Hosting providers in the crosshair of the EU’s fight against terrorism

Written on 12 Apr 2019

The European Parliament is soon to vote on a proposal published by the European Commission in September 2018 to regulate the prevention of the dissemination of terrorist content online (the "Terrorist Content Regulation"). This Regulation aims to be the European Commission's answer to the vast increase in online dissemination of terrorist content and the radicalisation that often comes with it.

The need for a legislative approach

Over the last few decades, several European Member States have been victim to atrocious terrorist attacks. The subsequent criminal investigations demonstrated that terrorists often misuse internet platforms to groom and recruit supporters, to prepare and facilitate terrorist activity, to glorify their atrocities, to urge others to follow suit, and to instil fear in the general public.

As these criminal investigations demonstrated the importance of the internet in the radicalisation of individuals and the emergence of terrorism, certain European Member States have imposed national laws for the removal of illegal online content.

However, as such national legislative initiatives might constitute a barrier to the intra-EU provision of services, the European Commission felt compelled to launch its own initiative by proposing the Terrorist Content Regulation.

Who needs to comply with the Regulation?

Contrary to what one might assume, the Terrorist Content Regulation is not only addressed to major social network operators or major search engines. The Regulation applies to “hosting services providers” (“HSPs”) who offer their services in the European Union.

An HSP is defined as “a provider of information society services consisting in the storage of information provided by and at the request of the content provider and in making the information stored available to third parties” (Article 2). Consequently, the Regulation is addressed to all hosting services providers, regardless of their size.

Moreover, the Regulation would not only apply to hosting services providers who have an establishment in the European Union. Under Article 1 (2) of the Regulation, it would also apply to “any hosting provider” offering its services in the European Union, irrespective of where such service provider is established.

What are the key obligations under the Regulation?

The Terrorist Content Regulation revolves around the following key principles:

  • A duty of care for HSPs.
  • A duty to remove content within one hour.
  • The implementation of “proactive measures” such as content filters.

Duty of care under the Regulation

In order to tackle the online dissemination of terrorist content, the European Commission calls upon the social responsibility of hosting services providers. It therefore imposes a “duty of care” upon such HSPs.

Such duty of care means that HSPs are obliged to implement “appropriate reasonable and proportionate measures” against the dissemination of terrorist content (Article 3). HSPs will also be required to include in their terms and conditions provisions which would prevent the dissemination of terrorist content.

Removal orders

The proposed Regulation obliges HSPs to comply with removal orders from the competent authorities. Article 4 (1) of the proposed Regulation requires HSPs to delete terrorist content within one hour of receipt of such an order from a competent authority.

To enable transparency towards the individual who uploaded the terrorist content, Article 10 of the Regulation requires HSPs to implement a complaint procedure for contesting the removal actions it has taken. Moreover, HSPs should promptly examine every complaint on its merits and, should the complaint be founded, the content must be reinstated without undue delay.

Proactive measures

The proposed Terrorist Content Regulation obliges HSPs to implement so-called “proactive measures” (Article 6). However, it fails to provide further clarification of what this requires. Although it is not expressly stated, such proactive measures could essentially imply that HSPs would be required to implement content filters on their systems so as to prevent the dissemination of “terrorist content” via their platform.

When implementing such proactive content filters, the HSP should ensure that such filters are effective and strike a fair balance between the risk and level of exposure of terrorist content on the one hand and the fundamental rights of the users on the other hand.

If the HSP uses automated means to filter terrorist content, it should, amongst other things:

  • provide a meaningful explanation of how such an automated tool operates (Article 8 (1) of the Regulation);
  • provide annual transparency reports on actions taken against the dissemination of terrorist content (Article 8 (2) of the Regulation); and
  • ensure that such decisions are well-founded and that there will be human oversight and verification to determine whether or not content constitutes terrorist content (Article 9 of the Regulation).

Compliance with removal orders within one hour

In addition to the duty of care and the obligation to implement proactive measures, the Regulation also obliges HSPs to comply with removal requests from competent authorities within one hour following their receipt.

Debates over the Regulation

Although the Terrorist Content Regulation could be a valuable legal instrument in the fight against terrorism, there has also been debate over the legality and logistics of its implementation.

Terrorist content vs freedom of expression

At its core, the Terrorist Content Regulation aims to prevent the dissemination of “terrorist content”. Such terrorist content is defined (under Article 2) as information:

  • inciting or advocating, including by glorifying, the commission of terrorist offences, thereby causing a danger that such acts be committed;
  • encouraging the contribution to terrorist offences;
  • promoting the activities of a terrorist group, in particular by encouraging the participation in or support to a terrorist group within the meaning of the Terrorism Directive (Directive (EU) 2017/541); or
  • instructing on methods or techniques for the purpose of committing terrorist offences.

Critics of the Regulation have pointed out that, by imposing an obligation to prevent the dissemination of terrorist content and terrorist opinions, it could impose a restriction on the “freedom of expression” as safeguarded by Article 10 of the European Convention on Human Rights. Although the glorification of terrorism is deplorable, critics argue that a prohibition on the dissemination of content, be it terrorist content or otherwise, is a dangerous precedent in light of the freedom of expression.

The first question relates to the notions of “terrorist content” and “terrorist offences”. Under Article 2 (b) of the Regulation, any information “encouraging terrorist offences” is to be considered as “terrorist content”. As the notion of “terrorist offences” is very broadly defined in Article 3 of the Terrorism Directive, it could imply that legitimate actions or protests would erroneously be considered “terrorist offences”.

Further to Article 3 (1) (e) and 3 (2) (c) of the Terrorism Directive, “a threat to seize means of public goods or transport with the aim of seriously destabilising the economic or social structures of a country” could be considered a terrorist offence. Consider the example of labour unions who encourage their members to go on strike and to block public transport facilities such as railways and airports with the aim of improving social conditions. This could theoretically qualify as committing a “terrorist offence” and their call for action could arguably in those circumstances be considered as the “dissemination of terrorist content”.

This example illustrates the fine line between “terrorist content” and legitimate content and highlights the tensions in the debate around safeguarding freedom of expression while developing effective legislation for the fight against terrorism.

An HSP’s duty of care and the proactive measures

Under the Regulation, HSPs have a general duty of care and the obligation to implement proactive measures (i.e. content filters) to prevent the dissemination of terrorist content. Given the broad notion of “terrorist content” and “terrorist offences”, the Regulation essentially imposes an obligation on HSPs to determine which content is to be considered “terrorist content”. This obligation potentially challenges pan-EU legal conventions that rely on competent local courts to be the arbiters of defining hate speech, defamatory content and terrorist content. The Regulation shifts responsibility from the courts to private individuals, namely employees of hosting service providers. Moreover, because non-compliance brings with it the threat of criminal sanctions, HSPs may choose to mitigate their regulatory risk by (over)compensating with preventative censorship.

Article 9 (2) of the Regulation attempts to curb unnecessary preventative censorship by obliging HSPs to implement human oversight when assessing whether or not content should be considered “terrorist content”. Although this approach is intended to safeguard the right to freedom of expression, its practical feasibility has been a point of debate. As mentioned above, HSPs need to be capable of removing terrorist content within one hour. In reality, it will be a challenge for HSPs to provide policies and trainings that will adequately prepare their staff for this task. Critics have pointed out that employees would need to not only make nuanced and informed decisions under the pressure of time, but also to have the adequate linguistic skills to properly monitor content in different languages.

The HSP’s duty of care and proactive measures in light of the E-Commerce Directive

One of the founding principles of the E-Commerce Directive ((EC) 2000/31)[1] is that providers of information society services who only have a passive and technical role, such as HSPs, are not expected to police the internet. Thus the E-Commerce Directive expressly provides that information society service providers do not have a general obligation to monitor or to actively look for facts or circumstances indicating illegal activity (Article 15 E-Commerce Directive). This prohibition was expressly confirmed by the European Court of Justice in the infamous Scarlet vs Sabam judgment (Case C-70/10).

Although the Terrorist Content Regulation does not clarify what is specifically meant by “proactive measures”, it does imply that HSPs are expected to implement “content filters”. Such an obligation would be contradictory to Article 15 of the E-Commerce Directive and introduces further regulatory confusion for businesses and their employees.

Legal concerns regarding the removal obligation – extraterritorial jurisdiction

Article 15 (3) of the proposed Regulation provides that the competent authorities of Member States other than the Member State in which the HSP is established can order an HSP to remove content. This Article also provides that, should the HSP fail to comply with such request, it can be criminally sanctioned under the laws of the requesting Member State:

“Where an authority of another Member State has issued a removal order according to Article 4(1), that Member State has jurisdiction to take coercive measures according to its national law in order to enforce the removal order.”

This element of the Regulation introduces further challenges for businesses as the right to freedom of expression is interpreted differently in several European Member States. For example, in Belgium, the online dissemination of inappropriate opinions could be considered a press offence (“drukpersmisdrijf” / “délit de presse”). Unless such a press offence relates to the dissemination of a racist or xenophobic opinion, these offences are to be exclusively tried by a jury in accordance with Article 150 of the Belgian Constitution. Moreover, further to Article 25 of the Belgian Constitution, a person disseminating inappropriate opinions as part of a press offence cannot be convicted if the author of such inappropriate opinion (i.e. terrorist content) is known and has their domicile in Belgium. Consequently, Article 15 (3) of the proposed Regulation would force HSPs to become vulnerable to prosecution from a foreign Member State while abiding by the constitutional restraints of Belgium.

The operational implications for businesses

Aside from the legal concerns, there are significant operational concerns. As the proposed Regulation permits competent authorities of different Member States to exercise jurisdiction over an HSP, it implies that an HSP must subject itself to the laws of all 27 Member States.

(i) Multiplication of legal risks and operational and legal costs

The requirement creates a significant operational burden for HSPs as it implies that an HSP would need to understand the legal ramifications for its compliance or non-compliance with a removal order issued by a foreign state under a foreign law. To create and implement a legal and operational framework for compliance with all 27 Member States would generate a significant increase in costs for HSPs and would make it more difficult for them to offer efficient service throughout the European Union.

(ii) Absence of a clear definition of the competent authorities

Further to Article 17 of the Regulation, each Member State should designate its own national authorities that are competent to issue removal orders. However, as Article 17 allows Member States to appoint several competent authorities and as there is no streamlined approach as to which authority should be competent, HSPs will inevitably be confronted with requests from several competent authorities in each of the 27 Member States. This requirement once again makes it far more difficult for an HSP to determine whether or not an enforcing authority in a specific Member State is indeed authorised to impose a given removal order.

(iii) Compliance within the hour

Aside from the aforementioned issues, the obligation to remove content also requires HSPs, regardless of their size, to implement operational capabilities to comply within one hour with removal requests. This deadline is extremely short and does not allow the HSP to make a measured assessment as to whether or not the request for removal is legal.

Moreover, the Regulation does not even allow an HSP to make such an ex ante assessment as it provides in Article 4 (4) that an HSP should comply with the removal order regardless of the HSP's (legal) objections thereto. Further to Article 4 (7) – (8) of the Regulation, an HSP is only excused from complying with an order if: (i) it is prevented from doing so due to force majeure, (ii) compliance is de facto impossible or (iii) the order contains manifest errors.

Conclusion

In tackling the demanding work of eliminating terrorist content on the internet, the Regulation also invites criticism about its compatibility with other European rights and regulations and brings with it increased challenges for businesses to be in full compliance. While HSPs were traditionally perceived under the e-Commerce Directive as mere operators facilitating the dissemination of content, they are now required to play an active role in the fight against terrorism. Although HSPs may be willing to contribute to the fight against terrorism, the expectations and obligations imposed upon them by the Regulation will, for some, likely overextend their financial, legal and operational capabilities. One possible solution to mitigate these obligations would be to transfer some of the responsibilities of defining terrorist content to the competent authorities. This would relieve the HSPs of the burden of balancing their regulatory obligations against broader questions of free speech. Moreover, if businesses were only responsible to one Member State (for example, based on the place of establishment), HSPs would enjoy more legal certainty and could offer their services without any excessive legal, operational and financial burden.

Hopefully the European legislator will consider these challenges as it moves forward with ambitious legislation to combat terrorist content on the internet. In the meantime, businesses and their employees will need to be prepared for the possibility of increased legal and operational demands.