In response to significant concerns around the misuse of the Internet by terrorists, in April 2021 the EU adopted controversial Regulation (EU) 2021/784 which lays down uniform rules to address the misuse of hosting services for the dissemination of terrorist content (Regulation). Amongst other things, service providers can now be required to remove flagged terrorist content from their platforms across the entire EU within one hour. Under this landmark legislation, which has direct effect across the EU from 7 June 2022, Ireland will have pan-EU regulatory responsibility for many well-known online platforms.
The Regulation applies to all hosting service providers (HSPs) having a ‘substantial connection’ to the EU regardless of their place of establishment or their size.
The definition of HSP covers a wide range of online services including:
- Social media platforms
- Video, image and audio-sharing services
- File-sharing services, and other cloud services,
insofar as they make content available to the public at the request of the content provider. This excludes interpersonal communications services, such as emails and private messaging services, but includes video-sharing platform services which are also covered by the revised Audiovisual Media Services Directive.
The definition of ‘terrorist content’ is consistent with the definitions of terrorist offences under Directive (EU) 2017/541. In summary, it is material which incites or solicits an individual or a group of people to commit a terrorist act, or which provides instruction on making weapons or on other methods or techniques for use in a terrorist attack. It does, however, exclude material disseminated for educational, journalistic, artistic, research or awareness-raising purposes.
By 7 June 2022, each Member State must designate at least one competent authority (CA), which can be an administrative, law enforcement or judicial body, for the purposes of the Regulation. CAs must be independent and have the necessary powers and sufficient resources to carry out their tasks, which they must do in an objective and non-discriminatory manner while fully respecting fundamental rights.
As a general rule, the CA in the Member State in which a HSP has its ‘main establishment’, or, where appropriate, designated ‘legal representative’, (the Home CA) will have regulatory jurisdiction under the Regulation.
However, all CAs (not just Home CAs) will have the power to issue removal orders, using a standardised template, requiring HSPs to remove or disable access to terrorist content across the entire EU within one hour. Although, a Home CA can, albeit within tight time periods, challenge the legality of cross-border removal orders, either on its own initiative or upon request.
Also, upon deciding that a HSP is ‘exposed to terrorist content’ based on objective factors such as receipt of previous removal orders, a Home CA can require the HSP to take proactive measures, referred to in the Regulation as ‘specific measures’, to mitigate that exposure. The Home CA must assess the adequacy of measures taken and can direct that more adequate measures be taken.
The most notable obligations for HSPs under the Regulation are clearly those concerning compliance with removal orders and the taking of specific measures.
In relation to specific measures, whilst the decision on what measures to take ultimately rests with the HSP, measures taken must be effective, targeted and proportionate, take full account of user rights and legitimate interests and be applied in a diligent and non-discriminatory manner. HSPs are free to use automated tools but, where used, there should be appropriate safeguards such as human oversight and verification. HSPs must also establish an effective and accessible internal complaints mechanism for content providers, whereas complaints must be addressed within two weeks.
Other notable obligations include:
- Reporting obligations
- Provision of certain information to content providers
- The preservation of impacted content and related data
- Transparency obligations
- The reinstatement of content, and
- Promptly notifying national police forces
Member States are also required to ensure that HSPs and content providers have a right to an effective remedy before the national courts against removal orders and other decisions of CAs.
Only Home CAs can impose penalties for infringement of the Regulation, whereas Member States must provide for penalties which are effective, proportionate and dissuasive. For systemic or persistent failures to comply with removal orders within one hour, “particularly severe penalties” should be imposed, and it must be possible to impose a penalty of up to 4% of global turnover.
During the long legislative procedure, the draft Regulation received significant criticism from rights groups, law makers and the European Data Protection Supervisor, highlighting the threat posed to various rights and freedoms and even the rule of law. However, some prominent concerns remained unaddressed in the final Regulation, including the lack of prior judicial review of removal orders and the strong incentive for HSPs to use automated tools.
Member States now have until 7 June 2022 to notify the European Commission of their designated CAs and their rules on penalties. Also, from that date, HSPs of all sizes will be required to comply with removal orders issued by CAs from anywhere in the EU. Needless to say, compliance with removal orders will be a significant challenge for all HSPs and particularly those with more limited resources.
If you would like to discuss any related queries, please contact a member of our Media & Telecoms team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.