The EU Digital Services Act: What it is and Why it Shouldn’t Happen

Ursula von der Leyen, the president-elect of the European Commission, has recently published political guidelines for 2019-2024. Those who have been careful enough to read the document would have noticed that “a Europe fit for the digital age” is one of the six political goals the president-elect wants to achieve. Among various statements populating the section on digital Europe, the following is found:

A new Digital Services Act will upgrade our liability and safety rules for digital platforms, services and products, and complete our Digital Single Market.

The words should have claimed the attention of professionals and businesses alike. They are remarkable not only for their terseness but also for naming the act, thus indicating that preparations are well underway.

Just a few days later a document leak confirmed that DSM Steering Group is engaged in drafting the the EU Digital Services Act that would serve as a basis for:

• REFIT of the E-Commerce Directive (ECD)
• new rules on platforms

The two ideas signalled here are interesting each in their own right.

The E-Commerce Directive, dating to 2001, and based on the ideas from the late 90s, has served remarkably well. Similar to the Clinton/Magaziner approach in the US, the directive is based on the ‘no-regulation-for-regulation’s sake’ principle and on the laissez faire approach of regulating only where there was a specific need. The two main ideas it is based on are home country control (the idea that information society services (ISSs) should be regulated in the home country only) and the heavy insulation of bona fide ISSs from liability. The reasons for the Directive’s relative longevity can be found both in its flexible character and in the political difficulties which its potential revision would initiate. As a framework instrument for the entire e-commerce regulatory ‘silo’, the Directive had been designed to last.

But, that some of the fundamental principles the Directive is based on would eventually have to be revisited became all too apparent already in the 2015 when the Digital Single Market Strategy had been published. There, the Commission indicated that

It is not always easy to define the limits on what intermediaries can do with the content that they transmit, store or host before losing the possibility to benefit from the exemptions from liability set out in the e-Commerce Directive.

Crucially, the Commission shifted the focus from ISSs to platforms.¹ Soon thereafter, the language in the many policy documents on platforms changed. Platforms, the Commission claimed, need to act “responsibly” if they are to continue to benefit from insulation. In its highly controversial Copyright in the DSM Directive the Commission suggests that even ISSs falling under Article 14 ECD need to have effective protective technologies and that they cannot rely on the article if they do not. ‘Active’ providers cannot rely on the protection as they are not responsible enough in the Commission’s mind.

When the two ideas are joined, the picture becomes to emerge: the Commission would like the ECD REFIT exercise – which seems to be overdue – to result in a more nuanced approach, recognising that only responsible platforms can be protected and revising the insulation regime.

What does the preparatory document reveal about the Commission’s ambition and the scope of the potential intervention?

Five problems are listed:

• a) divergent rules for online services in Member States. This item signals the existence of divergent rules in Member States, some of which have already engaged in regulated issues as diverse as hate speech, advertising or social networks.
• b) outdated rules and regulatory gaps. The second item indicates that the ECD rules no longer “adequately reflect the technical, social and economic reality of today’s services“. In particular the concepts of active and passive providers are labelled as being out of date. Furthermore, the document claims that some online intermediaries simply do not know what regime they are under.
• c) insufficient incentives to tackle online harms and protect legal content. Here the claim is that platforms are disincentivized to act proactively and that small and medium platforms face regulatory risk as a result.
• d) ineffective public oversight. This item indicates that there is no dedicated “platform” regulator which would exercise oversight in “content moderation or advertising transparency”
• e) high entry barriers for innovative services. The last item talks of “no legally binding, controlled way for regulatory experimentation with innovative services” currently in existence.

The document is clear in proposing the scope of application to include “all digital services, and in particular online platforms.” For each of the crucial ECD components, something new is proposed.

1. It is proposed that home country control be kept and its scope extended. This would now include “consumer protection, commercial communications and contract laws” but also services established in the third countries. Finally, it is also proposed that any exceptions be narrowly interpreted. This is a problem as consumers and contract laws are largely outside the scope of the “coordinated filed”. It is not clear whether Member States would accept such a dramatic expansion of the operation of the article. It is even less clear why the extension is suggested as home country control generated little to no case law and even less problems in practice.
2. The documents names ISSs as still relevant. It suggests, however, that there are “grey areas” and names them as “ISPs, cloud services, content delivery networks, domain name services, social media services, search engines, collaborative economy platforms, online advertising services, and digital services built on electronic contracts and distributed ledgers.” This is a remarkable claim as the list includes almost all intermediaries in operation today, which amounts to a claim that the concept of information society services is inadequate. This claim is not substantiated. The mention of the European Electronic Communications Code (EECC) is a nod to convergence.It is suggested that future ISS services here may be defined “on the basis of a large or significant market status, complementing the competition threshold of dominance”. This effectively brings in the ad hoc sector-specific regulation of the kind applied to telecommunications services. This approach would require that digital service providers be classified as having the correct market status or power before regulation would be applied to them. Ex ante regulation is only imposed on those with the required market power. There are numerous problems with this idea but two are particularly significant. First, the ad hoc regime in the telecoms sector has always been a temporary measure going toward full application fo competition law. In e-commerce law, competition rules are already fully functional and little to nothing would be gained by this exercise. Second, the market analysis process would inevitably have to be conducted by various national authorities designated for the purpose which would, in turn lead to insurmountable practical problems and divergence, thus eliminating any positive effects achieved.
3. The liability provisions of ECD would be updated. The “harmonised graduated and conditional exemption” approach is suggested kept but with additions. First, the case-law would be used to update the present issues in Articles 12-15. Second, new rules or clarifications of the principles to “collaborative economy services, cloud services, content delivery networks, domain name services, etc.” would be needed. The notions of “active” and “passive” hosts would be replaced with notions of “editorial functions, actual knowledge and the degree of control”. Finally, an exemption for proactive measures would be introduced.The changes suggested here essentially fall into two categories. The non-problematic ones result from CJEU’s case-law on intermediaries. While that case-law is not without problems in itself,² it has largely followed the contours of Articles 12-15. The more problematic are specific rules on platforms. It is not clear which of these “special” categories would need special rules and what these would aim to achieve. It is even less clear what liability regime would be imposed on them and if the disastrous Copyright in the DSM proactive filtering would find its way here too. It seems that it would, as it is not clear how it would be possible to proactively and “responsibly” catch alleged illegalities without expensive (and potentially unreliable) AI solutions. Even more worryingly, no suggestion is made here (as it was in DSM Directive) that smaller platforms would be exempt.

   It seems that the drafters of the document operate with the false assumption that active/passive dichotomy is the basis of EU case law on intermediaries. It is not. While there are cases where this approach (otherwise originating in the USA) is used, the CJEU cases are more nuanced and speak of levels and types of engagement, precisely in line with that the document otherwise demands.

4. The document pays lip service to the prohibition of general monitoring of Article 15. However, it suggests that “algorithms for automated filtering technologies” should be considered for better “transparency and accountability”. Filtering, in principle, may be specific and general. The CJEU case law suggests that general filtering is prohibited while specific is allowed. The problem is that the document goes beyond specific filtering and suggest that AI technologies essentially playing the role of general monitoring are OK. One cannot have both. Either the prohibition on general monitoring is maintained OR AI and filtering solutions are allowed. They cannot coexist.
5. Tailored and EU-wide notice-and-action rules are suggested. These are have already been introduced in the Illegal Content Communication. Binding transparency obligations are suggested as are options for “algorithmic recommendation systems of public relevance”.
6. New regulatory structure is suggested with “a central regulator, a decentralised system, or an extension of powers of existing regulatory authorities” all being considered. Any of the three solutions would be problematic. Centralised regulators are difficult or impossible to achieve in any area of shared competence. The decades of experience the EU gained in the telecoms sector is a testimony to this. The decentralised system is possible but would require a prior harmonisation of competences which is politically just marginally easier to achieve than a central authority. Finally, extending the powers of the existing authorities may be viable but would not serve the Single Market purposes proclaimed in this document and elsewhere.

While there may be a number of problems with various suggestions made in the document, the main criticism can be summarised as follows:

• no convincing reasons are given for abandoning the approach based on information society services (ISSs) and moving to platforms. While it is certainly true that confusion exists (both in terms of fully digital and composite services) as to what is or is not an ISS, any move needs to be justified. Platforms are ill-defined and fluid (both in the EU and elsewhere) and vary from one-man blogs to multi-billion dollar global conglomerates. There are no convincing reasons to use them as replacement for ISSs. The confusion is compounded by the insistence on keeping the ISSs as regulatory units while insisting that almost everything on the Web today is a “grey area” and needs a different treatment.
• the liability regime in Articles 12-15 has proven adequate as have various kinds of relief (including injunctive). The CJEU case-law adequately managed to deal with different aspects of ISS liability and managed to apply Articles 12-15 to modern phenomena. Any change to this regime must be based on throughly-researched and very specific suggestions. While it is good that the drafters seek to incorporate the CJEU cases, their suggestions as to the liability in other situations are superficial at best. Equally worrying is their refusal to address the criticism already directed at filtering solutions in the DSM proposal. While few would disagree with the claim that the Facebook and others need to act “more responsibly”, this does not extend to the claim that all platforms need to nor does it equal the obligation to filter. That the drafters know this is confirmed in their problematic suggestion that market status should determine the scope of regulatory burden.
• the document demonstrates the lack of understanding (and even lack of interest in) the modern phenomena such as blockchain technologies or AI. The former are mentioned with a vague suggestion that some regulation may be needed but without any conviction as to what the policy goals should be.
• The bundling of such diverse problems as copyright infringement, illegal speech, hate speech, advertising, etc. under one umbrella is a mistake. Experience has taught us that the difference between them justify differences in the regulatory approach. While convergence in real life suggests that regulatory convergence may also be necessary, this is neither the declared nor the actual aim of the potential Digital Services Act. On the contrary, the document is actively averse to convergence problems and suggests that current regulatory silos be kept.
• Finally, the suggestion that single regulator should be possible is politically naive

The reform of the ECD, more than any other issue, needs to address two issues, if it is to be successful.

The first is the effect of convergence on regulation. In other words, we need to know how are converged services to be regulated. The present document is as far from solving this problem as can be possible. The proposal is just a reform of the E-Commerce silo that maintains that very silo. Telecoms, audio-video and e-commerce have each their own regulatory circles, often with separate regulators. No attempt has been made to address this, either in the EECC or here.

The second is: what types of regulatory approaches (including soft-law, standardisation, etc.) should be used for governing modern digital services in order to stimulate innovation while protecting the categories of population that need to be protected. Again, the present document makes no attempt to solve this question as it sticks to old-fashioned black-letter law. Modern digital services are inherently disruptive and may require completely different governance structures. The Commission seems to be confused, mixing soft and hard law, general and subject-specific, new and legacy, often in the same documents, sometimes even in the same sentence.

1. On why this may be problematic in itself, see my article https://www.sciencedirect.com/science/article/pii/S0267364918303145?via%3Dihub ↩
2. See Martin Husovec, Injunctions Against Intermediaries in the European Union, CUP 2017. ↩

Why Advocate General Szpunar is Right to Suggest Facebook can be Ordered to Remove Material Worldwide

In March 2018, Oberster Gerichtshof of Austria submitted a request for a preliminary ruling based on a case generated when a disparaging comment about an Austrian politician was published on Facebook. When Facebook refused to remove the comment, a request was submitted to Austrian court, requesting that an injunction be issued essentially demanding that Facebook deletes the content. Advocate General Szpunar’s Opinion in the case was published on June 4.

The question originally referred to CJEU was if Article 15 of the E-Commerce Directive precludes an injunction requesting the removal of allegedly illegal content, and whether such an injunction can have a worldwide effect. In other words, the question is not only if Article 15 (prohibition of general monitoring) precludes injunctions such as the one at hand but also, if it does not, should such injunctions be issued with Member State-only or worldwide effect.

While it may, at first sight, appear odd that the referring court is asking about Article 15 (monitoring) as opposed to Article 14 (hosting), the logic behind the request, however, should not be too difficult to follow. Article 14 only provides immunity to bona fide intermediaries, i.e. those who are not aware of the infringing content and who expeditiously remove. On the other hand, those who are made aware of it, and subsequently refused to remove, lose the liability insulation. Since Facebook explicitly refused the request to remove, the question revolves around the legality of an injunction (assuming the post itself is, indeed, illegal).

Since the injunction would impose an obligation to monitor the content (in order to identify what needs to removed), the framing of the question makes sense. On the other hand, the AG does point out that an injunction imposing the general obligation to monitor content of a certain type (in other to identify the offending content), would have the effect of removing the protection provided by Article 14. In other words, general obligation to monitor is illegal under Article 15. For the sake of clarity, nothing in AG Szpunar’s Opinion suggests that general obligation to monitor is either desirable or, indeed, lawful.

Moving on to specific obligation to monitor, the AG points out that specific monitoring is explicitly allowed in Recital 47 of the E-Commerce Directive. Articles 14(3) and 18, furthermore, explicitly recognize that prevention is an important aim in the Directive and no prevention would be possible without some degree of monitoring. Crucially,

in order not to result in the imposition of a general obligation, a monitoring obligation must, as seems to follow from the judgment in L’Oréal and Others, satisfy additional requirements, namely it must concern infringements of the same nature by the same recipient of the same rights.

It is not allowed to issue an injunction requesting that the provider monitor for infringements that are like the one at hand, are inspired by it or, indeed, are perpetrated by different users. All of this would be general monitoring. The AG’s reading of the Directive and case-law, put simply, is that monitoring targeting a specific infringement is allowed, whereas general monitoring is not. This position is firmly embedded in the E-Commerce Directive.

The referring court, importantly, also asked if information identical to that being requested should also be removed. In AG’s words, a social network platform can be ordered to seek and identify, among all the information disseminated by users of that platform, “the information identical to the information that was characterised as illegal by a court that has issued that injunction.” The answer to this is equally clear. When doing so, the social network can only be required to monitor the information disseminated by the user who disseminated the original info.

In respect of the territorial scope of the obligation, the Advocate General makes two crucial observations. The first is that the obligation in question (defamation) is not based on EU law. Second, Article 15 of the E-Commerce Directive does not regulate the territorial effect of injunctions. In case of the first, had the obligation been based on EU law, that law would determine its own territorial scope – extraterritorial or otherwise. In case of the second, had Article 15, or indeed the E-Commerce Directive, something to say about its scope of application, that could be used to determine the territorial scope of the injunctions. Further to that, although Brussels I (Recast) regulation regulates jurisdiction in cases of defamation, and allows preliminary measures, it does not say anything about the territorial scope of these measures. Put simply, since the EU law says nothing about the territorial scope of the injunction, it remains for the national (Austrian) law to resolve this issue.

As it stands, it is difficult to argue against Advocate General’s reasoning. A different conclusion would mean that a national court’s order to remove the illegal content would simply be circumvented by using the Article 15 argument and claiming that any action to identify the content would amount to “monitoring”. That could not have been the intention of the drafters. The monitoring that Facebook is obliged to engage in is limited to the specific post and equivalent comments from the same user. This is still very different from a general obligation to monitor which would require that all content be monitored to identify various real and potential infringements of a particular kind.

Article 15 prohibits general monitoring in respect of information society services covered in Articles 12-14 of the Directive. Where these articles do not apply, neither does the obligation to general monitoring. As Martin Husovec observes, however,¹ the CJEU had the prohibition of general monitoring transplanted into copyright enforcement in the Scarlet Extended judgement. But, while this may indicate that CJEU believes general monitoring to be invasive, it says nothing about specific measures. The case law is remarkably clear and consistent in terms of specific monitoring. The Scarlet Extended case is precise in what constitutes illegal general monitoring in relation to filtering but says nothing of specific measures. The only outstanding question can be whether a particular form of action demanded in a court order amounts to general or specific monitoring. On the other hand, that specific measures of monitoring are allowed has been clearly confirmed in the UPC case. Finally, as AG Szpunar himself argued in McFadden case, and as he repeats in this Opinion, in order for the specific monitoring to be legal, it has to be limited in terms of subject and duration.

If there is something that needs clarification then it is the nature of the “similar” measures and the effort that must be made to make sure that specific monitoring is, indeed, limited in time and scope. In terms of the former, the present Opinion suggest that “equivalent” comments from the “same user” can be covered but nothing else. This is somewhat in line with the Court’s cases law to date. In terms of the latter, Member States already seem to take different approaches to injunctions with some (notably Germany) being markedly broader in their attempts to impose monitoring obligations. While one could possibly wish that clearer guidelines come form the Court, the Facebook judgement introduces nothing new in terms of the existing law. It is true that distinguishing between general and specific monitoring may be a difficult issue to resolve in specific cases. It is also possible to take issue with the EU policy on monitoring and to argue in favor or against the general/specific method. But, until that provision is modified, the Court should follow the AG’s opinion.

1. Martin Husovec, Injunctions Against Intermediaries in the European Union (CUP 2017), p. 118 ↩

The European Electronic Communications Code – Where are We Now, Where Are We Going?

After a lengthy process lasting over two years, the new European Electronic Communications Code (EECC) had been adopted on December 18, 2018. The Directive proposing the EECC had been first published in 2016 as part of wider attempts to reform EU digital laws on the content and carrier layers, which had been promised in the 2015 Digital Single Market Strategy. The EECC is now in force and would need to be implemented by the end of 2020. This short post is an attempt to summarise the biggest changes that the new regulatory framework brings and to highlight some of its weaknesses.

The 2015 DSM Strategy, analysing the need for improvements in telecoms, points out that the sector suffers from “isolated national markets, a lack of regulatory consistency and predictability across the EU, particularly for radio spectrum, and lack of sufficient investment notably in rural areas”. In order to remedy the situation, and in particular “deliver access to high-performance fixed and wireless broadband infrastructure“, reform was needed. A casual reader of the less-than-2-page-long part of the Strategy dedicated to telecoms would be left confused. Other than a call for a better spectrum policy and more investment in high-speed networks (both of which had also been repeatedly called for in earlier papers and are, therefore, not particularly new), such a reader would not be able to see whether the present EU regulatory framework is functional and what the EU’s position is in comparison to other developed economies. To that reader, the fact that EU lags behind rivals in high-speed broadband deployment and take-up and is also behind on 5G development would not be apparent.

In order to understand the importance of the EECC and see if it can answer these challenges, it is necessary to give an overview of the most important features of the (still applicable) 2009 regulatory framework. Three elements, in particular, are of notice:

• First, the EU regulatory framework is based on competition law principles (significant market power, potential abuse, remedies, etc.) but is, in reality, a separate (sector-specific) system of rules which applies in parallel with regular competition rules. While the ultimate (declared) aim is for competition law only to apply, the EU is not at that stage yet. The main reason why sector-specific rules are needed is that competition law remedies problems ex post, after they arise, while intervention is needed ex ante, before distortions appear.
• Second, the main regulatory method is ex ante application of remedies to market actors with significant market power (SMP). This type of regulation is asymmetric by definition as it applies only to SMP undertakings. In practice, the regulatory effort had concentrated on the incumbents – former state-owned telecoms companies which have been opened up for competition in the 80s.
• Third, the EU approach is primarily a service-based competition model where the regulator encourages entrants to offer competitive services through access imposed through ex ante regulation on the incumbents. Contrary to that, in an infrastructure-based competition model, competitors are incentivised to build their own infrastructure.

The 2009 regulatory framework is largely based on 2002 one, with significant elements dating from even earlier laws. Since it is important to understand the extent to which EECC brings novelties, the following can be stated:

• The EECC is a codification measure which puts the four main directives making the 2009 framework (Framework, Authorisation, Access and Universal Service directives)¹ from the 2002 and 2009 frameworks into one package.² While this potentially removes the confusion which arises from many amendments which have accumulated over the years, it does not bring an entirely new text.
• The EECC is fundamentally based on the same ideas and principles the 2002 and 2009 frameworks are based on. The changes are frequently minor and often only cosmetic and the articles have largely been replicated. More importantly, still, the fundamental regulatory ideas are the same as those in the previous frameworks. The EECC is fundamentally still a sector-specific, ex ante and asymmetric system which targets enterprises with significant market power. Although the number of regulated markets has gradually been reduced over the years to the effect that only the wholesale side is properly regulated, full competition does not exist.

Although one may wish to debate the prudence of extending the present regulatory model to future telecoms, it may be worth stating that not all changes are purely cosmetic. Other than the codification/simplification, the EECC introduces some changes which are geared towards improving investment.

• In particular, attempts to encourage investment in next-generation networks have been made. The measures essentially attempt to exempt enterprises from SMP regulatory regime in cases where they commit to building new networks. The co-investment provision of Article 76 allows NRAs to accepts commitments from undertakings wishing to allow co-investment (through co-ownership, risk sharing or purchase agreements).
• Significant attempts have been made to harmonise and manage radio spectrum (Articles 28, 35-37, 45-55). Market entry for new players and shared use of the radio spectrum, in particular, should be easier.
• A modest attempt to regulate OTT services has been made. Rather than subsume all such services to the full scope of telecoms rules, only some of them are included and only in a limited number of cases. This is, in principle, a good and measured approach.³

We find that the modestly-framed EECC fails to address the primary challenges the EU telecoms is facing today:

• The EU’s telecommunications capital investments are relatively low and are falling further. Regulatory burden is not the only factor to consider but it seems that it certainly plays a role. Telecoms expenditure is lower for EU27 than for either the USA or some Asian countries. The modest changes that the EECC brings are not structural and not overtly pro-investment.
• There are reasons to believe that the model based on access and price controls which the EU has chosen may deliver better broadband products in the short to medium term but does not deliver next-generation networks (there is good empirical evidence for this too). The problem of how to reach acceptable NGA deployment and take-up rates remains unaddressed.
• Overall, the industry still seems over-regulated.
• The value of EU telecoms companies has halved from 2012 to 2018 while that of the US and Asian companies increased. The cost of rolling-out full fibre and 5G is estimated at €500 billion and is likely to be significantly more. Few incentives are given in the EECC to EU telecoms companies to do this. The EU is investing less in telecoms than anywhere else and, unless more fundamental changes are made, the EU companies will move more into retail.

1. The ePrivacy Directive is subject to a separate proposal, see here. ↩
2. For the codified version of the 2009 framework see here. ↩
3. It should be noted, however, that the proposed ePrivacy Regulation calls for much more comprehensive coverage of OTTs. ↩

EU Proposal for a Regulation Preventing the Dissemination of Terrorist Content Online: An Overview

The Commission announced yesterday a proposal for the Regulation Preventing the Dissemination of Terrorist Content Online. Somebody not following the developments closely might get an impression that this is a stand-alone initiative. In reality, the Proposal follows both a broader drive to regulate platforms, announced in the 2015 DSM Strategy, followed up in the 2016 Communication on platforms, and further elaborated in ‘soft law’ 2017 Communication and 2018 Recommendation on illegal content online.

The desire to regulate “platforms” is, in itself, problematic. Platforms are neither natural subjects for IT regulators (unlike telecoms networks & services or information society services), nor sufficiently clearly defined to lend themselves to straightforward regulation. They differ in size, scope, type and impact and use a vast plethora of business models. The EU’s continuous drive to regulate them without exploring deeper implications of such approach is worrying.

The present Proposal aims to “prevent the misuse of hosting services for the dissemination of terrorist content online”. It imposes duties of care on hosting services to prevent dissemination of terrorist content and measures on Member States to identify the content and remove it. The Proposal has the same wide scope as GDPR, applying to all hosting providers targeting services in the Union, irrespective of their place of establishment.

The definition of terrorist offences is taken from the 2017 Directive on terrorism. Terrorist content, which is the Proposal’s main target, is defined as inciting, advocating, encouraging, promoting or instructing on terrorist offences so defined in the 2017 Directive. Hosting service providers are obliged to take action against dissemination and include provisions to that effect in their terms and conditions.

The interesting (and controversial) part of the Proposal appears in the form of “removal orders” of Article 4. These are non-voluntary demands issued by competent authorities and directed at hosting service providers. National authorities are allowed to require providers to remove content and disable access to it and the latter would be required to do so “within one hour from receipt of the removal order”. This obligation seems to be applicable irrespective of the size of the site or the hours under which it is manned. A statement of reasons is available but only upon request from the provider and cannot, in any case, delay the removal order. If the hosting provider disagrees with the order due to “manifest errors” or because it needs “clarification”, the removal is postponed until such clarification is provided. In addition to the removal orders, the authorities may send voluntary requests called “referrals” (Article 5) which providers are free to assess against their own terms and conditions but need not remove.

Another controversial feature are “proactive measures” that Article 6 demands hosting providers make. The providers need to take “effective and proportionate” measures, “where appropriate”, while assessing risks and taking fundamental rights into consideration. Once a removal order of Article 4 has been issued, though, special proactive measures that relate to the hosting provider which has been the subject of such order kick in, demanding that they submit annual reports about prevention of re-upload and detection, removal and disabling of content. Where deemed insufficient, further proactive measures may be required and imposed forcefully.

Article 8 demands transparency from hosting providers, including the use of terms and conditions while Article 9 requests human oversight of automated removal measures. The rest of the Proposal contains detailed measures on complaints, cooperation, implementation and enforcement.

Particularly interesting is the status of hosting providers located outside the EU. They are, under Article 16, required to designate a legal representative for the purposes of compliance. Under Article 15, where a provider does not have a place of establishment in the EU, it is the place of residence or establishment of the legal representative that is the place relevant for enforcement purposes.

The penalties set out in Article 18 are for Member States to determine but are obliged to punish systematic failures by 4% of the hosting provider’s global turnover.
There are, in my view, three main problems with the proposal:

• first, the Proposal derogates specifically (Recital 19) from the obligation not to monitor, set out in Article 15 of the E-Commerce Directive. This is a dangerous and poorly justified precedent. Although the recital does speak of “balancing” in such cases, it seems as if a mere fact that a label “terrorist” had been stuck on particular content, at a particular provider, would trigger a derogation the effect and duration of which is unknown and not justified or considered by Article 15.
• second, complying with obligations in the Proposal, and in particular Article 6, will require the use of filters, since relying on human moderators would be disproportionately expensive. Filtering technology works sporadically and tends to ‘catch’ legitimate content, often opening more problems than it solves.
• third, the cost-benefit side of the question is obscure in the proposal. Terrorist content tends to appear and disappear quickly and is rarely simply placed on platforms, for them to conveniently remove. It tends to shift from one account to another and from one platform to another. Burdening the hosts with 24/7 removal and monitoring obligations may look justified but is unlikely to give desired results and may, in worst cases, lead to governmental abuse. It is further unclear whether non-EU providers would simply withdraw from the EU (as some did as a result of GDPR’s extraterritorial reach).

In summary, the problem is more complex than the regulator would like to believe and may require creative thinking, the use of co-regulation and technical solutions of the next generation rather than heavy-handed removal and penalty system.

A comment on the JURI Committee Report on Article 13 of the Copyright Proposal and everything that is wrong with it

Silke von Lewinski published today a comment on the JURI Committee Report of the Copyright Proposal. I am reposting here what I posted as a comment to her original post and should be read as such.  I believe that it is important to keep the momentum going as we approach further debate in the Parliament.

First, that platforms are legitimate targets of regulation is by no means a foregone conclusion. That the proposal targets “platforms” rather than “information society services”, and makes a number of assumptions on the way, is a problem of enormous proportions, not just in terms of how well the proposal communicates with the E-Commerce Directive, but also in terms of is relation to other EU IT laws. In short, one cannot just wave a magic wand, assume that all UGC cites are “platforms”, and then happily continue discussing whether such platforms engage in communication to the public, as if this move had no consequences, all of this in almost complete absence of an official EU policy on platforms. This is an issue I discuss in a forthcoming article, (2018) 6 CLSR.

Second, the Proposal simply states that “active” online platforms perform a communication to the public. What an “active” site is has been debated ad nauseam for over two decades now, but is still not a point which has been adequately resolved in CJEU case law, which is obscure and can often only be read in its particular context. One cannot equate TV sets in hotel rooms with streaming services or cloud depositories. Neither can one use Pirate Bay – an openly and proudly illegal distributor – as a comparison point for a streaming/distribution platform, no matter how active the latter might be. This problem is about communication to the public of a bona fide platform, and Pirate Bay case is of limited to no use here.

Third, the main problem in this issue is not whether a “platform” (for what this term is worth) can technically be deemed to fit within various bits and pieces of law on communication to the public but whether it makes sense to dump all online distributors into the same category and burden them with regulation and filtering obligations in almost complete absence of harmony with the spirit and letter of ECD Articles 12-15. The ISP liability regime has been designed with a very specific idea of avoiding indiscriminate filtering and cannot be changed by simply labelling all online distributors as active – a presumption of huge consequence.

Fourth, while there is no doubt that Article 14 was never meant to protect knowledgeable providers or primary infringers, the Voss proposal sharpens the already muddled Preamble 38 by making what is essentially an irrebuttable presumption of knowledge for all UGC ISPs. Whereas the original Proposal talks of communication only where there are activities “beyond the mere provision of physical facilities”, the Voss text simply states that all online content sharing providers are communicators. Why would they be so and, even where they are, why would they exercise prior rather than subsequent restraint? I will not even begin on the subject of how broad the definition of 37a really is. This subjects a vast and ill-defined category to a poorly designed and heavily-lobbied-for set of expensive filtering. Surely, this cannot have been the intention of the original drafters of InfoSoc Directive?

Fifth, the main problem of the both the original Proposal and the Voss text is that indiscriminate and expensive filtering of the kind only Google can pay for is demanded. All this in complete contradiction to SABAM case which is very clear on this (but is not discussed in the article above).

Finally, the Proposal is incredibly badly harmonised with the spirit and letter of the E-Commerce Directive. I am afraid that no amount of careful interpretation of the communication to the public will resolve this. The Commission has been told, a vast number of times, by very many people that this is a problem of gigantic proportions. It has so far chosen to ignore it, which fortunately led to its defeat in the early summer. Let us hope that the Proposal will be defeated once and for all in September so that we can begin a serious and much-needed discussion on the reform of EU copyright law.

The Commission’s Proposal on Fairness and Transparency for Business Users of Platforms – Online Platforms to Be More Transparent, Disclose Ranking Criteria

On April 26, the Commission published a proposal for a Regulation on promoting fairness and transparency on platforms. This proposal follows the 2015 EU Digital Single Market Strategy promise to look into platforms and a Communication on Online Platforms the Commission published in 2016. While these documents did not promise an overarching law on platforms (covering both the B2C and B2B situations), they signalled the Commission’s willingness to look at a set of targeted issues and introduce legislation if and where necessary. The present proposal aims to improve transparency in B2B relations involving platforms on one side and businesses which otherwise provide services to other businesses and consumers through such platforms on the other. The main idea is that platforms act as “gatekeepers” of the online world, effectively bringing dependency for many businesses. The present proposal brings extra requirements for clarity and transparency in situations where platforms could abuse their dominance. It seems that the choice of transparency (rather than blacklisting certain practices) as the Commission’s main tool is meant to fulfil proportionality and subsidiarity criteria, leaving further action to Member States and/or competition and marketing laws. The Proposal is not meant to be full harmonisation.

The regulation would apply to online intermediaries and search engines (hereafter “platforms”) providing services to business users with a place of establishment in the EU and offering goods and services to EU consumers. It is irrelevant for the purposes of the Proposal if platforms themselves have a place of business or residence in the EU, as long as business users they offer services to have such a place and target EU consumers.

An intermediation service, which is in the Proposal placed under transparency and fairness obligations, is defined as a) an information society service (ISS) within the meaning of the E-Commerce Directive, b) that facilitates direct transactions between business users and consumers and c) which are provided to business users on the basis of an underlying relationship between online platforms and others (businesses and consumers). A provider can either be a natural or a legal person. Online search engines are defined simply as digital services allowing users to perform search. The definition of ISSs seems very broad as these are, in reality, all electronic services provided at distance and with remuneration (the latter not necessarily in the form of a payment). Additionally, the majority of ISSs do facilitate B2C transactions.

The obligations to be introduced can be summarised as follows:

• Article 3 requires that platforms increase transparency of their unilaterally drafted terms and conditions, and in particular any modifications made to them.
• Article 4 requires that any suspension and termination of platform services be accompanied by a statement of reasons.
• Article 5 brings potentially the most significant changes. Online platforms would be required to set out in their terms and conditions the main parameters determining ranking and the reasons for their relative importance. Additionally, where businesses have an opportunity to pay to influence ranking, such possibility would also have to be disclosed. Online platforms are not required to disclose any trade secrets as defined in EU Trade Secrets Directive.
• Article 6 obliges intermediaries to disclose in their terms and conditions any preferences given to goods and services they themselves (or businesses they control) offer. This covers situations where platforms offer and promote their own prducts, as was the case with Google comparative shopping.
• Article 7 requires the disclosure (description) in terms and conditions of any use of data that business users and consumers disclose to platforms.
• Article 8 requires that platforms that prohibit provision of same good and services through other means than through platforms to disclose such restrictions. This covers situations where platforms demand exclusivity from their business customers.
• Article 9 introduces an internal system for complaint-handling.
• Articles 10-11 introduce the possibility of using mediation.
• Article 12 allows organisations with a legitimate interest representing business users and public bodies in Member States to take action to stop or prohibit non-compliance. Organisations in question need to be non-profit.

While transparency requirements in some of the articles seem superficially reasonable, I see two major problems with the proposal.

The first is its extent. While there is some agreement as to what constitutes a search engine,¹ the same cannot be said of intermediaries. Even if one assumes that most intermediaries that fall under the E-commerce Directive would also fall under the Proposal, there is still scope for questioning the reasonableness of such proposal.

The second problem is the potentially very wide scope of Article 5. Ranking criteria are not determined on a whim but are a result of algorithms which are a business asset and a trade secret. While the proposed Article does not require disclosure of anything that the Trade Secrets Directive itself does not consider a trade secret,² it seems to be impossible to release meaningful information on search ranking criteria without also releasing trade secrets.

It remains to be seen whether the proposal will move smoothly through the legislative procedure. This seems very unlikely, as heavy lobbying is expected from a variety of platforms. This brings into question the meaningfulness of the Commission’s exercise. Under the circumstances, a more vigorous application of competition law would have probably achieved the same result.

1. Although no full agreement. Is Facebook (also) a search engine? Instagram? ↩
2. Secret and not generally known, with a commercial value and subject to controller’s reasonable steps to keep it secret. ↩

Bad Reporting of EU Tech Policy and Regulation in the Media: How to Recognise it and How to Get the Real Picture

While there can be no doubt that EU tech policy cannot be considered the sexiest topic on the planet, it is nevertheless covered very frequently in the media. In the era of privacy leaks, government surveillance, AI and streaming, to name but a few, it is also very relevant. It is not surprising, therefore, that reputable newspapers often cover real and imagined EU activities with vigour. A careful reader would, however, find that articles written by experienced journalists often carry sensationalist titles. Even more surprisingly, such a reader would have difficulties confirming the article’s claims on EU’s own portals. The reporting is often incoherent, confuses different policy areas and rarely quotes original sources or points the reader in the wrong direction. This was particularly obvious in the recent wave of coverage of global platforms such as Google and Facebook. Here are some of the examples:

On March 14, 2018, Reuters carried a story with a bombastic title: “Google, Apple face EU law on business practices”. The article claims that the EU is “drafting a new regulation”, that this regulation will be “specifically targeting online platforms” and that it will ask companies to be more transparent on how they rank search results. The same story was subsequently carried, almost verbatim, by a number of newspapers and online portals, including the Financial Times, the EU Bulletin and Business Review. Anybody being even vaguely familiar with the EU’s Digital Single Market project would be surprised at such statements. This is more so since the Commission’s own 2016 Communication on Platforms states that no new directive or regulation on platforms is forthcoming nor does it list search engine ranking algorithms as being under scrutiny. While the Commission is not organised in the way it presents its activities, it rarely acts without proper announcement.

What is the origin of the story, then? The mystery is not very deep. A careful reader would notice that a new EU package on consumer law appeared on April 11. Part of that package is a proposed Directive updating a bunch of EU consumer laws (informed, among other things by a behavioural study on transparency in online platforms), including the 2005 Unfair Commercial Practices Directive. Suggested as one of the changes is the new Article 6a, applying to online marketplaces. It says that “the main parameters determining ranking of offers presented to the consumer as result of his search query on the online marketplace” must be disclosed to consumers or the practice would be considered an unfair one. More interesting, however, is the Commission’s work on fairness in platforms-to-business relations. As part of the 2015 Strategy’s promise to look at platforms, the Commission promised to look at transparency of trading practices of online platforms. The inception impact assessment, published in late 2017, looks at three legislative options: soft law, targeted EU instrument coupled with industry-led action or detailed EU principles. Whoever wrote the original Reuters article would have seen the work on the consumer package and/or seen the transparency document on fairness in platform-to-business relations and may have also seen a draft document as an outcome of one of the three options. They then constructed the story which, while containing elements of truth, is still considerably off the mark. It is also worth noting that even modestly controversial EU proposals get significantly modified and are occasionally withdrawn where the Council and the Parliament cannot reach an agreement. What will happen, at best, is that a proposal will be tabled and discussed at length.

Another article appeared in Financial Times on April 17. It claimed that EU is “to give judges power to seize terror suspect emails and texts”. It begins with the familiar “Brussels is planning” words and goes on to say that judges will get “the power to seize emails and text messages of terror suspects” and that the Commission “will propose giving national judges the extraterritorial power to order companies to hand over ‘e-evidence’ held in servers in another EU country or outside of the bloc.” While this sounds both dramatic and controversial, readers would be hard pressed to understand which regulatory platform this proposal falls under, which DGs might be involved, where to find the policy document, how to follow the developments or how this proposal fits in the broader Digital Single Market Strategy. A much more coherent (albeit shorter) account of the affair is to be found on Politico’s website. There, it is clarified that the proposal is part of the Commission’s drive to improve taking of e-evidence and outlines its main features as well as differences from the current regime. Crucially, the article identifies that this is part of the effort to achieve a “common judicial area” and that it only applies to serous crime. A casual look at the Commission’s website on taking cross-border evidence would reveal that this is indeed part of an ongoing effort in cross-border judicial cooperation, that “European Investigation Order” is already in force and that work continues on the “European Production Order”. While the FT article is not entirely wrong in its reporting, the value it adds to the debate is minimal.

Similar stories are to be found all over the Internet. It is usually easy to recognise them as they are rarely specific and are usually framed in the clichéd “Brussels plans” or “EU threatens” style. How is the reader to find out what is really behind the story?

The first step is to identify the area the tech policy belongs to. Very roughly, three regulatory circles exist in the EU’s Digital Single Market effort. Information society services are regulated under the e-commerce framework (here also including copyright, privacy, speech regulation, etc.) Telecoms regulatory framework covers telecoms networks and services. Finally, media under editorial control are subject to Audio-Video Media Services Directive (AVSMD). The circles, although distinct, overlap. Privacy, for example, is subject both to e-commerce rules (GDPR) and telecoms rules (ePrivacy regulation) which means that a full picture can only be obtained by looking at both.

The second step is to identify the general EU policy in the area in question. The 2015 Digital Single Market Strategy should always be consulted as should any other statements that further clarify the political EU position of a particular issue. For platforms, for example, there exists the Communication (mentioned above), but also the 2017 Communication and the 2018 Recommendation on Illegal Content online. The formation of a potential proposal is always followed by various studies the Commission publishes (usually outsourced to think tanks) as well as stakeholder consultations, speeches and announcements on web sites. The platform law above, for instance, is preceded by the already-mentioned inception study and the behavioural study on transparency.

The third step is to check whether any policy ideas identified in steps 1 and 2 have been transformed into legislative proposals. Privacy, consumer protection, cybersecurity, copyright, telecoms, AVMS services and e-commerce all have their own websites (sometimes multiple ones at different institutions). These not only summarise present laws but explain policies and plans for future regulation. Further to that, stakeholders are often engaged in commenting on relevant proposals, both officially (as part of the Commission’s fact-finding exercise) and in their own reports, blogs, etc. Such documents are invaluable for gauging public and professional opinion. The final step would be to confirm that proposals are about to become laws. Existing proposals can be traced through the Legislative Observatory.

While the above may seem banal, it is rarely followed, which results in confusing and messy reporting. Although it may sometimes seem that proposals come “out of the blue”, this is in reality almost never the case as significant preparatory work is needed and the Commission launches initiatives based on plans announced in strategy documents. In other words, the Commission maintains a certain degree of transparency for political and budgetary reasons and has no political mandate to randomly tackle issues not otherwise announced as part of a wider political agenda. In such circumstances, it becomes very important to place the news in their proper context.