Member States can impose certain targeted obligations on online services, CJEU says
In WebGroup Czech Republic and NKL Associates and Coyote System, the Court of Justice clarified the reach of the country-of-origin principle under the E-Commerce Directive. The Grand Chamber confirmed that the Directive’s “coordinated field” is not limited to matters expressly harmonized by the Directive. It may also cover national criminal-law rules and measures pursuing public policy, public security, or public safety where they regulate the taking up or provision of an information society service.
The judgment concerns two French regimes. The first addresses access by minors to online pornographic content. The Court found that a general and abstract criminal prohibition cannot itself be applied to online service providers established in another Member State where it restricts cross-border services. However, France may adopt individualized measures requiring a specific provider to implement effective age verification where that provider has not taken appropriate protective measures under the Audiovisual Media Services Directive.
Such individual measures must satisfy Article 3(4) of the E-Commerce Directive. In particular, they must be necessary, proportionate, and directed at a given information society service that causes, or presents a serious and grave risk of causing, harm to a protected objective. The Member State must generally first request action by the provider’s Member State of establishment and notify both that State and the Commission. Those procedural requirements are essential; a non-notified restrictive measure cannot be enforced against individuals. The Court linked this analysis to the protection of human dignity and children’s best interests under Articles 1 and 24 of the Charter.
The second regime allowed French authorities to temporarily prohibit driving-assistance and navigation services from rebroadcasting user reports about specified roadside checks. The Court held that targeted prohibitions may be justified by public policy, security, or safety, provided the Article 3(4) conditions are met. Urgent measures remain possible under Article 3(5), subject to prompt notification and reasons for urgency.
Finally, the Court addressed intermediary liability. A provider does not benefit from the hosting regime in Article 14 where, through its algorithm, it determines in its own interest how, when, and in what priority user information is broadcast. Such control removes the service from the Article 14 hosting safe harbor, meaning that the prohibition on general monitoring under Article 15 does not apply. Even for a neutral host, a focused prohibition on rebroadcasting clearly defined roadside-check information does not amount to prohibited general monitoring.