On May 13, the European Commission released draft guidelines for Article 28 of the Digital Services Act (DSA), aimed at enhancing online protection for minors. CDT Europe has reviewed these guidelines and offered feedback, highlighting areas needing clarification to ensure effective implementation across the EU.
The guidelines introduce several initiatives, particularly around safety-by-design principles and user empowerment tools. These proposals align with CDT Europe's previous research and suggestions. However, two critical areas require attention: the risk review framework and age assurance requirements.
The proposed risk review system is intended to help platforms assess potential harms to minors. However, CDT Europe notes that the framework lacks clarity for consistent implementation. The guidelines reference various methodologies, such as the Dutch Ministry’s Child Rights Impact Assessment (CRIA) and UNICEF’s assessment tools but do not explain how platforms should choose between them. This could lead to inconsistent compliance across platforms and member states.
Furthermore, the guidelines categorize risks into low, medium, and high levels to determine necessary age assurance measures. Without proper definitions for these categories, there could be disparities in implementation and challenges in enforcing the law. CDT Europe suggests adopting a child rights-based approach using established CRIA methodologies with clear visual guides linking risk levels to specific age assurance requirements.
The approach to age assurance also needs clarification. The current framework proposes different methods based on risk level but simultaneously allows medium-risk platforms to opt for more robust verification methods. This creates confusion as many existing age estimation technologies are neither accurate nor privacy-preserving.
CDT Europe foresees that many platforms might default to the European Commission’s digital wallet solution due to inaccuracies in other methods. However, this raises accessibility concerns as digital identity wallets may not be available to all users, such as refugees or migrants.
To address these issues, CDT Europe calls for clear alternatives for low-risk platforms that don't involve complex age assurance technologies. The guidelines should differentiate between using existing user data for age estimation and requiring third-party vendors.
Current ambiguities pose challenges for enforcement without clear benchmarks for accuracy or reliability. Different interpretations by national regulators could lead to fragmented enforcement across member states.
CDT Europe advocates for improvements in risk review frameworks and age assurance requirements within the DSA Article 28 guidelines. Clearer guidance would help achieve consistent compliance while protecting minors' rights across Europe.
"Achieving consistent and effective compliance for minors across Europe requires guidelines that platforms can implement clearly and regulators can enforce fairly," CDT Europe stated in its feedback submission.