The Country of Origin Principle: How Far Does Protection Extend for Online Service Providers?
Published on 28th Jun 2024
The CJEU reiterates its stance on the invalidity of additional requirements imposed on an online provider by a Member State where it is not established. Where does the limit lie?
The CJEU has once again ruled on e-commerce, addressing the prohibition against imposing additional obligations on online intermediation service providers established in another Member State. In these cases, the CJEU evaluates a series of obligations imposed by Italian national law to ensure the proper application of European Regulation 2019/1150, which -we recall- aims to establish fairness and transparency obligations for online intermediation service platforms.
Specifically, the Italian law required online intermediation service providers, including those established in other Member States, to register with the Italian regulator, provide the regulator with certain information about their structure and activities, and pay an administrative fee to cover the costs of registration and the regulator's supervisory activities.
Why does the CJEU in this case conclude that additional obligations cannot be imposed on online intermediation service providers established in other Member States?
The CJEU acknowledges the application of the country-of-origin principle established in Directive 2000/31 on e-commerce. Under this principle, although Member States can take measures to ensure that European regulations are effective within their territory, the measures adopted cannot impose any additional barriers on information society service providers.
One of the main reasons why the Directive 2000/31/EC adopted this principle was the need to promote the growth of ecommerce in the context of the single market (information society services) within the Union, given that they were in their early stages. Thus, other host Member States must allow providers established in other Member States to offer services in their territories without imposing additional measures, based on the presumption that the home Member State adequately protects the principles listed in Article 3 of the Directive (i.e., public policy, public health and safety, and consumer and investor protection). This principle is reinforced by the approval and entry into force of the Digital Services Act (DSA) for operators qualifying as online intermediation service providers.
Under what conditions can additional obligations be imposed on providers established in other Member States?
Generally, we can distinguish three scenarios in which providers established in other Member States might be subject to additional obligations beyond those imposed by their home Member State.
Specific measures against a particular provider under Directive 2000/31
Directive 2000/31 includes an exceptional mechanism allowing a host Member State to impose additional requirements on a provider. To activate this mechanism, several conditions must be met simultaneously:
- The additional requirements must be necessary to protect public order, public health/safety, and/or consumers/investors.
- The authorities of the host Member State must notify the measures they intend to adopt to the European Commission and the home Member State.
- The home Member State, once notified, must not have taken sufficient measures to address the potential violation of principles.
- The additional requirements must be adopted against a specific provider.
It is crucial to note that this mechanism is not only exceptional—i.e., host States can only apply it when all other measures have been exhausted—but the additional requirements imposed by the host State must also be proportional. Host States can only adopt measures strictly necessary to address the situation of rights protection. Thus, it is not enough for the measures to be effective in ceasing the situation of non-protection, but they must also be the least intrusive possible for the provider's online activity.
As an example, if restricting access to certain specific content infringing the applicable regulations is sufficient to ceasing the infringing activity, it would be disproportionate for a host State to completely suspend the provision of services in its territory.
Obligations Related to Special Regimes of Online Providers
Where online providers operate in areas such as audiovisual, telecommunications, transport, or accommodation, among others, the general provisions of Directive 2000/31 and the DSA would yield to the provisions of the respective special regulation. However, it is important to note that these special regulations often include provisions incorporating the country-of-origin principle, so, for example, a video-sharing service provider would be subject to audiovisual regulation in the home State. If the authorities of the host State intended to adopt additional measures, they would have to resort to the exceptional mechanism of Directive 2000/31 explained above.
Regarding online service providers related to transport and accommodation, it will be essential to determine whether they act as intermediaries or as providers of these services. In this regard, the CJEU has already consolidated its criteria, establishing that an intermediary is one who merely intends to connect its users without being part of the creation and offering of the underlying service. This reasoning led the CJEU to rule that Airbnb is an intermediary service provider since its core service offering is connecting hosts and guests, not providing a guest accommodation service. This reasoning has led the CJEU to deny the status of intermediary to providers who, in addition to connecting users, also participate in market creation by, for example, setting prices or other basic conditions for service provision.
Obligations Applicable to Services Offered Through Intermediary Services
Notwithstanding the above, it is important to remember that services offered through online intermediary service providers will be fully subject, mainly but not exclusively, to other regulations concerning data protection, consumer protection, intellectual property, labour regime, or cybersecurity. This can have a direct impact on online providers not only concerning their activities (e.g., accommodation intermediary platforms must examine their role regarding personal data processing, such as those covered under Royal Decree 933/2021, known as the Guest Decree) but also concerning the activities carried out by their users (e.g., detecting infringing content to remove such content, under Book Four of Royal Legislative Decree 24/2021, which implements Directive 2019/790 on online copyright).
The removal of intellectual property-protected content could be particularly relevant in the field of online AI systems (e.g., large language models embedded in web applications), where intermediary providers could receive claims for both the training of the model with protected content carried out by the system provider and the content that users may "provide" to the model.
Osborne Clarke Comment
The country-of-origin principle in the laws regarding information society services has remained unchanged since its introduction and is acknowledged by the courts unless the restrictions imposed by the host State authorities meet the conditions outlined above. Consequently, providers established in another Member State should be able to offer their services across the Union without additional barriers, provided they comply with the regulations of their home State.