The hot topic in the field of online safety in Italy is currently age verification and the way it is carried out. In addition to the rules set out in the EU Digital Services Act, a Bill is currently pending in the upper chamber of the Italian Parliament that would require all providers of ‘information society services’ to verify the age of users, according to the modalities laid down in a regulation to be adopted by the Italian media regulator (AGCom). The latter has in turn recently adopted a regulation called ‘Regulation on the technical and process modalities for ascertaining the age of majority of users’ (the Age Verification Technical Rules) which provides for an innovative way of verifying age with regard to access to pornographic websites. This regulation is currently being examined by the European Commission in the context of the TRIS procedure pursuant to Directive (EU) 2015/1535 on notification of draft technical regulation. The standstill period provided for by this procedure is expected to end on 17 February 2025.
The background to and framework of the Age Verification Technical Rules
In reaction to a terrible crime that was brought to light in August 2023 (involving two underage girls repeatedly raped by a group of young men and minors in the run-down suburbs of a large Italian city), the Italian Government issued Legislative Decree No. 123 of 15 September 2023 (the “Caivano” Decree, named after the location where the facts occurred), attempting to introduce measures to protect minors from risks including questionable content in cyberspace. In this context, Article 13-bis of the Caivano Decree prohibits allowing minors access to pornographic content (as it “undermines the respect for their dignity and compromises their physical and mental well-being, constituting a public health problem”) and requires online providers of this content to verify the age of majority of users, in order to prevent minors from accessing the content.
The Caivano Decree also required the Italian media regulator AGCom (in consultation with the Italian Data Protection Authority, the Garante) to identify the technical means to be adopted in the industry for ascertaining the age of majority of users, in compliance with the principle of minimisation of personal data collected for the purpose. Following a consultation process with stakeholders started by Resolution No. 61/24/CONS and the favourable opinion of the Garante, on 7 October 2024, AGCom announced that the Age Verification Technical Rules had been filed with the EU Commission for TRIS verification.
How the Age Verification Technical Rules work
The Age Verification Technical Rules are based on a ‘double anonymity’ model, to prevent the providers of age verification tools from knowing the service for which the verification process is being carried out, in order to ensure users’ privacy. For this purpose, AGCom has designed a system composed of two different steps: identification and authentication.
As a first step, ‘proof of age’ – in the form of a digital certificate – is issued by a service provider that specialises in the provision of ‘digital identity’, is accredited by AGCom and is therefore independent of any content provider. This identification is carried out based on the proof of age submitted by the user (e.g. ID card). In the authentication step, the user is required to share this digital ‘proof of age’ issued by the certifying entity with the content provider (the ‘proof of age’/digital certificate may, for example, be downloaded directly by the user via the website of the certifying entity and then sent to the site or platform to be visited). Based on the submitted ‘proof of age’, the content provider grants access to the requested content.
AGCom leaves room to use different age verification systems based on apps installed on users’ own devices, allowing them to authenticate themselves by providing the proof of age directly through the app (e.g. digital identity wallet apps). Pursuant to the Age Verification Technical Rules, these apps can be used as age verification systems to the extent they comply with the GDPR rules on protection of personal data (with particular reference to data minimisation), are secure from cyber-attacks and accurate in terms of providing information to content providers on the users’ age, among other requirements.
Stand by for the new rules
The Age Verification Technical Rules will enter into force immediately after the end of the TRIS suspension period in February 2025. Although they are currently limited to providers who distribute pornographic content that can be accessed in Italy, it is possible (or even likely) that the Age Verification Technical Rules will at some point be extended in Italy to other providers of information society services (regardless of the nature of the content published). This could happen, for example, on the basis of the Bill currently being discussed in the Italian Parliament, which aims to impose the obligation on all information society service providers to verify the age of users in a manner to be determined by AGCom (and by the time it becomes law, AGCom will have already elaborated on the Age Verification Technical Rules for this purpose), or through use of the Rules as a benchmark to assess the adequacy and proportionality of the measures taken by intermediaries in Italy to ensure a sufficient level of protection and security for minors as required by the Digital Services Act. Stay tuned.