Protecting Minors Online – The New Polish Draft Law on Harmful Content

The Internet is undoubtedly a groundbreaking invention, comparable to electricity or the steam engine – things that have changed the world. Since the beginning of the 21st century, the Internet has increasingly shaped our reality, gradually providing us with tools to facilitate communication, work, and entertainment. However, along with numerous benefits, it has also brought threats – especially to children, who are exposed to them from an early age. Social media trends, “pathostreams” (live streams featuring violence or vulgarity), adult content, and deepfakes are factors that may have a negative impact on a child’s development. These online threats have not gone unnoticed by governments, which are beginning to introduce legal measures to protect minors.

The “Teenagers 3.0” study by NASK (Scientific and Academic Computer Network – National Research Institute) revealed that young people spend an average of 5 hours and 36 minutes online daily – a number that has steadily increased over the years. On average, children start using the Internet or smartphones independently at 7 years and 9 months, and receive their first Internet-connected computer at around 8 years and 10 months. The study also showed that one in four teenagers watches so-called “pathostreams”, and one in six cannot identify whether the content they watch meets the definition of a pathostream. Another NASK report on the consumption of adult content by school-aged children and youth found that the average age at which children first encounter adult content is just under 11.

These findings, along with similar studies in other countries, have prompted legislative action in Poland, France, Spain, and the EU.

Draft Law on the Protection of Minors from Harmful Online Content

On February 24, the Polish Government Legislation Centre published a draft law to protect minors more effectively from harmful content online. The proposed legislation requires service providers to implement age verification mechanisms for users accessing websites containing such harmful material. A special registry of domain names offering access to adult content without age verification will also be created and maintained by NASK. The supervisory authority will be the President of the Office of Electronic Communications (UKE).

According to the draft:

• Digital service providers will be obligated to:

• • Conduct and document a risk analysis every 24 months related to the risk of minors accessing harmful content on their platforms (Art. 3). Notably, this obligation does not apply to providers of adult content.

• • Implement age verification mechanisms that prevent minors from accessing harmful content (Art. 4), with specific standards to be defined by the Minister of Digital Affairs in consultation with the UKE President.

These obligations will apply to all digital service providers operating in Poland, regardless of where their business is registered.

• Internet access providers will be required to:

• • Block access to websites using domain names listed in the official registry;

• • Redirect connections to the UKE website when a blocked domain is accessed;

• • Unblock domains removed from the registry.

Sanctions

If digital service providers fail to implement age verification mechanisms, their domains will be blocked and entered into the official registry maintained by NASK. In turn, ISPs must block access to the listed domains.

Additionally, financial penalties may be imposed on digital service providers and ISPs for non-compliance (Art. 21). For failure to conduct risk assessments or implement age verification, fines may reach up to PLN 1,000,000 (EUR 230,000).

The draft law also introduces a right to appeal a domain’s entry into the registry. A domain owner may object to the UKE President’s decision (Art. 12), and if the objection is denied, they may file a complaint with an administrative court.

Objections from the Ombudsman and the Data Protection Authority

In an official opinion dated April 3, 2025, the Polish Ombudsman criticized the lack of a clear definition of “harmful content” and the absence of detailed guidelines regarding age verification. According to the Ombudsman, this lack of clarity opens the door to excessive interference in the privacy of those subjected to age verification.

The President of the Personal Data Protection Office (UODO) echoed this concern, pointing to the risk of overprocessing personal data or profiling users during verification.

Summary

Legislation efforts to better protect minors online are undoubtedly welcome. Existing safeguards – such as parental controls or self-declared age – are ineffective, and so-called harmful content remains easily accessible to minors. However, the current version of the draft law is incomplete, particularly in its most crucial aspect: it does not define how age verification should be carried out and leaves the notion of “harmful content” vague – a flaw pointed out by both the Ombudsman and the UODO.

In terms of verification mechanisms, the law delegates responsibility to future guidelines from the Minister of Digital Affairs and the UKE President, which will be issued after the bill is passed. These guidelines will not be binding, and service providers can tailor the verification method to their technical capabilities. This creates the risk that age verification mechanisms will be superficial or ineffective and could infringe on users’ privacy.

Incorporating feedback from oversight bodies may help improve the draft and create a safer online environment for minors.