1

If somebody came up today with the idea of laying down in law a provision exempting online service providers such as Facebook, YouTube and Twitter from liability for the user content that they store and disseminate, the idea would likely not be well received. These online giants are subject to increasingly critical public and political scrutiny, both in the European Union (EU) and the United States (US). The controversy surrounding the decisions by Twitter and Facebook to suspend (then) US President Trump’s account for inciting violence in early 2021 [1] is only the latest example of a long-standing and broader debate about the responsibilities of such service providers. The criticism mostly turns around the perception that users, competitors and society at large are not sufficiently protected against the downsides of their ways of doing business and the power they exercise – not that the service providers themselves need protection. Yet, in both the EU and the US, there are rules in place that do precisely that: protecting the service providers concerned. For over two decades now, in both jurisdictions laws ensure that they are exempted from liability relating to the content that they store for their users, provided they do not have knowledge of the content’s illegality and act expeditiously to remove the content once they obtain such knowledge. In the EU, the rule applies to all kinds of illegal content and has been laid down in Article 14 of the e-Commerce Directive (ECD), adopted in 2000.  [2]The rule was inspired by a comparable rule of US law applicable specifically in relation to copyright-infringing user content, laid down in Section 512(c) of the 1998 Digital Millennium Copyright Act (DMCA). [3]

2

What is more, in its proposal for a new Digital Services Act [4] (DSA), tabled in December 2020, the European Commission (‘the Commission’) suggests leaving the aforementioned rule essentially unaltered. It stated that the current liability regime is “by now established as a foundation of the digital economy”. [5] As will be seen below, whilst the DSA proposal provides for a range of new measures, it largely reproduces Article 14 ECD. [6] That implies that the basic principle would remain that of knowledge-based liability. Indeed, it appears that the Commission never even seriously questioned the continued validity of the principle; an in-depth analysis of its pros and cons is not provided for. [7] In the US, the laws in question are under review, too. A study of Section 512 DMCA by the US Copyright Office was critical on several points, but recommended some fine-tuning rather than any wholesale change. [8] But it is the second cornerstone of US liability law applicable to online service providers – Section 230 of the Communication Decency Act (CDA), [9] adopted in 1996 – that tends to be criticised most broadly and strongly. [10] This law unconditionally exempts such providers from most forms of liability for user content. [11] That means that – unlike under Article 14 ECD and Section 512(c) DMCA – the liability exemption is available also where the providers had been notified and nonetheless decided not to act against illegal content. [12] For now, it is uncertain whether, when and how Section 230 CDA will be reformed. It may be widely criticised, but this is done on different grounds. [13] Still, a common suggestion is to align the law with Section 512(c) DMCA and thus to make knowledge-based liability the basic principle. [14]

3

It thus appears that the principle of knowledge-based liability for online service providers in respect of the content that they store for their users is – and in all likelihood will continue to be – a key component of the liability regimes of both the EU and the US. Already for this reason it is important to properly understand this approach and especially its main strengths and shortcomings. That holds true all the more so precisely because in both jurisdictions the relevant regimes are now under review and additional measures are being considered. Given that such possible additional measures are generally not meant to replace, but rather to come on top of the current rules, the former should be designed to build on the latter’s strengths and address their shortcomings. In other words, when new proposals are tabled it may be tempting to jump straight to the novel parts, such as the diligence obligations or reinforced enforcement powers set out in the DSA proposal. Yet in many respects those parts cannot properly function – and cannot be properly understood – without having regard to the foundation that the principle of knowledge-based liability provides. Developments in this field are often said to entail an evolution ‘from liability to responsibility’. [15] Noteworthy as that evolution may be, a more accurate description might be ‘liability and responsibility’. [16] The latter complements but does not replace the former.

4

That being so, this article aims to assess the continued relevance and identify the main strengths and shortcomings of the principle of knowledge-based liability as applied in the context of efforts aimed at tackling illegal content that online service providers store and often disseminate for their users. That also requires tracing the principle’s origins and identifying its rationale. In doing so, the article seeks to contribute to the understanding, and allowing for the assessment, of EU law developments in this regard – most notably, the transition from the system currently laid down in Article 14 ECD to the one to be contained in the DSA. While this article accordingly mainly focuses on EU law, an account is also taken of developments in the US. That is done for several reasons. First, the US is the country where the knowledge-based liability model, as codified in law and applied in this particular context, originates. Second, many large online service providers active in the EU originate and continue to be based in the US. Their behaviour is therefore shaped by the country’s legal set-up. [17] Third, in the US much experience has been gained in applying the model in practice, which offers valuable insights also for the EU’s efforts to update it legal framework.

5

The remainder of this article is structured as follows. First a brief overview is given of the EU’s legal framework, in particular the liability exemption for hosting service providers as currently laid down in Article 14 ECD (section 2). Next, the rationale of the knowledge-based liability model is explained (section 3). Attention then turns to the developments – both in practice and in law – that have taken place since the principle of knowledge-based liability was enshrined in EU law about two decades ago (sections 4 and 5). The following two sections focus on the shortcomings associated with this regime. A distinction is made between shortcomings relating to the aim of tackling illegal user content on the one hand and those relating to the protection of users on the other hand (sections 6 and 7). Lastly, against the background of the foregoing the relevant parts of the DSA proposal are assessed (section 8), before terminating with a brief conclusion (section 9).

6

As mentioned, in the EU, the principle of knowledge-based liability is currently enshrined in Article 14 ECD. In essence, the article states that providers of so-called ‘hosting’ services cannot be held liable for the content that they store for their users, unless they obtain knowledge of the illegality of the content and fail to act expeditiously by removing the content. [18] It is disputed precisely which sorts of services qualify as ‘hosting’ within the meaning of this provision. In itself, it is clear that the concept of ‘hosting’ refers to the storage by a service provider of content provided by and stored at the request of users of the service in question. [19] A broad range of services could therefore, in principle, qualify. The case law captures the activities undertaken by social media companies such as Facebook, by online marketplaces such as eBay and by video-sharing platforms such as YouTube. [20] Yet a broad range of other activities, such as those performed by cloud storage providers and consumer review sites, should normally be able to qualify as well. The concept is therefore considerably broader than traditional website hosting. [21]

7

The Court of Justice of the EU (‘Court of Justice’ or ‘Court’) has specified that, for the hosting activities to be covered by Article 14 ECD, the service providers concerned must not “play an active role of such as kind as to give them knowledge of, or control over” the user content in question. [22] This serves as a reminder that the liability exemption at issue here is not available where the content potentially giving rise to liability is the provider’s ‘own’ content. [23] Yet the Court’s criterion is broader. It also relates to content in respect of which the provider departed from the neutral position that it is expected to retain as an intermediary. [24] In the context of the activities of an online marketplace the Court has clarified that the service provider retains a neutral position where it “stores offers for sale on its server, sets the terms of its service, is remunerated for that service and provides general information to its customers”. By contrast, the service provider is considered not to have retained such a neutral position where it “provided assistance which entails, in particular, optimising the presentation of the offers for sale in question or promoting those offers”. [25]

8

A degree of uncertainty exists as to where the line should be drawn precisely, however. [26] That is so especially because many service providers do not merely store user content, but also conduct certain additional activities in relation thereto. For instance, organising the user content by indexing it, making it searchable or recommending it to other users. Arguably, many of such activities are needed to enable users to have meaningful access to the large quantities of user content that many service providers store. [27] Importantly, the aforementioned criterion articulated by the Court of Justice does not require absolute passivity [28] – it implies that the service provider can be active to some extent, provided its involvement is not such as to give it knowledge of or control over the user content concerned. The recent judgment by the Court of Justice in the YouTube case provided some further guidance in this respect, at least in situations involving allegedly copyright-infringing user content stored on video-sharing and file-sharing platforms. [29] The judgment implies that the mere fact that the service providers concerned conduct the aforementioned kinds of activities does not mean that they are, necessarily and a priori, excluded from the scope of Article 14 ECD for being ‘too active’. The Court appeared to assess the matter rather under the conditions on the providers acting expeditiously upon obtaining knowledge. At the same time, the judgment still leaves uncertainty. That is so especially in relation to the question identified therein whether the service providers contribute, ‘beyond merely making the platform available’, to giving the public access to the stored user content in breach of copyright. The main conclusion therefore appears to be that there are few bright-line rules. Rather, a case-by-case assessment is required to determine whether the provider’s role is a neutral one.

9

When it comes to the types of liability stemming from illegal user content covered by the liability exemption, the scope of the protection offered by Article 14 ECD is wide. Although the Court of Justice has to date not expressly confirmed this, it is generally believed that the term ‘liability’ refers to liability regardless of whether it is civil, administrative or criminal in nature. [30] The liability exemption is ‘horizontal’ also in another sense: it applies irrespective of the field of law at issue. Consequently, covered is possible liability under laws on, inter alia, intellectual property, defamation, privacy, anti-terrorism, child pornography and hate speech. [31]

10

It is important to underline that we are dealing here with an exemption from liability. The rules potentially establishing the liability of the service providers are in principle to be found in the laws of the Member States (and, occasionally, EU law). [32] Therefore, where a hosting service provider fails to meet the conditions of the liability exemption of Article 14 ECD – in particular, expeditiously removing the item of illegal content upon obtaining knowledge thereof – this does not necessarily mean it is liable for the user content in question. Rather, it means that the hosting service provider is not a priori shielded from such liability. One ‘type’ of liability is carved out from the liability exemption, however. National courts or administrative authorities can, in accordance with the applicable rules of national law, require a hosting service provider to “terminate or prevent an infringement”, irrespective of whether or not the conditions of the liability exemption are met. [33] In other words, injunctive relief is excluded from the scope of the liability exemption.

11

Under Article 14 ECD, the knowledge of the illegality of items of stored user content, which in turn triggers the expectation for hosting service providers to expeditiously remove such content (if they want to benefit from the liability exemption, that is), can be obtained in several manners. [34] The knowledge will frequently be obtained through the reception of a notice – that is, a message sent by a third party informing the service provider of the presence of allegedly illegal content on its service. As such, the liability exemption provides the basis for a system of ‘notice and takedown’, also known as ‘notice and action’. [35] The resulting notice-and-action system is and remains in many respects the “most popular internet enforcement mechanism”. [36] However, this does not mean that the service providers concerned cannot obtain knowledge of illegal user content on their services in other manners. That can occur, most notably, through investigations carried out on their own initiative. Large service providers, in particular, are increasingly proactive in scanning and moderating the content that they store for their users. [37]

12

Why is that providers of hosting services should be allowed to benefit from a conditional liability exemption of the type outlined above? Why not make them subject, for instance, to specific rules imposing strict liability for the content that they store and often disseminate for their users? These questions can be approached from two viewpoints: that of the hosting service providers themselves, and that of the other parties involved.

13

Starting with the former, there are two main elements that together argue against holding hosting service providers strictly liable. The first element is that, as was touched upon above, the content in question is by definition not their ‘own’. The service providers do not create or submit the content themselves and they normally do not have knowledge of or control over the content either, at least initially. It seems natural to apply stricter liability standards only to parties that know of or exercise control over certain illegal material or conduct – or that are at least reasonably capable of obtaining such knowledge or exercising such control. For example, as a general rule, producers are strictly liable for their products and employers are strictly liable for the acts of their employees. [38]

14

The second main element that argues against holding hosting service providers strictly liable for user content relates to the large quantities of such user content that they tend to intermediate. This point is probably best exemplified by the ruling by an US court in Netcom, the case that lay the groundwork for Section 512(c) DMCA’s notice and action mechanism, which in turn was a source of inspiration for the EU regime. [39] The case arose in 1995, in the early days of the popular internet. The court held that “billions of bits of data flow through the Internet and are necessarily stored on servers throughout the network” and that it is “practically impossible to screen out infringing bits from non-infringing bits”. [40] It therefore refused to hold the online services providers concerned primarily liable for the infringements in question, but did not rule out secondary liability. Likewise, the “staggering” amounts of user content at issue also played an important role in Zeran, the case that decisively shaped the broad manner in which Section 230 CDA’s liability exemption is construed in the US. [41] This does not appear to be fundamentally different when it comes to Article 14 ECD. [42] In fairness, the quantities of user content involved do not, in themselves, necessarily rule out the service providers having knowledge of or control over the content. It rather means that they would have to take quite far-going measures to obtain such knowledge or control. In this regard, a comparison can be drawn with distributors of third-party materials in the offline world, such as postal service providers or bookshops. These parties could theoretically be required to examine all such materials that they transmit or sell, with a view to screening out illegal materials. Yet it would be, as the US Supreme Court put it, “altogether unreasonable to demand so near an approach to omniscience” from these intermediaries. [43]

15

That leads us to the second perspective: that of the other parties involved. Apart from the service providers, there are two such other parties in a typical situation: the users of the services and the parties aggrieved by the illegal content stored. Starting with the users, the key point is that the service provider’s burden resulting from the imposition of strict liability may well become the public’s burden, to again echo the US Supreme Court. [44] The measures that the service providers may feel obliged to take in order to avoid being held strictly liable will have adverse consequences for the users, too. The consequences could be economic in nature, such as higher costs for the use of the services. They could also consist of invasion of the users’ privacy resulting from extensive and intrusive monitoring. What is more, the consequences could consist of reduced possibilities for users to express themselves and to receive information. That could occur for several reasons, including for example: because the measures taken by the service providers are inaccurate and block or remove user content wrongly thought to be illegal; because the service providers decide to no longer provide certain services in view of the liability risks; or because such measures deter users from uploading content in the first place. All this underlines the instrumental nature of the knowledge-based liability exemption. It serves not only to protect the service providers, but also – and arguably even primarily – the users.

16

In addition, one should take account of the interests of the aggrieved parties, such as the persons who hold the intellectual property right that is infringed or who are defamed by the user content. These parties would generally benefit from the imposition of strict liability, because that would strongly incentivise the service providers to take the aforementioned measures aimed at tackling the user content that infringes their rights. However, as noted, that approach would have significant downsides not only for the service providers, but also for their users. If, conversely, the service providers were to be broadly or even completely exempted from any form of liability, the aggrieved parties would likely encounter serious difficulties in enforcing their rights. This is one of the main reasons why the broad and unconditional liability exemption of Section 230 CDA is criticised. [45] True, aggrieved parties could then still have redress against the users who provided the content. However, this possibility may well be remote or even largely meaningless in practice, considering how difficult it tends to be to identify those users and hold them accountable. [46] Put differently, by excluding aggrieved parties’ redress against the service provider involved, one thwarts their possibilities to obtain effective redress. That would occur despite the fact that the service providers are typically in a good position to terminate the violation of the aggrieved parties’ rights and limit the negative consequences thereof. Indeed, their position as “single point of control” and their “superior ability to avoid harm” [47] is the main reason to involve them in efforts aimed at tackling illegal online content in the first place. [48]

17

The knowledge-based liability model thus aims to strike a middle-way. It avoids the negative consequences of stricter forms of liability that would impact not only the service providers themselves, but also their users. At the same time, it does not completely preclude the possibility for aggrieved parties to have recourse to the service provider concerned where their rights are at stake. Indeed, given that submitting a takedown notice typically requires relatively little effort and expense from aggrieved parties and may lead to swift results, [49] the principle normally provides these parties with a realistic prospect of redress.

18

There are obvious changes – especially in the online world – since laws such as the ECD in the EU and Sections 230 CDA and 512 DMCA in the US were adopted over two decades ago. That was a time when judges still felt the need to explain in judgments relating to online matters what the internet actually was. [50] Back then, internet users worldwide numbered in the tens of millions, not the billions of today. [51] It is true that some of the services involved already existed in embryonic form. Social networks can trace their origins to bulletin boards, for example. Nonetheless, such services are hardly comparable, both in terms of their key features and the manner in and extent to which they are used. Most of today’s well-known service providers such as YouTube, Facebook, Twitter, Instagram and TikTok did not yet exist at the time. Bandwidth has also grown exponentially. That has greatly facilitated the possibilities to transmit user content, both of the legal and the illegal kind. The introduction of smart phones means that many people are almost continuously online.

19

While highly significant in many ways, in and of themselves, those changes tell us little about the continued relevance and suitability of the legal framework sketched above, however. In order to establish that, the following three points should be considered in particular.

20

To begin with, the quantities of content that some hosting service providers store for their users are nowadays larger than ever before. To illustrate the point: reportedly YouTube’s over two billion monthly active users upload around 500 hours of video per minute and that Twitter’s 330 million monthly active users send around 500 million tweets a day. [52] In line with what was said above, these staggering numbers arguably reinforce the need for limiting the liability of the service providers to only user content that they know (or should know) to be illegal. However, there is also another noteworthy development: the typically increased ability of service providers to obtain knowledge of or control over the content that they store. The best-known example is probably YouTube’s Content ID tool, which automatically checks uploaded user content and allows for the blocking of content that matches with copyright-protected works. YouTube is by no means alone in using such tools. Many large hosting service providers do so, not only in respect of copyright-infringing content but also of content depicting nudity, self-harm, terrorist content and hate speech, among other things. [53] As already touched upon above, they also tend to be increasingly active in relation to the user content stored, especially by improving accessibility and moderating the content. In addition, they apply increasingly sophisticated means that allow them to specifically target advertising as well as gather and process large amounts of data relating to their users. In this light, the commercial internet has said to have developed into “the most surveilled zone of human activity in history”. [54] Although the proactive tackling of illegal user content certainly involves challenges, [55] the argument that services providers cannot reasonably be required to do more in this respect than ‘just’ reacting to notices (and, occasionally, injunctions) thus no longer seems entirely convincing.

21

What was said in the previous paragraph comes with an important qualifier, however, which is the second point to be noted. The foregoing may hold true for a comparatively limited number of large hosting services providers, which have very considerable technological, human and financial means at their disposal. However, it does not – or at least not to the same extent – hold true for many other, smaller hosting service providers. In the EU, there are estimated to be over 10,000 hosting service providers, 85% of which are either micro or small enterprises. [56] The rise of ‘mega-platforms’ such as Facebook and YouTube raises all kinds of concerns, including competition-related ones, which largely fall outside the scope of this article. [57] Nonetheless, it is a widely shared concern that imposing on hosting service providers increased obligations to tackle illegal user content would reinforce the position of the incumbents. [58] The latter generally have the means to take the necessary measures to meet such obligations, even if they involve considerable investments. YouTube’s Content ID tool, for instance, costs an estimated total of 100 million USD to develop and operate, [59] whilst Facebook employs tens of thousands human content moderators. [60] Their smaller competitors, including new entrants and start-ups, may not have the means to meet such obligations. The pockets of the ‘mega-platforms’ may also be deep enough for them not to be overly fearful of damages claims for any illegal content that their users may upload. For many others, however, the decision not to remove potentially illegal content can boil down to ‘betting the company’ [61] – something that they are understandably not very inclined to do. Therefore, whilst the knowledge-based liability exemption may not solely be about protecting hosting service providers, many of them still need the protection afforded to them. The protection is arguably needed now even more than before if smaller providers are to stand a chance to compete with the large incumbents.

22

As a third point, the generally large – and sometimes enormous – quantities of user content stored illustrate how broadly hosting services are used for all kinds of economic, social, recreational, cultural and political purposes. Whether you want to buy or sell a second-hand product, listen to music, stay in touch with friends, rent a holiday home or check out consumer reviews before booking a restaurant – all of these activities will in many cases involve the use of hosting service providers. It has been said that, fundamentally, “there is not a single online service or activity that does not involve the activity of one or more hosting service providers”. [62] The online sphere is also an important battlefield in any modern political campaign, just as the services at issue here are widely used for people to organise themselves for all kinds of other purposes, stay informed and exchange information. Many of these activities are of course perfectly legitimate and even socially beneficial. Yet, there is no denying that the services are also widely used for all kinds of illegal purposes. This is not new; the liability exemptions of the ECD and its US counterparts were drafted in part with the aim of combatting illegal activities conducted online. [63] Nonetheless, difficult as this may be to quantify, it seems safe to say that the scale of the problem has increased. In relation to child sexual abuse material it has been observed, for instance, that “[t]echnology has generated a paradigm shift in both the victims’ online exposure and the offenders’ ability to share [such material] securely and interact anonymously with children and other offenders online”. [64] The head of the EU Fundamental Rights Agency has called online hate speech “a plague of our times”, adding that “things are getting worse”. [65] A US judge observed that “[r]ecent news reports suggest that many social media sites have been slow to remove the plethora of terrorist and extremist accounts populating their platforms, and that such efforts, when they occur, are often underinclusive”. [66]

23

In conclusion, whilst not unidirectional, the developments outlined above confirm and broadly reinforce the need for a ‘middle way’ approach like the one embodied in the knowledge-based liability model. In essence, that is because for all parties involved – and, by extension, for society as a whole – the stakes have increased. That goes for persons negatively affected by, for example, copyright infringement, defamation or privacy violations occurring online, in view of the broad reach of many of services in question and the internet’s inability to ‘forget’. [67] At the same time, the stakes for users who may be wrongly targeted by, or who may otherwise suffer adverse consequences of, service providers’ measures to tackle illegal online content appear to have increased as well. For instance, having your account or the entire service provision suspended can significantly limit your ability to express yourself, obtain information or engage in social interactions and legitimate commercial activities online. Furthermore, if even some of your most intimate and sensitive communications take place online, it becomes all the more important that they remain private. As to the service providers themselves, whilst the relatively few large ones could reasonably be made subject to further-going requirements, it appears that for many others the current liability exemptions are as important today as they were two decades ago.

24

The continued and reinforced need for a ‘middle way’ approach in relation to the liability of online service providers for the user content that they store and often disseminate comes to the fore even more when another evolution, which is not factual but legal in nature, is taken into account. Namely, the rise of the fundamental rights dichotomy in the EU legal order. To be sure, fundamental rights-related concerns emerging in the present context are not new, either. The ECD highlights in its recitals the importance of the fundamental right to freedom of expression, for instance. [68] Yet it seems clear that, especially in the EU, the issue at stake is increasingly framed in terms of fundamental rights. A few examples include: rightsholders confronted with online copyright infringement are not merely suffering economic damage, but may have their fundamental right to protection of intellectual property violated; [69] persons affected by online defamation may act to protect not only their reputation, but also their fundamental right to a private and family life; [70] the dissemination of child sexual abuse material is not only problematic in and of itself, but can involve violations of several fundamental rights, notably the prohibition of inhumane and degrading treatment, the right to respect for private and family life, and the rights of the child; [71] requirements imposed on online service providers to tackle illegal user content are not merely burdensome, but can call into question their fundamental right to freedom to conduct a business; [72] and filtering and blocking measures taken by service providers can be not only annoying for their users, but may negatively affect their fundamental rights to privacy, protection of personal data and freedom of information. [73]

25

All this reflects in part the increased use and importance of the services in question, described earlier. However, it also reflects the fact that EU fundamental rights law itself has evolved significantly over the past two decades. To start, it was not until 2009 that the Charter of Fundamental Rights of the EU (‘the Charter’) became legally binding. [74] Although fundamental rights were already protected beforehand (as general principles of EU law), this development has undoubtedly increased the visibility and importance of fundamental rights protection in the EU. This results not only from their codification as such, but also from the fact that the Charter expressly recognises several relatively novel rights, such as protection of personal data, the freedom to conduct a business, protection of intellectual property and the rights of the child. [75] As indicated in the previous paragraph, these rights may well be at issue in cases arising in the present context.

26

Furthermore, the requirement to strike a ‘fair balance’ in situations where several conflicting fundamental rights are at stake is by now well established under the case law of the Court of Justice. As such, it constitutes a cornerstone of the EU fundamental rights regime. Yet the requirement was only first clearly articulated in 2008. [76] That is well after the adoption of the ECD. Tellingly, the ECD frames the issue in terms of balancing the conflicting interests. [77] It appears that, at the time, the EU legislator primarily had economic interests in mind, such as ensuring the affordability of access to online services and stimulating the development of electronic commerce. [78] Under said case law, these interests have since been ‘upgraded’ to conflicting fundamental rights that are to be balanced.

27

To this should be added the emerging – and still very much developing – case law of the Court of Justice on three other fundamental rights doctrines. [79] First, a main driver behind the developments in the US in this area is the risk that imposing liability for user content that online service providers intermediate may have a ‘chilling effect’ on freedom of expression. [80] This term refers to the indirect negative effect that such liability may have on the dissemination and reception of legitimate expressions online. [81] Without having expressly used the term thus far, the Court has acknowledged that such a chilling effect must be avoided also as a matter of EU fundamental rights law. [82] This reinforces the argument against imposing overly strict forms of liability on hosting service providers.

28

In addition, there is the doctrine on the ‘horizontal direct effect’ of the Charter. [83] This refers to the obligations on private parties to respect the rights enshrined in the Charter in their relationship with other private parties. To date, the Court of Justice has recognised such a horizontal direct effect only in respect to some of those rights, [84] whilst it is for now uncertain what this entails concretely. [85] Those rights include, however, the prohibition of discrimination and the right to an effective remedy [86] – fundamental rights that may well be of relevance in the present context. The Court has also indicated that providers of certain online services themselves (as imposed to the public authorities concerned) are under certain circumstances to ensure the aforementioned fair balance between conflicting fundamental rights. [87] It is not inconceivable, therefore, that hosting service providers have certain obligations directly under EU fundamental rights law. Possible obligations could include being particularly attentive when it comes to racist and xenophobic expressions or ensuring that aggrieved parties can effectively address stored illegal content. Rather than making secondary law redundant, this development may well create uncertainty that is best addressed through adopting acts of secondary EU law that give concrete expression to any such obligations.

29

Lastly, the Court of Justice has acknowledged even more recently the existence of ‘positive obligations’ resulting from the Charter. [88] That means that relevant public authorities should not only ensure that they do not violate fundamental rights, but also take active steps to safeguard those rights. Again, this probably does not hold true for all Charter rights and it remains to be seen what this means in operational terms. [89] The implications for the present purposes could nonetheless be considerable. For instance, it has long been argued that to adequately protect the rights of all parties involved, the EU legislator should lay down binding rules on notice-and-action procedures. [90] Such arguments are (even) more convincing now that they can potentially rely on this recent line of case law. The case law of the European Court of Human Rights [91] suggests that one could, depending on the circumstances, also think of positive obligations to establish a legal framework through which: anonymous perpetrators can be identified and prosecuted; [92] infringements of intellectual property rights do not go unsanctioned; [93] and safeguards against abuse are provided for and access to a remedy before a court is ensured. [94]

30

In summary, the fundamental rights landscape has evolved quite drastically. The above jurisprudential developments are not specific to matters relating to the liability of hosting service providers. Nonetheless, they have important implications for the present purposes, especially since the issues emerging in this context so often involve the exercise of (conflicting) fundamental rights. More specifically, the increased emphasis on fundamental rights suggests that the EU legislator’s discretion may be limited in several respects. [95] For one thing, its discretion not to regulate relevant issues in any detail may have been reduced. [96] For another thing, especially in view of the requirement of fair balance, its discretion to opt for stricter forms of liability than knowledge-based liability might be limited too. That holds even more true when the case law of the European Court of Human Rights is taken into account. That case law suggests that a ‘rigid’, strict liability approach might not be feasible from a fundamental rights viewpoint, since it “effectively precludes the balancing between the competing rights”. [97] In contrast, a knowledge-based (and, more specifically, a notice-based) liability model can “function in many cases as an appropriate tool for balancing the rights and interests of all those involved”, [98] although the imposition of stricter requirements can be acceptable in certain cases. [99] It thus appears that the ‘middle way’ approach embodied in the knowledge-based liability model is generally well suited to achieve the fair balance that EU fundamental rights law requires. [100]

31

None of the aforementioned arguments should be taken to mean that the knowledge-based liability model does not having certain shortcomings. The shortcomings fall into two broad categories. The first one relates to the objective of effectively tackling illegal user content. It has already been seen that this objective continues to be highly relevant, considering the broad use made of the services in question to store and spread illegal content of all kinds.

32

The current EU system of knowledge-based liability leaves room for improvement in this regard because, first of all, it is ultimately voluntary. Any hosting service provider is free, legally speaking, to ignore a notice received, no matter how manifest the notified illegality and how precise and well-substantiated the notice may be. To be sure, national notice-and-action schemes may impose certain procedural requirements and most service providers will generally not ignore such notices because it would deny them the benefit of the liability exemption of Article 14 ECD. However, rogue operators – which do not even feel the need to give the appearance of being bona fide economic actors – may have little incentive to act upon such notices, especially if they are established outside the EU. In fact, the ECD, and therefore also its Article 14, only applies to online service providers established in the EU. [101] Providers based in third countries therefore cannot benefit from the liability exemption, no matter how expeditiously they act upon the notices that they may receive. The fact that such providers are established outside the EU can also make it difficult in practice to apply and enforce national liability rules. Thus, the paradoxical effect is that under the current system hosting service providers that facilitate the most damaging and blatantly illegal conduct of their users may be the least incentivised to act against such conduct. [102]

33

Second, the EU system, like any system that mostly relies on notices for service providers to obtain knowledge of and act against illegal content, is inherently dependent on notifying parties. The system will therefore only function well if there are parties that are willing and able to first detect and then notify (alleged) illegal content to the hosting service providers that store it (and take judicial action if need be). For most content causing ‘private’ harm that will generally not be an insurmountable problem. The monetary, reputational or emotional harm inflicted by intellectual property right infringements, defamation or invasions of privacy, as examples, means that the persons concerned generally have every interest in actively trying to have the content taken down. That is often different, however, for content causing ‘public’ harm – that is, illegal content that primarily affects certain groups or society as a whole, rather than specific individuals. Think of terrorist content, child sexual abuse material or certain forms of racist or xenophobic speech. Of course, under the EU system any user remains free to notify such content when he or she encounters it, and some users certainly do so. However, ordinary users will generally not make an elaborate effort to this effect and their notifications are not always very helpful. [103] Other parties have stepped in to try to close the resulting ‘enforcement gap’. Think, for instance, of non-governmental organisations dedicated to tackling child sexual abuse material by notifying it to service providers. However, whilst the activities of such organisations are undoubtedly important, their means are often limited and not evenly distributed. [104] Europol and certain national law enforcement authorities essentially do the same thing in relation to terrorist content online. However, such activities are not uncontested and may not be sufficient. [105] All this means that some of the worst and most harmful types of illegal user content may not be tackled in a sufficiently effective manner.

34

Third, the type of redress available in the context of the notice-and-action system for which the knowledge-based liability exemption provides the basis is limited to the removal of (or the disabling of access to) illegal user content. Removal is obviously helpful in addressing the immediate problem. However, in practice, the content in question may already have been spread further, or the same or other users may simply re-upload the removed content. [106] That naturally reduces the practical effectiveness of the removal. As the ECD stands, hosting service providers are not legally incentivised – let alone obliged – to try to prevent such further spreading or re-uploading of illegal content from happening. In other words, there is no ‘notice-and-staydown’ mechanism. More generally, the system established by the ECD does not encourage or oblige hosting service providers to make any structured effort to address the problem of illegal content provided by their users. [107] At EU level no provision has been made either for measures aiming to hold users who provide illegal content accountable, such as rules requiring hosting service providers to provide, upon justified requests, information about those users, or to bar those users from using their services. [108] The current EU system is, one could say, purely focused on combatting the symptoms (illegal content) rather than addressing those at the root of the problem (users providing illegal content).

35

In many ways, the shortcomings outlined above are related to the knowledge-based liability system’s origin and nature. As pointed out earlier, the EU system was inspired by the US system laid down in Section 512(c) DMCA. The First Amendment to the US Constitution leaves the US legislature relatively little scope to regulate speech-related matters. This is one of the reasons why when enacting the DMCA, the US legislature decided to encourage but not legally require the tackling of illegal content, by offering the services providers concerned that meet certain conditions a ‘safe harbour’ (namely, the liability exemption). [109] From a European viewpoint, this is a somewhat unusual legislative technique. Normally, the EU legislator lays down certain legal requirements which are then enforced principally under the administrative (or criminal) law of the Member States. [110] In addition, as also noted earlier, the DMCA is focused solely on copyright-infringing content. Copyright is principally an ‘individual’ right. It is, moreover, a right that can represent a considerable monetary value. That means that a ‘supply’ of notifying parties (and, by extension, parties that may bring actions for injunctions or damages if their notices are not acted upon) is virtually ensured. As has been seen, that cannot be taken for granted in relation to other types of illegal content that the EU system – unlike the DMCA – also covers, especially not where it concerns illegal content causing ‘public’ harm.

36

More fundamentally, the notice-and-action model is meant as a sort of ‘first aid’: [111] a quick, inexpensive and uncomplicated (as compared to judicial proceedings) way of getting rid of illegal user content. [112] In many respects the model achieves that objective fairly well. As noted earlier, submitting a notice is generally easy and inexpensive, and it can lead to swift removal. However, precisely because of the emphasis on informality, affordability and speed – and most of all the absence of a truly objective and impartial arbiter – the type of redress available is limited. That holds true especially for the current EU system, which is purely focused on removal. The DMCA, in contrast, provides for complementary requirements, including for the service providers concerned to disclose information on users allegedly involved in unlawful activities upon request and to operate a repeat infringer policy. [113] Experience in the US shows that the imposition of such requirements in the context of a system of simplified and ‘privatised’ enforcement tend to raise complex questions, both of principle and practical implementation. [114] This is unlikely to be different in the EU. Think of challenges in terms of ensuring compliance with the requirements resulting from the Charter and from secondary EU law, such as the General Data Protection Regulation [115] (GDPR) and the prohibition of general monitoring or active fact-finding obligations of the ECD. [116] While important to ensure that illegal content is effectively tackled, it is doubtful whether other remedies should be provided for systems such as the ones at issue here. Arguably, such complex questions cannot be properly dealt with by means of ‘first aid’, but rather call for the involvement of a specialist – that is, a court or an independent administrative authority.

37

The second category of shortcomings of the EU’s current knowledge-based liability system consists of the risks it creates for the rights and interests of the users of hosting services. The risks referred to here relate not to the dissemination of illegal content, but rather to the measures that hosting service providers may take to tackle such content. The ‘bias towards takedown’ [117] that is inherent in any system of this kind is of particular importance in this regard. The bias results from the unequal incentives for service providers when they have to decide whether or not to remove user content when its legality has been called into question. As touched upon earlier, the decision not to remove such content can have serious legal consequences. Most notably, it may lead to damages claims, but potentially also liability under criminal law. The decision to remove the content in question, by contrast, tends to have only limited consequences for hosting service providers. The legal risks relating to such a decision are generally limited. That is because the monetary value at stake will often be modest. The users concerned are therefore unlikely to sue and, even if they do, they might struggle to prove that they suffered serious and quantifiable damage. In addition, hosting service providers tend to contractually limit or exclude their liability towards their users for these kinds of decisions. [118]

38

It is true that non-legal considerations should also be taken into account. Removal decisions that are unjustified (or perceived as unjustified) can result in angry users and negative publicity, for example. The latter seems an especially relevant consideration for many hosting service providers. This could make them hesitant to remove user content. Nonetheless, such considerations are counter-balanced by certain other non-legal factors. Think of the ‘stickiness’ of many of the services in question (resulting from the effort involved in migrating to another service), the network effects benefitting many of the service providers and the lack of transparency as to their content removal policies and decisions. The chances of users leaving on a significant scale over contested content removal decisions may therefore be rather limited. In view of the often large quantities of user content stored, the attractiveness and profitability of hosting services is generally unlikely to suffer too much from the removal of a few – or even quite a few – individual items of allegedly illegal user content. [119]

39

Furthermore, other than in cases of manifest illegality, hosting service providers may well struggle when seeking to determine the legality of specific items of user content that they store. To be able to do so, one generally needs to know the relevant factual context. For example, whether a certain allegation is true (in cases of possible defamation), or whether certain material is disseminated with the consent of the persons involved (in cases of possible violations of privacy or intellectual property rights). This can be hard for the providers to determine. Moreover, the legal assessment is often not straightforward either. For example, it can be challenging to determine whether a given item of user content not just reports on certain terrorist activities but glorifies them, or whether a statement is not just offensive or ironic but instead constitutes a prohibited racial slur. Extra complexity is added by the fact that the laws of the Member States still tend to differ considerably despite being harmonised in some fields and to some extent. [120] Even determining which law applies in the first place may not be straightforward in the online sphere. Working all this out tends to be complex and (therefore) costly for service providers. It is often not only legally safer, but also easier and cheaper for them simply to remove user content that could, potentially, be illegal.

40

Thus, hosting service providers may well decide to remove the user content in question, especially in ‘grey area’ cases – of which there are many in practice. That means that it is unavoidable that user content that is not actually illegal is removed as well. This naturally has a negative effect on users’ possibilities to lawfully express themselves and gather information online. In this connection, it should be recalled that a system relying on the submission of notices offers aggrieved parties a low-threshold manner to enforce their rights. The threshold is so low, in fact, that risks of mistakes and abuse exist. While hard to assess and quantify (largely due to the lack of transparency), research conducted in the US indicates that these risks are real and should be taken seriously. [121] Some unjustified removals result from honest mistakes, which may be hard to avoid. Yet, it appears that grossly erroneous or outright abusive notices, for instance to supress criticism or disadvantage competitors, are not uncommon.

41

There are of course certain relevant differences between the legal systems in the EU and the US. For example, unlike in the US, punitive or statutory damages are not commonly provided for in the EU. That means that the financial risks associated with a provider’s decision not to remove user content – in view of the risk of damages claims – may be more limited. On the other hand, in the EU it is in principle possible for anyone to submit a notice that might lead to knowledge on the side of the hosting service provider. [122] In the US, this possibility is reserved for what will generally be more or less professionally operating actors (namely, copyright holders), who are legally required to state their good faith belief that the use of the content in question is not authorised. [123] Furthermore, the fact that, unlike in the US, there are at present no binding EU rules on notice and action enlarges the uncertainty and thus the ‘grey area’ referred to above, in which service providers may well remove allegedly-yet-not-manifestly illegal content just to be on the safe side. As importantly, the absence of EU rules on notice and action means that the availability of the principal safeguard of the US system to protect users’ rights and interests – the so-called counter-notice procedure [124] – is not legally guaranteed. Such counter-notice procedures allow affected users to contest the claims of infringement made in relation to the content that they provided. It is true that the US counter-notice procedure is little used in practice. [125] That is likely due in part to the design of the procedure. [126] In any event, this fact does not alter the principal point that it is important to afford users a realistic opportunity to defend their interests if not before, then at least immediately after the removal of their content.

42

In addition, it has increasingly become clear over the past years that risks to the rights and interests of users also result from the content moderation measures that hosting service providers take to tackle content that may not be illegal, but that is against their terms of service. Providers’ terms and conditions are often stricter than the law. [127] They may preclude, for instance, the provision of content containing nudity, offensive expressions or controversial political views. The decisions by Facebook and Twitter to suspend (then) President Trump’s account, referred to earlier, illustrate both how powerful some of these providers are and how controversial their decisions can be. [128] In principle, providers are free to set and enforce such contractual rules, even in respect of content that may be perfectly legal, as an exercise of their freedom of contract that is part of the freedom to conduct a business. [129] Nonetheless, this development implies that the challenge is not only to ensure that ‘what is illegal offline is also illegal online’, as the adage has long been. [130] The challenge is also, and increasingly, to ensure that, conversely, what is not illegal offline is not ‘illegal’ (contractually prohibited) online either. Not, at least, where the contractual prohibitions unduly restrict users’ freedom of expression and information or where the manners in which those prohibitions are enforced are arbitrary, excessive or not transparent.

56

In 1996 – that is, a few years before tabling the proposal for the ECD – the Commission stated that it sought to assist “host[ing] service providers, whose primary business is to provide a service to customers, to steer a path between accusations of censorship and exposure to liability”. [204] A lot may have changed in the 25 years that followed, but the essence of the challenge remains unaltered. It is evident from the DSA proposal that the Commission considers that this path should continue to be founded on the knowledge-based liability model. This article has shown that that decision is understandable and perhaps even unavoidable. This finding constitutes, however, no more than a starting point for discussions on that proposal. Indeed, whilst the foundations of the proposed approach may be sound, room remains for diverging views on a range of matters relating to the liability of hosting service providers for stored user content. Especially if recent experiences are any guide, one can expect interesting and perhaps intense debates as to whether or not the measures that the Commission has put forward to refine and complement the existing model succeed in the ambition to steer a path for the next 25 years.

* Folkert Wilman, Member of the Legal Service of the European Commission.

The views expressed in this article are personal and cannot be attributed to the author’s employer. The article is in part based on research carried out for the author’s recent book: F Wilman, The responsibility of online intermediaries for illegal user content in the EU and the US (Edward Elgar 2020). All online sources cited were last visited on 13 June 2020. The author thanks Irene Roche Laguna and Miquel Peguera Poch for their comments on earlier drafts of the article