Last year, the European Commission proposed the Regulation on preventing the dissemination of terrorist content online, to remove and proactively monitor terrorist content.
The problem came with its generic, unfocused and potentially inefficient scope—especially by including cloud infrastructure services.
Our association represents the companies that provide basic infrastructure, the building blocks for cloud IT that are used by businesses and governments to manage data and build their own systems and services.
We do not have access or control over content. We are processors, nor controllers. We cannot, in technical terms, remove a specific piece of content. By including cloud infrastructure services in the Regulation’s scope, the EU has been targeting the wrong players.
CISPE’s position is clear and simple: we are asking MEPs to introduce a properly robust definition of cloud infrastructure services in Article 2 to be able to carve out such services.
Cloud infrastructure services provide customers with access to physical or virtual computer servers to store and process their data as an alternative to using onsite equipment.
We believe it’s crucial to have a clear exclusion of cloud infrastructure in Article 2 and not only in a non-binding Recital.
It’s also vital that any wording to exclude cloud infrastructure services is accurate. Even if Internet infrastructure services such as registries (e.g. web domains like .com) or payment services are not included in scope, it does not capture the breadth of cloud infrastructure services. Internet infrastructure represents only two percent of what cloud infrastructure is.
"By including cloud infrastructure services in the Regulation’s scope, the EU has been targeting the wrong players"
A robust definition and exclusion would provide much-needed clarity across Member States and also avoid loopholes and different interpretations. We’ve also highlighted negative impacts if these changes are not made, including concerns around data privacy and eroding fundamental rights.
The devil is in the detail but time is running out. Key clarifications and improvements are still required to make the Regulation as clear and unambiguous as it needs to be.
The Internal Market and Consumer Protection committee (IMCO) has already adopted compromise language whereby “providers of services at other layers of the Internet infrastructure than the application layer and cloud IT infrastructure service providers shall not be considered as hosting service providers”.
The Culture and Education committee (CULT) have also carved out cloud infrastructure services in Recital 10, including a definition.
The Civil Liberties, Justice and Home Affairs committee (LIBE) is currently working on its compromise amendments. Two weeks ago, we organised a special briefing for MEPs at the European Parliament hosted by LIBE Rapporteur Daniel Dalton MEP.
"The devil is in the detail but time is running out. Key clarifications and improvements are still required to make the Regulation as clear and unambiguous as it needs to be"
It was very encouraging to hear him state, “There is an issue with cloud infrastructure being included. There is a difference between consumer cloud services and those cloud infrastructure providers just providing the back-office for hosting. We in LIBE have tried to make the distinction, and I hope that this distinction will be carried through.”
We’re now urging legislators to take these all-important final steps to embed the necessary exclusions in a legally binding Article, adopting the good amendments already tabled by IMCO, LIBE and CULT.
And when the three EU institutions start the so-called “trilogue” meetings, they need to ensure the definition and exclusion remain and are not ‘lost’ in negotiations.
The indications are that Parliament, Commission and Council may be on the same page but, as the final countdown continues, we are not there yet.
The detail matters. As LIBE Rapporteur Daniel Dalton has made clear, all three institutions have said they don't want cloud infrastructure service providers to be included.
They have all recognised the problem. Now they just need to get the definition right to ensure they don't just “think” that cloud infrastructure services have been excluded.