EU – The end of the hosting defence as we know it

Author: Peter Church

A core tenet of internet regulation is protection from intermediary liability – essentially the idea that online platforms should not generally be liable for the content posted by their users.

There are compelling reasons for this. The volume of user-generated content on most platforms is so large that there is no way a platform can realistically review or thoroughly moderate it all before publication. If those platforms were to be held responsible for that content, they would either need to apply aggressive automated moderation (with the risk of overkill) or accept significant risk.

However, the CJEU has now largely swept away the so-called “hosting defence” – the key protection from intermediary liability in the EU (see Joined Cases C-188/24 and C-190/24). Where a platform determines by means of an algorithm how, and in which order of priority, content is or is not seen, this defence will likely be removed.

Two ambitious claims

The judgment arises from two separate joined cases:

• The first relates to a claim from a widely used pornographic website based in the Czech Republic. It objected to a notification from the French regulator, ARCOM, requiring it to carry out age verification – i.e. prohibit access by minors to its websites.
• The second relates to a driving information service that included messaging services that allowed users to message each other about potential police stops (e.g. areas in which the police were carrying out drug or alcohol tests). The provider of the service objected to a decree prohibiting the sharing of this information.

Given the strong public policy reasons to prevent children accessing pornography and stopping drivers evading police checks, neither was an especially promising case.

Findings on the “co-ordinated field”

The main thrust of both cases was the little-known concept of the “co-ordinated field” in the eCommerce Directive (2000/31/EC). This essentially applies a country-of-origin principle to the regulation of websites (and other information society services) in order to ensure the effective exercise of the freedom to provide services across the EU.

The CJEU decision is broadly supportive of the protection afforded under the “co-ordinated field” concept. In summary:

• The scope of the “coordinated field” is broad and is widely applicable, save for the specific exceptions in the eCommerce Directive. (Those exceptions include things such as obligations under the GDPR, gambling activities and tax issues).
• The relevant provisions in the eCommerce prevent Member States from applying general and abstract obligations in relation to matters falling within the co-ordinated field. For example, they would not allow a general and abstract obligation on pornographic websites to apply age verification.
• However, Member States can derogate from these provisions where there is a specific public interest, the action is taken against a specific entity and that action is proportionate. This is typically dependent on first asking the “home” supervisory authority to take action and notifying the Commission, though not where action is urgent.

Here specific notices had been given to the operators of the pornographic websites and driving app. The CJEU indicated there was a clear public interest in preventing children accessing pornography and stopping illegal or intoxicated drivers evading police checks, and these measures were likely to be proportionate (albeit these are matters for the national court to verify).

The end of the hosting defence as we know it

The operator of the driving information service further claimed that the requirement to stop sharing details of police stops and similar information imposed a “general obligation to monitor” and so was in breach of Article 15 of the eCommerce Directive.

Even though the reference from the French courts did not specifically ask about the hosting defence under Article 14 of the eCommerce Directive, the CJEU seized the opportunity to address it on the basis it was the premise for the question under Article 15.

The CJEU’s conclusions suggest the hosting defence under Article 14 will be largely nugatory for many modern online platforms. In particular:

• This only applies where the operator is neutral, that is to say, whether its conduct is purely technical, automatic and passive, involving a lack of knowledge of or control over the content it stores.
• The two conditions of “knowledge” and “control” are alternative and independent of one another. Accordingly, an information society service provider that exercises “control” loses the benefit of the hosting exemption even if they have no knowledge of the content (due to its automatic processing).
• The fact that control may be exercised via an algorithm does not matter. If the information society service provider has predetermined, by means of that algorithm, the conditions under which such information is or is not disseminated, it is irrelevant if they do not carry out further interventions.
• Beyond the mere categorisation and indexing of information to improve its accessibility, the use of an algorithm, in the interests of the information society service provider, to determine in what manner and in what order of priority such information is disseminated or not, means the hosting exemption will not apply.

In blunt terms, this may mean that any use of an automatic recommender or moderation system will see the hosting defence fall away. The extent to which some activities might be classified as mere categorisation and indexing, which would not result in the loss of the hosting defence, remains to be seen.

Finally, the obligation to stop sharing details of police stops and similar information did not involve general monitoring for the purpose of Article 15 of the eCommerce Directive given the specific nature of the order.

Implications for the Digital Services Act

This decision is based on the eCommerce Directive, and the relevant intermediary liability provisions have been repealed and replaced by equivalent provisions in the EU Digital Services Act.

It is not obvious that this would lead to a different outcome. For example, recital 18 states:

“The exemptions from liability established in this Regulation should not apply where, instead of confining itself to providing the services neutrally by a merely technical and automatic processing of the information provided by the recipient of the service, the provider of intermediary services plays an active role of such a kind as to give it knowledge of, or control over, that information.”

This again appears to suggest that either knowledge or control is sufficient to result in the loss of the hosting defence. Of course, as a quid pro quo for protection from intermediary liability the EU Digital Services Act imposes a whole host of new obligations. In the case of VLOPs this includes obligations to conduct systematic risk assessment and mitigation exercises. This could tempt the CJEU to take a different course should the scope of the hosting defence in the Digital Services Act come before it.

The focus on primary liability and deep pockets

Without the benefit of the hosting defence, the focus is then on questions of primary liability. For example, if someone makes a defamatory posting on social media, the platform can no longer rely on blanket protection from the hosting defence. However, that does not mean the platform is necessarily liable for it. That will likely depend on questions such as whether the platform is a “publisher” of that content in the relevant jurisdiction.

Working out when this is the case is likely to be difficult and complex, and may well vary from Member State. In some cases, this may well resurrect difficult questions that have been held in abeyance while the hosting defence had primacy.

Another problem for online platforms is that they are easy to contact and have deep pockets. Put differently, if a defamatory posting is made by user mystery_person_99@hotmail.com there may be significant jurisdictional advantages to bringing the claim against the social media provider (if possible), and a better chance of getting paid if the claim is successful.

What about GDPR claims following Russmedia?

This decision supplements the CJEU’s earlier decision in Russmedia (C‑492/23), discussed here. In that case the CJEU concluded that the hosting defence does not apply to liability under the GDPR and an online marketplace operator will generally be “joint controller” in relation to personal data appearing in advertisements alongside the person posting the advertisement.

In light of these findings, the CJEU decided that an online marketplace operator may need to review advertisements prior to publication and prevent unauthorised reproduction. It was not clear if these requirements apply to user generated content more generally, but the recent decisions are unwelcome mood music.

Conclusions

The decision to remove the hosting defence in all but the most limited situations, potentially opens the floodgates to all sorts of claims for user generated content. They may well acquire liability “in an indeterminate amount for an indeterminate time to an indeterminate class” for content they cannot realistically be expected to moderate or take responsibility for.

Whether the CJEU was sensible to open Pandora’s box by removing this cornerstone of internet regulation, and how online platforms will respond, remains to be seen.

The CJEU’s judgment in WebGroup Czech Republic and Coyote System (Joined Cases C-188/24 and C-190/24) is available here.