Lorna Woods, Professor Emerita, University of Essex
This recent
CJEU judgment has been flagged in some quarters as upholding the French
rules requiring age verification for porn sites. In others, it has been seen as
stripping intermediary immunity from social media sites. Based on the
e-Commerce Directive, however, is this just a transient discussion, fading away
as the Digital
Services Act (DSA) becomes the relevant law?
The Facts
The national cases in Case
C-188/24 concern French rules requiring porn operators to implement technical
age verification mechanisms to prevent minors from accessing those sites. The companies were
each the subject of a formal notice pursuant to Decree No 2021/1306
implementing Law No 2020-936 and Article 227-24 of the Criminal Code which
prohibits any person from broadcasting a pornographic message likely to be seen
by a minor. The rules in Coyote System concern the restriction on
the broadcasting of information to drivers about roadside checks (eg in
relation to speed or drunk driving). The relevant implementing measures were
also derived from the French criminal code. These measures were subject to
judicial challenge before the French Conseil d’État.
The companies in question were not established in France and questioned the
applicability of the French rules.
The Issues
The first question the CJEU had
to address was whether the measures fell within the coordinated field of
the e-Commerce
Directive (Directive 2000/31) and would
therefore be caught by Article 3, which provides for the country of
origin principle (COOP). Recital 22 which states that ‘information
society services should be supervised at the source of the activity’. This
means that services in general comply with the domestic law of the State in
which they are established and do not have to comply with the laws of the
States in which their services are capable of being accessed. Article 3(3) excludes certain areas
from the coordinated field and Article 3(4) et seq provide for limited grounds
of derogation from the COOP and provide conditions with which the receiving
State must comply to access the derogation.
The COOP applies only to laws falling within
the coordinated field. Here the relevant laws were not sector specific measures
targeting information society services in particular, but the general criminal
law. The referring court questioned whether the provisions in issue fell within
the coordinated field and referred the issue
to the CJEU.
The ban on transmission in Coyote
System was, according to the applicant, contravening the prohibition on
general monitoring found in Article 15 e-Commerce Directive. This application
of this article is dependent on the information society services in question
falling within one of the categories of service found in Articles 12-14
e-Commerce Directive (mere conduit, caching services or hosting services
respectively). The Court thus then had to consider whether the service in
Coyote System was a hosting service within the meaning of Article 14 e-Commerce
Directive. Article 14(1) provides:
Where an
information society service is provided that consists of the storage of
information provided by a recipient of the service, Member States shall ensure
that the service provider is not liable for the information stored at the
request of a recipient of the service, on condition that:
(a) the
provider does not have actual knowledge of illegal activity or information and,
as regards claims for damages, is not aware of facts or circumstances from
which the illegal activity or information is apparent; or
(b) the
provider, upon obtaining such knowledge or awareness, acts expeditiously to
remove or to disable access to the information.
Judgment
The Coordinated Field
The Court emphasised that the
coordinated field
covers all
requirements laid down by the legal systems of the Member States relating to
the taking up or pursuit of the activity of an information society service, …
that definition does not make the coordinated field subject to the condition
that only matters harmonised by that directive are covered. [para 52]
Following the Advocate General
(at para 56 of his Opinion), it remarked that Article 3 is of particular
importance precisely for the areas of law not harmonised. The mere fact that
the laws apply generally cannot remove them from the coordinated field.
Moreover, the Directive excludes certain areas from the scope of the Directive,
so the question of exclusion had been taken into account in the Directive.
Taking a different approach would undermine the purpose of the Directive.
The Court confirmed that
requiring age verification sets the conditions for access to the information
society services and is a requirement concerning the pursuit of an activity
within Article 2(h)(i) (see Case
C-649/18 A (Advertising and sale of medicinal products online)). For
the roadside broadcasts, the Court took the view that the prohibition
constituted a requirement relating to the content of the service. Both sets of
measures therefore fall within the coordinated field.
The COOP and Derogation
The key question for the
application of the COOP was whether the measures restricted the free movement
of the services. This question the Court answered in the affirmative before
considering whether the derogation in Article 3(4) could be used.
The derogation has substantive
and procedural conditions. Substantively, the measure must be necessary in the
interests of one of more of: public policy; protection of public health; public
security; or protection of consumers. Further, those measures should be taken
against an information society service which actually prejudices those objectives
or presents a serious and grave risk to those objectives. Finally, the measures
must be proportionate to the objectives. In procedural terms, the recipient
Member State must first have issued an unsuccessful request to the host Member
State to fix the issue and, secondly, notified the Commission. A failure to comply renders the obligations
unenforceable (Case
C-390/18 Airbnb Ireland – following long established case law).
General rules applying without
distinction do not satisfy the second of the substantive conditions. The rules,
however, provided for the issuing of individual notices which satisfy this
requirement [para 90]. The third substantive element – that of proportionality
– was satisfied in relation to the protection of human dignity and the rights
of the child as regards the broadcasting of pornography [para 94] and, without
much elaboration, the prohibition on rebroadcasting is also proportionate [para
96].
So in principle, the national
rules could meet the substantive criteria but it was for the referring court to
determine whether the procedural rules were satisfied.
General Monitoring
Hosting
As noted above, the possibility
of relying on Article 15 depends on whether the service in issue – here the
service in Coyote System - is a host within the scope of Article 14 [see
para 105]. The Court noted that the definition of hosting did not automatically
preclude a service which also has elements of broadcasting from being a host,
referring to long-standing caselaw as well as more recent (Case
C-360/10 SABAM; Case
C-682/18 YouTube and Cyanado and Case
C-401/19 Poland v Parliament and Council). Conversely, just because
a service includes the storage of information does it mean that the service is
a host for the purposes of Article 14. The Court reiterated the limitations
arising from Recital 42 – that the services should be of a mere technical,
automatic and passive nature. This implies, according to the Court’s case law (Case
C-324/09 L’Oréal and Case
C-682/18 YouTube and Cyanado), “the information society service
provider has neither knowledge of nor control over the information which is
transmitted or stored” [para 108]. The
Court underlined that “those two conditions requiring knowledge and control
should be understood as being alternative to and independent of each other”
[para 110]. The Court then held that
if, beyond
the mere categorisation and indexation of information for the purpose of
improving its accessibility, the algorithm used determines, in the interest of
the operator or its service, under what conditions, how and in which order of
priority that information is or is not be broadcast, that operator exercises
control over that information, with the result that the service it offers
cannot be classified as an ‘information society service … that consists of the
storage of information provided by a recipient of the service’ [para 112].
Impact on Article 14(3) and
Article 15
If a service exercises control
over content, it does not fall within Article 14 and therefore the restrictions
imposed on Member States by Article 15 are not applicable to such are service.
The questions were for the national court to determine.
On the assumption that the
service were found to be neutral, the national court must decide whether the
prohibition on rebroadcasting the information on roadside checks is permitted
by Article 14(3) which concerns orders requiring a neutral host to terminate
any infringement on the part of the recipient of the service due to, inter
alia, the presence of illegal information stored on its website or on its
platform by removing or blocking access to that information.
Considering Article 15, the Court
referred to Recital 47 e-Commerce Directive, which clarifies that Article 15
does not apply to monitoring in specific cases. Referring to the test laid down
in Glawischnig-Piesczek (Case
C-18/18), paras 46 and 47, the Court noted in this case that the
information targeted by the prohibitions “is circumscribed in such a way that
its rebroadcasting may be automatically prevented by the operator concerned”
[para 121].
Comment
Coordinated Field and COOP
The
Court has taken a typical approach here, a broad approach to the areas covered:
criminal law rules and public policy rules can fall within the scope of the
directive, provided they impose requirements on the access or conduct of an
information society service. Furthermore, none of the criminal law in general,
public policy and public security measures appear on any of the exclusions from
the scope of the directive. The Court’s ruling makes explicit that this absence
from the exclusions is deliberate. This position is in the interests of
ensuring that a service is not subject to multiple regulation, but it can lead
to unevenness and gaps in protection from the viewpoint of a person expecting
the rules of the member state in which they reside to apply to services
providers providing services in that self-same Member State. This is especially
the case when the aspect potentially taking the national rule outside the
derogation regime is about its form, not its substance. The COOP principle has long given rise to
concerns about forum shopping and a race to the bottom (as can be seen also in
the broadcasting sector and the Audiovisual Media Services Directive) but has
been re-affirmed as a central tenet of the EU regime (see eg Case C-769/22 Commission
v Hungary (Values of the European Union)).
It is
also worth noting that the Court in principle accepted that both sets of rules
in the cases referred were aimed at achieving legitimate aims and were
proportionate. The Court drew on the fact that the AVMSD requires age
verification in relation to pornography to reach this latter assessment. In so
doing, the Court engaged in a joining up the dots activity between different
piece of EU digital legislation.
In
this ruling, the Court underlined both the importance of the right to human
dignity and the rights of the child.
Impact on Article 14
The headline news from this
ruling is the impact on Article 14 and the test for neutral intermediary. The
hosting safe harbour in Article 14 was always meant for neutral, passive
intermediaries – entities whose activity is “purely technical, automatic and
passive”, implying that the provider “has no knowledge of or control over” the
information stored (Recital 42 e-Commerce Directive). This has been the
standard position since the early case law – for example L’Oreal. What this means, and in particular the impact
of automated tools, has been the subject of some discussion. In a different
context (copyright infringement), the Court even if an operator automatically
indexes infringing content to recommended videos based on each users’ use did
not necessarily mean that the host had specific knowledge of the infringing
content, and the Court determined that this sort of specific knowledge was what
was required. This could be seen as quite a generous view towards the hosting
services and the scope of immunity. It might almost be said that there was an
assumption that platforms would benefit from Article 14 (provided they
responded to notices). In Coyote there is a shift of focus.
The first point to note is the
Court’s statement that hosting services do not automatically benefit from
Article 14. While this is not new – and, indeed, can be seen the Court’s
previous jurisprudence – the reminder feels significant, especially in the light
of the rest of the ruling. The Court here confirmed that a service has to
satisfy both the knowledge and the control tests, a point not laboured in
previous judgments. The Court (at para 110) makes this really clear: if a
service exercises control, even if it has no knowledge, it will fall outside
the intermediary immunity provision.
Whereas Cyanado dealt with
knowledge, System Coyote looks at control. Significantly, the Court held
that algorithmic curation constitutes “control”. The Court (following its Advocate General)
held (para 111):
it is, inter
alia, by means of the algorithm used that such an operator exercises control
over the information stored. So long as it has predetermined, by means of that
algorithm, the conditions under which such information may or may not be
broadcast, it is irrelevant that that operator does not itself carry out
additional interventions which have the effect of promoting, modifying or
deleting information stored with a view to it being broadcast.
In other words, when a service
which stores information uses an algorithm to determine – in its own interest
or that of its service – under what conditions, in what manner, and in what
order of priority information is or is not disseminated it has control (see
para 112). It does not matter that this is automatic. So creating the
algorithmic system is exercising control.
In focussing on control, the Court avoids outright conflict with its
earlier position (for example in Cyanado), but it certainly signals a
change in emphasis and (in line with thinking underpinning parts of the DSA) a
recognition that the algorithm is not necessarily neutral.
Not all categorisation or
prioritising satisfies the control test. Simple categorisation and indexing of
information to improve its accessibility do not on their own constitute
control. Essentially, the Court is trying to draw the line between a neutral
index, or chronological feed, and something more editorial (and it is telling
to remember that the services themselves have claimed first amendment rights –
is relating to their speech – in relation to how results are provided).
Nonetheless, this ruling will
affect a wide range of services based on curating user generated content, from
social networks, video-sharing services and – of course – services that
rebroadcast user reports (eg about police checks), as well as recommended
products on a marketplace. The judgment could be read as stripping most (if not
all) of the large social media platforms of their immunity (though this does
not mean they will automatically be liable in all cases – that will depend on
national law and the facts in individual cases). It could also be said to
follow a similar path to the Russmedia decision (Case
C-492/23), discussed here,
which also took a narrow view of immunity (hosting defence does not apply to
liability under the GDPR).
Impact on Article 15
The prohibition on general
monitoring only relates to those services covered by intermediary immunity.
Although this follows the language of Article 15(1) there had been some dispute
as to who could claim the protection of Article 15. The answer is now clear:
fall outside Article 14 (or 12 or 13) and Article 15 does not apply.
The Court also reiterates its
position on the distinction between general and specific monitoring and
highlighting the possibility of using automated techniques to identify
particular types of content. This could be relevant for Member States’ ability
to impose monitoring or filtering obligations (in services of some public
interest) – these (in relation to copyright infringements, e.g. SABAM,
above) had been thought problematic in the relatively early days of the
e-Commerce Directive, and platforms have often challenged such obligations as
constituting general monitoring. The Court’s discussion here is focussed
tightly on content; it does not discuss behavioural monitoring or profiling
(which might be techniques by services to reduce the incidence of illegal
content or behaviour across their services). It will be interesting to see how
this line of case law joins up with the jurisprudence under the e-Privacy
directive on collection of metadata and intrusions into communications privacy
(see eg Case
C-746/18 Prokurator).
Impact on DSA
Article 6
DSA, which replaces Article 14 e-Commerce Directive, provides that hosting
providers are not liable for information stored at the request of a recipient
of the service, provided that they do not have actual knowledge of illegal
activity or content, unless the recipient acts under the authority “or control” of the provider. It has been
assumed given the similarity in the text, that the case law on Article 14 is
relevant for understanding Article 6 DSA, including as regards the threshold
condition of neutral. The wording of the relevant recitals in the DSA differ,
however, from the text in the e-Commerce Directive (noted above) – and the
Court has relied heavily on that text in its interpretation of Article 14. Indeed, Article 14 itself does not refer to
control. Recital 22 DSA specifies:
[i]n order to
benefit from the exemption from liability for hosting services, the provider
should, upon obtaining actual knowledge or awareness of illegal activities or
illegal content, act expeditiously to remove or to disable access to that
content. … The provider can obtain such actual knowledge or awareness of the
illegal nature of the content, inter alia, through its own-initiative
investigations or through notices submitted to it by individuals or entities in
accordance with this Regulation in so far as such notices are sufficiently
substantiated to allow a diligent economic operator to reasonably identify,
assess and, where appropriate, act against the illegal content. However, such
actual knowledge or awareness cannot be considered to be obtained solely on the
ground that the provider is aware, in a general sense, of the fact that its
service is also used to store illegal content. Furthermore, the fact that the
provider automatically indexes information uploaded to its service, that it has
a search function or that it recommends information on the basis of profiles
or preferences of the recipients of the service is not a sufficient ground
for considering that provider to have ‘specific’ knowledge of illegal
activities carried out on that platform or of illegal content stored on it.
[emphasis added]
At first glance, the recital
seems to contradict the ruling in Coyote System. The wording of the
recital seems to follow the approach the Court adopted in Cyanado and
like that judgment deals with the question of knowledge. We have noted earlier,
the Court’s sidestep in this case, to talk about control. The recital says
nothing about control and is therefore not inconsistent with the approach in Coyote
System. Of course, this means that
there is no reference to “control” in the text of the DSA because Article 6,
like its predecessor Article 14, is silent on the point. It is far from clear,
however, that the change in wording in the recital was intended to mark a
change in meaning from Article 14 resulting in an expansion of the scope of
immunity. Rather it seems an intention to align the DSA with the case law on
Article 14 e-Commerce Directive. Presumably, there will be much litigation on
this point as well as the linked question as to where the boundary between
control and “mere categorisation and indexation of information” [para 112].
