adopting 'measures of a general and abstract nature that apply without distinction to any provider of a category of information society services', as this would undermine mutual trust between Member States and conflict with the principle of mutual recognition enshrined in the e-Commerce Directive.
By treating operating systems as commodities, mandatory parental control functionalities at operating system level create barriers to the free movement of goods within the EU. The notified draft law does not justify the imposition of new requirements that could stifle innovation and competition in the market, especially since effective solutions for child protection already exist on the market. There is a risk of fragmenting the Digital Single Market, in particular as other Member States (such as France and Germany) are implementing their own approaches to parental controls. This creates inconsistencies and compliance challenges for companies operating across borders.
- Failure to comply with the country of origin principle
The provisions of the Spanish Draft Organic Law conflict with the "country of origin principle", which assigns the country of establishment the supervision of regulations (Article 3 (1) and (2) eCD eCommerce/Article 3, 4 AVMSD). Therefore, the Preliminary Draft negatively affects the free movement of goods and unduly restricts the freedom to provide information society services and audiovisual services.
Specifically, it requires manufacturers to ensure that the operating system of their devices has parental control functionality, the characteristics of which will be subject to regulatory development. Imposing a certain model of parental control functionality may violate the country of origin principle, as both terminals and services, applications and content may include parental control functionalities certified in other member countries of the European Union.
The Commission recently confirmed this opinion (TRIS Notification 2023/0205/I) in response to the notification procedure issued by the Italian authorities on the implementation of prominence requirements. The European Commission referred to the principle of the free movement of cross-border services in Article 56 of the Treaty on the Functioning of the European Union (TFEU), as well as in Article 3 of the eCD, according to which information society services are subject only to the law of the Member State in which the service provider is established (country of origin principle).
While the e-Commerce Directive provides for exceptions to the country of origin principle, these are limited to specific circumstances, namely: 1.) specific measures (exceptions only apply to measures taken against a specific online service, not to broad regulations), 2.) serious risk (the service in question must pose a demonstrable threat to public policy or other vital interests) and (3) procedural requirements (strict procedural safeguards must be followed, including notification to the provider's home Member State and the European Commission). The Spanish bill does not appear to meet these exception criteria.
Likewise, the Digital Services Act, in line with the e-Commerce Directive, maintains the country of origin principle as a fundamental pillar of EU law. This principle ensures that online service providers are primarily regulated by the law of the EU Member State in which they are established. It prevents Member States from imposing potentially onerous additional obligations on providers established in other Member States.
However, the Draft Law introduces obligations for manufacturers of internet-connected devices (e.g. mobile phones, tablets, smart TVs and laptops) that offer their devices in Spain, regardless of their establishment. Specifically, it introduces obligations for manufacturers (1) to ensure that their devices include parental control functionalities in the operating systems of the devices, which must be enabled by default during the initial configuration of the device, (2) to provide information on the packaging of the products and in the manuals/user guides warning of risks related to harmful content, data protection, recommended usage time, parental controls, and the potential impact on cognitive development, emotional well-being, and sleep quality.
- Comments on specific articles of the Preliminary Draft
Article 4
As we have been discussing, Article 4 of the draft imposes on manufacturers the obligation to ensure that their devices include parental control functionalities to restrict or control access to services, applications and content, which creates inconsistency with Article 28 of the Digital Services Law. In addition, the Preliminary Project imposes that the activation of this system must occur by default at the time of the initial configuration of the terminal equipment. We understand that the parental control function should be offered to the user in the initial configuration and give them the possibility of activation from the first use. However, we consider it inappropriate and disproportionate that it should always be activated by default as it could and additional market barrier. In many cases, the terminal equipment will not be accessible to any minors, and this protection will only lead to a worse user experience, without any benefit. It is more effective to require parents to make a series of choices as to the level of parental control and filtering on a device, making them mentally engage with what is appropriate for their family, than to simply have all such controls switched on automatically when they first use the device.
Likewise, the article establishes that manufacturers of digital terminal equipment must provide information on their products, at least on the packaging and in the instruction book, user manual or user guide of the equipment, which warns, in accessible, inclusive and appropriate language for all ages, of the risks to health, moral and physical development derived from access to harmful content. They will also provide information on data protection measures and risks related to privacy and security; the recommended time of use of the products and services, appropriate to the age of the user; parental control systems; the risks to cognitive and emotional development and the effect on sleep quality of prolonged use of such services.
We consider the obligations outlined in this section to provide information on packaging to be disproportionate; this will require modification of the box designs for all EU countries due to a national requirement. Also, it could generate that, according to the consumer protection laws of other countries, this information is considered relevant and should be translated into other languages, generating unintelligible packaging in some cases. In other cases, the dimensions of the product would not allow this information to be indicated. Moreover, these requirements are outside the scope of the standard's objective for the protection of minors and conflict with other European regulations[3].
In any case, the adaptation of language and visual and audiovisual elements to the needs of people with disabilities and people with autism spectrum disorders will be taken into account. Obligations that are already established through European legislation and will cause inconsistencies in Spain[4]. On the other hand, since parental control is not a key feature of a product, it should not be necessary on the packaging or on the product itself.
We ask that the necessary indication for referring consumers to the marking in the manual be harmonized by referring to the channel and document which is deemed more appropriate by the manufacturer, including electronically like an official website, intended for this purpose. The environmental impact of these requirements considering 1 page of the instruction manual (11.5 million smartphone sales per year, 3 million televisions) would generate 14 million pages of paper for these two categories alone, something unjustified when it has been shown that other countries with the same type of regulation have not required this amount of information on paper with its associated environmental impact. Also, printed materials do not take into account the needs of people with disabilities who can access more easily to electronic equivalent. It should be allowed to provide the information either in the instruction manual or a link to the website where all the information on risks associated with the use of the device is found and do not depend on the decision of the manufacturers. Products under the scope of this regulation have access to the internet; Therefore, it would be appropriate providing information on parental control and a link where all this information is complemented by the authorities based on the risks demonstrated and associated with all manufacturers, it would be more effective and with less impact on the environment and more appropriate for people with accessibility needs. Therefore, in the event that Spain continues to prefer to continue with the obligations of Article 4, it could be aligned with the French regulation where terminal manufacturers make information available to end users in an easily accessible and understandable way regardless of the medium[5].
Finally, the Preliminary Draft contemplates a period of six months from the entry into force of the obligations foreseen. A completely unacceptable period considering that product modifications are proposed (packaging and manual) in order to guarantee the implementation of the changes that affect the products put back on the market from a certain date, at least 18 months are necessary
Article 5
Article 5 of the Preliminary Draft establishes a regulation of access to and activation of random reward mechanisms, which prohibits access to random reward mechanisms or their activation by minors. This regulation fragments the single market, creating disparities that affect both consumers and the video game industry. Consumers may find certain games unavailable or with altered gameplay compared to other European countries. This fragmentation also harms the industry, impacting game developers, investors, and retailers in Spain –specially small businesses– who now have to navigate a national regulatory silo separate from the rest of the EU. This situation may discourage investment and stifle innovation within the Spanish and the European market, negatively impacting the competitiveness of the Spanish gaming industry.
Firstly, it will affect the availability of certain games for Spanish and non Spanish users, whether or not they are minors, as it will affect matchmaking policies. Online games are played across borders and often in groups. Spanish players will not have the same access to their own detriment, but also that of the other players. This law will also affect users whether or not they are minors; to the gaming experience; the future evolution of the industry, both the Spanish industry, including small and medium-sized developers, and the one that has been investing on Spain; and the competitive neutrality between video game operators that market titles with loot boxes – and within them those located in Spain and the EU and the rest – and the rest of the operators.
Additionally, the initiative is inconsistent with the evolution of the issue at EU level, where there has been a commitment to address this issue from a joint European prism.
Already in 2013, the European Commission and the CPC network investigated in-app purchases in games and established a common position on the matter. The European Commission's 2021 Guide defines criteria for how video game companies should offer paid loot boxes. In recent years it has been clarified that the approach to payment boxes already falls on consumer protection policy and regulations, which falls under the EU scope to avoid market fragmentation. Precisely, in its desired to avoid market fragmentation and prioritise the protection of consumers, especially vulnerable people and minors, the European Commission recently published the results of the Digital Fairness Fitness Check, in the context of the analysis of additional actions to ensure an equal level of fairness online and offline in which it addresses virtual objects and in-app currencies, including loot boxes.
In this context, the European Commission recognises that the sale of virtual items and the use of intermediate currencies within applications are permitted by EU consumer law and loot boxes and other virtual items with uncertainty-based rewards are also not prohibited as such. The conclusions of the Digital Fairness Fitness Check report will serve to consolidate consumer protection at the European level in the Digital Fairness Act.
Instead of individual countries creating their own regulations, it's time to let the European Commission (EC) take the lead. In their new mandate, the EC can thoroughly assess the situation and propose solutions that protect consumers while maintaining a unified internal market. This approach ensures consistency and avoids fragmentation across Europe.
- Overall conclusions and requests
In conclusion, to avoid fragmentation of the digital market, European policymakers need to adopt an EU-wide approach to children's safety online, including ecosystem-wide initiatives related to parental controls. It is essential that any EU-wide approach builds on existing solutions, rather than discarding existing parental control tools, but focuses on integrating and improving them. To do this, the following should be considered:
- The existence of different levels of risk is associated with the various services, so there is no single solution that fits all scenarios in the digital environment. Given the wide variety of services and individual providers in the digital space, we believe it is important to identify real risks, so that organizations can introduce child protection solutions that work in each case.
- The introduction of new country-specific requirements, such as the requirements included in the Draft Organic Law for the protection of minors in digital environments, will lead to a patchwork of regulations and different approaches to child protection in the digital environment, so that the focus will be lost on the objective of raising the standards of child protection in Europe. We urge the European Commission to consider the opposite impact that such a law poses on the objective of protecting children and minors in Europe.
- The need to maintain a level playing field between physical and online retail channels should be considered and take into account the existence of sectoral laws, which provide well-established frameworks that already mitigate risks at the product level; and also take into account the harmonization required by the DSA.
It is also worth noting that the European Commission is also actively working to improve children's online safety through several initiatives:
- Better Internet for Kids (BIK+) Strategy:[6] Launched in 2022, this strategy aims to make online services age-appropriate and ensure that children are protected, empowered and respected online.
- Guidelines for Article 28 of the Digital Services Act[7]: The Commission launched a call for evidence to gather comments on its Guidelines on the Protection of Children Online, which, once adopted, aim to advise on how online platforms should implement high levels of privacy, safety and protection for children online, as required by the Digital Services Act. The test call closed at the end of September 2024 and the Guidelines will be ready in May 2025.
- Working Group on Age Verification[8] and call for tenders for a new age verification application[9]: The Commission set up a Working Group on Age Verification, which includes the national coordinators of digital services, the European Regulators Group for Audiovisual Media Services (ERGA) and the European Data Protection Board (EDPB), which is working to develop an EU-wide approach to age assurance. including age verification and age estimation technologies. The Commission also announced funding for a new age verification app that will allow users to prove their age by filing an electronic declaration in a privacy-preserving way to access age-restricted content. The app will be built in accordance with the EUDI Wallet technical specifications so that it can connect to the EU eIDAS Regulation from 2026.
That is why we argue that national legislative proposals, such as the current draft of Spain, endanger the European single market. While Member States may feel the need to take additional measures, any national legislation should respect the harmonising effect of the Digital Services Act and uphold the country of origin principle. This is crucial to maintaining a coherent and integrated Digital Single Market. In addition, given the global nature of the internet, a unified approach to child safety online is crucial. Member States should actively participate in and support the European Commission's ongoing initiatives, rather than implementing contradictory national laws. This collaborative approach is essential to effectively protecting children online.
To address these concerns and ensure effective child safety online within the EU, it is essential that the European Commission ensures an effective Single Market and the general competences of the Digital Services Act and in particular:
- Align with existing EU initiatives: Rather than creating separate legislation, Spain should actively participate in the EU's ongoing efforts to ensure the online safety of minors. These include the Commission's Better Internet for Kids (BIK+) strategy, the guidelines for Article 28 of the Digital Services Act and the Working Group on Age Verification. These initiatives are working towards a coherent and effective approach at EU level.
- Respect the country of origin principle: any national measure must respect the established principle that service providers are primarily subject to the law of their home Member State. This is essential to maintain a healthy and integrated digital single market.
- Take an ecosystem-wide approach to age assurance and parental controls: Requirements for age assurance and parental controls should be built on existing solutions, rather than focusing on a few parts within the ecosystem (device manufacturers and operating system providers). In that regard, we support ecosystem-wide initiatives that recognize the different roles that stakeholders play in the ecosystem.
In conclusion, and following all the arguments presented, we urge the European Commission to formally request the Spanish government to review the notified draft law to ensure its conformity with EU law.
