On 9 November 2023, the Court of Justice of the European Union (CJEU) held that an EU Member State may not subject an information society service provider (ISSP) established in another EU Member State to general and abstract regulatory measures that deviate from measures of the Member State in which the ISSP is established (C‑376/22). In doing so, it declared the Austrian Communication Platforms Act and, by implication, many other national online platform regulations, inapplicable for Ireland-based ISSPs.
Austria had adopted far-reaching content moderation legislation, the Communication Platforms Act, in December 2020, with the specific aim of regulating large online platforms established in other EU Member States. In light of a highly critical assessment of the European Commission concerning the compatibility of the legislation with EU law, a number of ISSPs, including Google1, requested declaratory decisions from the Austrian regulatory authority on the applicability of the legislation. When the authority confirmed its applicability, these decisions were appealed through the courts up to the Austrian Administrative Supreme Court who referred the matter to the CJEU for a preliminary ruling.
The question referred to the CJEU
Under the EU E-Commerce Directive, the freedom to provide online services from one Member State to all other Member States is protected by the “country of origin”-principle which states that one EU Member State may not restrict the freedom to provide information society services from another Member State – unless very specific requirements are met.
Any “measure” that interferes with the country of origin principle must, among other requirements, be taken against “a given information society service” (Article 3(4) E-Commerce Directive).
Considering that the Austrian Communication Platforms Act broadly applied to large online platforms facilitating user-to-user communication, the Austrian Administrative Supreme Court referred the question to the CJEU whether general and abstract measures aimed at a category of information society services described in general terms fall within the concept of “measures” taken against a “given information society service” within the meaning of the E-Commerce Directive.
CJEU rules in favor of the freedom to provide online services and upholds the country of origin principle
The CJEU ruled that measures taken against a “given information society service” do not include general and abstract measures aimed at an entire category of given information society services described in general terms and applying without distinction to any provider of that category of services.
In doing so, it established for the first time that legislation that applies to an entire category of ISSPs cannot, in any case, justify a derogation from the country of origin principle.
The CJEU based its judgment on the following considerations:
- The country of origin principle results in a division of regulatory powers between the Member State of origin of an ISSP and the Member State in which the service concerned is provided, i.e. the Member State of destination. If Member States of destination were allowed to adopt general and abstract measures, the regulatory powers of the Member State of origin would be encroached on and ISSPs would be subjected to the legislation of both the Member State of origin and the Member State(s) of destination (see paras. 48-49 of the judgment).
- The E-Commerce Directive’s country of origin principle provides for the supervision of ISSPs in the Member State of origin with the threefold objective of (i) ensuring effective protection of public interest objectives, (ii) improving mutual trust between Member States and (iii) effectively guaranteeing freedom to provide services and legal certainty for suppliers and their recipients. Allowing a Member State of destination to interfere with the country of origin principle through the adoption of general and abstract measures would undermine these objectives (see para. 50-51, 53 of the judgment).
- As an interference with the country of origin principle, general and abstract measures are therefore not justified even where the Member State of destination claims to act in pursuit of important public policy goals, such as public safety or the protection of consumers (see para. 52 of the judgment).
- The E-Commerce Directive seeks to eliminate legal obstacles to the proper functioning of the internal market, namely obstacles arising from divergences in legislation and from the legal uncertainty as to which national rules apply to such services (see para. 55 of the judgment).
- Allowing a Member State of destination to interfere with the country of origin principle by adopting general and abstract measures would ultimately amount to subjecting ISSPs to different laws in different Member States and, consequently, reintroducing the legal obstacles to the freedom to provide services which the E-Commerce Directive seeks to eliminate (see para. 56 of the judgment).
Protecting the integrity of the European digital single market against the threat of fragmentation
With its judgment, the CJEU has taken a critically important step for the protection of the integrity of the European digital single market from the increasing trend of legal fragmentation in EU Member States. Such fragmentation would undo the constructive developments that have occurred over the last decades, culminating in the Digital Services Act (DSA).
Notable examples of this emerging threat have been (i) Hungarian legislative efforts to restrict the accessibility of LGBTQ+ content, (ii) the German Network Enforcement Act, (iii) the Statute on the Regulation of Media Intermediaries pursuant to § 96 of the German State Media Treaty, (iv) the Danish Act on Social Media Regulation, (v) the French Law aimed at combating hate content on the Internet (“Loi Avia”), (vi) the Irish Online Safety and Media Regulation Act and various other content regulations.
The direct effect of the country of origin principle
What makes this judgment of the CJEU particularly impactful is that the relevant provisions of the E-Commerce Directive have direct effect and, due to the principle of supremacy of EU law, automatically render any contravening national legislation inapplicable. This direct effect of the E-Commerce Directive’s country of origin principle was previously established by the CJEU (C‑390/18).
Thus, the CJEU’s conclusion that Member States of destination are not, as a matter of principle, authorized to adopt general and abstract measures (falling within the coordinated field) means that any such measures adopted nonetheless are automatically rendered inapplicable for ISSPs established in other Member States. This even applies to measures adopted before the E-Commerce Directive’s transposition deadline expired in 2002 (cf. C‑390/18).
The broad scope of the country of origin principle
The country of origin principle applies to all legal requirements under Member State law that ISSPs have to comply with in respect of (i) the taking up of the activity of an information society service or (ii) the pursuit of the activity of an information society service (Article 2(h) E-Commerce Directive).
This almost all-encompassing scope covers for example requirements concerning qualifications of the ISSP, authorizations to be obtained or notifications to be performed prior to providing the service, requirements concerning the behavior of the ISSP, the quality or content of the service, or the mandatory disclosure of user data.
The most significant exceptions are (i) taxation, data protection, cartel law, and gambling/betting (exempt from the E-Commerce Directive altogether under its Article 1(5); see recently C‑674/20); as well as (ii) copyright and neighboring rights, contractual obligations concerning consumer contacts, and the permissibility of unsolicited commercial communications (Annex of the E-Commerce Directive).
The advantages of being an ISSP established in the EU
The E-Commerce Directive and its country of origin principle only apply to ISSPs established in the EU. ISSPs are defined broadly as providers of any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. This covers not only online platforms, online search engines and other intermediaries as defined in the DSA but also content providers.
However, such providers only benefit from the country of origin principle if that country of origin is an EU Member State. ISSPs based outside of the EU will therefore have to reassess the advantages and disadvantages of creating a subsidiary in the EU and have that subsidiary act as the ISSP for EU-based users.
The end of the Austrian Communication Platforms Act
The Austrian Communication Platforms Act that gave rise to this CJEU judgment was therefore never applicable in the first place for ISSPs established in other Member States than Austria. The Austrian Administrative Supreme Court which had referred the case to the CJEU is therefore expected to hold that the Communication Platforms Act is not and never was applicable to ISSPs established in Ireland. Any contributions to the Austrian regulator’s budget that were paid by ISSPs in compliance with the Communication Platforms Act are then potentially subject to a mandatory refund under the EU principle of state liability.
Summary and outlook
For the first time, the CJEU has established that the country of origin principle under the E-Commerce Directive broadly bars Member States from regulating ISSPs established in other Member States. Due to the supremacy of EU law, the country of origin principle, as now interpreted by the highest European court, automatically renders contravening national legislation inapplicable.
While this judgment will hopefully curtail Member States’ appetite to regulate online service providers and thereby fragment the European digital single market, it may also prompt new litigation concerning the boundaries of the ever more important country of origin principle.
1Disclosure: Baker McKenzie acted for Google in this matter.