The EU Regulation on preventing the dissemination of terrorist content online entered into force on 7 June 2021 and became applicable on 7 June 2022. The implications for certain online platforms, both in and outside of the EU, are extensive. Among other things, they are now obliged to remove terrorist content within an hour of receiving a removal order from a national competent authority.
Fighting terrorism, especially through preventing radicalisation on- and offline, is a priority for the EU Commission. The Terrorist Content Regulation aims to create a legal framework that prevents terrorists from spreading propaganda on the internet. At the same time, it considers fundamental rights (i.e., freedom of expression) by implementing safeguards, such as transparency and information obligations, complaint mechanisms, and a right to an effective remedy.
Who is affected by the new content regulation?
The regulation applies to all hosting service providers (HSPs) offering services in the EU, irrespective of their main place of establishment, insofar as they disseminate information to the public. A hosting service provider is defined as a provider of information society services, consisting of the storage of information provided by and at the request of a content provider. Content providers in this sense are essentially the users of the service.
An HSP disseminates information to the public when it makes that information available to a potentially unlimited number of persons at the request of a content provider. This extensive scope includes social media platforms and video, image and audio sharing services. Interpersonal communication services such as emails or private messaging services are not typically impacted because they do not disseminate information to the public.
What qualifies as terrorist content?
The definition of terrorist content within the meaning of the Terrorist Content Regulation is aligned with the definition of terrorist offences set out in Article 3 of the directive on combating terrorism ((EU) 2017/541). It applies, among other things, to material that solicits someone to commit or contribute to terrorist offences or to participate in the activities of a terrorist group; incites or advocates terrorist offences, including the glorification of terrorist acts; or provides instruction on how to conduct attacks. The material can take various forms, including sound recordings, videos, and live transmissions of terrorist offences. Content distributed for educational, journalistic, artistic or research purposes is excluded.
Obligations for hosting service providers
Under the new regulation, HSPs must comply with several removal, information, and transparency obligations.
One-hour rule – removal obligation: Terrorist content is most harmful in the hours immediately following its initial appearance. Thus, the regulation obligates online platforms to stop its dissemination as quickly as possible. In any event, the HSP shall remove terrorist content (or disable access to such content) in all EU member states within one hour, upon receipt of a removal order by a competent authority. If an HSP has never received a removal order before, the competent authority will provide it with information on the applicable procedures and deadlines at least 12 hours before issuing the removal order, except in duly justified cases of emergency. Removal orders must include a rationale for why material is considered terrorist content and information on how to challenge the order legally. HSPs, as well as content providers, have the right to challenge a removal order in a court of the respective member state.
Establish a contact point: Each HSP shall designate or establish a contact point for the electronic receipt of removal orders and ensure the prompt processing of these orders. Information on the contact point must be made publicly available.
Designate a legal representative: If an HSP does not have its main establishment in the EU, it must designate a natural or legal person as its legal representative in the EU for receipt, compliance enforcement of removal orders and decisions issued by the competent authorities. This legal representative may be held liable for infringements of this regulation, yet liability and legal action against the HSP itself remain unaffected.
Information obligations: The HSP must inform the competent authority, without undue delay, of the removal or disabling of access to terrorist content. The same applies if it is unable to comply with a removal order. When HSPs become aware of terrorist content involving an imminent threat to life, they must promptly provide this information to the competent criminal prosecution authority. Content providers (i.e. users) whose content has been removed or had its access disabled must be provided with information on these measures.
Establish a complaint mechanism: The provider must establish a complaint mechanism allowing content providers to appeal the removal or blocking of their content.
Publish a transparency report: When an HSP has taken action to address the dissemination of terrorist content or has been required to take action, they must publish a transparency report for that year. The HSP should preserve terrorist content that has been removed or blocked, and clearly state their policy for addressing the dissemination of terrorist content in their terms and conditions.
“Specific measures” for HSPs exposed to terrorist content
Some HSPs who are "exposed to terrorist content" must take specific additional measures to protect their services against the dissemination of terrorist content to the public. An HSP is "exposed to terrorist content" when the competent authority has made that decision based on objective factors and has notified the HSP concerned about their decision.
The specific measures HSPs should take are not specified in the regulation. The HSP itself must decide on the measures and report to the authority about how and when it will respond. These measures could be of a technical and operational nature, but there is no obligation for the use of automated tools to identify or remove content. If an HSP uses such technical measures, it must implement appropriate and adequate safeguards, including human oversight and verification.
Enforcement and conflicting obligations
Member states must adopt rules on penalties for HSP non-compliance with the regulation and decide on the level of those sanctions, which must be effective, proportionate and dissuasive. Hence, the penalties will differ from one member state to another. If an HSP persistently or systematically fails to comply with obligations to remove terrorist content as soon as possible (the one-hour rule), the member state shall sanction that HSP with financial penalties of up to 4 per cent of its global turnover the preceding business year.
Companies, therefore, must assess whether and how they are affected by the new Terrorist Content Regulation and which measures should be implemented. When complying with the regulation, every step of the process (which may also impact non-terrorist content) should also be GDPR-compliant. A significant challenge for HSPs will be to protect fundamental rights like freedom of expression, the right to information, and the right to privacy on the internet while complying with this regulation. To what extent the member states' authorities will use their power to issue removal orders, and what impact this will have in practice, remains to be seen.