The European Commission is proposing new legislation to get terrorist content off the web including an order to remove propaganda within one hour.
Rapid detection and removal of terrorist content online is crucial to prevent further dissemination across other platforms. In January 2018 alone, almost 700 new pieces of Islamic State group propaganda were disseminated online, representing a very real risk to society. The ability to spread this type of propaganda rapidly across platforms demands an equally rapid response.
While positive results have been achieved from voluntary initiatives, including under the EU Internet Forum, terrorist propaganda continues to be easily accessible online and the level and pace of response continues to vary. In some cases, internet platforms have not engaged in voluntary efforts or did not take sufficiently robust action to reduce access to terrorist content online. In addition, different procedures and in some cases regulatory actions across countries limit the effectiveness and efficiency of cooperation between authorities and hosting service providers.
Many of the recent attacks within the EU have exposed terrorists’ use of the internet to plan attacks, and there is continuing concern about the role of the internet in allowing terrorist organizations to radicalize, recruit, train, facilitate and direct terrorist activity. The European Parliament and the European Council called on the Commission in 2017 and again in 2018 to present proposals to address these issues. These calls were echoed by statements issued by the leaders of the G7 and G20 in 2017 as part of the shared effort to tackle terrorism both offline and online.
The new legislative proposal takes into account the particular urgency of stopping the dissemination of terrorist content online and aims to put in place uniform measures that address this type of especially harmful content posing an imminent security risk to Europeans.
The one-hour timeframe
Terrorist content is most harmful in the first hours of its appearance because of the speed at which it can spread. For instance, research has found that one-third of all links to Islamic State propaganda disseminates within an hour of release.
Once uploaded, terrorist content is not always immediately detected and is able to move quickly from one platform to another. Furthermore, it is not always quickly removed even when referred to the companies by law enforcement authorities. The short timeframe for removal is therefore considered necessary to reduce the volume of terrorist content, as well as the number of viewers who can access it.
The EU defines online terrorist content as material and information that incites, encourages or advocates terrorist offenses, provides instructions on how to commit such crimes or promotes participation in activities of a terrorist group. Such material might include texts, images, sound recordings and videos.
The new rules introduce binding removal orders. The orders, issued by national authorities and requesting hosting service providers to remove terrorist content online or disable access to it, must be carried out within one hour. As things stand, hosting service providers follow diverging rules concerning removal orders sent by some nations, while other countries refer material on a voluntary basis either directly to companies or via Europol, and have little or no power to ensure its subsequent removal. Under the new rules, failure to comply with a removal order may result in financial penalties.
In the event of systematic failures to remove such content within one hour following removal orders, a service provider could face financial penalties of up to 4 percent of its global turnover for the last business year.
The new rules require hosting service providers to take proactive measures including the deployment of automated detection tools where appropriate and when they are exposed to the risk of hosting terrorist content. This will ensure that affected service providers do not depend only on the authorities or third parties flagging terrorist content, but take proactive measures to prevent their services from being exploited by terrorists. Service providers should also report on the proactive measures put in place after having received a removal order.
Hosting service providers will be required to put in place effective safeguards to ensure full respect of fundamental rights, such as freedom of expression and information. In addition to possibilities of judicial redress, such safeguards will include the possibility for hosting service providers and content providers to contest a removal order as well as effective complaint mechanisms for content providers where hosting service providers have taken down content unjustifiably.
Hosting service providers will also be obliged to nominate points of contact to facilitate the swift handling of removal orders and referrals. A hosting service provider’s point of contact does not have to be located in the EU but should be available 24/7 to ensure that terrorist content is removed, or access to it is disabled, within one hour of receiving a removal order.
Companies and European Member States will be required to report on their efforts and the Commission will establish a detailed program for monitoring the results and impact of the new rules. To enhance transparency and accountability towards their users, online platforms will also publish annual transparency reports explaining how they address terrorist content on their services.
The new rules will apply to all hosting service providers offering services in the EU, irrespective of their size or where they are based. Today, the hosting service providers that are most exposed to terrorist content are in fact based outside the EU. These service providers, which do not have their headquarters in any EU member state but that do offer services within the union, are being asked to designate a legal representative within the EU in order to facilitate compliance with the new rules. They will then fall under the jurisdiction of the member state where the legal representative or their company seat is located.
Hosting service providers, who provide information services, including storing of information shared by users and making information available to third parties, will also be bound by the new rules. Examples include social media platforms, video streaming services, video, image and audio sharing services, file sharing and other cloud services, websites where users can make comments or post reviews.
Since terrorist content increasingly affects smaller service providers, the new rules do not exclude companies on account of their size, but instead provide targeted measures depending on the level of risk while also taking into account their economic capabilities.
Taking account of possible financial and technological burdens, there are mechanisms that small enterprises can benefit from. For example, the EU Internet Forum offers a space for cooperation and exchange between all relevant actors including companies, member states and Europol. Furthermore, numerous small and medium enterprises have already benefitted from shared tools they adapted to their content policy.
Both hosting service providers and content providers will have the possibility to contest a removal order issued by a national authority. In addition, where hosting service providers take a decision to remove content – following a referral or on their own initiative – content providers can ask for a review. For that purpose, the hosting service providers are asked to set up user-friendly complaint mechanisms and ensure transparency and swift follow-up.
The new rules take into account the fact that removal of some of the terrorist content could influence ongoing or future criminal investigations and effective prosecution. Member states may therefore request that removed content is retained for such purposes. For that reason, companies are requested to retain removed content and related data for six months.
The new rules also stipulate that where hosting service providers become aware of material that is evidence of a terrorist offense, they should promptly inform the relevant authorities. This will help ensure that law enforcement and security partners have the best possible chance to take action.