The proposed DSA – Part 3: The liability exemptions and the 'notice and action' mechanism
In the first part of our DSA blog series posts, we provided a general overview of the proposed Digital Services Act (DSA). In the second part, we addressed more specifically the DSA's scope.
In this piece, we will examine the liability exemptions and 'notice and action' mechanism in more detail
Scope of the e-Commerce Directive
Today, the e-Commerce Directive contains three liability exemptions for providers of information society service (ISS) when they act as intermediaries: the 'mere conduit', 'caching' and 'hosting' exemptions.
Under the 'mere conduit' exemption, ISS providers are not liable for the information transmitted of their communication network, if the provider:
Under the 'mere conduit' exemption, ISS providers are not liable for the information transmitted of their communication network, if the provider:
- Does not initiate the transmission;
- Does not select the receiver of the transmission; and
- Does not select or modify the information contained in the transmission.
The 'caching' exemption exempts an ISS provider from liability for the automatic, intermediate and temporary storage of information provided by a recipient of the ISS, performed for the sole purpose of making more efficient the information's onward transmission to other recipients upon their request, if the provider:
- Does not modify the information transmitted;
- Complies with conditions on access to the information;
- Complies with industry best practice rules regarding the updating of the information,
- Does not interfere with the industry best practice lawful use of technology to obtain data on the use of the information;
- Act expeditiously to remove or disable access to the information it has stored upon obtaining knowledge of the fact that a court has ordered the removal or disablement of the information.
Finally, under the 'hosting' exemption, an ISS provider is exempt from liability for the information it stores at the request of the recipient of the service, if it:
- Does not have actual knowledge of illegal activity or information; The Recitals clarify that this implies that the ISS provider plays a merely technical and passive role with regard to the hosted information.
- Acts expeditiously upon obtaining such knowledge to remove or to disable access to the information.
In addition to these three exemptions, the e-Commerce Directive specifies that Member States are not allowed to impose a general obligation on ISS providers to monitor or actively seek for illegal activity.
New proposed scope of the DSA
Although the DSA does not intend to replace the e-Commerce Directive, the European Commission does propose to move the lability exemptions into the DSA to maximize harmonisation.
This would be a welcome change as the way in which the liability exemptions have been implemented in the Member States varies greatly. Despite the CJEU case law in this area, fragmentation and legal uncertainty on the interpretation of the conditions remain, especially with regard to the 'hosting' exemption.
'mere conduit' and 'caching' exemptions and general monitoring obligation prohibition
As far as the 'mere conduit' and 'caching' exemption regimes are concerned, no material changes are proposed in the DSA. The main change lays in the fact that those exemptions would apply in the same manner throughout the EU and that there would not be any room for fragmentation resulting from transposition of these rules into Member State law.
Similarly, the DSA proposes to keep the general principles that providers of intermediary services should not be subject to a general monitoring obligation.
'hosting' exemption
With regard to the hosting exemption, the principle remains broadly the same: ISS providers are exempt from liability for the information they host at the request of the recipient of the service, provided they (i) don't have actual knowledge of the illegal activity and illegal content and (ii) act expeditiously to remove that illegal activity or illegal content when they become aware of it.
However, the European Commission proposes a number of substantial clarifications to improve legal certainty.
This would be a welcome change as the way in which the liability exemptions have been implemented in the Member States varies greatly. Despite the CJEU case law in this area, fragmentation and legal uncertainty on the interpretation of the conditions remain, especially with regard to the 'hosting' exemption.
'mere conduit' and 'caching' exemptions and general monitoring obligation prohibition
As far as the 'mere conduit' and 'caching' exemption regimes are concerned, no material changes are proposed in the DSA. The main change lays in the fact that those exemptions would apply in the same manner throughout the EU and that there would not be any room for fragmentation resulting from transposition of these rules into Member State law.
Similarly, the DSA proposes to keep the general principles that providers of intermediary services should not be subject to a general monitoring obligation.
'hosting' exemption
With regard to the hosting exemption, the principle remains broadly the same: ISS providers are exempt from liability for the information they host at the request of the recipient of the service, provided they (i) don't have actual knowledge of the illegal activity and illegal content and (ii) act expeditiously to remove that illegal activity or illegal content when they become aware of it.
However, the European Commission proposes a number of substantial clarifications to improve legal certainty.
- Whereas the e-Commerce Directive only referred to 'illegal activity', a term which it did not define, the DSA proposes to add the term 'illegal content', which it defines as "any information that does not comply with Union law or the law of a Member State". It would cover information that is illegal by its nature, such as illegal hate speech or terrorist content, but also information that relates to illegal activities, such as sharing images that depict child sexual abuse or sharing revenge porn or the use of content infringing IP rights.
- Although it has been much debated in the past few years, the DSA does not contain any provisions around 'harmful content' (e.g. bullying, fake news). The main reason for keeping it outside of the DSA's scope seems to be the difficulties of reconciling this notion with the fundamental right to freedom of expression. However, the debate on how to effectively address the issues of disinformation and 'fake news' continues and it therefore remains possible that the concept is included in the DSA in one way or another.
- It is also proposed that the hosting exemption does not apply to online platforms that present the illegal content in such a way that an average and reasonably well-informed consumer is lead to believe that it is provided by the online platform itself, rather than by the actual trader. This new provision will oblige online marketplaces to distinguish better between the services and goods they sell themselves, as opposed to the services and products that are sold by independent traders, using their marketplace.
Voluntary own-initiative investigations
One of the contentious topics under the e-Commerce Directive was the question whether ISS providers must remain entirely passive in order to benefit from the 'hosting' exemption or whether they may implement measures to try and detect illegal activity on their platform. In view of settling this debate, the proposed DSA now expressly indicates that proactive investigations conducted by the ISS provider do not result in the latter losing the protection of the hosting exemption.
In other words, ISS providers are allowed to carry out investigations aimed at detecting, identifying and removing illegal access from their platforms, without losing the benefit of the liability exemption.
'Notice and action' mechanism
The DSA also proposes to harmonise the notice and action' mechanism, which had been implemented in a very fragmented manner under the e-Commerce Directive.
First, the proposed DSA obliges providers of intermediary services to act upon orders received from national judicial or administrative authorities to taken down illegal content. The DSA contains a series of procedural safeguards that national authorities must comply with to ensure that the mechanism is relied upon consistently throughout the EU, taking due process of law into account.
Second, the DSA introduces a series of detailed obligations, which only apply to hosting service providers (including online platforms). They are also required to take action when a private individual or entity notifies them of the presence of illegal content on their service.
Hosting service providers will be required to implement an easy to access, user-friendly mechanism which allows users to submit such notices electronically. The hosting service provider must ensure that the mechanism facilitates the submission of a series of detailed information regarding the alleged illegal content, such as an explanation of the reasons why the person considers the information to be illegal, contact details of the person submitting the notice and a statement in which the person confirms it is acting in good faith. These information requirements seem intended to avoid frivolous claims being made.
When a hosting provider receives such a notice, it must:
- Promptly acknowledge receipt of the notice to the individual or entity that submitted it.
- Process the notice in a timely, diligent and objective manner.
- Once the decision is taken, it must inform the person who submitted the notice, without undue delay, of the decision it has taken with (i.e. did it take down the alleged illegal content or not). This second communication must contain information on the redress possibilities with regard to the decision taken by the hosting service provider.
- More importantly, it must also inform the person who provided the information of the reasons why the information is being taken down. This statement of reasons must be provided at the latest at the time when the information is taken down and must contain detailed and specific information as laid down in the DSA, e.g. on the territorial scope of the disabling of access to the information, the facts and circumstances relied upon to take the decision, whether automated means where used to take the decision, information on the redress possibilities, etc.
- Finally, in order to increase transparency, the DSA would require hosting service providers to also publish the decisions and statements of reasons in a publicly accessible database, which will be managed by the European Commission.
While it is still unclear how these liability exemptions and notice and action mechanisms will look once the final version of the DSA will be adopted, ISS providers, and hosting service providers in particular, are advised to start assessing the implications of these future rules on their business operations.