On the 9th of November 2023 the CJEU ruled that an EU Member State cannot impose general and abstract obligations on providers of communication platforms which are established in another Member State. According to the judges, general abstract measures, such as the Austrian law in question, violate EU law. This judgement has a significance that goes beyond the actual content. At its core, it also affects the ability to regulate illegal content, such as hate speech on the internet.
- The Austrian KoPl-G and the E-Commerce Directive
The judgement arose from a notice by the Austrian Communications Authority, which had the «Austrian Communications Platforms Act» (KoPl-G) as its legal basis. The act determined that it also applies to communication platform providers based in other Member State (in this case: Ireland). The KoPI-G came into force in 2021 and stipulates, among other things, the establishment of notification and review procedures for allegedly illegal content on communication platforms. This was also accompanied by the obligation to publish transparency reports on such notifications and to appoint a commissioner. The aim of this act was to curb the spread of hate speech on the internet. In the event of non-compliance, the Austrian Communications authority could impose fines.
The companies of Google Ireland Limited, Meta Platforms Ireland Limited and TikTok Technology Limited took legal action against the notice, whereupon the Austrian Administrative Court initiated a referral for a preliminary ruling before the CJEU. The communication platform providers argued, among other things, that the Austrian law violated the «principle of control in the Member State of origin» of the E-Commerce Directive. The CJEU has now confirmed this in its judgement.
- The reasoning aligned with the principle of control in the Member State of origin
The principle of control in the Member State of origin, which is reflected in the E-Commerce Directive, states that communication platform providers are subject to the legal system of the Member State in which they are established, meaning that no further-reaching obligations may be imposed on those by other Member States. Art. 3 (4) of the E-Commerce Directive provides exceptions to this principle. According to this, other Member States than the one of origin of the provider may exceptionally take actual measures, provided that these measures are focused on specific services. Furthermore, those measures must meet the further requirements of Art. 3 (4) E-Commerce Directive (e.g., ensure public order, the protection of public health, public safety or the protection of consumers).
In its request for a preliminary ruling, the Austrian Administrative Court basically posed the question of whether also general abstract measures (such as the KoPI-G) are covered by the exception designated in Art. 3 (4) of the E-Commerce Directive. Thereby a Member State would restrict the free movement of information society services, without specifying the measures to an individual case of a named platform.
The CJEU negated that general abstract measures which relate to generally defined categories of certain services of communication platform providers, without these measures being taken in relation to a specific individual case, constitute an exception to the principle of control in the Member State of origin within the Art. 3 (4) of the E-Commerce Directive. The KoPl-G, therefore, contradicts the principle of control in the Member State of origin and thus the E-Commerce Directive. In its reasoning, the Court largely referred to the opinion of Advocate General Maciej Szpunar from June 2023. Szpunar emphasized that general abstract exceptions to the principle of control in the Member State of origin would cause fragmentation of the law of the internal market. This is precisely why the exception in Art. 3 (4) of the E-Commerce Directive must be interpreted narrowly. The CJEU also emphasized that such fragmentation contradicts the actual objective of the Directive, as it is aimed at creating a standardization of regulations in order to guarantee the free movement of information society services. Finally, the CJEU also emphasised that disregarding the principle of control in the Member State of origin «undermines mutual trust between the Member States» which is seen problematic particularly concerning the principle of mutual recognition.
- The ruling’s impact on platform regulation
There is much more behind this judgement than just the examination of compatibility with EU law. At its core, it is more about the question of how and from whom platforms will be regulated in the EU. In the case of the KoPl-G, it is primarily the regulation of combating illegal content on communication platforms. However, Austria is not the only member state with a regulatory approach on that topic. The German «Network Enforcement Act» (NetzDG) will be equally affected by the CJEU’s ruling. And finally, but most importantly, the current developments of the «Digital Service Act» (DSA) must be taken into account while analysing this ruling.
The DSA aims to regulate online platforms and digital services on an EU level, especially issues such as combating hate speech and illegal content. As stated in Art. 2 (3) of the DSA, the E-Commerce Directive remains unaffected by the new regulations of the DSA.
The interaction of these two regulations creates a clear limitation of the Member States’ regulatory options. While Member States must implement EU regulations such as the DSA, they can adopt more stringent rules if needed. However, if a Member State desires those stricter regulations (for example like the efforts in the KoPl-G or the German NetzDG), it then again faces the E-Commerce Directive’s principle of control in the Member State of origin, as just affirmed by the CJEU.
Ultimately, the Member States’ scope for more far-reaching regulation is therefore severely restricted. We must now bear in mind that (according to this judgement) this only applies to general abstract measures. If the conditions of the exception in Art. 2 (4) E-Commerce Directive are met, a regulation of a non-origin Member State would be possible.
If we analyse the interaction of all these regulations, the following findings emerge: On the one hand, the question arises as to whether the principle of control in the Member State of origin is still appropriate in light of current developments. After all, digital communication platforms are not only becoming increasingly relevant and influential in everyday life, but also bring with them the very special phenomenon of crossing borders. The fact that only the Member State of origin can regulate this seems to be based on considerations from a different time. On the other hand, the DSA and other recent EU regulations in this field seem to have created the possibility of sufficient remedies for this problem. This is also because the EU’s efforts to regulate communication platforms at an European level are aiming to avoid disparities in regulations across member states for issues that transcend national borders. This approach promotes consistency and addresses the challenges posed by a topic that inherently disregards country boundaries. While navigating potential hurdles, this development can be generally viewed as positive, fostering a cohesive regulatory framework that aligns with the interconnected nature of the digital landscape. Ultimately, the effect of the DSA when coming to its full validity in February 2024 remains to be seen in order to make a final assessment of the scope of its regulations.
To summarise, this ruling is an interesting milestone in the development of platform regulation. It brings a consolidation and harmonisation of EU law and clarifies under which (narrow) conditions the individual non-origin Member State can make individual regulations in this field. As a result of this ruling, Google & co. may not have to implement the regulations of the KoPl-G to combat hate speech, but after all they will be subject to comparable regulations under the DSA. It remains to be seen whether there will still be a need for more far-reaching regulations for some Member States even after the DSA showed its impact and how those then will be implemented.
 European Union, Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘E-Commerce Directive’), 2000 O.J. L 178/1.
 Id., margin number 53.
 The NetzDG is from October of 2017 and is a German law designed to combat illegal content, particularly hate speech and misinformation, on social media platforms be requiring operators to promptly remove such content and implement complaint procedures.
 Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a single market for Digital Services and amending Directive 2000/31/EC (Digital Service Act). 2022 O.J. L 277/1.
 Id., Art. 2 (3) DSA.
 And also a bit arbitrary, because implemented pull-factors can easily decide which Member States gets chosen from providers and therefore who is in charge of further regulation.
 Such as the Digital Market Act (DMA), the Audiovisual Media Service Directive (AVMSD), the Terrorist Content Online Regulation (TCO), the Child Sexual Abuse Material proposal (CSAM), but also even the GDPR and the Copyright Directive. All these regulations illustrate the EU’s efforts to harmonize and simplify the legal landscape regarding platform regulation.
 As can be seen in Art. 1, 9, 10 or 11 of the DSA (and many more), the DSA relies on a complex network of close cooperation between the EU institutions and the institutions of the Member States in order to realise its objectives.
 After all, the final ruling of the Austrian Administrative Court still has to happen.