Austria gets new legislation for Internet filters and they are for consumer protection

cc0

Last week, epicenter.works submitted legal analysis on the draft legislation on Consumer Protection Cooperation. This bill introduces a wide range of powers for consumer protection organisations to block websites, seize domains and oblige hosters to delete information that it deems dangerous or illegal under consumer protection law. We see a number of problems with the the idea of internet filters, but the EU obliges Austria to implement these measures. We were vocal about this law (German blogpost) and tried to stop it in the European Parliament. The concrete draft legislation is already following some of our recommendations to limit the danger and potential for abuse, but it still contains some pitfalls. One positive side effect is that there will be a central registry of all blocked websites that at least creates some level of accountability and transparency.

What’s going on?

In December 2017, the EU passed a new regulation on consumer protection cooperation – the CPC-R – which entered into force on 17th January 2020. Accordingly, Austria is adapting its legislation on consumer protection in order to comply with this regulation and flesh out the national details. We were invited by the responsible Social Ministry to give our opinion very early in the process and also participated public consultation. Epicenter.works has identified several areas of concern in the legislative proposal.

What is Consumer Protection Cooperation?

The basic idea of CPC is that authorities should collaborate within a European network in order to ensure that consumer rights and interests are protected and enforced. In the digital era, this particularly applies to online shopping and other online offers. Online providers can very quickly and easily change their location, moving from one EU country to another, making it more difficult to trace them and to trace payments. 
The EU has therefore chosen to establish a network of authorities within which information can be shared. It has defined minimum competences that should be afforded to these authorities such that they can effectively carry out their work.

What does the new Regulation entail?

The CPC-R requires all member states to establish or designate at least one competent authority with the responsibility for ensuring that consumers’ economic rights are protected. These authorities are granted specific investigative and enforcement rights in order to fulfill their task. Of particular interest are the enforcement rights for blocking or taking down websites which infringe upon consumer rights, such as by not delivering products paid for or making false or misleading offers. The enforcement powers include also the deletion of infringing content from online platforms, the seizure of domains and obliging ISPs or domain registers to show warning messages. Article 10 of the Regulation stipulates that the implementation and exercise of these powers shall be proportionate and compliant with Union and national law, including the Charter of Fundamental Rights.

What is in the Austrian draft legislation?

Austria has designated the Telekom-Control-Kommission (TKK) as the competent authority for the execution of the internet related enforcement powers in the CPC-R. In the early process of this legislation we were arguing for the inclusion of the TKK as an entity that often deals with telecom issues and can act as a failsafe against a wide range of consumer protection organisations that might want to block access to websites where other means of solving the problem are more proportionate or effective. 

What’s the problem?

The biggest overall problem with the proposal is that the principle of proportionality, as provided for in Paragraph 5 of the legislation, is not sufficiently reflected in the proposal to comply with Article 10 of the Regulation. Although the title reads “Principle of Proportionality”, the text refers only to a criterion of necessity and not of proportionality for determining the legitimacy of any exercise of powers. This is inadmissible for two reasons.
Firstly, it represents not only a divergence from EU legislation but is in direct contradiction to the Regulation. Given the supremacy of EU legislation, this is unacceptable; a divergence would be permissible were the legislation to specify the Regulation, but certainly not when the legislation is omitting central elements of the Regulation.
Secondly, this means that on a practical level there will be no legal basis in national law for rejecting a disproportionate exercise of powers by the TKK. The TKK will only be required to demonstrate necessity of action and not proportionality, which might lead to an unacceptable use of these powers.

Aside from the issue of proportionality, several of the powers afforded to the TKK are questionable in and of themselves. Let’s look at them in more detail.

  • Deleting specific content is the most targeted and most effective approach for tackling illegal online content. This ensures that only the illegal content is taken down and does not affect legal content.
  • Blocking the relevant online offer through the host service provider is significantly more invasive and less targeted. Furthermore, the measure is easy to bypass for both the provider and the user. Certain forms of blocking lead to collateral damage in the areas of privacy and data protection and there is a high risk of blocking legal content.
  • The seizure of domain names under which illegal content or offers are available is a global measure and the targeting and invasiveness depends on the case. When the domain name belongs to the company responsible for the illegal offer or content, this measure can be targeted and justifiable in its invasiveness. However, if the domain has offers or information from multiple companies or individuals, or particularly if it is a sharing platform for goods and services, then the collateral damage will be enormous.
  • Warning signs on individual sub-pages are very rarely an appropriate measure. If the operator of the platform cooperates with the authorities, then there is no reason for not deleting the content. If the entire website belongs to the company concerned, then the host service provider can block access to the website. Blocking individual sub-pages of a website by the host service provider is very concerning from a data protection point of view, given the depth of invasion required into the data traffic of all internet users. Moreover, the measure is predicated on an unencrypted data connection, which is very rare nowadays due to the high risks for data security and integrity.

What should happen?

According to the Principle of Proportionality in the Regulation, the TKK should take a decision about which of the above measures is permissible. In doing so, they should conduct a full legal review, placing particular emphasis on the protection of freedom of expression and on data protection of users, as well as on the freedom of enterprise for uninvolved companies and online platforms.

In our opinion, such a review should lead to the following use of the measures.

  • The first measure should be the attempt to delete the relevant content, as this is the only means by which the problem can be sustainably solved. Deletion before blocking should be the rule. 
  • The deletion of domain names should only be undertaken for Austrian or European country-specific domains. Any other deletion of domain names cannot be considered proportional, as European consumer protection law does not have global authority. 
  • Blocking online content can only be considered when other measures have been tried numerously and have failed to resolve the issue. Any TKK blocking order must be time- and content-limited and must be regularly checked by the TKK.

These current draft legislation does not include these requirements and we hope that this problem can still be solved before the law is adopted. 

Silver lining: transparency about blocking 

Given that Austria doesn’t have the option of not adopting these new internet filters, our goal in this dossier was to limit the damage and create accountability. The fact that only the TKK can issue these dangerous enforcement measures is one step. The other thing we fought for was the creation of a transparency registry about every decision to block a website. This registry allows interested citizens (like us and you) to scrutinize the application of this powerful tool and to be watchful when authorities limit our freedom of speech. We would prefer a world without internet filters and we will continue to fight for it, on all levels. 
 

 

Da du hier bist

… haben wir eine Bitte an dich. Wenn Regierungen laufend neue Überwachungsmaßnahmen fordern, immer mehr Daten über uns sammeln, oder Konzerne auf unsere Kosten ihre Profite steigern, dann starten wir Kampagnen, schreiben Analysen oder fordern unsere Rechte vor Gerichten ein. Dafür brauchen wir deine Unterstützung. Hilf uns, eine starke Stimme für die Zivilgesellschaft zu sein!

Spenden