On 7 June 2022, a new EU-wide regime to ensure the swift take-down of online terrorist content within one hour – on pain of civil fine – entered into force. This insight discusses what EU Regulation 2021/784 (Regulation) means for hosting service providers (HSPs) in the EU and Ireland, a category that includes many technology companies, social media platforms and other clients in the Technology sector, and the actions HSPs should take to be ready to respond to an order to remove terrorist content issued by a competent authority.
What is terrorist content?
Terrorist content includes material that solicits someone to commit or to contribute to terrorist offences or to participate in activities of a terrorist group, incites or advocates terrorist offences, or provides instruction on how to conduct attacks. The definition is wide and includes any text, images, sound recordings and videos, as well as live transmissions of terrorist offences that cause a danger of further such offences being committed. Recent terrorist attacks both in the EU and overseas illustrate how terrorists use online content to recruit fanatics, radicalise individuals and encourage ‘lone wolves’ to engage in similarly devastating terrorist activity.
What online players are caught by the Regulation?
The Regulation will apply to online HSPs. Many businesses may fall within the scope of the HSP definition if they store and publicly disseminate information and material provided by a user on request, irrespective of whether the storing or dissemination is of a mere technical, automatic and passive nature. For instance, social media platforms, video streaming services and video, image and audio sharing platforms all fall within the definition of an HSP. Notably, terrorists have used not only large social media platforms, but smaller providers offering other types of hosting services, to publish terrorist content and highlight terrorist activities.
The Regulation applies to HSPs offering services in the EU irrespective of the HSP’s place of main establishment. HSPs will be deemed to offer services in the EU if the HSP enables persons in one or more Member States to use the services of a HSP which has a substantial connection to that Member State(s). A HSP will have a substantial connection to a Member State if it is established there, or if it has a factual connection such as a significant number of users in that Member State.
What do HSPs need to do to comply with their new obligations?
The Regulation imposes obligations on HSPs to construct and manage internal and external channels of communication to ensure compliance with the Regulation.
A removal order requires HSPs to remove terrorist content or to disable access to terrorist content in all Member States. A removal order may be issued by the competent authority in any Member State and must be addressed to the main establishment of the HSP or to its legal representative. Once received, a HSP must take action to comply with a removal order within one hour. However, there is a caveat to the one-hour requirement: where a competent authority has not previously issued a removal order to that HSP, it must provide it with information on the applicable procedures and deadline, at least twelve hours before issuing the removal order.
The Regulation provides a mechanism for national authorities to designate a HSP where it is regarded as “exposed” to terrorist content. Where designated, the HSP must take additional technical and organisational measures (like staffing and establishing means to identify and expeditiously remove terrorist content), and ensure it has mechanisms to report or flag alleged terrorist content and encourage user moderation.
Other general obligations
HSPs are also required to:
- Preserve terrorist content subject to a removal order for up to six months.
- Detail in applicable terms and conditions its policy for implementing the Regulation.
- Publish an annual transparency report to explain any action taken under the Regulation.
- Establish an effective and accessible complaint mechanism for users.
- Provide information to users where a HSP removes terrorist content, including the reason for removal and right to challenge.
- Inform authorities in a Member State where the HSP becomes aware of terrorist content involving an imminent threat to life – although there is no obligation on a HSP to actively screen for terrorist content.
- Establish a contact point for the receipt of removal orders by electronic means.
- Where not based in the EU, designate a legal representative in the EU to receive removal orders.
Do HSPs face penalties for non-compliance with the Regulation?
Yes. The Regulation requires Ireland, and other EU Member States, to impose penalties on HSPs who fail to comply with the Regulation. In particular, the systematic or persistent failure to comply with obligations under the Regulation may result in financial penalties of up to 4% of the HSP’s global turnover in the last financial year. Ireland has yet to issue any rules or guidance on its approach to penalties and sanctions under the Regulation.
What will the overall impact of the Regulation be on HSPs in Ireland?
Ireland has designated An Garda Síochána (the national police) as its competent authority. Notably, many Member States, including Austria, Poland, the Netherlands and Finland, have yet to do so. Given that Ireland is home to many of the world’s social media and technology companies, An Garda Síochána may yet play a significant role in implementing the Regulation. With the first transparency reports to be published in 2023, we expect to have better visibility on the number of removal orders issued, and further detail on the challenges involved for online businesses in complying with the new regime.
For now, we are working with clients in the Technology sector to take proactive steps and devise appropriate internal systems to comply with the Regulation. Please get in touch with Darach Connolly or Emer McEntaggart should you have any questions.