EU Policy Update - May 2020
In a nutshell: Ten EU Member States expressed their views on the upcoming Digital Services Act. The own-initiative Draft Report on the Digital Services Act by the European Parliament’s Committee on the Internal Market and Consumer Protection (IMCO) received more than 900 amendments, together with another Draft Opinion from the Legal Affairs Committee. European Parliament’s think tanks published a series of studies on the current legislative framework around intermediary liability online, including further suggestions for the Digital Services Act. The European Data Protection Board published its annual report for 2019. The European Commission has coordinated a screening of fraudulent websites related to COVID-19, in cooperation with the EU consumer protection authorities.
Ten EU Member States expressed their views on the Digital Services Act
Digital ministers of the so-called D9+ (Belgium, Czech Republic, Denmark, Estonia, Finland, Ireland, Luxembourg, the Netherlands, Poland, Sweden) revealed their “non-paper” on the creation of a modern regulatory framework for the provision of online services in the EU, in light of plans for the upcoming Digital Services Act (DSA). The D9+ ministers responsible for the digital area have called for the revision of the e-Commerce Directive based on evidence and a “thorough impact assessment in consultations with different stakeholders encompassing civil society and the private sector”. The D+ call for maintaining core principles of the e-Commerce Directive in a modernised and targeted way, taking into account “the emergence of new types of online intermediaries”. The ministers have also called for “introduction of a framework for notice and action mechanisms across the EU, with measures that are proportionate to the nature and impact of the harm committed”. Other measures called for in the document: to include a mechanism “for preservation of the removed content” when necessary for the prevention, detection, investigation and prosecution of a criminal offence, and to encourage “internet intermediaries to take a more proactive approach to content on a voluntary basis”.
JURI opinion on the Digital Services Act for IMCO
Following the surge of European Parliamentary activity on the DSA (as reported last month), another Draft Opinion was published by the Committee on Legal Affairs (JURI) for the Committee on the Internal Market and Consumer Protection (IMCO). The Draft Opinion notes that the Digital Services Act should “explicitly prohibit any obligation on hosting service providers or other technical intermediaries to use automated tools for content moderation, and refrain from imposing notice-and-stay-down mechanisms”. The Draft Report also stresses that the responsibility for “deciding on the legality of online activities and ordering hosting service providers to remove or disable access to illegal content as soon as possible should rest with independent judicial authorities”.
IMCO Draft Report received more than 900 amendments
Since the publication of the IMCO Draft Report on the DSA in the last week of April, over 900 amendments (here, here, and here) to the draft report were filed by the Members of the European Parliament by mid May. Many amendments support the initial call by the Rapporteur for the Commission to clarify to what extent “new digital services”, such as domain name services fall within the scope of the Digital Services Act. A majority of the amendments also support the inclusion of the “Know Your Business Customer” principle, with a slight variety in approaches: to be applicable to solely hosting providers; for business users of online market places; to all digital services under the scope of the DSA; or “in the case where providers of online intermediation services use an information society service as means to sell or communicate with consumers”.
European Parliament's studies call for revision of EU intermediary liability framework
A series of studies have been published at the request of the European Parliament to give legislative and political background to the on-going discussions on the Digital Services Act. In particular, the studies are looking into revision of the e-Commerce Directive that is the cornerstone of the currently valid EU legislative framework of intermediary liability. Some interesting excerpts for technical operators are identified below:
- New aspects and challenges in consumer protection - Digital services and artificial intelligence: One of the key findings of the study is to revisit the liability regimes of the e-Commerce Directive by maintaining human judgment when different kinds of unlawful and inappropriate behaviour are detected by the machines. The study acknowledges that currently leading global tech companies have “vast financial and technological resources” and are “often enjoying a quasi-monopoly position”. Thus, “such companies could sustain the financial burdens for effective content moderation”. However, challenges for content moderation by an online intermediary persist in case of defamation or hate speech. In particular, “the intermediary concerned, in taking the decision to terminate or maintain access to the message has to act like a judge between two opposite parties, a judge whose interests are to some extent involved in the case”. Hence, in such contexts, “AI technologies should only operate to improve human oversight”. The study also calls for expanding safe harbour provisions to search engines, online repositories and social networks and for breaking down the distinction between active and passive intermediaries (note: only concerns “hosting service providers”). According to the study, “the idea that merely passive providers are to be covered by such limitations, to the exclusion of those providers who play an active role, should be overcome, since most online platforms today engage in the presentation and access to user generated content”. Therefore, the use of “active” AI tools by a provider — for searching, providing ads, filtering content, etc. — should not, as such, lead to the provider to being excluded from liability limitations.
- Enforcement and cooperation between Member States- E-Commerce and the future Digital Services Act: The study is focused on the enforcement issues of the e-Commerce Directive and key recommendations for the future DSA in the context of “liability gap”. The study claims that the method of regulation in the e-Commerce Directive – “self-regulation alongside liability shield - has proved unfit for purpose”. The study recalls “a vast catalogue of platform misconduct”, with very limited remedies available, none of which “act significantly dissuasive for wealthy private entities to cease undesirable practices”. Furthermore, according to the study, “commercial enterprises should not be in the business of deciding public values”. The only way to make platforms obey the law is to apply it to them without exception: “regulate online as offline”. In terms of existing legislation and its effectiveness for enforcement, the study recommends that the DSA should follow the model of the enforcement regimes of the CPC Regulation and the GDPR. “The preferred model is one that prioritises cooperation through (horizontal) networking across borders and (vertical) networking with a specialised EU regulator that not only has the ability to co-ordinate the network but has ancillary enforcement powers of its own”, according to the study.
- The Functioning of the Internal Market for Digital Services: responsibilities and duties of care of providers of digital services: The study identifies the difficulties in placing the domain providers under currently valid safe harbour provisions under the Article 12 ('mere conduit' - access providers) of the e-Commerce Directive. The domain providers are falling under so-called “sub-group of intermediary service providers playing an “in-between” role between access providers and hosting providers”. No specific EU level provisions for domain providers exist nor definitive case-law on the ECJ level. The study concludes that “the courts will have to determine whether Article 12 E-Commerce Directive (or Article 13 for caching providers or Article 14 for hosting providers) is the correct provision to regulate the respective business” and that “there does not seem to be a pressing need to establish further categories of providers”.
- The Legal Framework for E-commerce in the Internal Market: The authors of the study argue that the DSA should maintain the basic element of “Internal Market clause, which implies that platforms are only subject to the legal regime, including the liability rules, of the Member State where they are established”. According to the study, “a key component for improving the EU liability regimes could be that EU itself spells out in which cases platform operators are liable for damages when they do not perform their obligations”. Consumer protection market standard enforcement on its territory is another problematic area that the EU might to wish to regulate with the DSA. According to the study, “the enforcement actions should be coordinated at EU level”.
- The e-Commerce Directive as the Cornerstone of the Internal Market: The study acknowledges that the e-Commerce Directive has been criticised for “missing out on socially valuable services”, such as domain name authorities, domain registrars, online payment services and autocomplete or autosuggestion services. The study suggests that “it might be worth considering an extension of safe harbours to cover these other services, as that could establish clarity about the models of enforcement against these players”. Furthermore, “because the services generally differ by their proximity to user’s behaviour, on the scale of involvement between hosting and mere conduit services, potential new safe harbours could operationalize these two provisions as models of enforcement for different services”. The prohibition of general monitoring should equally apply to these services, the study suggests.
European Data Protection Board issued its annual report
The European Data Protection Board (EDPB) issued its 2019 Annual Report, summarising its key activities in 2019 and an outlook for 2020. According to the Report, in the course of 2019 the EDPB adopted guidelines on topics such as privacy by design and default and the right to be forgotten. Consistency opinions were issued on the topics of data protection impact assessments, and the interplay between the ePrivacy Directive and the GDPR. At the end of 2019, the EDPB also elected its representative to the Stakeholders Cybersecurity Certification Group under the EU Cybersecurity Act to advise ENISA and the European Commission on cybersecurity certification. In 2020, the EDPB will continue issuing guidelines “to ensure consistent interpretation of the GDPR across the EU”. In 2020, the EDPB will aim “to provide guidance on data controllers and processors, data subject rights and the concept of legitimate interest”.
The Consumer Protection Cooperation Network carried out its 'sweep' to identify scams online
Together with the Consumer Protection Cooperation (CPC) Network, the European Commission has coordinated a screening ('sweep') of websites, with the aim of finding out where EU consumers “are being subjected to content promoting false claims or scam products in the context of the coronavirus”. The results show that, following the Commission's call, “platforms have removed or blocked millions of misleading advertisements or product listings”. The consumer protection authorities of 27 EU countries identified 126 companies who were part of the sweep. In 38 cases, CPC authorities found “a number of dubious offers or adverts concerning products misleadingly promoted in the context of the coronavirus”. The in-depth sweep involved 268 websites, 206 of which were flagged for further investigation for potential breaches of EU consumer law. For the next steps, “the Commission will coordinate cooperation between CPC authorities and domain registers, who can be requested to take down harmful websites”.