02 November 2022

Between preservation and clarification

The evolution of the DSA’s liability rules in light of the CJEU’s case law

The Digital Services Act (DSA) contains remarkable new rules on matters like content moderation, risk assessment and enforcement. Whilst such rules may be the most eye-catching in current discourse, it should not be forgotten that rules on liability remain a key feature of the DSA’s approach to platform regulation.

Recital 16 explains that the DSA seeks to preserve the intermediary liability framework of the e-Commerce Directive (ECD), but also to clarify certain elements, having regard to the case law of the Court of Justice of the EU (CJEU). This essay examines the balance that the EU legislator sought to strike between these two considerations, i.e. preservation and clarification. It does so focusing specifically on the effect given to the CJEU’s case law regarding the ECD’s intermediary liability framework.

When assessing the rules in question, it is evident that the DSA’s emphasis has been on preservation. However, as this essay will show, that does not mean that nothing at all has changed. In fact, a closer look reveals that in some respects a notable evolution has taken place. That holds true, in particular, in relation to the rules relating to the contested issues of how active a service provider can be without disqualifying a priori for the liability exemptions and of ‘Good Samaritan protection’.

Continuity, confirmations and innovations

Articles 4, 5 and 6 of the DSA contain almost literal copies of the conditional liability exemptions found in Articles 12, 13 and 14 ECD for ‘mere conduit’, ‘caching’ and ‘hosting’ services respectively (jointly called ‘intermediary services’ in the DSA). This copy/paste approach is the clearest example of the EU legislator seeking to ensure continuity when it comes to liability rules.

In addition, the DSA contains various provisions that are mainly confirmations of what was already known. Take for instance Recital 17 DSA, which states that the DSA’s rules do not offer a positive basis for liability. Thus, where the conditions of the liability exemptions have not been met, the intermediary service provider concerned is not necessarily liable. Rather, whether such liability exists is to be assessed separately under the applicable rules of EU or national law. This already followed from the CJEU’s 2010 ruling in Google France (see para. 107).

Recital 17 also clarifies that the DSA’s liability exemptions relate to any type of liability and to any type of illegal content. In other words, they apply in principle regardless of the nature (civil, criminal or administrative; direct or indirect), origin (EU or Member State) and specific field (defamation, intellectual property, hate speech, etc.) of the ‘underlying’ law that makes the content in question illegal and subject to liability. Whilst only implicit in the CJEU’s case law available to date, this has never been fundamentally contested (see F. Wilman, The Responsibility of Online Intermediaries for Illegal User Content in the EU and the US, 2020, pp. 20-21; with further references).

Clarifications like the above ones are hardly spectacular. Yet they are still helpful. Including them increases legal certainty and facilitates the practical application of the DSA. They also help ensure continuity in the transition from the ECD to the DSA.

At the other end of the spectrum, the DSA contains some liability-related provisions that are largely new. One could think, in particular, of the special rule of Article 6(3) DSA regarding the liability under consumer protection law of particular type of hosting service providers; namely, online platforms that allow consumers to conclude distance contracts with traders (simply put: B2C online marketplaces). Admittedly, this rule takes account of prior CJEU case law, in particular Wathelet. However, that case did not deal with the ECD’s liability exemptions. Thus, whilst Article 6(3) constitutes a notable innovation, it cannot be said to result from earlier case law. Rather, the provision should be seen as an expression of the EU legislator’s intention to better protect consumers (see Recital 24 and Art. 1(1) DSA).

Service providers’ active role

Neutrality as the core criterion

The first of the rules on which this essay concentrates relates to the scope of the intermediary liability regime. The central issue here is how active a service provider may be in providing its service for that service to still qualify as an intermediary service falling within the scope of that regime. The issue arises especially in relation to the liability exemption for hosting services, contained currently in Article 14 ECD and in the near future in Article 6 DSA.

The CJEU has expressed itself quite extensively on the matter, most notably in Google France (para. 112-114), L’Oréal v. eBay (para. 112-113) and YouTube (para. 105-106; note that this latter judgment dates from after the adoption of the DSA proposal). In this case law, the CJEU formulated the core criterion: to qualify, service providers should take a neutral position in relation to their users’ content. That means that they should not play an active role of such a kind as to give them knowledge of or control over that content. This case law has now been codified in Recital 18 DSA.

The CJEU’s case law is contested, however. It is based on the application of Recital 42 of the ECD regarding the activity in question being “of a mere technical, automatic and passive nature” to hosting services. This is a reading that many consider mistaken (e.g., Peguera, p. 682). Others argue that the business models of many hosting service providers mean that they are not neutral (e.g., Savin, p. 2). That being so, it is unsurprising that not everybody is thrilled with this decision to codify it (see e.g., Buiten, p. 371). Before concluding that this decision was mistaken, it is however worth noting the following three points.

Subtle changes

First, there are a few subtle changes. Most notably, whilst the DSA repeats many of the ECD’s recitals relating to the liability rules, it does not repeat Recital 42 ECD. Specifically, Recital 18 DSA mentions mere technical and automatic processing when giving effect to the core criterion of neutrality, but it does not refer to the controversial requirement of passivity. In other words, the DSA follows the CJEU’s ruling in L’Oreal v. eBay, which does not refer to Recital 42 ECD and passivity either, rather than Google France (and YouTube), which do.

In addition, Recital 19 DSA emphasises the different nature of mere conduit, caching and hosting activities. In doing so, it follows McFadden (para. 61-63). This indicates that the same criterion may be used for all three types of services, but that it should be applied taking account of the differences between them. Furthermore, Recital 21 DSA about the service provider being “in no way involved” with the user’s content remains applicable, like under Recital 43 ECD, only in relation to mere conduit and caching. That suggests that a provider of hosting services can be involved, to some extent, with that information, without necessarily disqualifying itself from the liability exemption.

All this confirms what could already be deduced from the CJEU’s core criterion itself: intermediary service providers – and especially hosting service providers – can play an active role to some extent, provided the role is not such as to give them knowledge of or control over the content that they transmit or store for their users. Thus, passivity is not required and it is inaccurate to cast the discussion about the scope of Article 6 DSA in terms of ‘active or passive’.


Second, it is reasonable to assume that retaining the CJEU’s core criterion also means retaining the elements of its case law that few found problematic. That is, the statements dealing with the actual application of the criterion. Think in particular of the clarifications provided in L’Oréal v. eBay (para. 115-116) that storing offers for sale, setting the terms of service, being remunerated for the service and providing general information to users do not make a hosting service provider (in the case at hand, an online marketplace) ‘too active’.  The ruling also clarifies that this would be different, however, where a provider optimises the presentation of the offers for sale or promotes those offers.

In this regard, it is worth bearing in mind that introducing an entirely new criterion – apart from the question what that criterion should be – might well have led to renewed uncertainty about the application of existent case law. Neutrality may have its shortcomings, such as that it offers little inherent clarity. Yet it does not seem fundamentally unsuited for distinguishing intermediary service providers, which are subject to the DSA’s special rules on liability, from content providers, which are subject to the ‘ordinary’ rules of liability for the content that they provide.

Different context and purpose

Third, the concept of ‘intermediary service provider’ may well change by virtue of its transposition from the ECD to the DSA. Under the ECD, being qualified as such only offers advantages for service providers; especially the availability, in principle, of the liability exemption.

Under the DSA that is different. Said advantages remain, but qualifying as an intermediary service provider also means being subject to a range of due diligence obligations, which are set out in other parts of the DSA (namely, its Chapter III). It is hard to imagine that a service provider could escape the application of those obligations simply by making itself ‘too active’.

This difference may not only affect how keen service providers are on qualifying as an intermediary service provider, it could also alter the interpretation of the concept itself. For it is settled case law that terms of EU law are to be interpreted in the light of not only their wording, but also their context and the objectives pursued. As the latter have changed – see, for instance, the DSA’s aim of protecting fundamental rights, including consumer protection (Article 1(1) DSA)) – this may well affect the CJEU’s interpretation of the concept in future cases brought under the DSA, despite the concept having been worded and explained similarly as under the ECD.

‘Good Samaritan’ protection

What’s not new…

The second rule to be considered here is the ‘Good Samaritan’ clause, laid down in Article 7 DSA. It holds, in short, that intermediary service providers are not to be deemed ineligible for the liability exemptions of Articles 4, 5 and 6 DSA solely because they either take voluntary own-initiative measures to tackle illegal content, or take measures to comply with EU or national law.

This rule is related to the previous topic: intermediary service providers may be hesitant to take such voluntary measures out of fear of being seen as too actively involved with their users’ content, which, in turn, could mean that they are excluded from the scope of the DSA’s liability exemptions. Article 7 aims to clarify that such fear is unfounded, provided however the intermediary service provider concerned acts in good faith and diligently. As explained in Recital 26 DSA, in this manner the clause seeks to remove a disincentive for the taking of such voluntary measures.

As regards the taking of such voluntary measures, Article 7 corresponds to what the CJEU stated in YouTube (para. 109). In that judgment, The CJEU held that the fact that a service provider voluntarily implements technological measures aimed at detecting certain illegal (in the case at hand, copyright-infringing) content among the content uploaded by its users does not mean that it plays an active role giving it knowledge of and control over the content within the meaning of the abovementioned case law. The European Commission had earlier already made similar statements in non-binding documents, such as its 2018 Recommendation on illegal content online (Recital 26).

As regards the taking of measures to comply with the law, this seems like little more than stating the obvious. That said, some might still find it helpful to be reassured in this manner that compliance with, for instance, the DSA’s due diligence obligations does not lead to the service provider in question becoming ‘too active’. That conclusion would also seem to follow, by the way, from the statement in its Recital 41 that the DSA’s due diligence obligations are independent from the question of liability.

… and what is

However, some elements of Article 7 DSA are new; most notably, the conditions of good faith and diligence. There are good reasons for including these conditions. In particular, voluntary measures taken by intermediary service providers are not socially beneficial per se. Even when sincerely meant to tackle illegal content, they can cause considerable damage if not enacted diligently. For instance, the large-scale removal of content that is wrongly considered illegal comes to mind.

The conditions of good faith and diligence are clearly open norms. That may be hard to avoid, considering the many different situations in which Article 7 could apply. Nonetheless, the resulting flexibility comes at the expense of clarity. It will be principally up to the CJEU to determine, in time, what these conditions entail exactly.

Although therefore not entirely clear, it would be unfair to say that Article 7 simply swaps the uncertainty as to whether such voluntary measures can be taken for uncertainty as to how those measures are to be taken. That is so especially in view of clarifications provided in Recital 26 DSA, for instance as regards service providers taking reasonable measures to ensure that any automated tools used are as reliable as possible. In essence, it seems that respecting the diligence requirements found elsewhere in the DSA, combined with a dose of common sense and reasonableness, should normally go a long way in ensuring that the conditions are met. That holds true all the more so given that setting the bar too high would imply the risk that Article 7 will fail to achieve the abovementioned objective.

Other criticisms

Other criticisms of Article 7 (see e.g. Kuczerawy, 2021) seem less well founded. For instance, there is no reason to consider that the actual success of the voluntary measures taken in tackling illegal content is relevant in this context. That is to say, good faith and diligence quite clearly do not imply a requirement that the measures must have been fully successful. When it comes to tackling illegal content, 100% effectiveness is neither realistic nor necessarily required (cf. UPC Telekabel Wien, para. 58-63).

Furthermore, it is true that Article 7 does not address the possibility that an intermediary service provider may obtain actual knowledge or awareness of illegal content, within the meaning of Article 6 DSA, as a consequence of the voluntary measures that it enacts. But that is for good reason and is unlikely to act as a serious disincentive. For where that occurs, the intermediary service provider has an obvious course of action to avoid losing the benefit of the liability exemption. Namely, expeditiously removing the illegal content in question. In this regard, it should be recalled that a hosting service provider only risks losing said benefit if a specific item of illegal content, of which it obtains knowledge but which it may have failed to remove expeditiously, is clearly illegal, in the sense that the illegality can be established without a detailed legal examination (cf. YouTube, para. 111-116; these parts of the judgment relate to notices, but the same is likely to hold true in relation to own-initiative investigations; see also Article 14(3) DSA).


The DSA retains the key features of the ECD’s intermediary liability regime, but it also contains several clarifications. The latter range from uncontroversial statements to largely new rules, with an interesting group of provisions – notably those on the service providers’ active role and ‘Good Samaritan’ actions – somewhere in between. The clarifications tend to build on existing CJEU case law and will, no doubt, over time generate new case law, fleshing out what they entail precisely. That being so, whilst the DSA’s rules on matters like due diligence, risk assessments and enforcement may be most eye-catching, it would be a mistake to ignore the subtle yet noteworthy evolution that the DSA brings about for liability-related matters.

This essay has been written in a personal capacity and none of the statements made therein can be attributed to the author’s employer.

SUGGESTED CITATION  Wilman, Folkert: Between preservation and clarification: The evolution of the DSA’s liability rules in light of the CJEU’s case law , VerfBlog, 2022/11/02, https://verfassungsblog.de/dsa-preservation-clarification/, DOI: 10.17176/20221102-215655-0.

Leave A Comment


1. We welcome your comments but you do so as our guest. Please note that we will exercise our property rights to make sure that Verfassungsblog remains a safe and attractive place for everyone. Your comment will not appear immediately but will be moderated by us. Just as with posts, we make a choice. That means not all submitted comments will be published.

2. We expect comments to be matter-of-fact, on-topic and free of sarcasm, innuendo and ad personam arguments.

3. Racist, sexist and otherwise discriminatory comments will not be published.

4. Comments under pseudonym are allowed but a valid email address is obligatory. The use of more than one pseudonym is not allowed.

Explore posts related to this:
CJEU, DSA, Digital Services Act, Intermediary Liability, case law

Other posts about this region: