Liability exemptions of non-hosting intermediaries: Sideshow in the Digital Services Act?

2.1 The regulatory landscape

According to the Organisation for Economic Co-operation and Development (OECD), ‘Internet intermediaries bring together or facilitate transactions between third parties on the Internet’.⁹ The OECD’s definition goes on to mention the many different intermediary functions, such as ‘to give access to, host, transmit and index content, products and services originated by third parties on the Internet or provide Internet-based services to third parties’. In EU legislation, there exists no corresponding intermediary definition, and the notion of non-hosting intermediary is not used in EU legislation¹⁰ or technical protocols.

Protocols constitute a layer of transnational private regulation as soft law, which complements national and regional regulation (eg EU law). This transnational de facto regulation, even if only soft law, has a strong influence on the architecture and functioning of the internet. Accordingly, the Internet Engineering Task Force (IETF) describes the internet as ‘a loosely-organized international collaboration of autonomous, interconnected networks, [which] supports communication through voluntary adherence to open protocols and procedures defined by Internet Standards’.¹¹ The technical standards and other documentation that are used to make the internet work are published by the IETF, which is a large open international community of network designers, operators, vendors and researchers.¹² The standards are open and created by a procedural commitment to ‘rough consensus and running code’.¹³ Standards from other organisations, for example, the World Wide Web Consortium (W3C), are used for the wide variety of services that use the internet, and proprietary standards are relied on to create new services too. Regarding open standards, the principle of rough consensus and running code implies that software vendors, such as browser developers, are in a strong position when new standards are created. Further examples related to the DNS and Internet Protocol (IP) addresses are the Internet Corporation for Assigned Names and Numbers (ICANN),¹⁴ the Internet Assigned Numbers Authority (IANA),¹⁵ and the Reseaux IP Europeens Network Coordination Centre (RIPE NCC).¹⁶ Open standards are also sometimes established outside these organised settings by private companies.¹⁷ This de facto regulation accompanies legislation related to intermediaries. Without a liability exemption, intermediaries could risk liability for illegal content communicated with their direct or indirect help. For example, an internet access provider (IAP) forwarding internet traffic could potentially be held liable if that traffic included illegal material. In Europe, the liability exemption of online intermediaries is harmonised by the ECD.

The ECD is a relatively technology-neutral regulation, because the functions performed by intermediaries are described in general terms, such as ‘transmission in a communication network of information’.¹⁸ At the same time, this neutrality is limited because the ECD conceptualises intermediary functions based on a particular architecture: it defines the liability exemptions based on certain specific functions, namely, ‘mere conduit’¹⁹ (Article 12 ECD), ‘caching’²⁰ (Article 13 ECD) and hosting (Article 14 ECD).

In some instances, the regulation of intermediaries is also influenced by other EU legislation, and certain functions may be regulated by several frameworks, addressing such issues as competition and consumer protection in electronic communications networks,²¹ network neutrality,²² cybersecurity,²³ data privacy²⁴ or audio-visual media on the internet.²⁵ There may also be sector-specific national legislation, such as in relation to illegal content,²⁶ but this issue is not explored further in this article.

Furthermore, related to but separate from the question of liability is the role of injunctions. Importantly, the liability exemptions in the ECD merely shield from liability; they do not restrict a court or administrative authority to issue an injunction with a view to require the service provider to terminate or prevent an infringement in accordance with the national legal system in the respective Member State (MS).²⁷ Injunctions are of major practical importance and there exists ample case law regarding injunctions, most notably in relation to internet access service providers; however, discussion of these issues is outside the scope of this article.²⁸

2.2 What are ‘non-hosting’ functions?

This article focusses on liability exemptions for ‘non-hosting’ functions of intermediaries. To explain our distinction between hosting and non-hosting, it is necessary to understand the design of European liability exemption rules. We employ a broad understanding of ‘non-hosting’. We simply use this as a categorisation of services other than hosting (akin to the legal delimitation in Article 14 ECD). In the EU context, hosting refers to services where content provided by the recipient of a service is traditionally stored for a prolonged period. An example of such a hosting function relates to (some of) the services offered, for example, by such online platforms as YouTube, Facebook or Twitter. However, note that hosting as a technical concept²⁹ does not necessarily imply that content is stored.

Compared with the liability exemption for hosting functions (Art 14 ECD), the intermediary functions of the two remaining liability exemptions (‘mere conduit’ and ‘caching’, Articles 12 and 13 ECD) have been less prominently featured in recent policy discussions at the European and national levels.³⁰ There exist many technical and legal differences between hosting (read: platforms) on the one hand and ‘mere conduit’ and ‘caching’ on the other. For example, hosting providers can take down content if notified of its illegality. By comparison, an internet access provider—or other non-hosting provider (discussed below)—may not be in a position to take down content. The actions available for non-hosting providers are often limited, and many content-related measures can easily lead to over-blocking. These differences are important to understand with a view to avoiding unintended spill-over effects from regulatory efforts regarding hosting, ie measures that may make sense in the context of intermediaries broadly related to platforms but not in the non-hosting intermediary landscape. Within non-hosting, we do not focus on the provision of internet access but on various other grey areas, which are less explored in the academic literature.³¹ Examples include DNS and Wi-Fi services, cloud processing and content delivery networks (CDNs). These functions raise a number of specific regulatory problems that are easily put in the shadow of internet access service providers on the one hand and hosting providers on the other.

At a fundamental level, the non-hosting notion can be seen as a collection of legal concepts. In legal texts, the complexity of the world often needs to be condensed into legal concepts, which complement rights and obligations. These legal concepts are not ‘norms of conduct’ because they do not directly regulate what actions are obligatory or permitted. However, whether a right or obligation applies in practice depends on whether its conditions are fulfilled, and this is where legal concepts play a role in the logic of the law.³² Intermediary liability is a case in point. Certain functions are exempted from liability if they fulfil the requirements (conditions) of the law, which attempt to capture key aspects of the complex way in which internet communication works. These requirements (for liability exemption) are different from the rules under EU MS law, according to which actors can be held liable. Ultimately, the decision about liability in a concrete case must consider both liability rules and conditions for exemptions. The spectrum of non-hosting services is heterogeneous as it covers a wide range of offerings. These have in common that they, as intermediaries, bring together or facilitate transactions between third parties on the internet.

2.3 Conditions for liability exemptions in the EU framework

The ECD’s horizontal liability exemption regime (ie covering administrative, civil and criminal liability) comes with two general criteria that need to be fulfilled: first, the service provider needs to provide a specific form of an ‘intermediary’ information society service, and second, that information society service provider’s (ISSP’s) activity must qualify as passive. The specific liability exemptions for the three types of intermediary activities then come with certain—graduated—conditions that need to be fulfilled.³³ Importantly, it is only the three functions of ‘mere conduit’ (Article 12 ECD), ‘caching’ (Article 13 ECD) and hosting (Article 14 ECD) that are exempt from liability.

The ECD does not address (internet) intermediaries³⁴ as such; rather, it focusses on the broad,³⁵ EU-specific genus of the ISSP, which is defined as an autonomous concept in Article 1(1)(b) of the Technical Standards Directive.³⁶ According to this definition, such a service first needs to be ‘normally provided for remuneration’. This criterion is of special interest in the non-hosting sphere, where the service is sometimes not paid for by the beneficiary of the service, and it may be unclear who the recipient of various services is (eg registrant paying for the domain name to be accessible or proxy caching being paid for by internet access service providers (IAPs)). Already, in accordance with the Court of Justice of the European Union’s (CJEU’s) case law,³⁷ Recital 18 ECD clarifies that

‘information society services are not solely restricted to services giving rise to on-line contracting but also, in so far as they represent an economic activity, extend to services which are not remunerated by those who receive them, such as those offering on-line information or commercial communications, or those providing tools allowing for search, access and retrieval of data; information society services also include services consisting of the transmission of information via a communication network, in providing access to a communication network or in hosting information provided by a recipient of the service’.

Thus, whereas the service must represent an economic activity, a broad interpretation must be given, and it does not require the service to be paid for directly by those for whom it is performed.³⁸ The service also needs to be provided at a distance, which does not appear to have created issues so far in case law. Furthermore, the definition only covers a service provided by electronic means, which also appears to be unproblematic in the current technological remit.³⁹ The definitions in the ECD and the Technical Standards Directive can be seen as technologically neutral, in the sense that they do not refer to the internet, which is based on the Transfer Control Protocol (TCP)/IP suite. Thus, other potentially evolving forms that might replace TCP/IP could also be encompassed by the rules. Finally, such a service needs to be at the individual request of a recipient. This criterion does not appear to have given rise to concerns but might challenge the applicability of the ECD in relation to some services (eg live-streaming).

According to Recital 42 ECD, as a second prerequisite, ‘this activity is of a mere technical, automatic and passive nature, which implies that the ISSP has neither knowledge of nor control over the information which is transmitted or stored’.⁴⁰ In McFadden, the CJEU stipulated in relation to ‘mere conduit’, for example, that ‘providing access to a communication network must not go beyond the boundaries of such a technical, automatic and passive process for the transmission of the required information’,⁴¹ without providing further guidance on the criterion. Thus, on the flipside, an ‘active’ service provider cannot benefit from the liability exemptions in the ECD. The distinction between active and passive is not as clear as it seems, as the situation both conceptually and technically is regularly more nuanced than ‘just active’ or ‘just passive’.⁴² The active/passive dichotomy is increasingly challenging to apply in practice because it is in the nature of a service that it involves some degree of activity.⁴³ Thus, the provider is active in some respects and passive in others. However, a closer reading of the above-mentioned recital shows that the ultimately decisive factors should be knowledge and control over the information. Further clarifications might be needed.

Questions arise, especially when an intermediary offers functions in combination with hosting. These could be seen as separate services or functions, with the consequence that some are covered by a liability exemption while related functions may not be. The intermediary could then still be held liable for the non-exempted function but not for hosting. In a sense, such related functions could be considered non-hosting, and the question arises of whether there would exist good arguments for exempting them. Alternatively, the combined service, consisting of several functions, could also be seen as a unity. In that case, the question arises of whether the related function could be of such character that it voids the passivity requirement with the consequence that the service qualifies as active and falls outside the scope of application of the liability exemption.⁴⁴ Alternatively, we may ask whether the combined service would deserve an exemption de lege ferenda.

2.4 Considerations de lege ferenda

When going forward with an update of intermediary liability rules, the European lawmaker needs to strike a fair balance between the various stakeholder interests, emphasising fundamental rights.⁴⁵ Both risk management and proportionality are relevant reference points for an updated framework. There is a trade-off between mitigating content risks and ensuring that measures against illegal content remain proportional.

The communication of illegal content or information implies a risk to some stakeholders’ rights and interests. For example, children are at risk when child sexual abuse material (CSAM) is produced and disseminated. Economic literature emphasises that risk should be allocated to the actor who is best suited to avoid it,⁴⁶ and intermediaries can influence the communication of illicit content. However, the context of intermediary liability is complex and involves a variety of actors and stakeholders, so a simple risk allocation is unfeasible. Intermediary service providers differ in their ability to manage content risks, partly because they vary in their proximity to the illegal content. This parameter (proximity to unlawful content) could play a role in allocating risk. Arguments for liability could include near business relations with the originator of illicit content or a close technical connection to the material.⁴⁷ Based on a simple risk allocation rationale, intermediaries with proximity to illegal content risk should bear these risks. However, such a risk assignment would also create incentives for mitigating risks by taking down content, which is not without consequences.

The key problem is that taking down content also affects other stakeholders, such as internet users and society at large. Therefore, fundamental rights ought to constitute an essential starting point for the liability exemption framework. The lawmaker should weigh benefits (the protection from impacts of unlawful content) against costs (the negative effects of protection measures on other fundamental rights). Intermediaries are exempted from liability because they fulfil important societal functions. Their roles in the communications process structurally limit their ability to take proportionate and effective measures to control content-related risks without negative effects on an open and free internet. This is also acknowledged in the case law of the CJEU, which points out that one needs to strike a fair balance between the rights and interests at stake.⁴⁸ Measures imposed on a service provider must balance these rights and be proportionate.

In the non-hosting context, the various service providers differ significantly in their ability to take measures that could potentially affect content-related risks. Therefore, we must ask what technical measures the respective service providers possess and how these affect fundamental rights. Such measures include the taking down of infringing material for hosting providers, but non-hosting service providers typically cannot take down content. Non-hosting providers can influence the availability of content (eg through website blocking), but such options’ effectiveness and precision are critical for avoiding disproportionately detrimental effects on fundamental rights.⁴⁹

The effectiveness and proportionality of available measures should play a role in selecting the actors best placed to tackle illegal content. Some intermediaries (eg domain name registries) may be able to take certain measures against unlawful content. Still, such measures as the taking down of domain names are both less effective and more likely to be disproportionate than those available to other actors (eg hosting providers), who are also more proximate to the content. Therefore, measures against illegal content should be targeted primarily at actors who can take proportional action. In principle, more remote intermediaries should not be targeted, or they should be targeted only as a last resort. We have previously proposed this principle in a study for the Commission. This idea was adopted in Recital 26 of the proposed DSA.⁵⁰

3.1 Intermediary functions related to the DNS

IP addresses and domain names play crucial roles in the functioning of the internet, but the ECD’s intermediary liability provisions do not explicitly cover the addressing and naming functions.⁵¹ Technically, a domain name registration, in which the registries and registrars are involved, includes some minimal element of information storage, which could be relevant for Article 14 ECD. However, this storage only relates to the storage of the domain name as such and the related IP address(es), as well as registrant information in the Whois database; it does not relate to the storage of content, such as a website. A domain name may itself infringe particular laws (eg law on trademarks), for which there would be a safe harbour benefitting the registry or registrar.⁵²

If the problem consists of illegal content accessible via a domain name, a registry or registrar arguably cannot benefit from the liability exemption in Article 14 ECD because it is not storing information.⁵³ The raison d’être of Article 12 ECD might fit best for domain name services in a teleological reading, but it was clearly not drafted with the DNS in mind.⁵⁴ The services of registries and registrars do not consist of the transmission of information in a communication network; these services only provide pointers to such content through globally unique, location-independent names.⁵⁵ Therefore, domain names are sometimes called ‘signposts in cyberspace’,⁵⁶ and internet standards define the DNS as a support system. It may be argued that registries or registrars are too remotely related to infringing content to risk liability for infringing content in accordance with national liability standards. Nevertheless, there exists some inconclusive lower court jurisprudence.⁵⁷

So far, there have been no references to the CJEU regarding the DNS. In the trademark-related case of SNB-REACT,⁵⁸ the Court addressed another question related to the addressing function, namely service related to IP addresses. From the judgment, which was rendered without an Advocate General’s (AG) opinion, it is somewhat unclear exactly what type of service is being considered.⁵⁹ The CJEU rephrased the referring court’s question in paragraph 40, essentially addressing the ‘provider of an IP address rental and registration service’, which allowed the defendant’s ‘customers to use domain names and websites anonymously’ (para 49).⁶⁰ The CJEU held that, in any case, such service can fall under the ECD’s liability exemptions provided that the respective provision’s criteria are fulfilled. In the referring case, the defendant argued that it provided access to an electronic communications network together with an information transmission service. Unfortunately, the CJEU refrained from giving further guidance on whether such service would qualify under Articles 12, 13 or 14 ECD, leaving it for the referring Court to verify and assess the situation (paras 50 and 52).

Regrettably, this case does not contribute to clarifying the question of whether DNS services are exempted de lege lata, and even for a service consisting of the rental of IP addresses, it is likely that neither exemption’s conditions would be fulfilled. De lege ferenda, the question remains whether there ought to be such an exemption.⁶¹ If we consider DNS actors’ proximity to content risks, we need to distinguish, inter alia, between business and technical proximity. Indeed, it is possible that the providers of DNS-related services are in a business relationship with the parties committing an infringement. However, the problem is that registries and registrars are technically removed from infringing content, which they neither store nor transport. As a result, they usually do not know about any illegal content, as they would need to investigate how domain names are used. Moreover, there are significant proportionality issues related to the measures DNS actors can take to manage content risks. Registries or registrars can take various domain name-related measures; however, these would often be disproportionate for two reasons. First, the precision of such measures is low because a suspension affects all content to which a domain name points (eg all of wikipedia.org), which is overly broad. Second, the suspension of the domain name only removes the ‘signpost’, whereas the content will typically still be available on the machine identified by the related domain names. Thus, suspension of a domain name is not a particularly effective measure for combating illegal content or information in the first place.

Historically, technical abuse,⁶² such as the use of malware, has been topical in the DNS space and may be addressed voluntarily by some actors.⁶³ Recently, however, content-related aspects have also become more topical, as witnessed at the Internet Governance Forum 2019. When ICANN sets policies for the internet, there exists no global agreement on content, and ICANN’s mission has been described as unclear but rightly hesitant in relation to content.⁶⁴

Despite the above-mentioned conceptual distance from content, some domain registries have engaged in some form of voluntary self-regulation. There exist, for example, trusted notifier arrangements⁶⁵ both with public authorities (eg ccTLD registry Nominet with the Police Intellectual Property Crime Unit in the United Kingdom) and industry organisations (eg gTLD registries with the Motion Picture Association of America; gTLDs and ccTLDs in the Healthy Domain Initiative), but there is generally scarce information on their workings. Some registries also address content- or technical abuse-related aspects in their terms of service, and there exist examples of notice-and-actions arrangements.⁶⁶ The role of registration data is of special interest. Some ccTLD registries have noted a plausible correlation between domain names that are used for illegal purposes (related to content or technical abuse) and the quality of registration data. In this connection, several registries have introduced some kind of data validation process.⁶⁷ Related to registration behaviour, several DNS actors have responded to such issues as the potentially abusive registrations during the Covid-19 crisis.⁶⁸

3.2 Wi-Fi hotspots

Today, internet cafes, hotels, public places and other establishments regularly offer Wi-Fi hotspots to their customers. Furthermore, citizens sometimes share their internet access with family members, friends or visitors. There are various business models, including the inclusion of advertisement.⁶⁹ The provision of Wi-Fi hotspots has a key function for connectivity and implies significant benefits for society, particularly as a complement to existing wireless offers (eg 4G) and future 5G networks.⁷⁰ This can be illustrated by the fact that the provision of Wi-Fi hotspots and the related intermediary liability question has also been mentioned, for example, in both the public consultation⁷¹ and the Commission’s proposal⁷² which lead to Regulation (EU) 2017/1953 on the promotion of internet connectivity in local communities.

CJEU jurisprudence on Wi-Fi hotspots has its basis in German cases, so we need to present briefly the national legal context, which may differ significantly from the contexts of other Member States. In 2010, the German Federal Court of Justice (Bundesgerichtshof) held that ‘a private person operating a Wi-Fi network with internet access may be regarded as an “interferer” (“Störer”) where he has failed to make his network secure by means of a password and thus enabled a third party to infringe a copyright or related right’.⁷³ This secondary liability⁷⁴ applies to an actor who—without being a perpetrator or participant—contributes in any way, deliberately and adequately causally, to the violation of an ‘absolute right’.⁷⁵ This implies that certain obligations are extended, to some extent, to third parties (‘interferers’) who have not committed the infringing act. Since the secondary liability cannot be extended excessively to third parties that have not carried out the unlawful act themselves, this liability presupposes the violation of an obligation/duty of care.⁷⁶ The extent of that obligation is determined according to what can reasonably be expected from the interferer.⁷⁷ This secondary liability was applied to owners of Wi-Fi access points. The remedy typically included monetary damages, the obligation to cease current and stop future infringements, and enforcement costs. Thus, the remedies combined damages (from which intermediaries are exempted), injunctive relief and certain costs. These costs are significant because they can also have a punitive effect, as discussed below.

According to the case law of the CJEU, it is now settled that the providers of Wi-Fi hotspots benefit from the liability exemption under Article 12 ECD.⁷⁸ However, in many cases, these ‘service providers’ do not offer Wi-Fi-based internet access as their main line of business; instead, they do so in their private capacity or ancillary to other businesses, which makes it challenging to achieve a fair balance of fundamental rights. As illustrated by the case law of the CJEU, problems related to the provision of Wi-Fi hotspots often occur in the context of intellectual property rights infringements committed by users of such hotspots. This includes situations in which the hotspot is unsecured, facilitating the use (and the commission of illegal acts) by potentially anonymous third parties.

What can be expected from Wi-Fi hotspot providers? In the McFadden case, the CJEU discussed the different types of measures that could be expected from the provider of a Wi-Fi hotspot. Monitoring all information transmitted would be contrary to Article 15(1) ECD⁷⁹ and terminating internet connection would infringe freedom to conduct business.⁸⁰ In contrast, requiring password protection strikes a balance in the view of the CJEU: it is sufficiently effective and targeted to protect against further infringements, and it does not damage the essence of the right to freedom to conduct business or freedom of information.⁸¹ Regardless, this raises the question of whether injunctions on ‘mere conduit’ intermediaries should be delimited at the EU level. The objective with injunctions is to require the service provider to terminate or prevent an infringement. This is different from liability, which may serve restitutionary and punitive purposes.

The potential of the punitive effects of injunctions has been of concern.⁸² In the German cases, injunctions were procedurally based on a formal notice (‘Abmahnung’) issued by a lawyer, with costs to be borne by the recipient of the notice. In the leading 2010 Wi-Fi case, the claimed pre-litigation enforcement costs were more than double the claimed damages. In cases where the infringing action—for instance, copyright infringement based on peer-to-peer file sharing—was committed by a third person that could not be identified or targeted (eg a family member, visitor or business customer), the costs related to the injunction were ultimately borne by the Wi-Fi hotspot owner (the intermediary) and could have a punitive effect similar to damages for liability. As pointed out by AG Szpunar in McFadden, especially the punitive effect of pre-litigation costs related to injunctions may be problematic in light of the objective of the liability exemption.⁸³ Although the CJEU did not follow the AG’s argument (to exclude pre-litigation expenses), the subsequently mentioned legislative changes in Germany, where the McFadden case had its origin, illustrate the significance of this point.⁸⁴

‘Mere conduit’ service providers in Germany are no longer required to pay the enforcement costs related to the remedy that can be used to require the blocking of access to information. The advantage of this legislative solution is that it affords the rightsholder a mechanism to ensure the future blocking of information while avoiding the punitive effects of substantial pre-litigation costs. Particularly in the context of Wi-Fi hotspots, where service providers may also include private individuals and small businesses, this relates to the interests and fundamental rights of individuals and entities that offer such ‘services’ in the context of private and family life or simply as an accessory to other business activities. An exhaustive comparative analysis is outside the scope of this article, but if the punitive effects of injunctions targeting Wi-Fi owners are also a problem in other Member States, a harmonised EU approach may be advisable.

Under Article 7 of the Charter of Fundamental Rights of the European Union, persons belonging to the same family may, as such, benefit from special protection allowing them not to be compelled to comply with an obligation requiring them to incriminate one another, where one or another of them is suspected of having committed an illegal act.⁸⁵ However, EU law⁸⁶ precludes national legislation, under which ‘the owner of an internet connection used for copyright infringements through file-sharing cannot be held liable to pay damages if he can name at least one family member who might have had access to that connection, without providing further details as to when and how the internet was used by that family member’.⁸⁷

Although this has not been highlighted in case law, it is not always clear that all providers of Wi-Fi hotspots provide an information society service (ISS). It is questionable, for example, whether private hotspots provided for family members and friends fulfil the economic requirements of ISSP or whether a Wi-Fi service is always supplied ‘at a distance’. While these concepts can be (and often are) defined in a way that includes Wi-Fi hotspots, this also raises the more general question of the usefulness of the ISSP concept for the context of intermediaries (including individuals) facilitating communication in a network.

3.3 CDNs

A CDN is a geographically distributed network of both (traditional) caching and reverse proxy servers and data centres that improves the efficiency of the delivery of content to end users. Practically, CDNs solve the need to maintain a large number of specialised caching proxy servers in data centres all over the world and the need to store large media files, such as video content, on servers either in the same data centres as the caching proxy servers or in similar data centres in close physical proximity to users. The technical setup of CDNs is complex and can vary. Two functions of a CDN service provider can be distinguished for their legal assessment: first, they can provide traditional caching service to benefit IAPs based on content requests from users; second, CDN service providers can act on behalf of content owners by moving some of the reverse proxy functions from the data centre of the origin host (hosting in the sense of Article 14 ECD) to data centres at the edge of the network, where CDN equipment is located. The CDN servers become surrogate hosts and can offer both caching of unencrypted content and temporary content hosting at the edge of the network as a service to the host provider; this can also comprise content adaptation services, including encrypting the content using a digital certificate identifying the content owner.

In addition to traditional caching of potentially illegal information, such functions as surrogate hosting and content adaptation could raise some questions on the applicable conditions of the liability exemption if some part of the content in the CDN is illegal. Below, we concentrate on the CDN service on behalf of a content owner. This aspect relates to the question of how the CDN can be integrated into the communication between a content owner and end users. The use of a reverse proxy enables a CDN to distribute the requests of end users to either the cached or the original content.

In practice, CDNs use the DNS as the mechanism for this function. A simple way of handling this is for the content owner (registrant of a domain name) to use the authoritative DNS name server of the CDN provider. As a result, the reverse proxy used by a CDN is ‘fronting the host’ with an IP address of the CDN. This enables the CDN’s DNS name server to respond with the IP address of the reverse proxy with the shortest distance to the user looking up the IP address of the domain name. One relevant technical consequence of this setup is that the IP addresses of the CDN’s reverse proxy become the IP addresses of the domain name in the lookup. In other words, the IP address(es) of the host is (are) not visible to the end user. This can be compared to the ‘care of’ (℅) or post office box in the analogous world of letter mail, where the sender does not know the address of the recipient, but the item is rerouted to a post office. In relation to this consequence, one prominent CDN service provider, Cloudflare, was included in the Commission’s Counterfeit and Piracy watch list in 2018 because CDNs can ‘provide anonymity to the operators of pirate sites’ and ‘hide the original IP address of the site which actually hosts the content’.⁸⁸

CDN services are often combined with additional related services, such as DNS resolvers, cybersecurity services⁸⁹, hosting or domain registrar services. Today, the use of CDNs is widespread and relied on by a large number of lawful and unlawful services. Given the range of CDN business models consisting of a variety of complex functions, the CDN notion would not be useful as a legal concept. Instead, it is necessary to differentiate between the respective services and functions, which may fall under different liability exemption rules.

Given the increased practical importance of CDNs, it is of interest to assess their role in the intermediary liability regime of the ECD. The availability of liability exemptions has also been identified to be of major business importance to CDN service providers.⁹⁰ Generally, there exists little jurisprudence on CDNs and the related technical functions. However, in 2019 and 2020, Cloudflare was subject to several lower court proceedings in EU Member States in the context of injunctions.⁹¹

A CDN provider can guarantee the availability of a website, even when a customer’s website is temporarily inaccessible. This relates to hosting, which is covered under Article 14 ECD and not further explored here. The traditional caching aspects of CDNs (on behalf of IAPs) qualify for the liability exemption in Article 13 ECD. Only if a CDN performs content adaptation is the availability of a liability privilege uncertain. This uncertainty emerges because of the requirement not to modify the information. Modifications to the representation of information will likely be unproblematic, whereas modifying the content may void the liability exemption.⁹²

When the CDN provides a service to the content owner (ie not the IAP), it functionally becomes a ‘surrogate host’ and can offer both caching of unencrypted content and temporary content hosting at the edge of the network. In addition, the use of a reverse proxy enables a CDN to distribute the requests of end users to either the cached or the original content as load balancing. As a result, the reverse proxy used by a CDN is ‘fronting the host’ with an IP address of the CDN. This enables the CDN’s DNS name server to respond with the IP address of the reverse proxy with the shortest distance to the user looking up the IP address connected to the domain name. This use of a reverse proxy is not covered by Articles 13 or 14 ECD, as it is different from storage (although it could be combined with storage). To be exempted under Article 12, the service would have to consist of transmission in a communication network. However, the reverse proxy is arguably not engaged in the data transmission, but can instead be said to facilitate content delivery by fronting the host with the IP address of the CDN (which is connected to the domain name of the content owner). Even if one conceptualises data transmission broadly, such that it would include reverse proxies, a CDN may engage in the selection of recipients, which would void Article 12. Therefore, it could be argued that no liability exemption is available de lege lata for the reverse proxy mechanism. This could be seen as an unintended consequence, given the significant benefits offered by CDNs and their role as an intermediary between the content owner and the end user. Given that CDNs employ various mechanisms for content delivery, it is possible that the same conclusion would also apply to other technological solutions not addressed here or developed in the future.

To tackle this gap (at least for the use of reverse proxies by CDNs), the lawmaker should consider extending the existing safe harbour provisions, taking into account the degree of control CDNs have over content risks. CDNs have a high business proximity to the content owner because it is most likely a customer of the CDN. The CDN’s reverse proxy function is closely related to the content owner, even when it does not store the content. By distributing user requests to various locations where the content is available, the CDN acts as a ‘surrogate host’. To some extent, the situation of the CDN is similar to the hosting regulated in Article 14 ECD, except that the CDN does not (necessarily) store the data. When a CDN is employed, users viewing the web page www.example.com are sent to the CDN’s IP address, via which the content is delivered or provided. CDNs often also encrypt content using a digital certificate identifying the content owner, thereby increasing the business and technical proximity. At the same time, CDNs are arguably unaware of the possible illegality of the content they distribute. If Article 14 ECD were modified to intermediary services that provide (rather than store) the information, such CDN services would arguably be covered by an amended Article 14. Similarly, Article 13 ECD could be amended to cover the ‘intermediate and temporary provision of content’, which might be more suitable given the temporal dimension. As a consequence, the reverse proxy used by CDNs and similar solutions would be exempted from liability subject to the conditions of either Article 13 or 14 ECD. The consequences of the respective conditions require further analysis. However, two caveats need to be mentioned with respect to this solution. First, a narrow interpretation of the active/passive criterion might inhibit the solution delineated above, so this would require further analysis. Second, the envisaged extension of Article 13 or 14 ECD would also require further scrutiny because it might have unintended side effects for other services that are not considered here.

There is generally limited information on the self-regulation of CDN providers. From anecdotal evidence, it appears that some CDN service providers may also make content- or use-related decisions based on the enforcement of the terms of service (ToS) with customers.⁹³ At the company level, Cloudflare has a trusted reporter programme in place in relation to CSAM.⁹⁴ According to the German Cloudflare case, this also exists with music rights holders.⁹⁵

3.4 Processing in the cloud

Remote processing operations carried out in cloud computing and other contexts imply the possibility that the service provider is involved with processing illegal content.⁹⁶ Similarly, the remote processing of illegal information may also be problematic in other scenarios, such as with respect to content adaptation, for example, in a CDN context. Content adaptation can be divided into two categories that involve either modifying the representation of the content or the content proper.

‘Cloud computing’ is used as a label for a variety of business models that primarily offer the use of resources in data centres. A ‘cloud computing service’ can be defined as a ‘digital service that enables access to a scalable and elastic pool of shareable computing resources’.⁹⁷ Further characteristics include self-service and metered provision, meaning one only pays for the resources one is using.

Within the liability exemptions of the ECD, it is not easy to locate all services offered in a cloud setting. Under Article 14 ECD,⁹⁸ the service provider is not liable for the information stored at the request of a recipient of the service. Storage of information is certainly relevant in cloud settings, but the stored information is often encrypted, which makes notice-and-action challenging.⁹⁹ In addition, the relatively complex cloud business models typically go far beyond the storage of information. Services involving the processing of data (thus going beyond storage) include infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). Cloud-based data processing can have a variety of use cases, including the Internet of Things (IoT) and robotics.

A first question, as mentioned above, is whether cloud processing services can be seen as separate from storage, in the sense that these would be separate actions for which the service provider could be liable. There is no clarity on whether the performance of processing services could be taken as an argument for constituting liability, separate from the argument for the storage of information. It may be argued that the processing is carried out in close relation to the storage function and constitutes some form of ‘enhanced hosting’ with some extra services. In contrast, Article 14 does not explicitly include wording that would include other (eg processing-related) functions in the safe harbour it provides.¹⁰⁰ Thus, one would have to identify a separate liability exemption for such function. This second question depends on an interpretation of Articles 12 and 13 ECD.

None of the specific liability exemptions of the ECD seem directly to encompass remote processing operations. Potentially, it could be envisaged that a protection may nevertheless be found by interpretation of the ECD’s liability exemptions, eg based on a general analogy. Alternatively, a teleological interpretation of some of the aims of the ECD could lead to an expansive interpretation, encompassing services offered that are similar to those covered in Articles 12 to 14, or which are offered in conjunction with such services (in particular, Article 14). However, such general arguments for extending the scope of the liability exemptions, de lege lata, could be difficult because they are based on specific conditions that are closely related to the respective specified function. It would be unclear which conditions would apply to services not explicitly covered currently by the ECD. For example, the requirement that the information cannot be modified clearly appears to be of limited utility in the context of remote processing (including adaptation of the content). Furthermore, such processing is usually not visible to the service provider, particularly if encryption is used and when there are several layers of cloud computing. Concomitantly, we recommend that the European lawmaker address the exemption gap for remote processing operations, as well as the possibility that new business models offer functions that do not fit into the existing limitations.

3.5 Live-streaming

Live-streaming has recently become more topical than it was before, both in a commercial context and in the context of illegal or harmful content. The internet supports multicasting, that is, one-to-many communication by streaming content to a group of receivers in a single transmission. In principle, live-streaming without intermediaries storing the content is technically possible. However, in practice, live-streaming is a service that usually provides simultaneous storing and real-time streaming of an event, and live-streaming will use the same CDNs that are used for streaming stored content. There are many service providers offering a technical platform and hosting service for live-streaming.

Because live-streaming involves an event that is transmitted in real time, the party initiating the streaming will start transmitting when the event starts. This party may decide to publish the recorded event as an ordinary streamed video as soon as the real-time event terminates. Users obtain access to the live stream by requesting to receive the transmission. Live-streaming is also part of the content offered by social media services like Facebook and Twitter, and live-streaming content may be suggested to anyone using these services. Many-to-many live-streaming is also supported by many service providers, and this service is usually called video conferencing.

Live-streaming can be a type of linear audio-visual media service that is regulated in the revised AVMSD. This Directive addresses video-sharing platform services, including both non-linear (on demand) and linear services, which arguably include live-streaming.¹⁰¹ The revised AVMSD (Article 28b) requires providers of video-sharing platforms to take appropriate measures to address incitement to violence and some forms of hatred against individuals or groups. In addition, the providers need to protect the public from content that is illegal under Union law (related to terrorism, child abuse images, racism and xenophobia). The AVMSD explicitly states in Article 28a(5) that Articles 12 to 15 ECD apply to video-sharing platform providers.¹⁰²

In the context of the ECD, live-streaming is difficult to locate, and relevant case law is scarce. Functionally, live-streaming is similar to hosting, but it likely does not qualify as such under Article 14 because the streamed content is not stored before the communication but streamed in a linear manner. Technically, live-streaming involves some element of transmission in a communications network (‘mere conduit’),¹⁰³ but the nature of the service may be different from the one envisaged by Article 12 because of temporal and functional characteristics.¹⁰⁴ The default situation for mere conduit is the instantaneous communication of data in a network, which is over when the data are communicated. Thus, by the time a notice is issued, the communication is already over. In the case of live-streaming, content is continuously streamed for a limited time. This is somewhat comparable to hosting because the live-streaming service ‘hosts’ the live-stream. However, this is not necessarily using a stored file (like in hosting), but a continuous content stream. Thus, notice-and-action may be possible, and certain measures are obligatory under the AVMSD. Live-streaming may also involve a temporary storage of content (Article 13 ECD), but it is uncertain whether the provider does so ‘for the sole purpose of making more efficient the information’s onward transition’.¹⁰⁵ Moreover, an eventual liability might be based not (only) on the temporary storage but on the streaming (the provision of access to the streamed content), for which no dedicated exemption exists.

Underlying this is also the question whether live-streaming falls under the ECD regime in the first place. The ISS definition requires that such a service is ‘at the individual request of a recipient of services’.¹⁰⁶ It could be argued that this criterion is not fulfilled in the case of live-streaming, which resembles broadcasting.¹⁰⁷ At the same time, the criterion could be fulfilled if the streamer (the person initiating the streaming) were seen as the recipient of the service, but this makes it difficult to distinguish between streaming and broadcasting. Moreover, the live-streaming provider can select the viewer of the live stream—that is, the receiver of the communications—for example, based on algorithms that evaluate the users’ interests. This can be the case with respect to existing live-streaming services, such as Facebook and YouTube, but it would arguably void the protection afforded by Article 12(1)(b) ECD. Therefore, under a narrow reading of the ECD, at least some instances of live-streaming may be protected neither under Article 12 or Article 14 ECD.

A future regulation could address the gap, taking into account the control the service provider reasonably has over the content-related risks. A live-streaming services provider has a relatively close proximity to the content compared with typical mere conduit providers. Technically, the live-streaming provider is directly or indirectly connected to the live stream because the streamer is most likely its customer. Moreover, as foreseen in the AVMSD, these providers of video services are in a position to manage some aspects of the live-streaming they organise. At the same time, a service provider cannot be expected to have knowledge of everything happening on its service in real time.

Live-streaming providers might be able to take certain measures. Providers can be notified of an infringing live stream and react to such a live stream (eg take it down), at least while it is still continuing. Providers’ failures to react to notices were among the criticisms voiced after the terrorist attack in Christchurch, New Zealand, in 2019. There is limited systematic information on the self-regulation of live-streaming, although this has substantially increased in importance following the Christchurch attack.¹⁰⁸

It is unclear whether providers might technically be able to engage in ex ante monitoring, which would be problematic from a fundamental rights perspective. If mandated, it would have to comply with the prohibition of ‘general’ monitoring obligations in Article 15 ECD. This temporal aspect is challenging from a regulatory perspective because the service provider needs to act in a timely fashion, and it may be difficult to ascertain whether a certain live-stream contains illegal material. Therefore, a regulation would need to provide possibilities for the service provider to act expeditiously, while at the same time, respecting fundamental rights. It is not clear how this challenge can be resolved going forward.

3.6 Search engines

Search engines,¹⁰⁹ or information location tool services, and hyperlinks¹¹⁰ are other areas of interest related to the delimitation between Articles 12, 13 and 14 ECD. They are also explicitly mentioned in Article 21(2) ECD, a provision in relation to which the Commission was called upon to examine the ‘need for proposals concerning the liability of providers of hyperlinks and location tool services’. A closer examination of this is outside the scope of this article, but it should be noted that several Member States have included specific liability exemptions for these services in their national legislation.¹¹¹ In Austria and Liechtenstein, for example, the liability exemption for search engine services and hyperlinks follows Article 12 ECD. Spain, Portugal and Romania have enacted such liability exemption for search engines and hyperlinks modelled after Article 14 ECD.¹¹² In Google France, the CJEU applied Article 14 ECD in the advertising context of search engines, Adwords.¹¹³ In relation to data protection, the CJEU interpreted Data Protection Directive 95/46/EC to contain a ground for removal—that is, de-indexing—of search results in Google Spain,¹¹⁴ now codified in Article 17 GDPR; however, it did not take a stance on search engines’ position with respect to the ECD. A comprehensive overview of national case law on the matter is outside the scope of this article. Despite stark differences in consequences under Article 12- vis-à-vis Article 14-akin national regimes, the Commission did not see a risk for fragmentation in the internal market in 2003.¹¹⁵ Still, this grey area might be of interest when reviewing the ECD.¹¹⁶