The European Data Protection Supervisor (EDPS) Peter Hustinx said that hosting service providers may be forced to process sensitive personal data when dealing with 'notice and action' requests.
The EDPS made the comments in a response (3-page / 32KB PDF) to a European Commission consultation on reforming rules that govern the removal of illegal material posted on the internet.
In its consultation the Commission had listed intellectual property rights infringements; consumer protection law breaches; hate incitement; child abuse content; terrorism related content; defamatory material, and privacy-invading material among the examples of what could constitute 'illegal content'.
However, the EDPS said that hosts may not be best placed to deal with some requests to remove or disable that material contained on their platform.
"The EDPS is of the view that there is a need for a more pan-European harmonised definition of the notion of 'illegal content' for which the notice-and-action procedures would be applicable," the watchdog said. "The EDPS underlines that notice-and-action procedures may imply the processing of personal sensitive data (such as data relating to offences), which requires additional safeguards in terms of data protection."
"Not all categories listed in [the Commission's consultation] carry out the same weight and would best benefit from a notice-and-action procedure being addressed to a hosting service provider. For instance, privacy infringements could be best reported to data protection authorities (similarly infringements of consumer protection rules could best be reported to competent authorities and/or national associations representing consumers' interests). Several types of infringements would require the involvement of law enforcement, e.g. child abuse content and terrorism related content," Hustinx added.
"Furthermore, it should be defined more clearly what type of action is required from hosting service providers in those cases (for instance, define the conditions and modalities of forwarding these requests to the competent authority/body)," he said.
Host service providers should be required to comply with "separate and distinct" steps to either remove or disable illegal content depending on what the material relates to, the EDPS said.
Under EU law a 'host' of content has less responsibility for that content under EU law than a publisher. Under the EU's E-Commerce Directive 'hosts' are defined as platforms that store information in order to provide "information society services" to recipients.
Under the E-Commerce Directive online hosts of content are generally not liable for illegal content communicated by others, but are required to act to remove the material when notified of its existence.
The Directive protects service providers from liability for material that they neither create nor monitor but simply store or pass on to users of their service. The Directive says that service providers are generally not responsible for the activity of customers and that member states must not put service providers under any obligation to police illegal activity on its service.
Service providers are not liable for infringement via their services if they do not have "actual knowledge" or an awareness of the illegal activity or having obtained such knowledge "acts expeditiously to remove or to disable access to the information". The Directive is implemented in the UK by the E-Commerce Regulations.
However, the EDPS said that even if content hosts can escape liability for illegal activity by others under the E-Commerce Directive, those service providers would still be held responsible for any breach of data protection law that was incurred on their platform.
"The EDPS would like to emphasise that the definition of the activities that should be considered as 'hosting' for purpose of applying the e-commerce liability exemption regime should not affect the liability incurred by any of the service providers listed [in the Commission's consultation questionnaire] under data protection law," he said.
Hustinx said that social networks and search engines can be considered to be 'data controllers' that are responsible for personal data contained on their services.
The watchdog also said that notice and takedown forms should "contain only the minimum personal information required for purpose of such notification". Those that issue "unjustified or abusive notices should be subject to rules and possible sanctions," he added.
Any requirement for hosts to pro-actively "prevent illegal content" should not place responsibility on those service providers to generally monitor information that is transmitted or stored on their service to identify illegal activity, the EDPS said. Such a general monitoring obligation runs contrary to the E-Commerce Directive, whilst the European Court of Justice has also ruled in two cases against initiatives requiring internet service providers and social networks to monitor for infringement of intellectual property rights, the watchdog said.