E-commerce rules
In case C-188/24, the Court examined French rules requiring publishers of pornographic websites to implement age verification systems to prevent minors from accessing such content. In C-190/24, the Court addressed rules permitting authorities to prohibit operators of electronic driving assistance and geolocation navigation services from rebroadcasting user-reported information about certain roadside checks (such as speed or sobriety controls).
Online platforms
In the first case, the CJEU found that these rules may be justified to protect minors, if they are proportionate and procedural safeguards are respected. In the second case, the Court found that targeted prohibitions (by France) on specific services can be compatible with EU law, especially where they are limited in scope and duration, and they do not impose a general monitoring obligation.
Obligations for service providers
It follows from both cases that EU member states cannot impose general and abstract obligations on providers of online platforms, also weighing in the right to access information. However, targeted, service-specific measures, may be allowed under circumstances, provided they meet strict conditions under the E-Commerce directive (necessity, proportionality, and procedural compliance).
Platform liability and “algorithmic control”
The most significant aspect of the judgment, and the one most likely to have a significant impact on the platform economy, is the Court's clarification of the hosting safe harbour under article 14 of the E-Commerce directive.
Under Article 14 of the Directive, a service provider is exempt from liability for information stored at the request of a user on its platform if: (a) it does not have actual knowledge of illegal activity or information and, in the case of damages claims, is not aware of facts or circumstances from which such illegality is apparent; or (b) upon obtaining such knowledge or awareness, it acts expeditiously to remove the information or disable access to it. Under art. 15, there is no general obligation on providers to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity.
These exemptions apply only where the activity of the service provider is limited to the technical process of operating and giving access to a communication network – and that activity must be of a "mere technical, automatic and passive nature" – implying that the provider has neither knowledge of nor control over the information which is transmitted or stored.
CJEU’s judgment on the use of algorithms
In earlier judgments, the concept of "mere technical, automatic and passive nature" was interpreted with some flexibility. However, the Court now rules that a service provider may lose safe harbour protection where it exercises “control” over content, for example through algorithms. This may be the case:
- if the operator of a service exercises control over stored in formation where, through an algorithm, it determines the conditions under which that information is disseminated;
- if the algorithm goes beyond mere technical categorization or indexing and instead determines whether, how, and in what order information is promoted, modified or deleted, in which case the provider may not be regarded as merely passive.
Thus, according to the Court, where “by means of an algorithm, the operator of an information society service consisting, inter alia, in the storage of information provided by a recipient of the service determines, in its own interest or that of its service, under what conditions, how and in which order of priority that information is or is not broadcast as part of that service, it exercises control over that information”.
In such situations, in which the conduct is not merely technical, automatic and passive, the service does not qualify as a “hosting” service within the meaning of art. 14, because the provider is no longer neutral, and may not be exempt from liability.
Digital Services Act (DSA)
As a result of this judgment, “algorithmic control” may disqualify platforms from safe harbour protection. This is also relevant under the Digital Services Act (DSA). Art. 6 provides that hosting providers are not liable for information stored at the request of a recipient of the service, provided that they do not have actual knowledge of illegal activity or content, unless the recipient acts under the authority “or control” of the provider. In the meantime, after the aforementioned cases were started, art. 6 of the DSA has replaced art. 14 of the E-Commerce directive in (nearly) identical wording.
Conclusion
This judgment is particularly relevant in the era of algorithm-driven platforms, reinforcing a functional approach to service provider liability. Such a provider is considered to exercise “control” over stored information where it uses an algorithm to determine the conditions under which that information is made available to users.
If such service providers, which may also include (publishers of) e-commerce platforms, exercise control over information through the use of algorithms, they may no longer be classified (merely) as providers. They may therefore be held liable for information stored or provided.
In examining whether such liability exists, courts must determine the effects of the algorithms used, for instance if and whether content is shown, how it is presented, the order in which it appears or how information is displayed. It is up to the courts to decide if and to what extent such liability may be assumed. Platforms that rely on art. 6 DSA should therefore at least assess whether their recommender, ranking and moderation systems using algorithms remain within a neutral hosting role or not.
