The EU Digital Services Act and the Article 6 hosting exemption

Isaac Bedi and David Varney consider the relationship between the exemptions from liability for ISPs and the notification requirements under the new DSA

22 November 2022

Why have the E-Commerce Directive exemptions from ISP liability been restated in the DSA Chapter II provisions (setting out the liability of providers of intermediary services)?

The current E-Commerce Directive 2000/31/EC (the EU E-Commerce Directive), implemented in the UK by the Electronic Commerce (EC Directive) Regulations 2002, SI 2002/2013, provides information society service providers (ISP) relief from liability for any user-generated information or content which is hosted or transmitted on that ISP’s platform. This applies in the following circumstances:

  • where an ISP simply transmits the information provided by a recipient or provides access to a communications network, provided the ISP is only acting as a ‘mere conduit’ and does not modify the information, select where it is going or coming from, or store the information for longer than is necessary;
  • where ISPs simply cache information, provided that this is solely for the purpose of increasing the efficiency for other users accessing that information and provided the ISP does not modify the information, complies with the rules on access and updating the information, does not interfere with the use of technology to obtain data regarding the utilisation of the information and acts expeditiously to remove or disable access to the information where notified; and
  • where providers simply store or host the information provided (see further below).

These exemptions were introduced to address the concerns from ISPs that they may be found liable for information or content that is stored or accessed by their users without the ISP’s knowledge and outside of the ISP’s control. The concern was that, for most ISPs, it would be impossible and impractical to monitor all of the information on their platforms. This is highlighted by Article 15 of the E-Commerce Directive (restated in the DSA), which notes that there is no general obligation on ISPs to monitor the information that they transmit or store, or actively seek facts or circumstances indicating illegal activity.

Similarly, despite Terms of Use in place on ISPs’ platforms, there is often no direct formal contract between the ISPs and the end user that would allow ISPs to pass through any losses incurred by them to the end users who are responsible for the illegal or infringing content.

The intention on the enactment of the DSA was that the provisions setting out exemptions from liability within the E-Commerce Directive be passed directly into the DSA, which will now govern the liability of ISPs going forward. These have been intentionally preserved as a direct restatement within the DSA without amendment. Subsequently, it can be interpreted that the case law and guidance applicable to the exemptions as stated in the E-Commerce Directive would also be directly applicable to the exemptions in the DSA.

Recital 16 to the DSA highlights the divergences to date regarding the transposition and application of the exemptions under the E-Commerce Directive. The DSA seeks to provide clarity and coherence by incorporating the original framework within the Regulation. It further seeks to ‘clarify certain elements of that framework, having regard to the case law of the Court of Justice of the European Union’, and in particular, the interpretation of sufficient notification as addressed in Article 16 of the DSA (see below).

What does the DSA Article 6 hosting exemption say?

As above, the hosting exemption for ISPs has been carried through from the E-Commerce Directive to the DSA, providing an exemption from liability for any information from recipients that the ISP stores, provided that:

  • the ISP ‘does not have actual knowledge of illegal activity or illegal content and, as regards claims for damages, is not aware of the facts or circumstances from which the illegal activity or illegal content is apparent’; or
  • upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the illegal content

The rationale behind this exemption from liability is again that it may be deemed unfair for ISPs to be liable for information stored by users which ISPs have no knowledge of.

The only amendment to the original wording from the E-Commerce Directive that is set out in the DSA is to carve out from the exemption an ISP’s liability under consumer protection law where ISPs present items of information, services or products in a way which may lead consumers to believe that it is the ISP themselves providing the item in question (Article 6(3) of the DSA).

What is the relevance of the wording ‘as regards claims for damages’ in the second limb of the Article 6(1)(a) condition? Does the second limb only apply in the case of civil claims due to the reference to damages?

The wording within this hosting exemption was carefully drafted within the E-Commerce Directive to ensure that ISPs’ liability was excluded for both civil and criminal proceedings, given that ISPs may be liable under criminal law for illegal information or content that is hosted on their platforms, but also vulnerable to claims through civil proceedings where information or content may be defamatory, infringe third parties’ intellectual property rights or copyright, or cause harm to another individual for which they may seek damages.

ISPs’ liability under criminal law would normally be judged by whether they had actual knowledge, both of the information’s existence and of its illegality. However, a lower standard applies to ISPs’ liability in respect of civil claims for damages, being whether the ISP may have had constructive knowledge of the information. Subsequently, where the court deems that the illegality of the information should have been reasonably apparent to the ISP on the facts and circumstances available to it, this exemption from liability will be lost. The wording under the E-Commerce Directive was actually amended in the UK’s implementation of it under the Electronic Commerce (EC Directive) Regulations 2002 (the EC Regulations), SI 2002/2013, which amended the wording to apply where an ISP, ‘where a claim for damage is made, is not aware of facts or circumstances from which it would have been apparent to the service provider that the activity or information was unlawful’ (EC Regulations, SI 2002/2013, reg 19).

This standard has been considered in a number of cases by both the UK courts and the Court of Justice. The guiding authority on this standard was set in L’Oreal v Ebay, Case C-324/09, which saw the Court of Justice opine on this issue, stating that the test applied to awareness would be whether ‘a diligent economic operator would have identified the illegality and acted expeditiously’ on the facts and circumstances surrounding the content (para 52).

The Court of Justice also noted that it may be apparent to the service provider that the content is illegal where the operator receives a notification of such activity. This aligns with the E-Commerce Directive and DSA’s removal of any obligation on ISPs to monitor information which they transmit or store, meaning consideration of whether the ISP had actual or constructive knowledge of the information will usually only be triggered through the notification requirements contained in Article 16 (see below).

Subsequently, the wording ‘as regards to damages’ serves two functions, firstly to note that the exemption applies to ISPs’ liability under civil proceedings as well as criminal, but also to ensure this liability is confined solely to civil claims for damages. This is because ISPs’ will not be exempt from any non-pecuniary civil proceedings, such as in respect of injunctions to remove the information from its platform.

How does Article 16(3) work with Article 6?

Article 16 of the DSA imposes an obligation on providers of hosting services to put in place mechanisms which allow users to notify those providers of information on their platform which that user considers illegal. Providers must ensure that these mechanisms allow users to submit sufficiently substantiated and clear explanations of the information and why they allege it is illegal, which should in theory allow the provider to properly assess whether the information is in fact illegal and should be removed.

Article 16(3) directly integrates this notification mechanism with the exemptions from liability provisions elsewhere in the DSA, noting that where a provider of hosting services receives a notification that information may be considered illegal, this will amount to ‘actual knowledge or awareness for the purposes of Article 6 in respect of the specific item of information concerned where the notification allows a diligent provider of hosting services to identify the illegality of the relevant activity or information without a detailed legal examination’.

This acts as a direct codification of the L’Oreal v eBay judgement and inserts wording which was previously absent in the E-Commerce Directive but present in the Court of Justice’s interpretation of its provisions. Subsequently, where hosting providers receive a sufficient notification under Article 16, this will rebut the presumption of excluded liability under Article 6, creating an obligation on the ISP to assess and remove the information if it is deemed illegal and be liable for any failure to do so (both under criminal law and civil proceedings).

The consistent theme running through the wording of the DSA is that the Article 16 notices themselves must be sufficiently clear enough and contain enough information to allow the ISP to properly assess whether the information is, in fact, illegal. While ISPs’ liability under criminal law will be in relation to actual knowledge, the question as to whether the information’s illegality should have been apparent enough for a diligent provider to identify it as such will be one for the courts to determine in respect of any civil claims for damages that are brought. This position is confirmed in recital 22 of the DSA, which notes that, in respect of the Article 6 hosting exemption, ‘the provider can obtain such actual knowledge or awareness of the illegal nature of the content, inter alia through its own-initiative investigations or through notices submitted to it by individuals or entities in accordance with this Regulation in so far as such notices are sufficiently precise and adequately substantiated to allow a diligent economic operator to reasonably identify, assess and, where appropriate, act against the allegedly illegal content’.

This wording appears to directly contradict the newly introduced own-initiative investigation exemption under Article 7 of the DSA, which notes that ISPs shall not be deemed ineligible for the exemptions from liability ‘because they in good faith and in a diligent manner, carry out voluntary own-initiative investigations into…illegal content’. This new exemption was presumably introduced in order to remove any deterrent to ISPs for investigating content, as previously any investigations conducted carried the inherent risk that the ISP may discover illegal content, which may subsequently risk it losing the protection of the exemptions from liability should it fail to act accordingly.

However, recital 22 appears to remove any incentive ISPs may have had under Article 7 to conduct their own-initiate investigations, given that they may still be deemed to fall outside the scope of the exemptions should they not properly address illegal content they discover as a result of their own-initiative investigations.

How are the courts likely to interpret the Article 16(3) requirements for sufficiency?

Where an Article 16 notice meets the sufficiency requirements of Article 16(3), Article 6 will operate to give the hosting provider relief from proceedings which may be brought against them by an individual or enforcement authority.

To that extent, the standard in Article 16(3) is intended to be a standard for the courts to determine as to whether a diligent provider, once notified, could assess the content as illegal without having to conduct extensive investigations. This will fall each time on the facts, and courts will have to approach it on a case by case basis, assessing information provided to the hosting provider at the time.

Subsequently, this standard will evidently vary depending on the facts (and be difficult to ascertain in some cases and very clear in others).

The requirement that the notice should allow the hosting provider to identify the illegality of the information without a detailed legal analysis is a purposefully high bar due the public policy considerations outlined above (and the general position that it would be unfair for ISPs to be held liable for content posted by other users).

The aim of the hosting exemption is to ensure that civil proceedings remain between the affected user and the generator of the content, not the ISP. The ISP is likely to be a particularly attractive prospect in civil proceedings as regards damages, given that claimants may have a better chance of recovery against ISPs and subsequently would rather pursue them than the user generating the illegal content.

The implementation of the exemptions from liability (through case law and now through the DSA) has been done so that they will only be dis-applied in the clearest of cases (providing ISPs relief from liability for unclear cases). To do otherwise would definitely ‘open the floodgates’ to claims against ISPs from complainants who feel content may be illegal.

If an intermediary service provider fails to comply with Tier 2–4 obligations (as may be applicable to it) under the remaining chapters of the DSA, it may be subject to sanctions as set out in the Act, but will it also automatically lose the benefit of the exemptions from liability as set out at Articles 4–6?

The exemptions from liability under Articles 4–6 relate to an ISPs’ liability for transmitting, caching or hosting information generated by its users. The purpose of the exemptions is to ensure ISPs are not liable for illegal information or content for which its users are responsible (such as defamatory statements, infringement of third party intellectual property or copyright, or criminal statements such as incitements of violence or terrorism).

The remaining provisions within the DSA relate to an intermediary service provider’s own obligations, which are separate from any actions undertaken by its users. The purpose of the exemptions from liability is to protect ISPs for actions undertaken by third parties which are outside of their control. The Tier 2–4 obligations, which are obligations placed on the intermediary service providers and are directly within their own control.

Subsequently, these operate as two separate regimes. The purpose of the exemptions is not to relieve the ISPs of liability from the obligations the DSA places on them, but rather insulate ISPs from claims against them for which they may not be at fault.

There are sanctions for non-compliance under the DSA, organisations can be fined up to 6% of its total worldwide annual turnover (Article 74(1)). The fines for this are separate from the Article 4–6 exemption regime, where failure for non-compliance will not incur penalties under the DSA, but rather damages under any civil proceedings brought or fines / prosecutions under any criminal proceedings issued.

In conclusion, has the DSA fulfilled its objective of clarifying the E-Commerce Directive? Are the provisions of the EU DSA sufficiently clear or will this be an area where it is likely that the Court of Justice will have to clarify certain concepts?

The DSA has neither clarified nor enhanced the exemptions outlined in the E-Commerce Directive, but rather transposed them through into its drafting without amendment. Given the intention is for the exemption regime within the E-Commerce Directive to now be governed by the DSA, it makes sense that this drafting has been directly carried across. However, the enactment of the DSA could have been used as an opportunity to provide some greater clarity as to how these provisions operate in practice.

While the test of a ‘diligent provider’ outlined in the L’Oreal v eBay case has been directly incorporated into Article 16(3), this may still require some further examination from the courts as to what extent ISP’s may remain liable under the exemptions.

This article was written by David Varney and Isaac Bedi and first published on Lexis®PSL on 16 November 2022.

Key contact

A photo of David Varney

David Varney Partner

  • Data Protection and Cybersecurity
  • Technology and Communications
  • Outsourcing
 

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more