07/10/2026 | Press release | Archived content
The President of the Personal Data Protection Office appreciates the fact that the Ministry of Digital Affairs has taken into account some of his comments, but he maintains the rest of his postulates. Currently, the government draft has been submitted to the Sejm committee. It remains necessary to expand the list of offences to which the procedure for the prompt removal of content can be applied, to introduce the possibility of immediate enforcement of such a decision in the most serious cases, and to strengthen the protection of privacy, especially in the context of deepfakes.
The draft amendment to the Act on the provision of electronic services was submitted on 17 June 2026 to the Committee on Digitization, Innovation and Modern Technologies of the Sejm (lower chamber of the Polish Parliament) of the Republic of Poland. The aim of the project is to enable the application of the provisions of the Digital Services Act (DSA) in Poland, in particular by introducing a procedure for blocking illegal content, as well as ordering the restoration of access to content removed unjustifiably by the service provider. The idea raises a lot of controversy, as on the one hand the need to remove illegal materials on the Internet is becoming more and more pressing, on the other hand, such regulations always raise concerns and accusations of censorship.
The Ministry of Digital Affairs conducted a wide public consultation, in which the Personal Data Protection Office also participated. The comments of the Office were partly taken into account in the subsequent version of the draft. They concerned clarifying the way in which the data of persons participating in the examination of applications in the procedure for issuing an order to take action against illegal content will be processed, and indicating that personal data will not be included in decisions on these issues published on the websites of the office (in this case, the Office of Electronic Communications and the National Broadcasting Council).
Content violating data protection rules must be removed
Nevertheless, a large part of the comments of the Personal Data Protection Office has not been included in the draft. As they concern issues fundamental to the protection of privacy and personal data, President of the Office, Mirosław Wróblewski sent another letter in this matter to the Ministry of Digital Affairs. It was also necessary to send a similar letter to the Sejm Committee on Digitization, Innovation and Modern Technologies. The first observation concerns the need to extend the scope of the rules, the infringement of which will make it possible to consider content illegal and to trigger a procedure for its removal.
Currently, the scope of the offences to which the provisions apply is strictly defined by law. They were selected on the basis of the three criteria indicated in the explanatory memorandum of the draft. Firstly, it must be an 'online crime', i.e., committed with the use of Internet network, and secondly, it must involve the dissemination of content that can be considered illegal. However, thirdly, restricting access to this content must not have negative consequences for civic discourse and electoral processes.
It is necessary to take into account offences related to the processing of pornographic content involving minors or their image (as defined in Article 202 § 3-4c of the Criminal Code) and to enable the immediate blocking of such illegal content. The inability to remove it, in a prompt manner, can lead to irreversible consequences for victims - including suicides among children and adolescents.
According to the President of the Personal Data Protection Office, the list of these offences provided for in the draft should be supplemented by Article 107 of the Act on the protection of personal data and Article 54 of the Act on the protection of personal data processed in connection with the prevention and combating of crime. They provide for the punishability of the processing of personal data when it is prohibited or the processor does not have the power to do so. In this case, it would refer to the sharing of such data (e.g., publishing data stolen as part of a cyber-attack, or disclosing information about the aggrieved persons or potential perpetrator of the crime).
The proposed amendment would allow for prompt removal of such content from the Internet. As the President of the Personal Data Protection Office pointed out in his letter: 'Both of these offences may entail a serious risk that the perpetrator may use the acquired data of a natural person and further process them unlawfully, including making them public or disseminating them via the Internet.' According to Mirosław Wróblewski, both offences meet the criteria set out in the draft.
Immediate removal of content and combating deepfakes
The second postulate is to introduce the possibility of making decisions on the removal of certain content immediately enforceable. Currently, the draft does not provide for such a possibility, which is to ensure proper judicial review of the procedure and to minimise the risks it may pose to freedom of expression. However, in the opinion of the President of the Personal data Protection Office, it should be possible to immediately enforce such a decision to remove content. It should be limited to 'high profile threats in cyberspace, including those affecting children and youth, in particular sexual exploitation and sexual abuse'.
Indeed, as stated in the Personal Data Protection Office's observations: "In many situations, this can lead to irreversible consequences for the victim of the crime (including even serious psychological and suicidal crises of persons whose data is disclosed by criminals, e.g., by children whose nude photos, extorted or fabricated with deepfake technology, are disseminated via the Internet and social media)."
The omission of recommended provisions may therefore become a source of risk for persons whose personal data will be deprived of the protection under the Digital Services Act (DSA). Leaving the provisions in their current form will mean that they could not be used, for example, to remove from the Internet - illegally published - information identifying the victim of rape or paedophile acts (including their address).
Finally, the last postulate of the President of the Personal Data Protection Office is to ensure that the proposed regulations are consistent with the solutions adopted in other acts concerning new technologies and cyberspace. In particular, the provisions are intended to contribute to combating illegal deepfakes, as well as other risks related to privacy violations or unlawful processing of Internet users' personal data, in particular those of minors.
Opportunity to introduce comprehensive regulation
In his letter to the Ministry of Digital Affairs, Mirosław Wróblewski stressed that he understands the urgent need to implement the provisions to ensure the application of the Digital Services Act in Poland. At the same time, he stressed that it is the best opportunity to introduce in the Polish legal order institutions that will counteract the phenomena especially dangerous to vulnerable individuals. These threats, due to rapid technical progress, are growing every day.
The President of the Personal Data Protection Office inquired the Sejm Committee on Digitisation, Innovation and Modern Technologies to consider supplementing the Act in the above-mentioned scope. The changes proposed by the Office also do not require a fundamental reconstruction of the project. In addition, the provisions on judicial review will prevent possible abuse of the mechanism in situations where no criminal offence has been committed.
So far, the solutions proposed by the President of the Personal Data Protection Office related to the possibility of granting immediate enforceability to decisions have been supported by the Ministry of Education. The introduction of the changes proposed by the President of the Office will contribute to ensuring effective protection of natural persons - in particular minors - against breaches of their personal data and privacy.