Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1) This Regulation aims to ensure the smooth functioning of the digital single market in an open and democratic society, by addressing the misuse of hosting services for terrorist purposes and contributing to public security across the Union. The functioning of the digital single market should be improved by reinforcing legal certainty for hosting service providers and users’ trust in the online environment, as well as by strengthening safeguards to the freedom of expression, including the freedom to receive and impart information and ideas in an open and democratic society and the freedom and pluralism of the media.

(2) Regulatory measures to address the dissemination of terrorist content online should be complemented by Member State strategies to address terrorism, including the strengthening of media literacy and critical thinking, the development of alternative and counter narratives, and other initiatives to reduce the impact of and vulnerability to terrorist content online, as well as investment in social work, deradicalisation initiatives and engagement with affected communities, in order to achieve the sustained prevention of radicalisation in society.

(3) Addressing terrorist content online, which is part of a broader problem of illegal content online, requires a combination of legislative, non-legislative and voluntary measures based on collaboration between authorities and hosting service providers, in a manner that fully respects fundamental rights.

(4) Hosting service providers active on the internet play an essential role in the digital economy by connecting business and citizens and by facilitating public debate and the distribution and receipt of information, opinions and ideas, contributing significantly to innovation, economic growth and job creation in the Union. However, the services of hosting service providers are in certain cases abused by third parties for the purpose of carrying out illegal activities online. Of particular concern is the misuse of those services by terrorist groups and their supporters to disseminate terrorist content online in order to spread their message, to radicalise and recruit followers, and to facilitate and direct terrorist activity.

(5) While not the only factor, the presence of terrorist content online has proven to be a catalyst for the radicalisation of individuals which can lead to terrorist acts, and therefore has serious negative consequences for users, citizens and society at large as well as for the online service providers hosting such content, since it undermines the trust of their users and damages their business models. In light of their central role and the technological means and capabilities associated with the services they provide, hosting service providers have particular societal responsibilities to protect their services from misuse by terrorists and to help address terrorist content disseminated through their services online, while taking into account the fundamental importance of the freedom of expression, including the freedom to receive and impart information and ideas in an open and democratic society.

(6) Efforts at Union level to counter terrorist content online commenced in 2015 through a framework of voluntary cooperation between Member States and hosting service providers. Those efforts need to be complemented by a clear legislative framework in order to further reduce the accessibility of terrorist content online and adequately address a rapidly evolving problem. The legislative framework seeks to build on voluntary efforts, which were reinforced by Commission Recommendation (EU) 2018/334 (3), and responds to calls made by the European Parliament to strengthen measures to address illegal and harmful content online in line with the horizontal framework established by Directive 2000/31/EC of the European Parliament and of the Council (4), as well as by the European Council to improve the detection and removal of content online that incites terrorist acts.

(7) This Regulation should not affect the application of Directive 2000/31/EC. In particular, any measures taken by a hosting service provider in compliance with this Regulation, including any specific measures, should not in themselves lead to that hosting service provider losing the benefit of the liability exemption provided for in that Directive. Moreover, this Regulation does not affect the powers of national authorities and courts to establish the liability of hosting service providers where the conditions set out in that Directive for liability exemption are not met.

(8) In the event of a conflict between this Regulation and Directive 2010/13/EU of the European Parliament and of the Council (5) in relation to provisions governing audiovisual media services as defined in point (a) of Article 1(1) of that Directive, Directive 2010/13/EU should prevail. This should leave the obligations under this Regulation, in particular with regard to video-sharing platform providers, unaffected.

(9) This Regulation should set out rules to address the misuse of hosting services for the dissemination of terrorist content online in order to guarantee the smooth functioning of the internal market. Those rules should fully respect the fundamental rights protected in the Union and, in particular, those guaranteed by the Charter of Fundamental Rights of the European Union (the ‘Charter’).

(10) This Regulation seeks to contribute to the protection of public security while establishing appropriate and robust safeguards to ensure the protection of fundamental rights, including the right to respect for private life, to the protection of personal data, to freedom of expression, including the freedom to receive and impart information, the freedom to conduct a business, and to an effective remedy. Moreover, any discrimination is prohibited. Competent authorities and hosting service providers should only adopt measures which are necessary, appropriate and proportionate within a democratic society, taking into account the particular importance accorded to the freedom of expression and information and the freedom and pluralism of the media, which constitute the essential foundations of a pluralist and democratic society and are values on which the Union is founded. Measures affecting the freedom of expression and information should be strictly targeted to address the dissemination of terrorist content online, while respecting the right to lawfully receive and impart information, taking into account the central role of hosting service providers in facilitating public debate and the distribution and receipt of facts, opinions and ideas, in accordance with the law. Effective online measures to address terrorist content online and the protection of freedom of expression and information are not conflicting but complementary and mutually reinforcing goals.

(11) In order to provide clarity about the actions that both hosting service providers and competent authorities are to take to address the dissemination of terrorist content online, this Regulation should establish a definition of ‘terrorist content’ for preventative purposes, consistent with the definitions of relevant offences under Directive (EU) 2017/541 of the European Parliament and of the Council (6). Given the need to address the most harmful terrorist propaganda online, that definition should cover material that incites or solicits someone to commit, or to contribute to the commission of, terrorist offences, solicits someone to participate in activities of a terrorist group, or glorifies terrorist activities including by disseminating material depicting a terrorist attack. The definition should also include material that provides instruction on the making or use of explosives, firearms or other weapons or noxious or hazardous substances, as well as chemical, biological, radiological and nuclear (CBRN) substances, or on other specific methods or techniques, including the selection of targets, for the purpose of committing or contributing to the commission of terrorist offences. Such material includes text, images, sound recordings and videos, as well as live transmissions of terrorist offences, that cause a danger of further such offences being committed. When assessing whether material constitutes terrorist content within the meaning of this Regulation, competent authorities and hosting service providers should take into account factors such as the nature and wording of statements, the context in which the statements were made and their potential to lead to harmful consequences in respect of the security and safety of persons. The fact that the material was produced by, is attributable to or is disseminated on behalf of a person, group or entity included in the Union list of persons, groups and entities involved in terrorist acts and subject to restrictive measures should constitute an important factor in the assessment.

(12) Material disseminated for educational, journalistic, artistic or research purposes or for awareness-raising purposes against terrorist activity should not be considered to be terrorist content. When determining whether the material provided by a content provider constitutes ‘terrorist content’ as defined in this Regulation, account should be taken, in particular, of the right to freedom of expression and information, including the freedom and pluralism of the media, and the freedom of the arts and sciences. Especially in cases where the content provider holds editorial responsibility, any decision as to the removal of the disseminated material should take into account the journalistic standards established by press or media regulation in accordance with Union law, including the Charter. Furthermore, the expression of radical, polemic or controversial views in the public debate on sensitive political questions should not be considered to be terrorist content.

(13) In order to effectively address the dissemination of terrorist content online, while ensuring respect for the private life of individuals, this Regulation should apply to providers of information society services which store and disseminate to the public information and material provided by a user of the service on request, irrespective of whether the storing and dissemination to the public of such information and material is of a mere technical, automatic and passive nature. The concept of ‘storage’ should be understood as holding data in the memory of a physical or virtual server. Providers of ‘mere conduit’ or ‘caching’ services, as well as of other services provided in other layers of the internet infrastructure, which do not involve storage, such as registries and registrars, as well as providers of domain name systems (DNS), payment or distributed denial of service (DdoS) protection services, should therefore fall outside the scope of this Regulation.

(14) The concept of ‘dissemination to the public’ should entail the making available of information to a potentially unlimited number of persons, namely making the information easily accessible to users in general, without requiring further action by the content provider, irrespective of whether those persons actually access the information in question. Accordingly, where access to information requires registration or admittance to a group of users, that information should be considered to be disseminated to the public only where users seeking to access the information are automatically registered or admitted without a human decision or selection of whom to grant access. Interpersonal communication services, as defined in point (5) of Article 2 of Directive (EU) 2018/1972 of the European Parliament and of the Council (7), such as emails or private messaging services, should fall outside the scope of this Regulation. Information should be considered to be stored and disseminated to the public within the meaning of this Regulation only where such activities are performed upon direct request of the content provider. Consequently, providers of services, such as cloud infrastructure, which are provided at the request of parties other than the content providers and only indirectly benefit the latter, should not be covered by this Regulation. This Regulation should cover, for example, providers of social media, video, image and audio-sharing services, as well as file-sharing services and other cloud services, insofar as those services are used to make the stored information available to the public at the direct request of the content provider. Where a hosting service provider offers several services, this Regulation should apply only to the services that fall within its scope.

(15) Terrorist content is often disseminated to the public through services provided by hosting service providers established in third countries. In order to protect users in the Union and to ensure that all hosting service providers operating in the digital single market are subject to the same requirements, this Regulation should apply to all providers of relevant services offered in the Union, irrespective of the country of their main establishment. A hosting service provider should be considered offering services in the Union if it enables natural or legal persons in one or more Member States to use its services and has a substantial connection to that Member State or those Member States.

(16) A substantial connection to the Union should exist where the hosting service provider has an establishment in the Union, its services are used by a significant number of users in one or more Member States, or its activities are targeted towards one or more Member States. The targeting of activities towards one or more Member States should be determined on the basis of all relevant circumstances, including factors such as the use of a language or a currency generally used in the Member State concerned, or the possibility of ordering goods or services from such Member State. Such targeting could also be derived from the availability of an application in the relevant national application store, from providing local advertising or advertising in a language generally used in the Member State concerned, or from the handling of customer relations such as by providing customer service in a language generally used in that Member State. A substantial connection should also be assumed where a hosting service provider directs its activities towards one or more Member States as set out in point (c) of Article 17(1) of Regulation (EU) No 1215/2012 of the European Parliament and of the Council (8). The mere accessibility of a hosting service provider’s website, of an email address or of other contact details in one or more Member States, taken in isolation, should not be sufficient to constitute a substantial connection. Moreover, the provision of a service with a view to mere compliance with the prohibition of discrimination laid down in Regulation (EU) 2018/302 of the European Parliament and of the Council (9) should not, on that ground alone, be considered to constitute a substantial connection to the Union.

(17) The procedure and obligations resulting from removal orders requiring hosting service providers to remove or disable access to terrorist content, following an assessment by the competent authorities, should be harmonised. Given the speed at which terrorist content is disseminated across online services, an obligation should be imposed on hosting service providers to ensure that the terrorist content identified in the removal order is removed or access to it is disabled in all Member States within one hour of receipt of the removal order. Except for in duly justified cases of emergency, the competent authority should provide the hosting service provider with information on procedures and applicable deadlines at least 12 hours in advance of issuing for the first time a removal order to that hosting service provider. Duly justified cases of emergency occur where the removal of or disabling of access to the terrorist content later than one hour after receipt of the removal order would result in serious harm, such as in situations of an imminent threat to the life or physical integrity of a person, or when such content depicts ongoing events resulting in harm to the life or physical integrity of a person. The competent authority should determine whether cases constitute emergency cases and duly justify its decision in the removal order. Where the hosting service provider cannot comply with the removal order within one hour of its receipt, on grounds of force majeure or de facto impossibility, including for objectively justifiable technical or operational reasons, it should inform the issuing competent authority as soon as possible and comply with the removal order as soon as the situation is resolved.

(18) The removal order should contain a statement of reasons qualifying the material to be removed or access to which is to be disabled as terrorist content and provide sufficient information for the location of that content, by indicating the exact URL and, where necessary, any other additional information, such as a screenshot of the content in question. That statement of reasons should allow the hosting service provider and, ultimately, the content provider to effectively exercise their right to judicial redress. The reasons provided should not imply the disclosure of sensitive information which could jeopardise ongoing investigations.

(19) The competent authority should submit the removal order directly to the contact point designated or established by the hosting service provider for the purposes of this Regulation by any electronic means capable of producing a written record under conditions that allow the hosting service provider to establish the authenticity of the order, including the accuracy of the date and the time of sending and receipt thereof, such as by secured email or platforms or other secured channels, including those made available by the hosting service provider, in accordance with Union law on the protection of personal data. It should be possible for that requirement to be met through the use of, inter alia, qualified electronic registered delivery services as provided for by Regulation (EU) No 910/2014 of the European Parliament and of the Council (10). Where the hosting service provider’s main establishment is or its legal representative resides or is established in a Member State other than that of the issuing competent authority, a copy of the removal order should be submitted simultaneously to the competent authority of that Member State.