Chapter 2: Liability of Providers of Intermediary Services
1. Member States shall ensure that their competent authorities have the power to require providers of intermediary services to provide information about one or more specific individual recipients of the service concerned who are identified in the order, where such information is necessary for the purpose of identifying and tracing recipients who have provided illegal content, or for the purposes of investigating a criminal offence or preventing imminent threats to public security.
2. Orders to provide information shall be sent to the point of contact designated pursuant to Article 11 and shall include the following information:
(a) the information sought, including a statement as to the specific recipients and the purposes for which the information is required;
(b) the legal basis and statement of reasons;
(c) information about redress available to the provider and the affected recipients;
(d) the period within which the information must be provided.
3. The information ordered may only concern subscriber information and access data. It may not require providers to provide content data or information concerning recipients' browsing history.
Understanding This Article
Article 10 of the Digital Services Act establishes the legal framework enabling national authorities to order intermediary service providers to disclose information about specific individual service recipients. This provision creates essential law enforcement and public safety capabilities while implementing rigorous safeguards protecting privacy, data protection rights, and preventing abuse of information disclosure powers. Unlike Article 9's focus on content removal, Article 10 addresses the distinct question of user identification and information disclosure necessary for accountability and legal enforcement.
The provision carefully balances three competing interests: legitimate law enforcement needs to identify individuals engaged in illegal activity, platforms' operational interests in protecting user data and maintaining trust, and users' fundamental rights to privacy and data protection under the GDPR and Charter of Fundamental Rights. This balance manifests through strict limitations on when, how, and what information can be ordered disclosed.
Article 10(1) establishes three exhaustive purposes justifying information orders: (1) identifying and tracing recipients who provided illegal content; (2) investigating criminal offences; and (3) preventing imminent threats to public security. These purposes are deliberately narrow. Authorities cannot request user information for general administrative purposes, civil litigation discovery, regulatory investigations unrelated to crime or public security, or exploratory inquiries lacking specific justification. The requirement that purposes be 'necessary' imposes a proportionality test - authorities must demonstrate information disclosure is genuinely required for the stated purpose, not merely convenient or potentially useful.
The data categories subject to Article 10 orders are strictly limited by paragraph 3. Orders may request only 'subscriber information' (name, postal address, email address, telephone number, and similar identifying data provided during account creation) and 'access data' (IP addresses, login timestamps, connection metadata). Critically, two categories are explicitly excluded: 'content data' (the substance of communications, posts, messages, files) and 'browsing history' (records of websites visited, searches conducted, content consumed). These exclusions protect core privacy interests - authorities seeking content or browsing data must utilize separate legal processes with heightened safeguards (criminal procedure laws, mutual legal assistance procedures, or specialized regulations like the e-Evidence Regulation).
The procedural requirements in Article 10(2) ensure transparency and legal accountability. Orders must specify the information sought with particularity, identify the specific recipients about whom information is requested (by account identifiers, unique user IDs, or other precise specification), provide comprehensive legal basis and statement of reasons, include information about redress available to both providers and affected recipients, and specify reasonable timeframes for compliance. These requirements prevent fishing expeditions, enable judicial review, protect against abuse, and ensure providers can assess legality and compliance obligations.
Notification requirements create additional procedural safeguards. Providers must inform affected recipients 'at the latest when effect is given to the order' about the disclosure, the statement of reasons, and redress possibilities. This enables users to challenge unlawful disclosures, seek legal remedies if their rights were violated, and exercise data subject rights under GDPR. However, notification timing ('at the latest when effect is given') allows authorities to delay notification temporarily if immediate disclosure would compromise investigations - but delay cannot be indefinite, and users must eventually be informed.
The relationship with GDPR is fundamental and complex. Article 10 doesn't override GDPR protections; rather, it establishes a DSA-specific procedure that must comply with GDPR requirements. When a provider receives an Article 10 order, it must assess: (1) Does the order provide lawful basis under GDPR Article 6(1)(c) (compliance with legal obligation) or 6(1)(e) (public interest/official authority)? (2) Are data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation) respected? (3) Are data subject rights adequately protected? If an order violates GDPR, providers can and should challenge it. The DSA and GDPR work as complementary frameworks - DSA authorizes the order procedure, GDPR imposes substantive data protection requirements.
Cross-border dimensions add complexity. The e-Evidence Regulation proposal (pending as of 2024-2025) aims to harmonize cross-border evidence gathering procedures. Until implemented, Article 10 orders from one Member State seeking data from providers established in another Member State must navigate existing mutual legal assistance procedures, jurisdictional principles, and international cooperation frameworks. Article 10 doesn't resolve cross-border jurisdiction questions but provides a harmonized procedure for national authorities operating within their jurisdiction.
Key Points
Authorities can order providers to disclose information about specific individual service recipients for narrow purposes
Three exhaustive permissible purposes: identifying illegal content providers, investigating criminal offences, preventing imminent public security threats
Only subscriber information (name, address, email, phone) and access data (IP addresses, timestamps) can be ordered
Content data (messages, posts, files) and browsing history explicitly excluded from Article 10 orders
Orders must specify information sought, identify specific recipients, provide legal basis and reasons, include redress information, and specify timeframes
Providers must notify affected recipients about the disclosure at the latest when providing the information to authorities
Must comply with GDPR - Article 10 doesn't override data protection requirements
Providers can and should challenge orders that violate GDPR, lack proper legal basis, or fail proportionality tests
Civil litigation disclosure not covered - Article 10 limited to criminal/public security contexts
Necessity and proportionality requirements prevent fishing expeditions and exploratory information gathering
Works together with Article 9 (content removal orders) to create comprehensive authority-provider cooperation framework
Practical Application
For Criminal Investigations - Identifying Illegal Content Distributors: German police investigate distribution of CSAM through a file-sharing platform. They identify specific user accounts uploading illegal material. Prosecutors obtain a court order under Article 10 requiring the platform to disclose subscriber information (account holder name, email, address) and access data (IP addresses used to upload content, login timestamps) for the identified accounts. The order must: (1) specify the exact accounts (by user IDs); (2) cite criminal procedure laws and explain necessity for identifying CSAM distributors; (3) specify data types sought (subscriber info + access data); (4) provide timeframe for disclosure; (5) explain redress procedures. The platform complies, providing requested data to law enforcement. The platform must notify affected users about disclosure (though timing may be coordinated with law enforcement to avoid compromising investigation initially), including information about their rights and legal remedies.
For Terrorism Prevention - Imminent Threat Response: French authorities learn through intelligence that an individual using a specific Twitter account is planning an imminent terrorist attack. Under Article 10(1)'s 'preventing imminent threats to public security' basis, authorities obtain an urgent order requiring Twitter to immediately disclose subscriber information and access data for the account. 'Imminent threat' requires genuine urgency and specific information indicating concrete attack planning, not generalized concerns about radicalization. Twitter verifies the order's legal validity, checks GDPR compliance, and if satisfied, discloses the requested data. The affected user must be notified after disclosure (timing may be delayed if immediate notification would enable the user to evade apprehension or proceed with planned attack).
For Civil Litigation vs. Criminal Investigation: A company suffers defamation through anonymous posts on Reddit. The company wants to sue for damages and seeks a court order requiring Reddit to disclose the poster's identity. This civil discovery request is NOT covered by Article 10, which limits disclosure orders to illegal content tracing, criminal investigations, or imminent public security threats. Civil litigation disclosure follows national civil procedure laws, which vary across Member States. Some jurisdictions allow civil disclosure orders in defamation cases; others don't. Article 10 doesn't harmonize or authorize civil disclosure - it addresses only the three specified purposes.
For Copyright Infringement Investigations: Rights holders identify large-scale commercial copyright infringement operation using a cloud storage service to distribute pirated films. They work with police to launch a criminal investigation for criminal copyright infringement. Police obtain an Article 10 order requiring the cloud service to disclose subscriber information and access data for accounts involved in the infringement operation. Because copyright infringement can constitute a criminal offence under many Member States' laws, Article 10(1)'s 'investigating criminal offence' basis applies. However, if rights holders sought disclosure for civil copyright enforcement (damages lawsuits) rather than criminal prosecution, Article 10 wouldn't apply - they'd need to pursue civil discovery procedures under applicable national law.
For Data Protection Challenges: An Irish hosting provider receives an Article 10 order from Irish authorities seeking user information. The provider's GDPR assessment identifies concerns: the order doesn't adequately specify why disclosure is necessary (fails proportionality), requests data for more users than justified (fails data minimization), and doesn't explain how long authorities will retain data (fails storage limitation). The provider challenges the order, arguing it violates GDPR requirements. The data protection authority or courts must assess whether the order meets GDPR standards. If it doesn't, the order must be modified or withdrawn. This demonstrates that Article 10 authorization doesn't override GDPR - providers can and should challenge orders failing data protection requirements.
For Content Data Exclusion: Police investigate online harassment. They obtain an order requiring a messaging platform to disclose who sent threatening messages to a victim. Article 10 authorizes disclosure of subscriber information (account holder identity) and access data (when messages were sent, from what IP). Article 10 does NOT authorize disclosure of message contents - those are 'content data' explicitly excluded by Article 10(3). If authorities need message contents, they must use criminal procedure laws' evidence gathering provisions, which typically require higher legal standards (such as judicial warrants meeting heightened privacy protections) reflecting content data's greater privacy sensitivity.
For Browsing History Exclusion: A provider operates both a hosting service and a browser/search engine. Authorities investigating suspected illegal activity request the target's browsing history, search queries, and websites visited. Article 10(3) explicitly excludes browsing history from information orders. Authorities cannot use Article 10 to obtain this data. They must resort to national criminal procedure laws, which may allow such disclosure under strict conditions (serious crime investigations, judicial authorization, proportionality assessment, heightened privacy safeguards). The exclusion reflects browsing data's sensitivity - it reveals comprehensive information about individuals' interests, beliefs, health concerns, political views, and private activities.
For Cross-Border Complexity: Spanish authorities investigate cybercrimes involving suspects using a platform operated by a company established in the Netherlands. Spanish authorities issue an Article 10 order seeking user information. The Dutch-established company questions whether Spanish orders bind it. The answer depends on jurisdictional principles, establishment location, and international cooperation frameworks. If the platform targets Spanish users and the suspects are in Spain, Spanish jurisdiction likely extends to ordering disclosure. However, the Dutch company might require the order to comply with mutual legal assistance procedures or e-Evidence Regulation frameworks (once implemented). This illustrates ongoing cross-border evidence gathering challenges that Article 10 partially addresses but doesn't fully resolve pending broader EU harmonization.
For Platform Compliance Procedures: Telegram establishes internal procedures for handling Article 10 orders: (1) legal team reviews each order for compliance with Article 10 requirements, GDPR, and fundamental rights; (2) if deficient, Telegram requests clarification or challenges the order; (3) if valid, Telegram prepares the requested data (limited to subscriber information and access data as specified); (4) discloses data to authorities; (5) notifies affected users after disclosure (coordinating timing with authorities if investigation necessitates delayed notification); (6) documents compliance for transparency reporting under Article 15. These procedures ensure Telegram complies with lawful orders while protecting user rights and challenging problematic orders.
Real-World Example - Balancing Law Enforcement and Privacy: Austrian police investigate online drug trafficking. They identify specific accounts on an encrypted messaging platform advertising drug sales. They obtain an Article 10 order for subscriber information and access data. The platform complies, providing account registration data and IP/timestamp information. Police use this to identify and prosecute traffickers. However, the platform refuses requests for message contents, correctly noting Article 10 excludes content data and authorities must utilize mutual legal assistance procedures under criminal procedure laws for content access. This demonstrates Article 10's balance: enabling legitimate law enforcement (identifying criminals through subscriber/access data) while protecting core privacy interests (message contents require heightened legal process).