The Terrorist Content Regulation – far-reaching obligations for all host providers

Introduction

On 7 June 2022, the Regulation on preventing the dissemination of terrorist content online ("Terrorist Content Regulation") has entered in force. With this Terrorist Content Regulation, the EU legislator is pursuing the goal of curbing the spread of terrorist content and thus strengthening public security in the European Union. The Terrorist Content Regulation is directly applicable in all EU member states and contains far-reaching obligations for host providers both inside and outside the European Union.

Scope

The Terrorist Content Regulation has an extremely broad scope of application. It applies to all hosting service providers, i.e. all providers of information society services consisting of the storage of information provided by and at the request of a content provider. Therefore, providers of social media services, sharing services, and certain cloud services are covered. The place of establishment is irrelevant as long as services are provided to users in the EU – thus, also non-EU providers are covered. However, some regulations apply only to providers who are "exposed to terrorist content". This status is determined by the competent authority and requires a decision on the basis of objective factors and a notification of the authority to the provider.

Obligations for hosting service providers

Hosting service providers are faced with a wide range of obligations:

Removal obligations

The most important obligation of hosting providers in this respect is the duty to remove terrorist content as soon as possible, but in any case, within one hour after having received a removal order by the competent authority (of each Member State). However, if the provider concerned has never received such an order before, an official notice about the applicable procedures and deadlines will be issued at least 12 hours before the order is issued, except in cases of special urgency. The providers have to establish a contact point for removal orders to be received electronically and processed without delay. The information about this contact point shall also be made publicly available.

Information requirements

In addition, hosting service providers are subject to a whole range of notification obligations.

• First of all, the provider is obliged to inform the competent authority without delay about the removal or blocking of terrorist content as a result of a removal order.
• In addition, there is an obligation for providers to provide the content provider, i.e. a user that has provided information that is, or that has been, stored and disseminated to the public by a hosting service provider, with information about the removal or blocking.
• Furthermore, there is an obligation to provide information to the competent criminal prosecution authority in cases where providers obtain knowledge of terrorist content that poses an immediate threat to life.
• Finally, providers which are exposed to terrorist content must report to the competent authority on the specific measures it has taken and intends to take to prevent terrorist content from being disseminated via its services (see below)

Measures to prevent the dissemination of terrorist content

The hosting service providers exposed to terrorist content must also take certain "specific measures". The provider itself may decide on the measures to be taken, but the regulation states that they may include:

• appropriate technical and operational measures or capabilities, such as adequate staffing or technical resources, to identify and promptly remove or block access to terrorist content;
• easily accessible and user-friendly mechanisms through which users can report or flag suspected terrorist content to the hosting service provider;
• further mechanisms to increase awareness of terrorist content in its services, such as user moderation services;
• any other measure that the hosting service provider deems appropriate to address the availability of terrorist content on its services.

However, two things still need to be noted: First, the obligation to take specific action does not go hand in hand with an obligation to use an automated process. Secondly, it is not accompanied by a general obligation to monitor the information stored or transmitted by the provider or to actively search for facts or circumstances indicating illegal activities.

Transparency obligations/amendment of user terms

• Hosting service providers are required to clearly state in their terms of use their strategy for combating the dissemination of terrorist content.
• Additionally, hosting service providers exposed to terrorist content should, where appropriate, include provisions in their terms of use to address the misuse of their service for the public dissemination of terrorist content.
• Hosting service providers are also required to retain terrorist content that has been removed or blocked as a result of a removal order or specific measures to document the dissemination of the terrorist content. The retention period is generally 6 months - however, the competent court or authority may order an extension under certain circumstances.
• Furthermore, the providers must publish yearly transparency reports on various activities related to terrorist content.

Complaint mechanisms

In addition, hosting service providers must establish an effective and accessible mechanism that allows content providers whose content has been blocked or removed to appeal the removal or blocking and request the restoration or unblocking of the content.

Legal representative

Lastly, hosting service providers that are not established in the European Union but offering their services to the EU must appoint a legal representative the European Union. This representative is designated to receive, comply with and enforce removal orders and decisions of the competent authority. The legal representative may potentially be held liable for violations of the Terrorist Content Regulation by the hosting service provider, which is a novelty. Not appointing an EU representative shall trigger the sanctioning regime of the Terrorist Content Regulation.

Sanctions

Specific sanctions may vary from EU member state to member state However, the sanctions must be effective, proportionate and dissuasive. In the event of a systematic or persistent breach of the obligation to remove terrorist content as quickly as possible, financial penalties of up to 4% of the provider's annual global revenue generated in the previous financial year shall be imposed.

Co-Autor: Hannes Bastians