On 23 April 2022, the European Commission and the Council announced a political agreement on the Digital Services Act (DSA). At the time of writing this editorial, the final text has not yet been made available. Whatever its final language ends up being, the DSA will establish a remarkable set of duties of care and transparency obligations for internet intermediaries, heavily shaping, in particular, the way in which online platforms conduct their activities and how users may interact with them and with other parties. This major overhaul is, however, deliberately incomplete as it keeps unaffected a long list of obligations already established in other norms, ranging from Directive 2019/790 on Copyright in the Digital Single Market, to the amended Directive 2010/13 on Audiovisual Media Services, or to Regulation 2021/784 on the dissemination of terrorist content online, to name just a few. Internet intermediaries will face potentially huge fines if they fail to comply with the new legal framework.

While the DSA does introduce a whole new legal regime, a cornerstone of this legal framework continues to be the long-established system of liability exemptions or safe harbours for intermediaries laid down in Directive 2000/31 (E-Commerce Directive, ECD) more than 20 years ago. Under those rules, providers of intermediary services of mere conduit, caching and hosting are exempted from any liability for the third-party content they transmit or store, provided that they fulfil certain conditions, which are specific for each type of service. The technological, business and social landscape has dramatically changed since the 1990s, when these exemptions were originally devised. Nonetheless, the core tenets of that system are deemed to be still valid today – with just a few adjustments and clarifications. Chief among those adjustments is the need to ensure a uniform application throughout the Union. To that end, the provisions laying down the liability exemptions (Arts. 12, 13 and 14 ECD), along with the prohibition of general monitoring obligations (Art. 15 ECD), are now deleted from the ECD and enshrined in the DSA instead. Being a regulation, the direct applicability of the DSA is expected to help overcome the divergences between national transpositions of the ECD.

In addition to importing the liability exemptions – mostly verbatim, but with a few relevant tweaks – the DSA introduces a sort of a “Good Samaritan” provision to it make clear that intermediaries are allowed to carry out good faith voluntary investigations or other activities aimed at detecting and removing illegal content without risking being ineligible for the exemptions solely because of that. At the same time, especially through recitals, the DSA seeks to address some of the uncertainties and difficulties the application of this regime has raised so far.

A crucial point in this regard is the prerequisite of neutrality that, under the case law of the Court of Justice of the European Union (CJEU), service providers must meet to come within the scope of the exemptions, including the hosting exemption. In this regard, the Court already held in Google France (C-236/08 to C-238/08, EU:C:2010:159) that a hosting provider must play a neutral role, meaning that “its conduct is merely technical, automatic and passive, pointing to a lack of knowledge or control of the data which it stores” (para. 114). For this holding, the Court relied particularly on recital 42 of the ECD, which states that the exemptions will cover only activities which are “of a mere technical, automatic and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information which is transmitted or stored.” However, as rightly pointed out by Advocate General Jääskinen in his opinion in L’Oréal/eBay (C-324/09, EU:C:2010:757), and convincingly shown many times in the literature, that particular recital was not meant to deal with the exemption for hosting, but only with those for mere conduit and caching, covered in Arts. 12 and 13 ECD. Shortly thereafter, the CJEU in its L’Oréal/eBay judgment (EU:C:2011:474) confirmed the prerequisite of neutrality, although avoiding any reference to the recital. Noting that the hosting exemption must be interpreted in light of its context and the objectives of the Directive, which entail that the provider must be an actual intermediary, the Court held that this is not the case where “the service provider, instead of confining itself to providing that service neutrally by a merely technical and automatic processing of the data provided by its customers, plays an active role of such a kind as to give it knowledge of, or control over, those data” (para. 113). It further held that if eBay – the platform at stake in that case – provides assistance which entails, in particular, optimising the presentation of specific offers for sale or promoting them, it would be playing an active role, and could not benefit from the exemption with regard to those offers (para. 116). In subsequent rulings, the Court confirmed those holdings, explicitly relying again on recital 42 ECD. This is also the case in the more recent judgment in YouTube and Cyando (C-682/18 and C-683/18, EU:C:2021:503), where the CJEU added that, nonetheless, the implementation by the provider of technological measures to detect infringing content does not mean that it plays an active role giving it knowledge of and control over the content – anticipating in this way the “Good Samaritan” provision the DSA would eventually adopt.

The issue of a platform’s neutrality is not an easy one, and its importance cannot be overlooked, as neutrality is established as a prerequisite for the exemptions to come into play – that is, even before considering whether the specific conditions for the relevant exemption are met. The line between a mere intermediary and an actual content provider for which a liability exemption would be unwarranted is difficult to draw, especially in view of the variety of services involving the storage of users’ content. The distinction has been sometimes framed in terms of being either passive or active – merely providing a tool or rather becoming too involved with the creation or promotion of the content.

It is for the CJEU, and ultimately for national courts, to come up with practical tests to draw the line. However, a test consisting of whether the activity gives the provider knowledge of or control over the hosted information seems ill-suited to that effect. This is so because a hosting provider generally does have the means to acquire knowledge concerning the information it hosts, and also – at minimum – some basic form of control over it, as it provides the storage and has the means to remove or block the information. In fact, as noted, such a test was not devised in the ECD as a threshold condition for the applicability of the hosting exemption, and it arguably introduces more confusion than clarity. Furthermore, it is contradictory with the admission that the provider may take proactive voluntary actions of investigation, moderation and removal of information and still come within the scope of the exemptions, as the CJEU held in YouTube and Cyando and as the DSA provides for with its “Good Samaritan” rule. It is also inconsistent with the moderation duties increasingly imposed on hosting providers, either by means of legislation or co-regulation. Moreover, it is particularly at odds with the fact that under the hosting exemption a provider is only supposed to lose protection when it obtains knowledge regarding the illicit nature of a specific piece of information and fails to expeditiously remove or block access to it. All in all, that threshold test of knowledge/control seems liable to increase legal uncertainty regarding the liability exemption for hosting service providers.

Unfortunately, the DSA has chosen to codify such a test in a recital (proposed recital 18) – clearly intending to cover hosting as well, unlike the ECD – by adopting the very holding from L’Oréal/eBay already quoted above, hence denying the applicability of all the exemptions where the provider that plays “an active role of such a kind as to give it knowledge of, or control over”, the information. To be sure, recitals are not binding, but the CJEU’s case law shows they may be crucial for a ruling’s outcome as they reflect the context and the objectives of a Directive or a Regulation.

The hosting exemption, both in Art. 14 ECD and in its implementation in the DSA, already excludes from its scope situations where the provider does not act as an intermediary, by establishing that the exemption will not apply where the recipient of the service – the user who uploads the content – “is acting under the authority or the control of the provider”. That is a sensible rule to exclude situations where the hosting provider is in fact playing the role of a content provider, as the information provided by someone acting under the authority or control of the provider can hardly be seen as truly third-party content. Other tests put forward by the CJEU regarding the provider’s involvement in the creation, optimization or promotion of the information may also be useful to determine whether it plays the role of a content provider regarding that information. To be sure, the same recital of the DSA that establishes the knowledge/control criterion suggests, as an example of playing an active role, the case where the information has been developed under the editorial responsibility of the provider. However, the recital’s general criterion goes beyond that exemplary case and thus the problem remains.

All the above is said without prejudice to checking out the language which is eventually enacted, but if the uneasy knowledge/control test in determining a lack of neutrality is maintained, the DSA would have arguably lost an opportunity to shed some much-needed light and legal certainty on this issue.