26.02.2026

The draft amendment to the Act on the provision of services by electronic means requires changes

Mirosław Wróblewski, President of the Personal Data Protection Office, in a letter to Dariusz Standerski, Secretary of State at the Ministry of Digital Affairs, presented his comments on one of the draft amendments to the Act of 18 July 2002 on the provision of services by electronic means, aimed at ensuring the application of the Digital Services Act[1]. Taking into account the comments contained in the letter during the legislative process will contribute to increasing the level of personal data protection and privacy on the Internet.

One of the challenges facing our country is to ensure effective legal protection for Internet users against illegal content and to reduce the phenomenon of illegal processing of personal data online, including on social media. To this end, it is necessary to introduce practical regulations allowing for an effective fight against cyber threats, which also involve the use of personal data and lead to privacy breaches. It is also important to prevent and deter the use of technology that exploits data and information about individuals to commit prohibited acts that often infringe on the most fundamental human rights and freedoms. Particular attention should be paid to behaviors affecting children, young people, and vulnerable individuals, including sexual exploitation.

The President of the Personal Data Protection Office, noting a number of phenomena related to the processing of personal data on the Internet that threaten Internet users, is particularly concerned about the effects of the misuse of deepfake technology. Technological advances mean that such materials are often indistinguishable from the real thing, and the availability and easy use of the tools involved mean that almost anyone can create or publish materials containing false data and information. The use of deepfake technology in the context of a prohibited act can often be disastrous for the life and health of the people whose image or voice has been used. It is therefore necessary to implement systemic solutions, including the adoption of regulations to counteract the harmful use of deepfake technology.

The President of the Personal Data Protection Office calls for the synchronisation of the solutions being developed with other legislative projects that may contribute to combating illegal deepfakes and other threats related to the processing of personal data on the Internet. The President of the Personal Data Protection Office has repeatedly drawn attention to the dangers associated with the illegal use of personal data, including images. The threats identified are also of great importance in view of the spread of disinformation, which poses a challenge in terms of ensuring protection against attacks by entities hostile to the Republic of Poland.

The President of the Personal Data Protection Office also requested an extension of the list of prohibited acts specified in the Act on the provision of services by electronic means whose prosecution will involve the use of a mechanism enabling the initiation of proceedings to enforce an order to take action against illegal content, consisting in preventing access to it.

In the opinion of the President of the Personal Data Protection Office, a serious gap in the proposed catalog of prohibited acts is the absence of illegal processing of personal data (Article 107 of the Act of 10 May 2018 on the Protection of Personal Data) and unacceptable or unauthorised processing of personal data (Article 54 of the Act of 14 December 2018 on the protection of personal data processed in connection with preventing and combating crime). It should be noted that these acts may involve a serious risk of the perpetrator using the data obtained from a natural person and further processing it illegally, including making it public or transmitting it via the Internet. With regard to both of the above-mentioned criminal provisions, in the opinion of the President of the Personal Data Protection Office, law enforcement authorities conducting proceedings should therefore be able to request the application of a procedure enabling action to be taken against illegal content and resulting in the prevention of access to it.

Guided by concern for victims of crime, the President of the Personal Data Protection Office also proposed that in the case of the most serious threats in cyberspace, including those affecting children and young people, especially those involving sexual exploitation and sexual abuse, the drafters should consider introducing a separate procedure within the procedure being developed and the possibility of immediately blocking illegal content. He pointed out that in the case of such prohibited acts, overly long procedures could lead to irreversible consequences for the minor victim of the crime.

At the same time, the President of the Personal Data Protection Office emphasised that the provisions on the basis of which the data will be processed must ensure adequate and specific measures to protect the fundamental rights and interests of data subjects. The procedure created by the proposed provisions will involve the large-scale processing of personal data of data subjects who are natural persons, whose data will be processed in connection with procedures for monitoring and removing illegal content from the Internet. This will include both so-called ordinary data, which may, however, relate to issues that are particularly sensitive in terms of privacy and important in life, in connection with prosecutorial proceedings and court cases, as well as data explicitly defined in the law as special categories of data, e.g., data concerning political opinions, philosophical data, health data, biometric data (data obtained as part of the verification of persons participating in the examination of applications and the adoption of decisions in the proposed procedure, photographs attached to applications, data of crime victims processed in the proposed procedure).

At the same time, the proposed changes—in connection with the processing of data on potential offenders—will, by their very nature, involve the large-scale processing of information subject to enhanced protection within the meaning of Article 10 of the GDPR (data relating to convictions and offenses or related security measures). At the same time, in addition to the above-mentioned data, the proposed law will also allow for the processing of data covered by legally protected secrets, the processing of which is subject to enhanced legal protection.

The processing of these data must therefore comply with the standards and principles for the processing of personal data set out in Article 5 of the GDPR, but also be subject to a privacy test and a data protection impact assessment (Articles 25 and 35(1) and (10) of the GDPR). The drafters should assess whether the proposed solutions in the Act should be expanded to fully implement the principles of personal data protection and include solutions that guarantee measures to protect the rights and freedoms of data subjects.

DPNT.401.41.2026

[1] REGULATION (EU) 2022/2065 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act)