Structure of Coimisiún na Meán and focus for year one: Commissioner Hodnett

Coimisiún na Meán (the “Commission”) was established on 15 March 2023 and replaced the Broadcasting Authority of Ireland. It is made up of a college of Commissioners; an Executive Chairperson; a Broadcasting Commissioner; a Media Development Commissioner; and an Online Safety Commissioner. The Commission will be joined by a Digital Services Coordinator Commissioner who will be responsible for overseeing the Digital Services Act (Regulation (EU) 2022/2065) (“DSA”).

The Online Safety Commissioner (“OSC”) is primarily responsible for overseeing the Online Safety and Media Regulation Act 2022 (“OSMRA”) and establishing the building blocks for the regulation of online safety in Ireland. The OSC will also have a role in relation to the proposed EU CSAM Regulation (to prevent and combat child sexual abuse) if and when that is enacted, and the EU Terrorist Content Online Regulation (Regulation (EU) 2021/784).

In tandem with a hiring drive to recruit 120 staff for the Commission to perform its functions efficiently, the work plan for the OSC for year one includes designating services for regulation under the OSMRA and consulting on the first Online Safety Code that can be applied to the video-sharing online platform services (“Code”). The designations will focus on video-sharing platform services initially, as this is mandatory under the OSMRA. The OSC will consult on the other main services for regulation under the OSMRA after the initial designations. The Code will mainly focus on the ‘shalls’ in the OSMRA, i.e. its mandatory provisions and the provisions it is required to address under Article 28b of the Audiovisual Media Services Directive ((EU) 2018/1808) (“AVMD”). The Code will be made available for public consultation before finalisation as a binding legal instrument.

The Online Safety Code: Commissioner Hodnett

Harmful online content as defined in the OSMRA (in section 139A) is one of two kinds; online content that falls within one of the 42 Scheduled Offence-Specific categories of online (and additional categories of content as specified by order under section 139B); and content consisting of bullying and humiliation, promoting eating disorders, promoting suicide, or promoting self-harm, or making available knowledge of methods of self-harm or suicide, all of which are subject to a risk test. The OSMRA also has regard to age-inappropriate content defined (in section 139D) as content that is not appropriate for children, having regard to their capabilities, their development, and their rights and interests, including in particular content consisting of pornography, or realistic representations of, or of the effects of, gross or gratuitous violence or acts of cruelty.

The OSC is seeking to address these harmful online contents in the Code, also having regard to Article 28b of the AVMD. Article 28b requires that video-sharing platform providers take appropriate measures for the protection of minors; the protection of the public as regards incitement to hatred or violence; the protection of the public from content that constitutes an activity which is a criminal offence under Union law such as provocation to commit terrorist offences, child pornography, racism, and xenophobia. The Code will also contain provisions as regards commercial communications, removing illegal content online where it is criminal in the EU and a complaint handling approach.

Hiring of staff by a Regulator: Commissioner Dixon

Further to Niamh Hodnett’s comments about hiring 120 staff and in response to Rob’s query about the challenge that can present, Helen Dixon, the Data Protection Commissioner (“DPC”) relayed that there is an initiative underway between the grouping of ‘so-called’ digital regulators: the Media Commission, Data Protection Commission, Commission for Communications Regulation, Competition and Consumer Protection Commission. The group has gone out to tender to conduct a study around the type of skills that are needed for regulators now and into the future, and what kind of market conditions we are competing in. The DPC hopes this will encourage the Department of Public Expenditure NDP Delivery and Reform to relax the restrictions that they recruit under currently.

Digital Services Coordinator Commissioner interaction with Online Safety Commissioner: Commissioner Hodnett

Niamh Hodnett explained that Coimisiún na Meán has given a lot of thought to how it will regulate in an effective way. In terms of the interaction between Commissioners, it will make decisions as a college of Commissioners to ensure joined-up thinking.

She explained that the OSMRA is concerned about online content and taking down harmful online content and the DSA deals more with the systemic risks and in particular those risks as they apply to very large online platforms (“VLOPs”) and very large online search engines (“VLOSEs”). The Commissioners will identify between them which tools should be used for which matter to ensure maximum efficiency. While there will be differences between the two regimes, there will also be overlap, i.e., content classified as harmful, could be illegal as well, and content that is illegal could also be harmful. The OSC will be working hand in glove with the European Commission. The Digital Services Coordinator Commissioner will be applying the General Scheme of the Digital Services Bill 2023 when enacted, as regards enforcement of the DSA in Ireland. (The DSA comes into full force and effect on 17 February 2024, save for entities that have already been designated as VLOPs or VLOSEs who will be subject to the legislation from the earlier date of 25 August 2023.)

Lessons from the past 5 years: Commissioner Dixon

In response to a question raised by Rob Corbet about learnings from the central role that Ireland has had under the EU data protection regime, the DPC pointed to the difficulty that stems from the form of a one-stop-shop mechanism in the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). The GDPR contains an in-built co-decision-making process, that is formalised with consensus-building steps, which presents challenges. She commented that the form of cooperation under the DSA appears to be looser and would not be constricted by the formal legal co-decision-making complexities that we see in the GDPR.

The second learning she imparted is that with any kind of central role that affects interests in the EU, members of the public, as well as other stakeholders, as Ireland has in data protection terms under the EU regime, we need a presence in Brussels. The Data Protection Commission will place a senior member of staff permanently in an office in Brussels to improve communications. Even though DG Connect under the DSA has exclusive competence for certain of the provisions in relation to VLOPs and VLOSEs, the DPC commented that it is very clear under the DSA that where the European Commission hasn’t initiated proceedings in relation to the large platforms, then it falls in a form of one-stop-shop where the Media Commission will be in the frame. Her learning here is that to the extent that Ireland is going to play a central role with regard to the DSA, being present in Brussels is very important.

Implications for the Data Protection Commission arising from the new regime: Commissioner Dixon

The DPC does not expect the volume of complaints to the Data Protection Commission to lessen as a result of the new online safety regime. It operates under an obligatory complaint-handling system. She commented that when a complaint arises, there is a variety of reasons why the online platforms would push back on this, arguing that the issue does not fall foul of the GDPR, or their community standards. In the context of resolving complaints, the DPC advised that an important part of the DSA and the online safety regime is going to be around expectation setting.

Overall, she said, what the DSA is seeking to do is to look much more systemically at some of these online harms, including dark patterns, misinformation, and illegal content. Clearly, under the GDPR she said, we are trying to do two things: we are trying to solve systemic problems with platforms with a law that was created as a technology-neutral principles-based law, with no hard-edge rules that apply explicitly to platforms. Now she said, we have a scenario where the DSA and DMA in particular, look at and target these kinds of services where the harms are arising. The DPC commented that the systemic approach is very interesting. There will be some complaint handling under the DSA, but it is much more focused on trying to look at harm ex-ante. Overall, the DPC thinks the online safety regime will have a positive impact, although she is not sure if it is going to hit exactly the areas of complaint that the Data Protection Commission has seen. Those are two separate regimes.

Interplay between the DSA and Online Safety Code: Commissioner Hodnett

Niamh Hodnett reminded the audience that the Online Safety Code will be binding and principles based and that the DSA deals with systemic regulation. Under the DSA, VLOPs and VLOSEs will be required to look at their risk assessments and what steps they can take to mitigate those risks. For example, some of those steps to mitigate risks can involve age verification. If we are not sure of the age of users she said, then age-inappropriate content will appear on a platform. However, she advised that while the systemic regulation in the DSA will seek to reduce the illegal content online, and the binding Online Safety Code will also seek to do that, there will remain individual items of content online that will be upsetting for a particular person, notwithstanding the systemic regulation that is taking place.

For that reason, next year after the Code is in place, the OSC will be moving to enforcement and monitoring of compliance, as with DG Connect from August of this year, and will try to gauge whether there are any systemic issues remaining. The OSC referred to some of the measures that can be taken to address systemic risks, including safety by design, privacy by design and adopting a child-centric approach as envisaged under Article 24 of the Charter of Fundamental Rights of the European Union (the Rights of the Child) and Article 3 of the United Nations Convention on the Rights of the Child.

The OSC will be looking to establish a complaints mechanism in due course and will be monitoring compliance with the Code. As part of the Online Safety Code, the OSC mentioned that the office will be looking at the complaint handling turnaround of platforms currently and whether they are effective.

Dealing with areas of common concern, taking the topic of children for example: Commissioner Dixon

The protection of children is a key area of concern for all regulators. There are areas of common concern between the OSC and DPC, and the starting point is around how do you identify children, particularly in mixed content platforms where it is hard to discern who the content is generated for. There is no silver bullet technical solution that allows the identification of the age of people currently. One of the key things that the DPC identified as occurring more generally beyond children in relation to the DSA, DMA, and the GDPR is that a lot of what will be required ostensibly under these new laws could have data protection implications.  This is a big area of discussion. For example, imposing hard age verification has data protection implications: she posed the question of whether there are there potential security risks if cross-use of data and combining of data, is not permitted. All these areas are interconnected and complex: what we are going to see in terms of risk assessments she said, is the difficulty of joining some of this up in practical terms.

In response to a more specific question about children and complaints, the DPC commented that we need to tackle the EU Commission’s drive for a policy for a better internet for kids and their pursuit of a code of conduct that is going to address some of these issues such as age assurance and age verification. The Data Protection Commission is trying to connect to that because they are trying to draw some of the platforms that are here into signing up and developing a code of conduct around children and data protection and higher standards. The Data Protection Commission does not want that to be in conflict in any way with the ‘better internet for kids’ initiative and anything prescribed under the DSA. It is trying to connect with stakeholders to see whether they can come up with a common solution to this potential cross-over.

Consulting children: Commissioner Hodnett

Niamh Hodnett provided the final remarks in the panel discussion. With respect to the topic of age verification, she commented that the scarier the content is, the more important it is that the age verification tool is effective. The OSC will be establishing a Youth Advisory Committee within the year of establishment as required under section 19 OSMRA. She made the point that it is very important that we discuss these issues with the children themselves and ask them about their perspectives.