The EU Approach to Safeguard Children’s Rights on Video‐Sharing Platforms: Jigsaw or Maze?

Children are keen consumers of audiovisual media content. Video‐sharing platforms (VSPs), such as YouTube and TikTok, offer a wealth of child‐friendly or child‐appropriate content but also content which—depending on the age of the child— might be considered inappropriate or potentially harmful. Moreover, such VSPs often deploy algorithmic recommender systems to personalise the content that children are exposed to (e.g., through auto‐play features), leading to concerns about diversity of content or spirals of content related to, for instance, eating disorders or self‐harm. This article explores the responsibilities of VSPs with respect to children that are imposed by existing, recently adopted, and proposed EU leg‐ islation. Instruments that we investigate include the Audiovisual Media Services Directive, the General Data Protection Regulation, the Digital Services Act, and the proposal for an Artificial Intelligence Act. Based on a legal study of policy docu‐ ments, legislation, and scholarship, this contribution investigates to what extent this legislative framework sets obligations for VSPs to safeguard children’s rights and discusses how these obligations align across different legislative instruments.


Introduction
Children devote a significant amount of time to consuming diverse types of audiovisual media content on different devices (European Schoolnet, 2022).They navigate through multiple channels, including television broadcasts, video-on-demand services (e.g., Netflix, Disney+), and the internet, to access their favourite programmes, series, films, and short videos.Online audiovisual content is available to them via websites, gaming platforms, and video-sharing platforms (VSPs).YouTube and TikTok are two of the most popular VSPs among children (Ofcom, 2023a;Smahel et al., 2020).Some of the most-liked YouTube channels are aimed at children, and content creators have learned that videos on topics that appeal to children attract a lot of views.Recent research found that YouTube is the most-used VSP among children, with numbers ranging from 88% of 3-17-year-olds in the UK (Ofcom, 2023a), and 86% of 6-12-year-olds and 96% of 13-18-year-olds in Flanders (Vanwynsberghe et al., 2022).TikTok is used by more than 50% of children, with numbers climbing to 86% for the older ones (Ofcom, 2023a;Vanwynsberghe et al., 2022).Similar findings also emerged from an EU-wide consultation with children on their use of technologies.Respondents reported that they used VSPs-among other things-to watch sports, instruction videos, funny videos, or even culinary content (European Schoolnet, 2022).While VSPs offer a wealth of child-friendly and child-appropriate content, other types of content might not necessarily be age-appropriate, but might still appeal to children.Recent research by Ofcom, for instance, demonstrated that young viewers gravitate to what they call "dramatic videos" concerning "gossip, conflict, controversy, extreme challenges and high stakes" (Ofcom, 2023b).Additionally, there is content available that may be deemed potentially harmful (e.g., videos relating to eating disorders or self-harm) or even illegal, such as child sexual abuse material.
These platforms have become the gatekeepers of online content, regulating information flows on the internet through their own terms of use in which they set community standards and employ automated means for ranking, prioritising, and filtering content (Laidlaw, 2012).Algorithms analyse user data, including viewing history, search queries, and user behaviour, to recommend videos that users may be interested in watching next.In addition, artificial intelligence (AI)-based systems are used for content moderation, detecting and removing content that violates the platform's policies.
The increasing significance of platforms, including VSPs, and their gatekeeping role, has caught policymakers' attention in recent years.In the EU, this has led to a plethora of legislative initiatives that impose various obligations on platforms in relation to the content they offer, the personal data they process, the measures they take to protect children, and the AI-based systems they deploy.These obligations have been adopted (or are still in the process of being adopted) at different points in time, and are included in different types of regulatory instruments with differing scopes and requiring different types of measures to be taken.The fragmented nature of these developments has led to a complex legal landscape, which is challenging to grasp for platform providers, regulators, and citizens.Whereas earlier research has focused on the relevance of specific legislative instruments (Kuklis, 2021;Veale & Borgesius, 2021;Woods, 2018), also in relation to children (Lievens & Verdoodt, 2018), a comprehensive analysis of the regulation of VSPs is lacking.It is, therefore, the purpose of this article to map the various legislative obligations which are applicable to VSPs and affect children and to evaluate these obligations from a children's rights perspective.The combination of different legal instruments as they apply to a specific actor and their examination from the perspective of the UN Convention on the Rights of the Child (UNCRC) offers a timely and novel contribution to this complex field.

Theoretical Framework
The activities that children engage in on VSPs are closely tied to the rights conferred on them under the international children's rights framework.The UNCRC attributes an array of fundamental rights to children-defined by Article 1 of the UNCRC as every human being below the age of 18 years-and imposes obligations on states parties to help realise these rights (UNCRC, 1989).VSPs present both opportunities and risks for children's rights.
Concerning the former, Article 13 of the UNCRC mandates that children have the right to seek, receive, and impart information through any medium of their choosing (UNCRC, 1989).In this regard, VSPs offer children a platform to express their own ideas and creations, as well as an abundance of information and entertainment.Related to this is Article 31, which enshrines the right to "leisure, to engage in play and recreational activities appropriate to the age of the child and to participate freely in cultural life and the arts" (UNCRC, 1989).By giving them access to a wide choice of leisure activities, including watching videos on their favourite subjects and discovering new artistic content, VSPs allow children to exercise these rights.Linked to these opportunities for children, Article 17 of the UNCRC recognises the important function of the mass media-which VSPs are-and requires states to ensure that the child has access to "information and material from a diversity of national and international sources, especially those aimed at the promotion of his or her social, spiritual and moral wellbeing and physical and mental health" (UNCRC, 1989).
Yet, VSPs also host content that might be inappropriate or harmful to children.In that regard, in accordance with Article 17 of the UNCRC, states must encourage "the development of appropriate guidelines for the protection of the child from information and material injurious to his or her well-being, bearing in mind the provisions of Articles 13 [freedom of expression] and 18 [parental responsibilities]" (UNCRC, 1989).While certain content is clearly illegal (e.g., online child sexual abuse material), it has been widely acknowledged in media effect studies that early exposure to certain other types of content-such as violent or sexual contentmay pose risks to a child's development (O'Neill, 2023;Sparks, 2006).For such potentially harmful types of content, specific rules regarding publication and distribution (e.g., watersheds, ratings, and classifications) have been incorporated into media law (Lievens, 2017).These rules have been primarily targeted at traditional mass media content such as television broadcasts and films in cinemas.Considering the changing consumption of audiovisual content by children (away from traditional media towards VSPs), Article 17 of the UNCRC (1989) requires states to take these developments into account and adopt tailored measures that specifically address the challenges related to harmful content on VSPs.The same is true for addressing the risks that VSPs might entail for children's right to privacy (UNCRC, 1989, Article 16) and their right to protection from economic exploitation (UNCRC, 1989, Article 32).
This has also been acknowledged by the UNCRC in its General Comment no. 25 on the rights of the child in relation to the digital environment (UNCRC, 2021).The Committee reiterates that states have obligations to guarantee that businesses in the digital sector take up their responsibilities for children's rights by taking all necessary measures including the adoption of legislation, and the development, monitoring, and enforcement of policy.Hence, subjecting VSPs to appropriate regulation is crucial to ensure that children's access to and use of VSPs is respectful of their rights and conducive to their well-being.Although the EU is not a state party to the UNCRC, member states have granted the EU certain competences to act, and the EU itself regularly stresses its commitment to the UNCRC (European Commission, 2021a).A strong link between the EU legal framework and the UNCRC is embedded in Article 24 of the Charter of Fundamental Rights of the EU ([CFREU], 2012), which adopts language that is very similar to that of the UNCRC, for instance, by referring to the child's best interests as a primary consideration in all actions relating to children (UNCRC, 1989, Article 3).This substantiates the added value of analysing the EU legislative framework that is applicable to VSPs from a children's rights perspective.

Method
This article examines the responsibilities of VSPs towards children under existing, recently adopted, and proposed legislation in the EU.The four legal instruments explored through a children's rights lens are: To conduct this research, a doctrinal legal approach was adopted, involving the analysis of (proposed) legislation, interpretive policy documents, and legal doctrine.Firstly, the scope of these instruments was addressed with regard to VSPs and provisions with specific relevance to VSPs were identified in each of the instruments, particularly those that could offer protection for children against harmful content.Secondly, these relevant provisions were outlined and analysed within the theoretical framework of children's rights, as presented in Section 4. Thirdly, overarching topics, measures, or regulatory approaches were identified, and their implications for children's rights were examined in Section 5. Finally, the key findings were succinctly summarised in Section 6.

Navigating the EU Legal Maze: The Transforming Role and Responsibilities of Video-Sharing Platforms
The role of providers of VSPs is multifaceted, encompassing various responsibilities that arise from their engagement with users, content, personal data, and AI.They provide a platform that hosts audiovisual media content created by third parties and facilitate access to this content by children.Moreover, VSP providers collect and process personal data from users, for instance, to feed into recommender systems, thereby assuming the role of a data controller.These recommender systems are often powered by AI, leading VSPs to be classed as users (or even providers) of AI systems.Each of these roles is subject to distinct EU legislative instruments (see Figure 1), which entail obligations for protecting children from harmful or illegal content, protecting their personal data, and protecting them from adverse consequences of AI-based systems.

Adapting to the Digital Age: The Inclusion of "Video-Sharing Platforms" in EU Media Law
The first instrument that forms an important part of the EU regulatory framework is the AVMSD.From its inception as the Television Without Frontiers Directive, this instrument has been a critical component of the EU's regulatory framework that aims to protect children from harmful content, initially on traditional broadcast television.However, with the increasing popularity of new forms of audiovisual content, particularly among children and young people, calls for safeguarding children from harmful content on on-demand services (e.g., Netflix) and VSPs were answered by consecutive revisions of the rules in 2010 and 2018 (Cappello, 2015).By introducing a new category of services in the AVMSDi.e., "video-sharing platform services"-the EU legislator aimed to ensure that VSPs enact specific measures to protect minors from harmful content, and to create checks and balances through supervision by independent media regulators (Valcke et al., 2019).VSP services are, according to Article 1(1)(aa) (EU Directive of 14 November, 2018), services where the principal purpose or a dissociable section thereof or an essential functionality of the service is devoted to providing programmes, usergenerated videos, or both, to the general public, for which the VSP provider does not have editorial responsibility, in order to inform, entertain, or educate, by means of electronic communications networks and the organisation of which is determined by the VSP provider, including by automatic means or algorithms in particular by displaying, tagging, and sequencing.
Traditionally, the allocation of responsibilities to audiovisual media service providers relied on the criterion of "editorial responsibility."Rather than having editorial responsibility (i.e., full control over the content they produce and distribute, like traditional broadcasters and media publishers), VSPs determine the organisation of the stored content, including by automated means, such as displaying, tagging, and sequencing videos.Consequently, the accompanying obligations in the revised AVMSD relate to the organisation of the content uploaded by third parties on their platforms and not the content itself (EU Directive of 14 November, 2018, Recital 48; Valcke et al., 2019).Social media platforms may also qualify as VSPs if the provision of programmes and user-generated videos constitutes an "essential functionality" of that service (EU Directive of 14 November, 2018, Recital 5).The European Commission ( 2020 ).However, these requirements only apply to those audiovisual commercial communications that are marketed, sold, or arranged by the VSP provider itself.In contrast, for those that are not (for instance vlogging advertising by an influencer; Verdoodt, 2020), the AVMSD requires that VSP providers take "appropriate measures" to comply with the requirements set out in Article 9(1), recognising the limited control exercised by VSP providers over such commercials (EU Directive of 14 November, 2018).
The selection of appropriate measures to protect minors requires VSP providers to consider the nature of the content in question, the harm it may cause, and the characteristics of the category of persons to be protected.Moreover, it entails balancing the various rights and legitimate interests at stake (Recital 51 of the AVMSD).This includes, on the one hand, the rights of child users of the VSP under the children's rights framework (CFREU, 2012, Article 24; UNCRC, 1989), including their right to protection from harmful content (UNCRC, 1989, Article 17), and, on the other hand, the VSP's own commercial interests, as well as the interests and rights of the adult users of the VSP (e.g., viewers, content creators, and advertisers), such as their freedom of expression and information (CFREU, 2012, Article 11) and freedom to conduct a business (CFREU, 2012, Article 16).The AVMSD also specifies that the measures must be practicable and proportionate, in light of the actual size of the VSP and the nature of the service (EU Directive of 14 November, 2018, Article 28b[3]).Examples included in the Directive are flagging, rating, age verification, parental control, complaint handling, and media literacy tools, but member states are also allowed to develop a higher degree of protection for content which may impair the physical, mental, or moral development of minors (EU Directive of 14 November, 2018, Recital 20 and Article 28b[6]).
How effectively children are protected by the safeguards laid down in the AVMSD strongly depends on the transposition into national legislation as well as the enforcement of the adopted rules at the national level.With regard to the implementation of the measures, AVMSD's Article 28b(4) explicitly puts forward co-regulation, giving a clear signal that there should be a national legal framework that provides for the obligation to introduce appropriate measures, which may be operationalised by the VSPs (i.e., through self-regulation) but can be enforced by the national media regulators (EU Directive of 14 November, 2018, Article 28b[5]).Most member states have stayed very close to the wording of the AVMSD in their national legislation, without adding further specification to the obligations laid down in Article 28b, with only some states imposing certain specific measures from the list, adopting stricter rules or setting up co-regulatory frameworks (European Audiovisual Observatory, 2022).This means that, in many member states, the choice regarding which measures are "appropriate" is left to the VSPs (Cole & Etteldorf, 2022).Regarding enforcement, Ireland is considered a key member state due to being the jurisdiction where the most popular VSPs, such as TikTok and YouTube, are located, yet also the last member state to adopt its national implementation law (the Online Safety and Media Regulation Act only entered into force in March 2023).All eyes are now on the newly appointed regulatory authority, the Media Commission, for its role in overseeing the implementation of these new rules for VSPs.Also, the European Regulators Group for Audiovisual Media Services (ERGA)-the body which unites representatives from national media regulators-may play a significant role in exchanging experiences and best practices to ensure consistent implementation across member states.
Finally, concerning positive measures for children's rights, one of the potential steps for VSPs, as listed by the AVMSD, is to ensure effective media literacy measures and tools and raise users' awareness of those measures and tools (EU Directive of 14 November, 2018, Article 28b[3][j]).The majority of member states have incorporated this measure into national law without specifications, while some have specified the role and responsibility of national regulatory authorities or relevant ministries in relation to media literacy, autonomously and/or as an auditor of self-regulatory measures taken by the VSPs (European Audiovisual Observatory, 2022).Other positive measures in the AVMSD, such as the requirement to promote European works, are only applicable to traditional broadcasters and video-on-demand services (e.g., Netflix).Yet, such measures and obligations could contribute to the realisation of children's right to have access to a wide variety of national and international sources, as required by the UNCRC, Article 17 (1989).

Video-Sharing Platforms as Data Controllers Under the General Data Protection Regulation
VSPs collect different types of personal data from the users of their platforms, for instance when accounts are being set up.However, without an account, a service such as YouTube collects information regarding individual preferences which are stored with unique identifiers (YouTube, 2023a).A VSP that collects and processes personal data will be classed as a data controller under the GDPR.This entails numerous obligations, ranging from respecting the general data protection principles (such as fairness, lawfulness, transparency, purpose limitation, and data minimisation), to allowing data subjects to exercise certain rights, to demonstrating accountability through taking technical and organisational measures throughout processing activities.GDPR's Recital 38 stipulates that the personal data of children merits specific protection.There are both child-specific and general obligations for data controllers in the GDPR that might provide particular protection for children's data, including those related to consent and legitimate interests (Articles 6 and 8), child-friendly information (Article 12), the implementation of data protection by design and default (Article 25) and conducting data protection impact assessments (DPIAs) where processing activities are likely to result in a high risk to the rights and freedoms of individuals (Article 35).It has been argued before that conducting a DPIA is a good practice whenever the personal data of children is processed (Lievens & Verdoodt, 2018).When conducting a DPIA, the impact on the full range of rights of (child) data subjects must be considered, and mitigation measures must be adopted.Finally, the GDPR sets up a framework to use codes of conduct to make certain obligations to protect children's data more concrete (Article 40).While this range of GDPR provisions sets up a strong framework with much potential for safeguarding children's rights to data protection, the actual level of protection depends on accurate implementation by data controllers, strong enforcement by supervisory authorities, and guidance by the European Data Protection Board (EDPB).Composed of representatives of the national supervisory authorities and the European Data Protection Supervisor, the EDPB is tasked with ensuring consistent application of the GDPR throughout the EU (EU Regulation of 27 April, 2016, Articles 68-70).
VSPs increasingly are or have been the subject of investigations and decisions by Data Protection Authorities, including Instagram (Meta) and TikTok regarding their handling of children's personal data (Data Protection Commission, 2021, 2022).However, investigations are often slow, and decisions are still few and far between.Moreover, regarding VSPs, the burden of enforcement largely rests on the Irish Data Protection Commission, as most of the large ones have a (main) establishment in the EU in Dublin.Criticism has been voiced, for instance by the European Parliament ([EP] 2021), that the Irish Data Protection Commission needs to step up its enforcement efforts.
Interestingly, there also is a link between the AVMSD and the GDPR regarding children's personal data.AVMSD's Article 28b(3) explicitly emphasises that personal data of minors which is collected or otherwise generated by VSPs pursuant to the implementation of age verification and parental control measures cannot be processed for commercial purposes, such as direct marketing, profiling, and behaviourally targeted advertising.The GDPR itself does not explicitly prohibit the profiling of children, although Recital 38 emphasises that the specific protection relates in particular to "the use of personal data of children for the purposes of marketing or creating personality or user profiles."After the adoption of the GDPR, the Article Working Party (the predecessor of the EDPB established by Directive 95/46/EC, which was the predecessor of the GDPR) specified in its Guidelines on Automated Individual Decision-Making and Profiling that "organisations should, in general, refrain from profiling [children] for marketing purposes" even though this is not specifically stated in the GDPR (Article 29 Working Party, 2018, p. 29).In any case, for VSPs, the AVMSD now explicitly codifies such a prohibition, at least for data obtained in this context.A question that arises in this regard is which authority will be competent to enforce this obligation.The most natural choice might be the data protection authorities, but AVMSD's Article 28b(5) requires member states to entrust the assessment of the measures that VSPs take to protect children to national media regulators.In our view, the inclusion of this prohibition underscores the need for coordination and collaboration among these regulatory authorities to which increasingly interrelated competences are attributed.

From "Video-Sharing Platforms" to "Very Large Online Platforms" Under the Digital Services Act
A third instrument that applies to VSPs is the DSA, which was adopted in October 2022.This act aims to ensure a safe, predictable, and trusted online environment by imposing certain due diligence obligations on online platforms.The obligations cover moderation of illegal and harmful content, transparency of recommender systems, design of online interfaces, and the identification and mitigation of systemic risks.Online platforms are "providers of a hosting service which, at the request of a recipient of the service, stores and disseminates to the public information" (EU Regulation of 19 October, 2022, Article 2[h]).VSPs are one example of such services.Within the category of online platforms, specific rules are laid down for very large online platforms (VLOPs) and very large online search engines with more than 45 million consumers in Europe (EU Regulation of 19 October, 2022, Recital 76).Such specific rules are warranted because VLOPs may cause societal risks that are different in scope and impact from those caused by smaller platforms.Platforms had to publish the number of average monthly active recipients of the service in the EU by 17 February 2023.In April 2023, the Commission adopted its first designation decisions under the DSA, designating 17 VLOPs, including TikTok and YouTube (European Commission, 2023b).Nonetheless, there still remain online platforms that have either failed to provide user numbers altogether or stated that they do not meet the designation thresholds (European Commission, 2023a).
DSA's Recital 71 emphasises that the protection of minors is an important policy objective of the EU.Throughout the DSA, there are references to children and minors (without further clarification as to which term is used in particular recitals or articles), and specific due diligence obligations are imposed on (very large) online platforms to protect this group.First, Article 28(1) formulates extensive obligations for online platforms "accessible to minors."Such platforms must put in place "appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service."It might be challenging for platforms to decide what are appropriate and proportionate measures in this regard, also considering that different age groups have different privacy and safety needs.In this regard, Recital 71 refers to standards, codes of conduct, and best practices and Article 28(4) indicates that the Commission (after consulting the European Board for Digital Services), may formulate guidelines to support providers of online platforms.In its Better Internet for Kids+ Strategy, the European Commission (2022, p. 9) already announced that it will "facilitate a comprehensive EU code of conduct on age-appropriate design, building on the new rules in the DSA and in line with the AVMSD and GDPR."Next, Article 28(2) contains a prohibition on targeting advertisements based on profiling "when they are aware with reasonable certainty that the recipient of the service is a minor."Whereas this seems to codify the call by the Article 29 Working Party not to profile children for marketing purposes, it may be wondered whether the prohibition should not have been extended to profiling children for other (potentially) harmful purposes, including commercial purposes other than targeted advertising.A broader prohibition would be more in line with the UNCRC's (2021) call in General Comment no. 25 to "prohibit by law the profiling or targeting of children of any age for commercial purposes.''Second, VLOPs need to comply with risk assessment and mitigation obligations.Article 34 requires VLOPs and very large online search engines to undertake an assessment of the systemic risks in the EU "stemming from the design or functioning of their service and its related systems, including algorithmic systems, or from the use made of their services."Four categories of risks are listed, of which three might be particularly relevant for children: "(a) the dissemination of illegal content; (b) any actual or foreseeable negative effects for the exercise of fundamental rights, [such as] the rights of the child…(d) any actual or foreseeable negative effects in relation to…the protection of…minors."Once the systemic risks are identified, VLOPs need to establish reasonable, proportionate, and effective mitigation measures, tailored to the risks.Such measures may include adapting the design of their services, testing and adapting their algorithmic systems (including recommender systems) or taking targeted measures to protect the rights of the child, including age verification and parental control tools.At least once a year, the VLOPs must subject themselves to an independent audit to assess compliance with the due diligence obligations (Department of Enterprise, Trade and Employment, 2022, Article 37).
Finally, the DSA also puts in place obligations that are not child-specific but which may have a significant impact on children.Article 25, for instance, prohibits dark patterns in the design, organisation, or operation of online interfaces of platforms.Such dark patterns are practices that can be used by platforms to persuade users to engage in unwanted behaviours or make undesired decisions which have negative consequences for them (Recital 67).Examples are making the procedure of cancelling a service significantly more cumbersome than signing up for it or making certain choices more difficult or time-consuming than others (Recital 67).Children in particular might be vulnerable to such practices (Lupiáñez-Villanueva et al., 2022).In addition, Article 27 puts in place transparency obligations for recommender systems, entailing that platforms must clearly explain the main parameters that they use, and how to modify or influence those parameters.VLOPs that use recommender systems also need to offer at least one option for each recommender system which is not based on profiling (Article 38); this could, for instance, be a chronological feed.
The obligations of VSPs under the DSA are arguably very promising for the protection of children's rights, depending on the actual implementation and enforcement by the national Digital Service Coordinators, the European Board for Digital Services, and the Commission.One challenging question that these regulators, but also VSPs, might face is about the exact interplay between the DSA and other instruments.The DSA states that it is without prejudice to the rules in other EU legislation regulating other aspects of the provision of intermediary services or specifying and complementing the DSA.This explicitly includes the GDPR and the AVMSD (EU Directive of 14 November, 2018, Article 2[4]).As we have demonstrated above, VSPs will likely be covered by all three instruments.In practice, this means that the obligations of AVMSD's Article 28b(2) regarding appropriate measures to protect minors from harmful content will coexist with the obligation in DSA's Article 28(1) to ensure a high level of privacy, safety, and security of minors on their services.Some of these measures might overlap; others might have a different purpose, but use the same techniques.Age verification is a good example.Age verification is included in the list in AVMSD's Article 28b(2) but might also be a potential mechanism to comply with DSA's Article 28 or DSA's Article 35(1)(j) on risk mitigation measures for VLOPs.At the same time, DSA's Article 28(3) states that compliance with the obligations set out in DSA's Article 28 "shall not oblige providers of online platforms to process additional personal data in order to assess whether the recipient of the service is a minor," although the question has been raised how measures to protect minors can be effective if it is not known whether recipients are minors.The "clarification" in Article 28(3) could be seen as an expression of the data minimisation principle from the GDPR, establishing another link between the different instruments.
Although each instrument has its own purpose, scope, and approach, bringing them together might raise issues in practice that regulators will need to shed light on.

Proposal for an AI Act: VSPs' Role as Users or Providers of AI Systems
Finally, the proposal for an AI Act, which was put forward by the European Commission in April 2021, is also relevant in the context of VSPs.This proposal aims to ensure a high level of protection of fundamental rights in general and a positive impact on the rights of certain groups-including children-through a risk-based approach and by imposing proportionate obligations on the different participants in the value chain (European Commission, 2021b).First, the AI Act introduces a definition of AI, namely software that is developed with machine learning, logic-, and knowledge-based, and or statistical approaches, including search and optimisation methods, and can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with (European Commission, 2021b, Article 3[1] and Annex 1).As mentioned, VSPs rely heavily on AI and machine learning algorithms to deliver and moderate content and to personalise the user experience.This raises the question of whether VSPs using AI for content personalisation or moderation should take into account any new obligations with an impact on children's rights under the act.
If VSPs are deemed to meet the criteria for qualification as either providers or users of AI systems under the proposed AI Act, they would be required to comply with requirements commensurate with the level of risks posed by their systems, ranging from minimal to unacceptable.Currently, there is no consensus on the extent to which algorithms employed by VSPs for content moderation and recommendation would fall within the scope of the proposal.Regarding children, the Commission's proposal prohibits "practices that exploit vulnerabilities of specific vulnerable groups such as children or persons with disabilities in order to materially distort their behaviour in a manner that is likely to cause them or another person psychological or physical harm," on the grounds that such systems contradict EU values, for example by violating fundamental rights (European Commission, 2021b).Children's rights advocates have argued that platforms' autoplay features which aim to increase users' engagement time and can be said to affect children's sleep and education-and ultimately their health and well-being-could fall under this prohibition (5 Rights Foundation, 2021).Research shows that, while autoplay features reduce children's autonomy and the likelihood that they will self-regulate their media consumption, leading to longer video-viewing times, they are particularly appealing to children (Hiniker et al., 2018).Other risks of recommender systems for children that have been identified are lack of diversity and exposure to harmful content (Gómez et al., 2021).However, the prohibition has also been criticised for its limitations by various stakeholders, who argue that the harms do not include harms fundamental rights (EESC, 2021); psychological harm is difficult to prove or may accumulate over time (Veale & Borgesius, 2021), and there needs to be a malicious intent to cause harm (BEUC, 2021).These elements would arguably make the provision unenforceable in practice, and both the EP and the Council have proposed changes to it.Apart from the category of prohibited practices, others have argued that few recommender systems used by VSPs would qualify as high-risk AI systems under the Commission's proposal (Bogucki et al., 2022).However, the situation would be different if the changes to the high-risk categories as proposed by the EP are included in the final text, in particular, the inclusion of AI systems intended to be used in recommender systems of social media platforms that have been designated (under the DSA) as VLOPs (European Commission, 2021b, Annex III, para 1, °8 a b; EP, 2023).This would result in VSPs having to ensure compliance with the obligations for either "providers" of high-risk AI systems, which includes having to set up a risk management system and giving specific consideration to whether the system is likely to be accessed by or have an impact on children (European Commission, 2021b, Article 9[8]; European Commission, 2021b); or "users" (or in the EP amendments "deployers") of highrisk AI systems, which under the proposal entail using the system in conjunction with the providers' "instructions of use," ensuring data quality, and monitoring of the system (European Commission, 2021b, Article 29).Users would have no obligation to undertake any further measures to analyse the potential impact on fun-damental rights, consult with affected groups, or take active steps to mitigate potential harm.In relation to this, both civil society actors and members of the EP have called for the inclusion of minimum obligations, including a requirement to conduct and publish fundamental rights impact assessments, and this is also proposed by the EP (European Commission, 2021b, Article 29a;EP, 2023).The Commission's proposal also sets up a framework for the creation of codes of conduct, encouraging providers of non-high-risk AI systems to voluntarily apply the mandatory requirements for high-risk AI systems (European Commission, 2021b, Article 69).
Regarding the implementation and supervision of the act, the proposal provides that there will be (one or more) national competent authorities and that a European AI Board will be established to deliver opinions and guidance on matters related to implementation.Academics have raised notable criticism regarding the proposed act, emphasising that its effective implementation will largely rely on self-assessment, considering the conformity assessment obligation imposed on providers of high-risk AI systems before placing their systems on the EU market.Moreover, consumer protection groups have expressed their concerns about the absence of individual enforcement rights in the proposal (BEUC, 2021).Unlike the GDPR, where robust rights are granted to individuals affected by unlawful data processing, the proposal fails to provide strong rights for individuals whose rights have been infringed.

A Children's Rights Proof EU Framework for Video-Sharing Platforms?
The recent shifts in audiovisual consumption-from television to on-demand services to VSPs-have been followed, albeit at a slower pace, by a remarkable shift in regulation in the EU.The approach of the EU legislator has swung from reliance on self-regulation to the establishment of a legal framework with a variety of strong obligations for VSPs (Lievens, 2016).In Section 4, we have mapped the patchwork of different instruments that are applicable to VSPs, with varying scopes, approaches, measures, and enforcement mechanisms.From a children's rights perspective, it is clear that the different instruments have quite some potential to better protect children's rights on VSPs.However, several important questions remain.
First, all instruments require VSPs as private companies to take measures that balance children's rights and interests against their own freedom to conduct business and commercial interests and the commercial interests and rights of their adult users and advertisers.Not only is this a difficult endeavour in itself, but as VSPs operate on the basis of advertising-funded business models, for them commercial interests might easily outweigh other interests, especially those of children (van der Hof et al., 2020).From a children's rights perspective, however, the best interests of the child must be the primary consideration when undertaking this balancing exercise (UNCRC, 1989, Article 3;CFREU, 2012, Article 24).According to the UNCRC (2013), this means that when trying to resolve a conflict between the best interests of children and others, greater weight must be attached to what serves the child best.It can be noted that, even for those companies who want to put children's interests first, more guidance on how to conduct this balancing exercise would be welcome.The balancing exercise is strongly linked to the obligation that VSPs face across the various legislative instruments to conduct different types of assessments through which children's rights may be considered.These assessmentsincluding the assessment of appropriate measures under AVMSD's Article 28b(3), DPIAs under the GDPR, systemic risk assessments under the DSA, and potentially a fundamental rights impact assessment under the proposed AI Act if amendments along these lines are supportedcould be an important means of ensuring that risks to children's rights are identified and mitigated at an early stage and throughout the design and deployment of these platforms.At the same time, the implementation will vary depending on the legislative instrument in question and the specific obligations that it outlines, raising several questions.One important question concerns the methodologies for conducting the assessments.In that regard, methodologies that have been developed to conduct Children's Rights Impact Assessments could be helpful for companies (Mukherjee et al., 2021), in order to ensure that the impact on the full range of children's rights is considered.Children's Rights Impact Assessments methodologies also, crucially, require the involvement of children in the assessment, which is conducive to realising their right to be heard (UNCRC, 1989, Article 12).A further question relates to how the different enforcement bodies of the respective instruments will evaluate the assessments.In some member states, enforcement powers might be attributed to the same body-for instance, the Irish Media Commission will also function as the national Digital Service Coordinators (Department of Enterprise, Trade and Employment, 2023)-whereas in other member states they will be exercised by separate authorities.In the latter scenario, it might not only be fruitful but necessary to cooperate and exchange ideas and best practices.
More generally in this regard, merely establishing a framework for protecting children on VSPs is insufficient to ensure that their rights are effectively realised.It is essential to enforce these measures and responsibilities in practice.All of the legislative instruments analysed in this article establish enforcement mechanisms, consisting of a regulatory authority at the national level holding primary enforcement responsibilities and an entity at the EU level providing guidance and support (see Figure 1).In other words, this regulatory framework has led and will lead to the emergence of several new regulatory bodies or the expansion of the competences of existing bodies.It is vital that these national regulators have sufficient financial and human resources and the necessary powers to fulfil their tasks (ERGA, 2022).To ensure effective enforcement, the regulator(s) must actively monitor the VSPs' policies, practices, compliance (ERGA, 2019), and use of AI systems, rather than relying solely on user complaints.Again, in that respect, collaboration and coordination are essential to achieve the shared goal of protecting children on VSPs throughout the EU.Bodies such as ERGA, the EDPB, the European Board for Digital Services, and the European AI Board (see Figure 1) will also play a crucial role in ensuring coordination and providing guidance on cross-cutting issues.Such collaboration could be extended to other authorities, including consumer protection authorities.Although in this article we have focused on legislation specifically relevant to VSPs as hosting services, data controllers, and users/providers of AI, the broader consumer protection framework remains relevant to their activities as well.
Second, although legislative obligations are imposed on VSPs by means of the various instruments, they all still leave room for action by the companies themselves by emphasising co-regulatory measures, including codes of conduct which are set up by companies (or their associations) but need to be approved by supervisory bodies.Although codes of conduct have not yet been the holy grail under the GDPR (Vander Maelen, 2021), the creation of an Age-Appropriate Design Code under the DSA, as announced by the European Commission, might provide an opportunity to develop an evidence-based and concrete set of rules that platforms, including VSPs, can commit to.From a children's rights perspective, the process of creating such a code should involve children and give due weight to their views.Additionally, it should not solely focus on protection but should also consider positive measures that might benefit children.As the framework stands now, it is still very much focused on risk and harm, rather than benefits and opportunities.
Our research has attempted to map and unpack the different legislative obligations that VSPs will need to comply with when offering their services.Currently, VSPs might still feel as if they have to find their way through a maze of different legislative instruments in order to respect children's rights in their services.From a practical perspective, they will need to adopt a streamlined approach to putting in place measures that benefit children, and coordinate and review implementation regularly.Investing in staff with children's rights expertise might be valuable in that regard.Consulting children in this process might be challenging but is essential.The same is true for regulators.Whereas we have seen in the past that children are sometimes not considered a priority in enforcement, having specific staff and procedures in place aiming to coordinate actions that affect children will inevitably become increasingly important, considering the growing complexity of the legal landscape.If both VSPs and regulators take up their responsibilities, over time the EU framework could hopefully come to be considered a jigsaw rather than a maze: A jigsaw with smoothly aligned obligations, enforcement, and cooperation between authorities which leads to the actual realisation of children's rights in the digital environment.

Conclusion
Children have important rights to have access to diverse and high-quality information and to be protected from harmful content, including on VSPs.The rising prominence of these platforms within the audiovisual landscape has prompted significant changes in the EU regulatory framework.Providers of VSPs are now bound by substantial legal obligations that have the potential to enhance the protection of children's rights on these platforms.However, the effectiveness of these obligations will rely on their actual implementation and enforcement.It will be crucial for the various regulatory authorities involved to engage in coordination and collaboration to ensure cohesive implementation in the EU member states.Additionally, further research is needed to explore the interplay, potential synergies, and gaps between these various legal instruments, to maximise the realisation of children's rights in the digital environment.Whereas this article has solely focused on VSPs, there are other platforms that children use extensively-such as gaming platforms and social media networks-for which a similar analysis would be equally fruitful.Moreover, our study focused on a specific selection of legislative instruments.Future research could also investigate the interplay between these instruments and the consumer protection framework, which could also prove useful in addressing certain risks that children encounter on platforms, such as the deployment of dark patterns that may encourage overspending or handing over more personal data than intended.
(a) the Audiovisual Media Services Directive (AVMSD), (b) the General Data Protection Regulation (GDPR), (c) the Digital Services Act (DSA), and (d) the proposal for an AI Act.The main research questions that this article aims to answer are: RQ1: To what extent does this legislative framework help safeguard children's rights?RQ2: How do the obligations for VSPs across different legislative instruments align?