Terrorist legislation: the EU is on the right track but isn’t there yet

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.

This article is part of our special report Regulating against radicalisation.

Last autumn, the European Commission’s proposed Regulation to remove and proactively monitor terrorist content online sent shockwaves through Europe’s cloud infrastructure community. Alban Schmutz explains why.

Alban Schmutz is CISPE Chairman and Vice President Strategic Development and Public Affairs at OVH.

When the Commission announced its proposed Regulation on Preventing the dissemination of terrorist content online, one thing was immediately clear: it was targeting the wrong players.

It made no sense to include cloud infrastructure in its scope. Since then, real progress has been made in tightening the wording and scope of the Regulation to ensure it can work as effectively as possible—but more remains to be done, and the clock is ticking.

It is technically impossible for Europe’s cloud infrastructure companies to comply, yet they were covered. Cloud infrastructure services are used by other companies to build and run their businesses on top of them. As we made crystal clear last year, it is not possible for cloud infrastructure providers to take down a specific piece of content without compromising lawful content and interfering with their customers’ private data.

The legislation is mainly designed for social media platforms and online content sharing services but, unintentionally, captures other hosting service providers.

The organizations represented by CISPE (Cloud Infrastructure Services Providers in Europe) take care of the underlying infrastructure and not the content. We do not remove specific content; we are the processors, not the controllers. It’s not what we do.

So while our members do, of course, support the aim of the Regulation, and recognize this is a highly sensitive issue, we believe that cloud infrastructure should not fall under its scope. In addition, issues remain around security, data privacy and fundamental rights related, for example, to filtering obligations. Some provisions are at odds with the e-Commerce Directive.

Since last December, however, we’ve seen encouraging movement in the right direction.

For example, the draft report from the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) recognized that cloud infrastructure services should not be within the scope of the Regulation, as this may lead to a conflict with principles of privacy and undermine the provision on cloud infrastructure services.

As rapporteur Daniel Dalton MEP said in a LIBE committee meeting (04/02/2019), “I don’t think that cloud infrastructure services should be included… I’m not talking here about consumer cloud services such as Dropbox, but more the cloud infrastructure services that are used by businesses to host data that’s used on websites. They don’t control or filter the data, and they have no technical means of removing specific content.”

The IMCO committee (Internal Market and Consumer Protection) elaborated on the exclusion, describing it as covering services at layers of the Internet infrastructure other than the application layer (wording meant to address cloud infrastructure services).

Meanwhile, the CULT committee (Culture and Education) clarified the definition of hosting service providers to exclusively cover hosting providers that enable their users to make content available to the public instead of ‘third parties’—which we believe is helpful.

So progress has been made. We’re almost there but it’s not quite enough. Key clarifications and improvements are still required to make the Regulation as clear and unambiguous as it needs to be.

As a result, we are calling on MEPs to introduce a properly robust definition of cloud infrastructure in Article 2 of the Regulation and explicitly exclude such services.

Ensuring exclusion within Article 2 of the Regulation will provide consistency across member states in their interpretation of cloud infrastructure services and so avoid loopholes.

It would prevent a situation in which different interpretations co-exist across the EU, with the risk of 28 or more national competent authorities misstepping into imposing automated proactive measures on cloud infrastructure services—or even companies claiming to have cloud infrastructure services when they do not.

We urge legislators to take those last few important steps: to embed the necessary exclusions in a legally binding Article rather than in a non-binding Recital, and so make this Regulation fit for purpose.

CISPE’s original press release on the proposed EU Regulation on Terrorist Content Online is available here

The CISPE position paper on the proposed EU Regulation on Terrorist Content Online is available here


CISPE is the leading European trade association representing cloud infrastructure providers, supported by a majority of European SMEs and small-cap companies, working with business, consumers and EU institutions to address key industry issues and promote best practice in cloud provision, data protection and consumer choice. With more than 100 cloud services already declared under the CISPE GDPR Code of Conduct, its 30+ members provide services to many thousands of organizations and for millions of customers across the region. CISPE is open to all companies provided they declare at least one service under the CISPE Code of Conduct. Please get in touch – cispe.cloud
