Chapter 2|Liability of Providers of Intermediary Services|📖 12 min read
1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, the service provider shall not be liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.
2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.
Understanding This Article
Foundational Liability Exemption and Policy Rationale: Article 4 establishes the most fundamental liability exemption in the DSA's framework, protecting 'mere conduit' services from liability for content they transmit. This provision recognizes a basic policy principle: entities providing neutral transmission infrastructure shouldn't be held liable for content flowing through their networks any more than telephone companies are liable for criminal conversations or postal services for illegal letter contents. Without this protection, ISPs and network operators would face impossible liability exposure - they couldn't possibly review every packet transmitted, and liability threats would either destroy their business models or force them to block vast amounts of content to avoid risk. The exemption enables the internet's basic functionality by ensuring infrastructure providers can operate without constant legal jeopardy. Article 4 directly continues Article 12 of the e-Commerce Directive 2000/31/EC, maintaining established law while incorporating CJEU case law developments. The Court of Justice has consistently held that intermediaries must be 'passive' - playing merely technical, automatic, passive roles without knowledge of or control over transmitted information - to qualify for protection. Any active role in content selection or modification destroys the exemption.
Three Mandatory Conditions for Protection: Paragraph 1 establishes three cumulative conditions that must all be satisfied. First, the provider must not initiate the transmission - users must request or initiate data transmission; providers can't autonomously decide to transmit content. An ISP routing data requested by subscribers satisfies this; an ISP autonomously pushing content to users does not. Second, the provider must not select the receiver - transmission must be automatic or user-determined; providers can't editorially choose who receives information. Standard internet routing satisfies this; curated distribution does not. Third, the provider must not select or modify the information contained in the transmission - content must pass through unchanged; providers can't alter, edit, or curate transmitted data. Bit-perfect transmission satisfies this; content modification (beyond technical format changes necessary for transmission) does not. These conditions ensure providers remain genuinely passive conduits. CJEU case law (particularly Google France, L'Oréal v eBay, and subsequent cases) emphasizes that knowledge of illegal content alone doesn't destroy the exemption - passive conduits can know about illegal content yet remain protected. However, active involvement in content (selecting, initiating, modifying) ends protection regardless of knowledge.
Automatic Transient Storage and Technical Operations: Paragraph 2 explicitly permits automatic, intermediate, and transient storage necessary for transmission. Modern internet transmission requires temporary storage - buffering in router memory, caching in network equipment, temporary storage in switching systems. This technical necessity doesn't transform mere conduit into hosting if storage is solely for transmission purposes and doesn't exceed reasonably necessary duration. For example, an ISP's router temporarily storing packets in memory buffers while routing them to destinations remains mere conduit. Network equipment caching routing tables or DNS information for operational efficiency remains mere conduit. However, if an ISP stores transmitted content for purposes beyond transmission (data mining, advertising, long-term caching for performance), storage may exceed paragraph 2's limits and create hosting obligations. The distinction is functional: is storage purely technical necessity for transmission, or does it serve independent business purposes? Duration matters too - fleeting microsecond buffering clearly qualifies; hours-long storage for non-transmission purposes likely doesn't. Recital 19 clarifies that this transient storage provision aims to enable efficient network operations without creating liability, recognizing modern transmission's technical realities.
Injunctive Relief and Court Orders: Paragraph 3 creates critical limitation: while mere conduit providers aren't liable for transmitted content, they remain subject to court or administrative authority orders to 'terminate or prevent an infringement.' This preserves judicial authority to require blocking, filtering, or other measures addressing illegal content or activities. Courts can order ISPs to block access to illegal websites, filter specific content types, or terminate services to infringers. The injunction exception balances provider protection with enforcement needs - providers aren't automatically liable for everything transmitted, but courts can compel action against specific violations. However, Article 8 DSA prohibits general monitoring obligations, so injunctions must be specific and targeted, not requiring comprehensive surveillance. CJEU case law (particularly Scarlet Extended and SABAM cases) establishes that injunctions can't require general monitoring or filtering systems that would identify all potentially infringing content - such orders would violate fundamental rights and impose disproportionate burdens. Lawful injunctions must identify specific content, specific infringements, or specific illegal actors, allowing providers to implement targeted blocking without wholesale content surveillance. This creates tension: courts want effective enforcement, but providers resist expensive filtering obligations, and users' fundamental rights constrain what courts can order. Recent case law continues refining this balance.
Scope and Service Types Covered: Article 4's mere conduit category encompasses diverse services sharing transmission functions. Traditional ISPs (Comcast, Vodafone, Deutsche Telekom, Orange) providing internet access clearly qualify - they transmit data requested by users without selecting content or receivers. Telecommunications providers (mobile networks, telephone services) transmitting voice, text, or data fall under mere conduit when passively routing communications. VPN providers routing encrypted traffic through private networks qualify if they don't inspect, select, or modify content - though VPNs specifically designed to circumvent legal restrictions or facilitate illegal activity may lose protection. WiFi hotspot providers (cafes, airports, libraries, hotels) offering network access are mere conduits when simply providing connectivity. Mesh network operators, peer-to-peer network infrastructure, and similar distributed transmission systems qualify if purely transmitting user-initiated content. However, services with active content roles don't qualify - a service selecting which content to display, curating feeds, or recommending information plays active roles incompatible with mere conduit status. The technical function determines classification, not the provider's self-description.
Loss of Protection and Active Roles: Mere conduit protection is conditional - actively participating in content dissemination ends the exemption. If an ISP monitors content and selectively blocks or prioritizes based on content (beyond court-ordered specific blocking), it may lose protection by 'selecting' content for transmission. If a network operator modifies transmitted content (injecting advertisements, altering webpages, stripping encryption), it violates the non-modification condition. If a provider autonomously initiates transmissions (spam distribution, unsolicited content pushing), it violates the non-initiation condition. CJEU case law distinguishes passive technical operations from active content involvement. An ISP that partners with content providers to deliver their content faster is walking a fine line - if it involves active content selection or prioritization beyond users' requests, protection may be jeopardized. Critically, knowledge alone doesn't end protection - an ISP aware that users access illegal content through its network remains protected as long as it maintains passivity. However, once a court issues an injunction ordering specific action, failure to comply creates liability (not for the underlying content, but for violating the court order).
Relationship to Other Liability Exemptions: Article 4 is the first of three liability exemptions (Articles 4-6), creating a hierarchy. Mere conduit involves only transmission; caching (Article 5) adds temporary storage for efficiency; hosting (Article 6) adds permanent user-requested storage. Many providers perform multiple functions - an ISP might provide mere conduit (network access), caching (proxy servers), and hosting (email, web hosting). Each function receives corresponding protection. The exemptions aren't mutually exclusive - different activities by the same provider receive different protections. Amazon provides hosting (marketplace, AWS cloud), but also uses CDNs involving caching, and potentially transmission qualifying as mere conduit. Proper classification requires analyzing each specific function and activity. Moreover, Article 7 ensures that providers conducting voluntary investigations or content moderation don't lose mere conduit protection for activities remaining genuinely passive. An ISP that implements child safety filters at users' requests (optional, user-controlled) maintains mere conduit status for transmission functions, though the filtering service itself might create different obligations.
Key Points
Service providers not liable for transmitted information if they act as passive conduits without editorial involvement or control
Three mandatory conditions: provider must not initiate transmission, must not select receivers, and must not modify transmitted content
Covers ISPs, telecommunications providers, network operators, VPN services, and WiFi hotspot operators transmitting user data
Automatic intermediate transient storage permitted if necessary for transmission and not stored longer than reasonably required
Liability exemption only applies to third-party content liability - providers remain subject to court-ordered injunctions to terminate or prevent infringements
Maintains e-Commerce Directive Article 12 framework while codifying CJEU case law clarifying passive nature requirements
Providers remain liable for their own illegal activities and must comply with lawful orders to block or filter specific content
Exemption lost if provider plays active role in content selection, transmission initiation, or information modification
Practical Application
ISP Operations and Liability Protection: Internet service providers constitute the paradigmatic mere conduit example. When Comcast, Vodafone, or Deutsche Telekom provides residential internet access, customers use the connection to access websites, stream videos, send emails, and engage in countless online activities. The ISP doesn't choose which websites customers visit, doesn't modify webpage contents (beyond technical formatting for transmission), and doesn't initiate transmissions on customers' behalf. This qualifies for full Article 4 protection - if a customer accesses illegal content, the ISP isn't liable for facilitating that access through network provision. However, ISPs must respond to lawful court orders. If a German court orders Vodafone to block access to specific websites hosting illegal content, Vodafone must implement blocking (DNS blocking, IP blocking, or other technical means) as ordered. The exemption protects against automatic liability, not against following lawful injunctions. ISPs should maintain policies for receiving and implementing court orders, legal review processes to verify order validity, technical systems for implementing blocks when ordered, and documentation of compliance with orders.
VPN Services and Encryption: VPN providers present interesting scenarios. A VPN encrypting and routing users' traffic through private networks performs mere conduit functions - transmitting encrypted data without knowing, selecting, or modifying content. ExpressVPN, NordVPN, or similar services maintain protection if they operate as genuinely passive conduits. However, VPNs explicitly designed to circumvent legal restrictions or marketed primarily for accessing illegal content might be deemed active facilitators losing protection. Courts could order VPN providers to block access to specific illegal services or terminate accounts of identified infringers. Providers should implement: clear terms prohibiting illegal use, procedures to respond to infringement notices and court orders, logging sufficient to comply with lawful information requests (balanced against privacy promises), and technical capability to implement targeted blocking without undermining service functionality. 'No-logs' VPNs create compliance challenges - if they genuinely can't identify individual users, they can't comply with many enforcement orders, potentially creating legal vulnerability.
WiFi Hotspot Providers: Cafes, airports, hotels, and libraries offering public WiFi qualify as mere conduit providers when simply providing internet access. They don't select what users access, don't modify transmitted content, and don't initiate transmissions. However, many implement filtering or access controls - blocking adult content, limiting bandwidth for certain services, or requiring login credentials. Do these destroy mere conduit status? Generally no, if filtering is transparent, user-requested, or implements court orders rather than provider content preferences. A library blocking adult content per institutional policy likely maintains mere conduit status for non-blocked transmission, though the blocking itself isn't protected mere conduit (it's institutional policy enforcement). If a hotel receives a court order to block piracy sites, implementing that block maintains mere conduit status while complying with obligations. Hotspot providers should: publish acceptable use policies, implement technical measures to respond to court orders, maintain capacity to identify users if legally required (subscriber information for law enforcement), consider limiting liability through terms of service (though terms can't override legal obligations).
Court-Ordered Blocking and Filtering: While Article 4(3) permits courts to order providers to terminate or prevent infringements, Article 8 prohibits general monitoring obligations, creating tension. Courts want effective enforcement; providers resist burdensome obligations; and fundamental rights constrain permissible orders. CJEU case law provides framework: Orders must be specific - identifying particular illegal content, specific websites, or identified infringers, not requiring general scanning for 'anything potentially illegal.' Orders must be proportionate - balancing enforcement needs against provider costs, user rights, and technical feasibility. Blocking all of YouTube because some videos infringe copyright would be disproportionate; blocking specific channels or videos is proportionate. Orders must preserve legal content - blocking mechanisms must be designed to avoid over-blocking lawful content. Orders must respect fundamental rights - particularly freedom of expression and information, requiring careful tailoring. Practical examples: A court can order an ISP to block access to a specific website entirely devoted to distributing pirated content - this is specific and targeted. A court can order an ISP to block specific URLs identified as distributing CSAM - highly specific and clearly illegal content. A court cannot order an ISP to monitor all traffic and block anything potentially infringing copyrights - this requires general monitoring prohibited by Article 8. A court can order an ISP to terminate internet service to an identified repeat infringer - specific to an individual, though subject to proportionality limits. ISPs receiving court orders should: verify order validity and jurisdiction, assess technical feasibility and costs, consider appeal if order appears to violate Article 8 or fundamental rights, implement using least restrictive means necessary, document implementation, and preserve user rights to challenge blocks.
Network Equipment and Technical Operations: Mere conduit protection extends to necessary technical operations. Routers temporarily storing packets in memory buffers while forwarding them remain protected - this is automatic, transient, technical storage essential for transmission. ISPs caching DNS queries to improve performance remain protected if caching is purely for technical efficiency. Network operators implementing quality of service (QoS) prioritizing time-sensitive traffic (VoIP, video calls) over less time-sensitive traffic (software downloads) likely maintain protection if prioritization is content-neutral and based on technical protocols, not content selection. However, partnerships prioritizing specific services or content providers might create active selection roles jeopardizing protection. An ISP offering 'zero rating' (not counting certain services against data caps) might be selecting content for favorable treatment, potentially problematic. The key question: is the action purely technical and content-neutral, or does it involve content-based selection or modification? Technical operations in users' interests (faster speeds, better reliability) maintain protection; content-based favoritism for business reasons might not.
Content Modification and Middle Boxes: ISPs must avoid modifying transmitted content to maintain protection. However, format conversions necessary for transmission (protocol changes, compression for network efficiency) don't constitute prohibited modification if content remains substantively unchanged. Transcoding video to adapt to available bandwidth likely remains protected. However, ISPs injecting advertisements into webpages, modifying content for business purposes, or stripping privacy protections destroy mere conduit status by modifying content. Early 2010s practices of ISPs injecting ads or tracking cookies into webpages would violate Article 4(1)(c)'s non-modification requirement. Similarly, ISPs that strip HTTPS encryption to inspect traffic modify transmitted content (though this may be justifiable for security purposes, it ends mere conduit protection for modified transmissions, potentially creating hosting obligations and liabilities). Deep packet inspection (DPI) used to monitor and modify content crosses the line from passive transmission to active content involvement. ISPs should: avoid content modification beyond necessary technical format conversions, implement encryption respecting users' privacy and content integrity, resist commercial temptations to monetize transmission through content insertion, and document technical operations to demonstrate passivity.