On 12 February 2019, the European Data Supervisor (EDPS) tabled “formal comments” on the Commission proposal for a regulation on preventing the dissemination of terrorist content online (see eucrim 2/2018, 97-98 and the article by G. Robinson, eucrim 4/2018, p. 234).

The EDPS generally supports the proposal’s objective to set up binding, harmonised rules for host service providers (HSPs), who offer services within the territory of the Union, in order to prevent the dissemination of terrorist content through their platforms and to ensure its swift removal. The EDPS, however, sees several possible improvements that could reduce conflicts over the fundamental rights to privacy and to the protection of personal data.

The EDPS calls on the legislator to clearly describe allactions to be taken by HSPs pursuant to the proposal and to ensure adequate oversight by clearly identified, competent public authorities. The EDPS feels that this precision would help address concerns about the “privatisation” of law enforcement and be in keeping with the principles of quality of law and economic certainty.

The legislator should hence be as specific as possible as regards the information in the removal order issued by law enforcement authorities.

Beyond these general remarks, the EDPS specifically recommends that the definitions “terrorist content,” “dissemination of terrorist content,” and “host service providers” should be made more consistent and be aligned with existing EU law, e.g., Directive 2017/541 on combating terrorism.

As regards the obligation for HSPs to carry out a takedown decision within one hour after receipt of a removal order from the competent authorities, the EDPS points out that this could be especially challenging for small- and medium-sized companies. It may deprive HSPs from carrying out a meaningful check on the removal order.

One focus of the EDPS’ comments is on the obligation for HSPs to take proactive measures. EU rules must take into account the principles of necessity and proportionality. This can be achieved by introducing two obligations when HSPs put in place proactive measures, i.e., HSPs should do the following:

(1) “perform and make public a risk assessment on the level of exposure to terrorism content (also based on the number of removal orders and referrals received)”

(2) “draw up a remedial action plan to tackle terrorist content proportionate to the level of risk identified.”

The EDPS eyes the elements of the proposal that include use of automated tools in the context of proactive measures. He stresses that EU legislation cannot lead to “automated individual decision-making” (prohibited by the GDPR). Therefore, removals based on automated tools must always be subject to human oversight and verification where appropriate. Reporting obligations for HSPs also need to be introduced in order to ensure that automated tools do not produce discriminatory, untargeted, unspecific, or unjustified results.

Furthermore, the EDPS recommends reconsidering the rules on mandatory preservation of terrorist content and “related data” since they are not compatible with the CJEU’s case law on data retention.

Ultimately, the EDPS takes issue with the envisaged complaint mechanism within the HSPs. Though welcome, EU legislation should introduce deadlines for HSPs by which a decision on a complaint must be taken.