Greek Law 5067/2023: Regulation of Hosting Service Providers for Preventing the Dissemination of Terrorist Content on the Internet

On 7 June 2022, the EU adopted Regulation (EU) 2021/784 of the European Parliament and Council, addressing the dissemination of terrorist content online. This Regulation imposes significant obligations on hosting service providers related to duties of care and control of Internet content stored on their ICT systems that may be classified as terrorist.

Greek Law 5067/2023 (Official Gazette 189/A/20-11-2023), supplements the provisions of the Regulation. This includes defining competent national supervisory authorities, establishing a register of hosting service providers, ensuring transparency obligations for involved parties, safeguarding legal protection rights for providers and users, and outlining administrative sanctions for violations.

The Law requires that hosting service providers register with the corresponding register of the Hellenic Telecommunications and Post Commission ("HTPC") and subjects them to its supervision.

1. Subject Matter

These legislative acts complement the legal framework for the regulation of hosting service providers, which also includes the provisions of articles 1-8 of the Law 5069/2023 for the conditions of building and construction and permitted land uses for data centers, of Law 4967/2022 on the supply of digital services, and articles 1-10 of Presidential Presidential Decree (P.D). 131/2003 on electronic commerce.

In addition, it includes the provisions of articles 3-3c of Law 2251/1994 on distance consumer contracts and articles 4-10 and 11-18 of the Regulation (EU) 2022/2065 ("Digital Government Act") on the liability and general obligations of intermediary service providers. Furthermore, it includes articles 66E and 66F of Law 2121/1993 on the use of works of other subject - matters of protection by online content-sharing service providers.

Terrorist content refers to material that encourages, instigates, or promotes the commission or participation in any of the offenses outlined in Directive (EU) 2017/541 on combating terrorism (see Article 2 § 7 of the Regulation).

2. Definitions & Scope

A provider of hosting services is defined as a provider of any information society service, typically provided for a fee through electronic remote means. This service involves storing information provided by a content provider at their request (Article 2 § 1 of the Regulation). Such providers include web hosting service providers, cloud computing service providers, social media platforms, file-sharing service providers for video, images, text and audio, as well as general file-sharing service providers.

Nevertheless, interpersonal communication service providers, as defined in article 2 point 5 of the Directive (EU) 2018/1972 (European Electronic Communications Code), such as email or private messaging services (paragraph 14 of the Regulation), do not fall within the scope of the Regulation.

A content provider is also defined as the user who has provided information, which is stored or has been stored and disseminated to the public from a hosting service provider (Article 2 § 2 of the Regulation).

The provisions of Law 5067/2023 apply to hosting service providers offering services in Greece, regardless of the location of their main establishment, as long as they share information with the public (stated in Article 2 § 2 of the Regulation).

Thus, the Law applies to providers based outside the EU, if they allow individuals or businesses in Greece to use their services and have a substantial connection with the country. This connection can be established through activities specifically aimed at Greek consumers, such as using the Greek language or currency, or simply offering the option to order goods or services from Greece (as mentioned in paragraph 16 of the Regulations).

3. Compliance with Removal Orders

Hosting service providers are obliged to remove or disable access to terrorist content within one hour of receiving an official removal order from a public prosecutor and inform the prosecutor accordingly (Article 4 of the Regulation and article 5 of Law).

4. Provision of Appropriate Contractual Terms

In addition, hosting service providers are required to include appropriate contractual terms in their service agreements to counter the misuse of their services for propagating terrorist content to the public (Article 5 of the Regulation).

5. Obligation to Take Specific Measures of Protection

Hosting service providers are obligated to implement special measures to protect their services from disseminating terrorist content publicly, (article 5 of the Regulation). These measures include:

• Implementing appropriate technical and organizational measures or capabilities, including adequate staffing and technological tools, to promptly detect and eliminate or disable access to terrorist content.
• Establishing easily accessible and user-friendly reporting mechanisms to allow users to flag the service provider when they suspect the hosting of terrorist content.
• Introducing additional mechanisms to enhance awareness of terrorist content on the platform, such as implementing moderation mechanisms for user-generated content.
• Employing any other measures deemed appropriate by the hosting service provider to effectively address the availability of terrorist content on their services.

When special measures involve the use of technical means, hosting service providers must provide effective safeguards, including human supervision and verification, to ensure accuracy and prevent the removal of non-terrorist content.

If a competent authority determines that a hosting service provider has been exposed to terrorist content, the provider must submit a report, within three months, outlining the specific special measures taken or intended to be taken. The competent authority has the authority to request additional or more suitable measures, if it deems the existing measures insufficient.

Hosting service providers retain terrorist content that has been removed or to which access has been disabled as a result of a removal order or special measures and any associated user data that has been removed for a period of six (6) months after removal or deactivation.

6. Obligations of Transparency

Hosting service providers must clearly define their terms, conditions and policies for addressing the spread of terrorist content. This should include an easy-to-understand explanation of the operation of special measures and, where applicable, the use of automated tools (Article 7 of the Regulation).

Hosting service providers that have taken action to address the dissemination of terrorist content or have been required to take action under this regulation must publish a transparency report on these actions and the total number of complaints for the relevant year. This report must be made publicly available before the 1st of March of the following year (Article 7 of the Regulation). Transparency reports are required to be published prominently on the hosting service providers' websites and submitted to the Ministry of Justice (Article 19 of the Law).

When the hosting service provider removes terrorist content or disables access to it, it makes the information about this removal or disabling, available to the content provider. At the request of the content provider, the hosting service provider either informs the content provider of the reasons for removal or deactivation and its rights to challenge the removal order, or provides the content provider with a copy of the removal order (Article 11 of the Regulation).

7. Resolution of Complaints

Every hosting service provider is required to institute a responsive and accessible mechanism for resolving complaints from content providers regarding removed content or disabled access. (Article 10 of the Regulation)

Each hosting service provider promptly assesses all complaints, ensuring swift restoration of content or access if the removal or disabling was found to be unjustified. The complainant is informed of the complaint's outcome within two weeks of its submission. If the complaint is rejected, the hosting service provider communicates the reasons for its decision, (Article 10 of the Regulation).

8. Appointment of Legal Representative

A hospitality service provider without its primary establishment in the Union is obligated to appoint a natural or legal person as its legal representative in the Union, specifically in the member state where services are rendered (Article 17 § 1 of the Regulation).

The legal representative assumes responsibility for receiving, complying with, and executing removal orders and decisions issued by competent authorities. In case of any violation of the provisions outlined in the Regulation and/or Law 5067/2023, the legal representative is held accountable (Article 17 § 2-3 of the Regulation).

The provider of hospitality services announces its legal representative to the competent authority of the member state in which its legal representative resides or is established, while making the relevant information on appointment publicly accessible to any third party (Article 17 § 3 of the Regulation).

9. Registration in the Hosting Service Providers of Hellenic Telecommunications and Post Commission (HTPC)

HTPC creates and puts into operation a Register of hosting service providers in electronic form. The registry includes hosting service providers who have their main establishment in Greece or whose legal representative resides or is established in Greece (article 9 of the Law).

HTPC also keeps a record of removal orders and other information and data per hosting service provider. The Register and the file maintain a full and online connection and access, exclusively for the purpose of viewing, accessible to competent prosecution official Article 10 of the Law)

10. Supervisions & Penalties

The National Telecommunications and Posts Commission ("HTPC") is tasked with overseeing the compliance of hosting service providers with the Regulation and Law (Article 5 of the Law).

In case of non-compliance and, following a prior hearing with the hosting service provider or its legal representative, the HTPC has the power to issue a specifically reasoned decision, imposing one of the following penalties for each violation:

• Recommendation to adhere to specific obligations within a defined timeframe set out by HTPC.
• Administrative fines, reaching up to four percent (4%) of the hosting service provider's total worldwide turnover, imposed for any violation of Article 14, referencing the previous financial year from its conclusion (outlined in Article 15 of the Law).

In addition, the Law enacts the following criminal acts, punished with a prison sentence of up to three (3) years and a fine of one hundred and eighty (180) up to three hundred and sixty (360) daily units:

• Violation of the obligation removing or disabling access to terrorist content on all member states no later than within one (1) hour of receipt of the removal order, provided for in paragraph 3 of article 3 of Regulation (EU) 2021/784, with the subject to paragraphs 7 and 8 of article 3 of Regulation (EU) 2021/784.
• The violation of the obligation to immediately inform about terrorist content that it entails imminent threat to life according to par. 5 of article 14 of the Regulation (EU) 2021/784.

The amount of each daily unit cannot be lower than two hundred (200) euros nor higher than one thousand (1,000) euros (article 12 of the Law).

In addition to the physical perpetrator, to the hosting service providers that are legal entities, they are considered as perpetrators or participants of the above crimes, if by any act or omission they contributed to their execution, the persons which are entrusted with the administration or management or representation (article 13 of Law).

11. Means of Judicial Remedy

A hosting service provider that has received a removal order, as well as the provider of the content for which the removal order has been issued, has the right to appeal against the removal order before the council of appeals of Athens. This appeal must be filed within an exclusive period of ten (10) days and is pursued in accordance with paragraph 2 of Article 322 and Articles 474 to 476 of the Code of Criminal Procedure [Law 4620/2019 (A 96)] before the relevant judicial council (as outlined in Article 16 of the Law).

Decisions made by HTPC imposing sanctions under Article 15 are subject to a substantive appeal before the Administrative Court of Appeal of Athens (specified in Article 17 of the Law).

For further reference, Regulation (EU) 2021/784 can be accessed here, and Law 5067/2023 (Government Gazette 189/A/20-11-2023) is available here.