Hosting service providers are required to comply mainly with the following obligations.
Designation of a legal representative within the European Union
Where its main establishment is not located within the EU, the provider is required to appoint a legal representative for the purpose of the receipt of, compliance with and the enforcement of removal orders and decisions issued by the competent authorities. This representative is required to have the necessary powers and resources and to cooperate with the competent authorities. It may be held liable for infringements of the TCO Regulation (not to mention the provider’s liability). He must reside or be established in one of the Member States where the provider offers its services.
The hosting service provider is required to
- notify the appointment of its representative to the competent authority (for sanctions) of the Member State in which its legal representative resides or is established (in Belgium: the BIPT);
- make the information about the legal representative publicly available.
This form aims at enabling the providers concerned to make this designation. Once completed, it shall be sent to the BIPT via tco@bipt.be.
Compliance with orders to remove content or to disable access thereto
Throughout the European Union, competent authorities have the power to issue to a hosting service provider offering its services to users in an EU country (regardless of where the provider or its representative is established) an order to remove terrorist content or to disable access thereto in all Member States. The provider must execute the issued order as soon as possible and in any event within one hour of receipt of the order. It must inform the authority that issued the order about the removal of content or the disabling of access that it has carried out.
Unless the authority that issued the order decides otherwise, the hosting service provider must also inform the content provider (the user who provided the information) of the removal of content or disabling of access that it has carried out. In addition, upon request of the content provider, it will have to
- either inform it of the reasons for the removal or disabling and its rights to challenge the removal order,
- or provide it with a copy of the removal order.
TCOR also requires the hosting service provider to retain terrorist content (and related data) which has been removed or access to which has been disabled. It must also provide appropriate technical and organisational safeguards for such preservation (e.g. high level of security of the personal data concerned).
Finally, each hosting service provider must designate a contact point for the receipt and processing of orders. It ensures that information about the contact point is made publicly available.
Referrals to law enforcement authorities
Where hosting service providers become aware of terrorist content involving an imminent threat to life, they inform promptly authorities competent for the investigation and prosecution of criminal offences in the Member States concerned. Where it is not possible to identify the Member States concerned, service providers inform the contact point of the ordering authority of the Member State of their main establishment (or that of their legal representative) and forward the information concerning such terrorist content to Europol.
Transparency obligations
The hosting service provider is required to set out clearly in their terms and conditions its policy for addressing the dissemination of terrorist content.
When the provider has taken action to address the dissemination of terrorist content or has been required to take action, it must make publicly available an annual transparency report including information such as
- the measures taken to identify and remove terrorist content or disable access thereto, to address the reappearance online of material which has previously been removed or disabled, in particular where automated tools have been used,
- the number of items of terrorist content removed or to which access has been disabled following removal orders,
- the number of non-compliance to orders on grounds of force majeure, de facto impossibility or manifest errors,
- the number and the outcome of administrative or judicial review proceedings brought by the hosting service provider and the number of cases in which the provider was required to reinstate content or access thereto as a result of such proceedings.