Italy

[IT] AGCOM public consultation on the methods of verification of the age of majority by website managers and video-sharing platform suppliers

IRIS 2024-4:1/6

Francesco Di Giorgi

Autorità per le garanzie nelle comunicazioni (AGCOM)

The Italitan Communications Authority, AGCOM, has launched a public consultation on the specifications and requirements of the age assurance system, which will have to be implemented by providers of video-sharing platforms that disseminate images, videos and services for adult users in Italy.

This is a new measure provided for by a national law (Legislative Decree 123/23 converted into Law 159/23) which is added to other instruments aimed at protecting minors on the Internet. In fact, in November 2023, guidelines came into force (Resolution No. 9/23/CONS) for operators both on smartphones and on websites; these guidelines provide for the implementation of parental control systems in contracts agreed between consumers and operators. 

The text (61/24/CONS) put out for consultation was prepared by AGCOM following the preliminary opinion of the Guarantor for the Protection of Personal Data.

The objective of the provision is to ensure a level of security appropriate to the risk, minimising the personal data collected and respecting its confidentiality as much as possible.

The approach proposed by the authority is technologically neutral, extendable to all content that requires age verification, leaving the subjects responsible for carrying out age guarantee processes reasonable freedom of evaluation and choice, in compliance with certain general requirements.

Among the main requirements established by the authority is, first and foremost, "proportionality" on the basis of which it is established that the person responsible for implementing the age guarantee system for access to content must use a tool that is as non-invasive as possible.

Likewise, the "protection of personal data" is fundamental for AGCOM; therefore, the age verification system must comply with the data protection rules and principles established by the GDPR Regulation (data minimisation, accuracy, storage limitation, etc.).

As regards age verification, AGCOM deems it appropriate that sites and platforms subject to the age guarantee obligation do not carry out age verification operations directly, but rely on solutions from "independent third parties", who will provide the required proof of age to the web service provider (such as a bank, a telephone operator, a public body or private entity). Likewise, it is envisaged that at the request of the user, the third party will provide the latter with "proof of age" in a certified manner and that the user will subsequently send said proof to the site or platform he or she wishes to access.

With specific reference to "security", AGCOM has provided that the age verification system must take into account possible cyber attacks with respect to which it must provide sufficient IT security measures to mitigate the risks and avoid attempts at circumvention.

Regarding "functionality", the text put out for consultation provides that age verification systems are easy to use and are not an obstacle to accessing content on the Internet.

Finally, AGCOM has stipulated that the service provider must provide a channel to receive and "manage complaints" promptly, in the event of incorrect decisions on age.