The EU’s proposed Regulation to monitor terrorist content online has many implications, not least for fundamental human rights and freedoms including privacy. But it also asks Europe’s cloud infrastructure providers to do the impossible, writes Alban Schmutz.
Alban Schmutz is the chairman of CISPE and VP Strategic Development & Public Affairs.
We provide the underlying infrastructure for businesses and governments to manage their data and build their own services. It is technically not possible for cloud infrastructure providers to access data and content controlled by our customers. This means we cannot monitor, find, disable and remove a specific piece of content, like a photo or a piece of text.
But that is precisely what EU legislation is asking us to do: the impossible.
The EU is targeting the wrong players
Cloud infrastructure providers must be exempted.
- The Regulation is fitted for online content sharing services e.g. social media and video sharing providers – but not for infrastructure service providers.
- Cloud infrastructure providers are not controlling what content is put up, how that content is made available to the public, or to whom it is made available.
- We provide the underlying IT infrastructure: cloud infrastructure providers are the processors and not controllers, delivering the building blocks for customers in business and government to build and run their own IT systems. This is analogous to power cables in the ground for a city.
Complying with the Regulation is technically not possible for cloud infrastructure service providers:
- Online content sharing services do have control down to the most granular piece of content made available on their platform: they can delete an individual comment and image, or target an individual end user – infrastructure providers cannot do this because they do not have access to the customers’ content.
- Infrastructure as a Service (IaaS) providers cannot even distinguish what is “a piece of content” from what is not “a piece of content”.
- To take down a specific comment, for example, an infrastructure provider may need to take down the entire website in question, closing down access for related services and potentially a large number of other users, or even closing down of service of other customers.
Imposing “automated proactive measures” to monitor and prevent uploads is not technically possible – and would mean snooping on all data that is not made available to the public:
In its current form, the Regulation poses a serious threat to the core assets of cloud infrastructure user organisations – including European industries, services and governments – thereby slowing down their digital transformation and immediately bringing to a halt the protections of the General Data Protection Regulation (GDPR) that only came into force six months ago.
CISPE is urging the legislators to consider rules that are clear, workable and proportionate.
The CISPE press release on the proposed EU Regulation on Terrorist Content Online is available here
The CISPE position paper on the proposed EU Regulation on Terrorist Content Online is available here