Blogs | Privacy and data protection | Data protection standards | Privacy and confidentiality

FRA and EDPS: Terrorist Content Regulation requires improvement for fundamental rights

By EDRi · February 20, 2019

On 12 February 2019, the European Union Agency for Fundamental Rights (FRA) published an Opinion regarding the Regulation on preventing the dissemination of terrorist content online. In the same day, the European Data Protection Supervisor (EDPS) submitted its comments on the topic to the responsible committee in the European Parliament. These two texts complement EDRi’s analysis and the previous Report prepared by three UN Special Rapporteurs on the proposal.

FRA: Substantial threats for freedom of expression

In its Opinion, FRA structures its criticism around four main areas.

First, it calls to improve the definition of “terrorist content”. The Opinion highlights the need to add to this definition the concept of “incitement” or giving specific instructions to commit terrorist offences. The definition of such instructions should be aligned with the Terrorism Directive and specific actions such as “providing specific instructions on how to prepare explosives or firearms”. Further, the text calls to limit the proposal to content disseminated to the public and to exclude from the Regulation’s scope certain forms of expression, such as content that relates to educational, journalistic, artistic or research purposes.

Second, FRA calls to ensure that fundamental rights safeguards are in place through “effective judicial supervision”. Currently, there is no mention in the proposal of any “independent judicial authority in the adoption or prior to the execution of the removal order”. FRA also reminds of the need to avoid a disproportionate impact on the freedom to conduct a business when having to react to notices for removals of terrorist content in a very short time-frame (up to one hour in the original proposal). FRA suggests instead a reaction time of 24 hours from the receipt of the removal order. Regarding safeguards in cross-border removal orders, the Opinion calls to ensure that the authorities of the Member State where the content is hosted are “empowered to review the removal order in cases where there are reasonable grounds to believe that fundamental rights are impacted within its own jurisdiction.” FRA thus encourages the EU legislator to require a notification by the issuing Member State to the host Member State – in addition to the notification to the hosting service provider – when the removal order is issued.

Third, FRA states that the proposal “does not sufficiently justify the necessity of introducing the mechanism of referrals”, and suggests to distinguish between content needing a removal order and content requiring a referral.

Fourth, the Opinion states that the proposed proactive measures of the Regulation come very close to a general monitoring obligation. This is not only prohibited by Article 14 of the EU’s eCommerce Directive, but also generally incompatible with individuals’ right to freedom of expression under Article 11 of the Charter of Fundamental Rights in the European Union. Thus, FRA proposes to delete from the Regulation text the obligation for Hosting Service Providers’ (HSPs) to introduce proactive measures.

EDPS: Concerns for the Regulation’s data retention and GDPR compliance

While the EDPS issued similar concerns regarding the definition of terrorist content and the “one hour rule”, it also issued some targeted comments on the concerns surrounding potentially privacy intrusive elements of the Regulation proposal.

In the Regulation proposal, Hosting Service Providers’ have obligations to retain data of supposed terrorist content that they delete or disable access to on their platform. The EDPS presents substantive doubts whether such obligations would be compliant with case law of the Court of Justice of the European Union (CJEU). This opinion was based on the assessment that the proposed measures, in similarity to the Data Retention Directive that was struck down by the CJEU in 2014, do not lay down specific criteria regarding the time period and access and use limitations for the retained data. The EDPS is further not convinced of the overall usefulness of data retention measures in the Terrorist Content Regulation, given that the text obliges HSPs to promptly inform the competent law enforcement authorities of any evidence regarding terrorist offences.

On the proposal’s foreseen proactive measures, the EDPS stated that automated tools for recognising and removing content would likely fall under Article 22 of the General Data Protection Regulation (GDPR), which regulates citizens’ rights in automated decision making and profiling activities. This would, in turn, require more substantive safeguards than the ones provided in the Commission’s proposal, including case-specific information to the data subject, understandable information about how the decision was reached, and the right to obtain human intervention in any case.

The observations of the EU’s most important fundamental rights institutions feed into a steady stream of criticism of the proposal. These represent noteworthy positions for policy makers in the legislator institutions, particularly in the European Parliament’s LIBE, CULT and IMCO committees that are currently adopting their positions. It is now more evident than ever that the proposed Terrorist Content Regulation needs substantive reform to live up to the Union’s values, and to safeguard the fundamental rights and freedoms of its citizens.

Read more:

EDRi Recommendations for the European Parliament’s Draft Report on the Regulation on preventing the dissemination of terrorist content online (December 2018)

All Cops Are Blind? Context in terrorist content online (13.02.2019)

Terrorist Content: LIBE Rapporteur’s Draft Report lacks ambition (25.01.2019)

CULT: Fundamental rights missing in the Terrorist Content Regulation (21.01.2019)

Terrorist Content: IMCO draft Opinion sets the stage right for EP (18.01.2019)

(Contribution by Diego Naranjo and Yannic Blaschke)