Abstract
Content moderation practices of online platforms are underpinned by a complex interplay between public and private power. This interplay raises important questions concerning the division of responsibility for safeguarding fundamental rights, particularly freedom of expression, among various actors involved in online content governance. This article examines the role of the CJEU in shaping an elaborate multi-actor system for the protection of fundamental rights within the context of EU platform regulation. It establishes that in the absence of comprehensive EU legislation on content moderation, the CJEU offered crucial reflections on the existence, scope and content of obligations which may be incumbent upon the EU, the Member States and online platforms under the EU Charter of Fundamental Rights. The CJEU's case law has therefore laid essential groundwork for the rules set out in the Digital Services Act (DSA), which has codified and expanded on the Court's key findings. At the same time, the article shows how the DSA's rules challenge the core tenets of the framework crafted by the CJEU. This underscores the need to refine the principles for distributing responsibility for securing the protection of fundamental rights, which must be rooted in a more comprehensive understanding of the intricate relationships between public and private actors in the digital environment.
Introduction
Content moderation on online platforms has been a subject of vigorous public debate for over a decade now. Initially, the advent of platforms promised to stimulate a free and robust civic discourse by offering a compelling alternative to traditional media. By turning to early social networking websites, individuals seemed to gain the possibility to connect and exchange their views and opinions without strict editorial control. 1 The naïve anticipation that the newly evolving platform economy would have a democratizing effect on society at large gradually faded when a few globally operating platforms came to dominate the online communication environment. 2 Their custom rules that determine the categories of content that may not be uploaded on their servers and intricate mechanisms for enforcing them play a key role in shaping the production and dissemination of information and ideas. While content moderation is imperative for addressing the misuse of platform services and maintaining an environment conducive to healthy engagement and dialogue, the strategies platforms employ to govern user behaviour often run counter to democratic values and affect the exercise of fundamental rights. 3 The ongoing backsliding of US-based platforms on their commitments to protect vulnerable groups highlights the precarious nature of their far-reaching control over online speech. 4
Since online platforms operate within a complex sociopolitical environment, their moderation practices are influenced by a broad range of factors. The commercialization of platform services is often cited as a central reason why content moderation poses a threat to the free exchange of legitimate information. 5 By striving to increase advertising revenue while cutting costs on content moderation personnel and infrastructure, platforms have been widely criticized for appeasing influential personas spreading polarizing messages, which typically garner more attention and views, while showing insensitivity towards already silenced marginalized communities. 6 Besides purely business-related motivations, content moderation is also significantly influenced by governments which establish a regulatory climate for the platform economy. The lenient approach to regulating digital services initially adopted by most jurisdictions to avoid stifling innovation played a significant role in enabling the concentration of power and resources in the hands of a small number of leading platforms. 7 Since then, some countries, such as the US, have doubled down on their free-market vision, while others have recognized the need for an effective legal framework stipulating how platforms must operate their communication networks. This stark disagreement underlies the current geopolitical tension challenging the entire transatlantic alliance. 8 Regardless of different regulatory pathways, online content governance is inevitably co-shaped by both private and public actors, raising difficult queries concerning the division of responsibility for the effective protection of fundamental rights.
The EU is a pioneer in promoting the transparency and accountability of online platforms. The Digital Services Act (DSA), adopted in 2022, aims to ensure a safe, predictable and trustworthy online environment for EU citizens. 9 However, for more than two decades prior, the EU's horizontal legal framework governing information society services was characterized by a largely hands-off approach and lacked explicit fundamental rights language. The e-Commerce Directive, 10 adopted in 2000 and now amended by the DSA, primarily pursued economic objectives. 11 By harmonizing the exemptions from liability for illegal third-party content enjoyed by different types of information society service providers, 12 it sought to remove barriers to the EU internal market. Against this backdrop, a crucial role in addressing novel challenges arising from digital transformation in light of the Charter of Fundamental Rights of the EU (‘Charter’) was played by the CJEU. 13 In doing so, it also had to grapple with questions concerning the allocation of duties for safeguarding fundamental rights among different actors within the online content governance landscape. Since EU platform regulation is embedded in the pluralist architecture of fundamental rights protection, 14 it has inherited many long-standing dilemmas of EU and national fundamental rights law. The prominence of globally operating non-state actors in shaping the rules governing the digital environment further complicates the picture. Originally intended to constrain state authority, fundamental rights are increasingly viewed as a means of enhancing accountability of transnational corporations. 15 Therefore, the applicability of fundamental rights in relationships between online platforms and their users has long remained a critical issue in the EU legal scholarship and practice. 16 While the CJEU made a significant contribution to addressing many of these complex dilemmas, its judgments have also introduced new complexities. 17
Furthermore, it remains an open question how the CJEU's reflections offered before the adoption of the DSA should inform the implementation and enforcement of the new legal framework. As noted by De Gregorio, the CJEU's judicial activism phase has now been superseded by the far-reaching paradigm of digital constitutionalism, whereby the EU legislator has imposed stringent obligations on online platforms as well as significantly strengthened user rights. 18 A broad range of novel rules and mechanisms established by the DSA call into question some of the principles concerning the division of responsibility for protecting fundamental rights as elaborated by the CJEU. The shift also has important implications for the norm-making authority of the CJEU, 19 which are yet to be explored.
This article examines the challenges of allocating responsibility for protecting fundamental rights among the EU, the Member States and online platforms under EU platform regulation, using the CJEU's case law as a lens. It contends that while the reform of the EU legal framework governing platform conduct has been largely devoted to enhancing fundamental rights protection, it has also prompted new and pressing dilemmas that require nuanced and thoughtful judicial interpretation. After briefly unpacking the public–private entanglement in online content governance and its implications for fundamental rights (section 2), it demonstrates the CJEU's integral role in crafting the multi-actor framework for fundamental rights protection prior to the adoption of comprehensive EU-wide legislation regulating the provision of digital services (section 3). At the same time, the article shows how the provisions of the DSA, which seek to address the dissemination of illegal content while enhancing the transparency and accountability of online platforms, have significantly complicated the division of responsibility for safeguarding fundamental rights (section 4). It concludes by calling for a more elaborate and robust framework governing the distribution of fundamental rights obligations among public and private actors within the context of online content governance.
The article's contribution to the existing literature is threefold. First, it advances an academic debate on the interaction between public and private actors in the context of online content governance. By referring to scholarly works and practice from both the EU and the US, it underscores the global nature of the issues at stake and shows the strong multi-actor involvement in the regulation of online communications across jurisdictions despite clear divergences in regulatory approaches. 20 Second, the article enhances the understanding of the CJEU's normative authority concerning the division of responsibility for protecting fundamental rights in complex multistakeholder systems. Although there is an abundance of academic commentary on the fundamental rights reasoning of the CJEU in cases concerning EU platform regulation in general, 21 its role in elucidating the division of responsibility for protecting fundamental rights within this strand of case law has not yet been comprehensively analysed. The article therefore complements scholarly literature examining the CJEU's approach to the allocation of fundamental rights obligations or liability for their breach in other policy domains, ranging from the area of freedom, security and justice 22 to the labour policy 23 and intellectual property rights. 24 Finally, drawing on the rich body of academic work on the relationship between legislative and judicial authority in the EU, 25 the article argues that the evolution of EU platform regulation does not curtail the CJEU's important role in shaping the multi-actor system of fundamental rights protection. To the contrary, the introduction of new provisions explicitly referring to fundamental rights warrants the Court's clarification on how different actors should contribute to the pursuit of complex and overlapping policy objectives in the digital sphere.
Fundamental rights in the multi-actor landscape of online content governance
Since the Internet is a global and decentralized phenomenon that transcends national borders, its governance is inherently pluralist: a broad range of actors with different interests and expertise contribute to the creation of norms and principles ordering the relationships in the digital domain. 26 From its early days, the Internet was heavily shaped by bottom-up, participatory governance mechanisms driven by private entities. 27 The legitimacy of government regulation, on the other hand, used to be radically rejected. A plea for the retreat of the state and an embrace of the ‘New Social Contract’, implying the Internet's autonomy from traditional governance, was famously articulated by John Perry Barlow in the Declaration of the Independence of Cyberspace of 1996. 28 However, it soon became clear that the emergence of non-state actors with rule-making capacities did not overshadow the state's regulatory power. For instance, the seminal work of Birnhack and Elkin-Koren described how the 9/11 tragedy provoked the convergence of public and private interests in the information paradigm and gave rise to a peculiar regulatory phenomenon which the authors refer to as ‘the Invisible Handshake’. 29 By relying on the so-called ‘private nodes of control’, the state assumed vast control over the decentralized digital ecosystem, enabling it to roll out large-scale anti-terrorism policies.
Originally theorized in literature on the Internet's underlying infrastructure, the relationship between private and public power has since become a prominent point in the academic debate on online content governance. One of the most influential accounts in this regard was offered by Jack M. Balkin, who compared the 21st-century model of speech regulation to a triangle. 30 One corner is occupied by states and supranational organizations, such as the EU. The second corner includes companies transmitting or hosting third-party information, including online platforms. Different categories of speakers, be it platform users or professional media outlets, are then placed in the third corner. Their expression can be regulated through three different means: directly by governments in the form of bans or sanctions (which Balkin calls ‘old-school’ regulation), through legislation obliging intermediaries to control user-generated content (defined as ‘new-school’ regulation), as well as by private regulation comprised of online platforms’ terms and conditions and community standards. 31 Despite being succinct and illustrative, this analytical framework has also attracted criticism. When applying Balkin's model to examine governance mechanisms for promoting freedom of expression and participation, Ricknell has found that ‘the sharp corners of the triangle obscure potential merging points’ in light of novel formats of cooperation between governments and their citizens or online platforms and their users. 32 Later, Schulz and Ollig have challenged an actor-based perspective encoded in Balkin's free speech triangle, advocating a shift of focus towards the interaction of publicly and privately set rules, which they conceptualize as ‘hybrid speech governance’. 33 This alternative vision aims to provide a lens for studying the application of constitutional norms to the dynamic field of online communications.
While the debate on the relationship between public and private actors in the context of online content governance has helped illuminate how authority over what can be said online is exercised, it has generated limited insight into the practical legal implications thereof. Schulz and Ollig recognize the allocation of responsibility for fundamental rights as one of the key dilemmas of hybrid speech governance, yet acknowledge that such rules still need to be fleshed out both in theory and in practice. 34 The attribution of limitations on the exercise of fundamental rights to public authorities in the context of content moderation remains a highly contested issue. As seen from the jurisprudence of both the US Supreme Court and the European Court of Human Rights (ECtHR), direct restrictive or coercive measures, such as enacting legislation criminalizing the transmission of certain content or issuing blocking orders against online platforms, were often found to constitute a violation of free speech protections which must be upheld by the state. 35 However, the attribution of fundamental rights infringements to public authorities becomes more challenging where their influence over content moderation on online platforms is more obscure. A heated debate in this regard was sparked by the practice of ‘jawboning’ – a term describing the efforts of government actors to tacitly coerce or cajole platforms to remove third-party content hosted on their networks beyond the boundaries of their formal legal authority. 36 By resorting to ‘jawboning’, such actors strive to evade compliance with fundamental rights which they would otherwise have to secure if they directly restricted certain forms of expression. ‘Jawboning’ has become a particularly polarizing issue in the US in view of the strong protection of free speech under the First Amendment to the US Constitution. The tension ultimately culminated in a court case against the Biden administration, which had allegedly pressured platforms into censoring content regarding the COVID-19 pandemic and the 2020 US presidential election. 37 However, the US Supreme Court eventually determined that the plaintiffs lacked standing as they had failed to demonstrate a link between the government's actions and the platforms’ content moderation decisions. 38
In the EU, concerns regarding ‘jawboning’ were sparked by a series of statements made by former Commissioner Thierry Breton. In 2023, amid the pension reform protests in France, Breton remarked that online platforms could face a shutdown under the DSA if they fail to ‘immediately’ remove hateful content. 39 Following a public outcry, 40 Breton hurried to double down on the European Commission's commitment to protect freedom of expression, noting that the temporary restriction of access to platforms’ services was intended for exceptional circumstances and ‘will always be undertaken with due process’. 41 One year later, Breton sent a letter to Elon Musk, ‘reminding’ him of his platform X's obligation to tackle illegal content related to far-right, anti-immigration protests in the UK and the planned broadcast of a live conversation between Musk and the then-US presidential candidate Donald Trump. 42 However, it was later discovered that the content of the letter had not been agreed with Commission President Ursula von der Leyen or other Commissioners, which, among other incidents, paved the way for Breton's subsequent resignation. 43
As online platforms increasingly push back against government interference in their content moderation policies, another pressing question that arises is whether they can be directly bound by fundamental rights obligations. In the US, the First Amendment protects free speech exclusively from government censorship and does not bind private actors. 44 Furthermore, online platforms enjoy broad protection from liability for third-party speech under section 230 of the Communications Decency Act (CDA). 45 As a result, holding platforms accountable for either removing lawful content or failing to address problematic content is incredibly challenging. 46 In the EU, the question of the horizontal application of Charter rights is considerably more nuanced. Online platforms must respect fundamental rights which are operationalized under EU secondary legislation, such as the right to erasure (also known as the ‘right to be forgotten’) stipulated in Article 17 of the General Data Protection Regulation (GDPR), derived from the right to the protection of personal data under Article 8 of the Charter. 47 However, the horizontal effect of other fundamental rights, such as freedom of expression, remains contested. 48
Fundamental rights can also govern the relationships between online platforms and their users indirectly. Under the doctrine of positive obligations, states must not only abstain from unduly limiting fundamental rights but may also be required to take active measures to ensure their effective enjoyment, including in private relationships. 49 For example, as determined by the ECtHR, freedom of expression under Article 10 of the European Convention on Human Rights (ECHR) obliges the Contracting Parties to create a favourable environment for participation in public debate. 50 However, it is debatable whether and under what circumstances content moderation decisions of online platforms could trigger the state's positive obligation to protect fundamental rights. For instance, the suspension of the accounts of the then-former US President Donald Trump in view of his role in inciting the storming of the US Capitol on 6 January 2021 by several major social media platforms sparked a debate regarding whether states must foresee special safeguards for the speech of politicians and other prominent public figures. 51 Similarly, one may also wonder whether positive obligations apply where online platforms systematically censor certain forms of expression, such as pro-Palestinian content, 52 or avoid taking sufficient measures to protect vulnerable groups from online abuse and harassment (for instance, as evidenced by Meta's changes to its hateful conduct policy, which currently allows users to post certain homophobic and racist slurs). 53
The EU's multilevel governance system makes these inquiries especially complex. Both the EU and the Member States aim to exercise authority over online platforms. Prior to the maximum harmonization of the rules on intermediary services in the EU internal market, several Member States had enacted domestic legislation aimed at enhancing the transparency and accountability of online platforms. 54 Although such legislation has now been replaced by the DSA, Member States continue to shape content moderation practices by, for example, determining what constitutes illegal content or activity and ordering platforms to act against it. 55 The EU's model of online content governance is therefore three-dimensional: in contrast to Balkin's model, it encompasses three distinct nodes of control: the EU, its Member States and online platforms. As will be shown in section 3, these types of actors also feature most prominently in the CJEU's case law, with each of them bearing some degree of responsibility for safeguarding the fundamental rights of platform users. In practice, however, the overlapping and commingling regulatory influence of public and private actors across different levels of governance makes it extremely challenging to determine the scope and content of fundamental rights obligations which could potentially be imposed on them.
The evolution of the multi-actor system of fundamental rights protection under the case law of the CJEU
The current EU legal framework governing online platforms is explicitly aimed at striking an appropriate balance between ensuring the smooth functioning of the EU internal market for intermediary services and protecting the fundamental rights of the recipients of these services. 56 However, an explicit acknowledgement of the latter objective is still a fairly recent trend in EU platform regulation. Since the e-Commerce Directive predated the Charter, it only made a vague reference to freedom of expression as guaranteed by Article 10 ECHR but lacked any concrete operationalization thereof. 57 The importance of fundamental rights in the context of EU platform regulation was first emphasized by the Commission upon unveiling the Digital Single Market (DSM) strategy in 2015. Specifically, it noted that none of the envisioned measures to tackle illegal content shall result in undue interference with the freedom of expression enjoyed by platform users. 58 However, EU legislation used to provide limited guidance on the allocation of fundamental rights obligations within online content governance. Prior to the DSA, fundamental rights provisions were incorporated only in the Terrorist Content Regulation (TERREG) – one of the sector-specific legislative acts adopted in 2021 to combat the dissemination of terrorist-related materials on online platforms. 59
Against this backdrop, an instrumental role in aligning EU secondary legislation on information society services with the requirements of the Charter was played by the CJEU. In doing so, it not only had to balance the conflicting fundamental rights at stake but also delineate the division of responsibility between public authorities and private entities involved. This section traces the development of the CJEU's case law predating the adoption of the DSA and demonstrates how the Court has effectively shaped the multi-actor system for protecting fundamental rights affected by platform conduct, while also highlighting the blind spots in some of its judgments. It begins by reviewing the CJEU's approach to defining the duty to ensure appropriate balancing of conflicting fundamental rights incumbent on Member States (A). It then looks at the CJEU's careful attempts to determine the extent to which information society service providers may be expected to respect fundamental rights of their users (B). Finally, this section examines the CJEU's stance on fundamental rights obligations of the EU as elaborated in its judgment in Poland v Parliament and Council (C).
The ‘balancing’ obligations of Member States in injunction-related cases
The Charter, which became legally binding in 2009, requires the Member States to respect the rights, observe the principles and promote the application thereof ‘when implementing EU law’. 60 This ambiguous wording sparked a long-standing academic debate on the scope of application of the Charter. 61 Furthermore, the precise content of the Member States’ Charter-based duties becomes elusive in complex scenarios involving overlapping fundamental rights enjoyed by different stakeholders.
For the first time, the obligation of the Member States to uphold fundamental rights with regard to the transposition of the e-Commerce Directive was elucidated in Promusicae. 62 The domestic proceedings were initiated by the Spanish music industry association Promusicae, which requested preliminary measures against the internet access provider Telefónica, seeking an order to disclose the identities and physical addresses of persons who had allegedly used its services to infringe intellectual property rights. 63 In its request for a preliminary ruling, the Spanish court inquired whether EU law read in light of the Charter permitted Member States to limit the duty of information society service providers to retain and make available information about their users to the context of a criminal investigation or where such information is needed for safeguarding public security and national defence. 64 While the e-Commerce Directive explicitly excluded injunctive relief from the scope of the liability exemptions and did not harmonize the rules on injunctions aimed at terminating third-party infringements, 65 the CJEU did not hesitate to apply the Charter in resolving the issue at hand. Although the national court only referred to the right to intellectual property (Article 17(2)) and the right to an effective remedy (Article 47), the CJEU noted that the situation also concerns the rights to privacy and data protection under Articles 7 and 8. 66 While it acknowledged the mechanisms for balancing conflicting rights and interests are codified in the directives themselves, it also emphasized the Member States’ obligation to achieve a fair balance between the various fundamental rights during the transposition process. 67 Additionally, when implementing the measures transposing EU directives, domestic authorities and courts must not only interpret their national law in a manner consistent with those directives but also make sure that they do not rely on an interpretation of them which would conflict with the Charter. The CJEU eventually concluded that EU law did not require Member States to lay down an obligation to communicate personal data in the context of civil proceedings concerning copyright enforcement. 68
The CJEU had a chance to flesh out the ‘balancing’ obligations of the domestic authorities and courts of the Member States when issuing injunctions against information society service providers in Scarlet Extended and SABAM. The referring court sought clarification on whether EU law permits Member States to authorize their national courts to order an internet service provider and a hosting provider respectively to install a system for filtering all electronic communications passing via their services in order to identify copyright infringements. 69 In both cases, the CJEU highlighted that the issue in question affected not only intellectual property rights of authors, composers and editors of musical works, but also the freedom to conduct a business enjoyed by information society service providers under Article 16 of the Charter due to the significant costs associated with the introduction of the said filtering system, as well as the rights of their customers to the protection of personal data and freedom of expression, given the systemic collection and analysis of the network information and the potential restrictions on non-infringing material. 70 Hence, it ruled that an order was incompatible with Article 15 of the e-Commerce Directive, which prohibited the imposition of general monitoring obligations on information society service providers, and did not strike a fair balance between the fundamental rights at stake. 71
In several subsequent judgments, the CJEU proceeded to reaffirm the importance of the balancing exercise to be performed by the Member States when ordering information society service providers to act on third-party infringements. 72 Yet its ruling in Glawischnig-Piesczek stands in stark contrast. The request for a preliminary ruling made by the Austrian Supreme Court arose from a dispute between Austrian politician Eva Glawischnig-Piesczek and the social media platform Facebook. 73 After Facebook failed to honour Glawischnig-Piesczek's request to delete a post which harmed her reputation, she sought an injunction which would require the platform to remove not only the originally flagged post but also all other publications containing her photographs and similarly defamatory text. 74 The CJEU was therefore called upon to delineate the permissible personal, material and territorial limits on the scope of such injunctions under the e-Commerce Directive. 75 The CJEU took a rather controversial approach by ruling that Article 15 of the e-Commerce Directive did not preclude courts of Member States from ordering hosting providers to remove not only illegal information which has not been expeditiously removed after due notice but also items with an identical wording and an equivalent meaning. 76 It also established that hosting providers may be ordered to remove or block access to the said information worldwide, subject to the relevant rules of international law. At the same time, the CJEU avoided emphasizing the obligation incumbent on courts of Member States to ensure a proper balancing of fundamental rights when determining the exact scope of an injunction. Admittedly, the question of the compatibility of injunctions obliging hosting providers to remove all content identical or equivalent to the specific infringement with the Charter was not featured in the request for a preliminary ruling. It is regrettable, however, that the CJEU did not offer a more Charter-inspired interpretation of the e-Commerce Directive, especially given the potentially significant impact of such broadly formulated injunctions on freedom of expression enjoyed by the recipients of hosting services. It simply assumed that since a national court had already established the illegal nature of the post in question and all hosting providers have access to ‘automated search tools and technologies’ allowing them to detect all relevant duplicates of this post, the risk of the erroneous removal of lawful content was minimal. 77 Nonetheless, the CJEU glossed over the fact that algorithmic content moderation often produces unfair outcomes and can exacerbate the silencing of marginalized groups and non-mainstream viewpoints. 78 The threats associated with the global removal of content subject to different legal standards across jurisdictions were not considered by the CJEU either. 79 Hence, the CJEU's case law spelling out fundamental rights duties of the Member States when governing online communications, while highly influential, is also prone to inconsistencies.
The ambiguous obligation of information society service providers to respect fundamental rights
A literal interpretation of the Charter suggests that its provisions are not intended to govern relationships between private persons. 80 Nevertheless, in a series of judgments, the CJEU has recognized the applicability of several Charter rights in horizontal situations not involving a public authority. 81 Given the tremendous impact of content moderation decisions made by online platforms on their users’ fundamental rights, it is tempting to argue that these platforms should be required to comply with the Charter. However, some rights recognized by the Charter are formulated in a way that appears to exclude the possibility of their horizontal application. For instance, freedom of expression guaranteed by Article 11 is framed as the right to hold opinions and to receive and impart information and ideas ‘without interference by public authority’. 82 Furthermore, as also reflected in the CJEU's case law, online platforms themselves enjoy protection under the Charter. Therefore, any potential obligation to respect the fundamental rights of their users must be balanced against these platforms’ freedom to conduct a business. 83
The CJEU has never directly grappled with the issue of the horizontal effect of fundamental rights when interpreting the EU legal framework on information society services. However, it first hinted at it in UPC Telekabel Wien. 84 One of the central questions asked by the referring court concerned the compatibility with EU law of an injunction prohibiting an internet service provider from providing access to a website containing copyright-infringing material without ordering specific measures that must be taken by this provider. 85 The CJEU found that such an injunction was compatible with the freedom to conduct a business under Article 16 of the Charter, since the internet service provider is entitled to tailor the measures to the available resources and abilities and can avoid liability by proving that it has taken all reasonable measures to achieve the result sought. 86 At the same time, when choosing the measures to comply with an injunction, the provider ‘must ensure compliance with the fundamental right of internet users to freedom of information’. 87 Specifically, the CJEU noted that the measures in question must be strictly targeted at the infringement of intellectual property rights without affecting lawful information; otherwise, ‘the provider's interference in the freedom of information’ would be disproportionate. 88 Therefore, without tackling the question of whether or not internet service providers may be bound by Article 11 of the Charter, the CJEU acknowledged that freedom of expression must inform the activities of information society service providers. 89 At the same time, it noted that the implementation of the injunction must also be effective to ensure genuine protection of the fundamental right to protection of intellectual property. 90 Hence, the CJEU arguably suggested that, similarly to the Member States, online platforms should engage in a balancing exercise when addressing third-party infringements. The judgment in UPC Telekabel Wien is also noteworthy since, for the first time, the CJEU tacitly recognized a shared responsibility of the Member States and information society service providers for upholding fundamental rights: the former when issuing injunctions and enabling individuals to challenge the measures taken by the internet service provider in domestic proceedings, 91 and the latter when implementing the measures necessary to comply with them.
The CJEU reaffirmed its stance in Mc Fadden, where it once again dealt with the lawfulness of an order issued by a domestic court against a provider of access to a communication network under EU secondary legislation and the Charter. 92 Furthermore, it followed a similar line of reasoning outside the injunction-related context. In YouTube and Cyando, the CJEU was asked, inter alia, to interpret the liability exemption for hosting providers under Article 14 of the e-Commerce Directive. 93 The requests for a preliminary ruling made by the German Federal Court of Justice originated from the domestic disputes between the music producer Frank Peterson and the video-sharing platform YouTube, as well as between the international publisher Elsevier and the file-hosting and -sharing platform Uploaded operated by Cyando. In both cases, the claimants brought an action for damages against these platforms for the infringement of their intellectual property rights, whereas the latter insisted that they were protected from liability as they had no knowledge of or control over content made available by their users. The CJEU was therefore asked to clarify whether hosting providers cannot benefit from the liability exemption only if they have the actual knowledge of specific unlawful activities or information. 94 Following its previous case law, 95 the CJEU reiterated that the so-called ‘knowledge test’ is satisfied whenever hosting providers become aware of facts or circumstances that enable a ‘diligent economic operator’ to identify the illegality in question. 96 These facts or circumstances can be uncovered through an own-initiative investigation undertaken by the provider or upon receiving a notification indicating the existence of illegal activity or information. At the same time, the CJEU underlined that a notification must contain adequate information allowing the provider to establish, ‘without a detailed legal examination, that that communication is illegal and that removing that content is compatible with freedom of expression’. 97 In reaching this finding, the CJEU sided with Advocate General Saugmandsgaard Øe, who succinctly stated that hosting providers should not be put in the position of ‘judges of online legality’ responsible for resolving complex legal issues. 98 At the same time, the CJEU specified that upon becoming aware of illegal third-party content, hosting providers must act expeditiously to remove or disable access to it ‘with due regard to the principle of freedom of expression’. 99 It therefore extended the providers’ responsibility to ensure compliance with fundamental rights not only when implementing injunctions but also in other scenarios where such providers tackle illegal content. In practice, this arguably means that online platforms must avoid imposing any blanket restrictions on the exchange of information by their users, affecting the availability of legitimate material. At the same time, the CJEU avoided discussing the potential horizontal effect of Article 11 of the Charter in greater detail, leaving open the question of whether individuals can invoke their right to freedom of expression vis-à-vis online platforms.
The negative and positive dimensions of fundamental rights obligations borne by the EU legislature
While the EU has come to play a crucial role in regulating online platforms, the extent of its responsibility for protecting fundamental rights remains undefined. 100 On a number of occasions, the CJEU noted that the e-Commerce Directive reflected an appropriate balance struck by the EU legislature between various rights and interests at stake. 101 However, the introduction of sector-specific legislation which adopted a significantly stricter approach to addressing illegal content raised concerns about the EU's compliance with fundamental rights. 102
The CJEU made an important pronouncement on the Charter-based obligations of the EU legislature in Poland v. Parliament and Council. The action for annulment brought by the Republic of Poland concerned Article 17(4)(b) and (c) of the Directive on Copyright in the Digital Single Market (CDSM Directive). Adopted in 2019 amid severe controversies, the directive introduced the specific liability regime for online content-sharing service providers (OCSSPs) – a subcategory of information society service providers storing and giving the public access to a large amount of copyright-protected works which are organized and promoted for profit-making purposes. 103 Under the CDSM Directive, Member States must ensure that by hosting third-party copyrighted material, OCSSPs perform an act of communication to the public within the meaning of Article 3(1) of the Copyright and Information Society (InfoSoc) Directive and therefore must obtain an authorization from the rightholders. 104 If no authorization is granted, OCSSPs may not fall back on Article 14 of the e-Commerce Directive and shall be liable for third-party infringements unless they fulfil three cumulative conditions under Article 17(4) of the CDSM Directive. 105 Specifically, OCSSPs must demonstrate that they have: (a) made best efforts to obtain an authorization; (b) made, in accordance with high industry standards of professional diligence, best efforts to ensure the unavailability of for which the rightholders have provided the relevant and necessary information; and (c) acted expeditiously, upon receiving a sufficiently substantiated notice from the rightholders, to remove or disable access to the notified works and made best efforts to prevent their future uploads. According to the Republic of Poland, the latter two conditions for the liability exemption effectively require OCSSPs to engage in preventive monitoring and filtering of all third-party content, posing a risk of unjustified or disproportionate restrictions on lawfully uploaded material. 106
The CJEU, however, found the relevant provisions of the CDSM Directive compatible with the Charter. It first confirmed that by introducing a carve-out from the liability exemption for hosting providers under the e-Commerce Directive, Article 17 of the CDSM Directive constitutes a limitation on the exercise of freedom of expression attributable to the EU legislature. 107 In doing so, the CJEU underscored the importance of complying with a negative obligation to respect freedom of expression even where the legal framework does not explicitly obligate online platforms to remove specific content but merely incentivizes them to do so by exposing them to potential actions for damages from the rightholders. Even though restrictions on third-party content are actually imposed by online platforms, the EU legislature is not absolved of its responsibility to justify the corresponding limitation on the exercise of freedom of expression in accordance with the requirements of Article 52(1) of the Charter.
The CJEU also adopted a curious approach to analysing the proportionality of the limitation on the right guaranteed by Article 11 of the Charter arising from Article 17(4) of the CDSM Directive. Much like in its previous judgments, it stressed the need for balancing between intellectual property rights and the rights enjoyed by platform users. 108 Nevertheless, the CJEU refrained from discussing in detail whether the strict liability regime was genuinely necessary to ensure effective protection of the rights under Article 17(2) of the Charter and whether this objective could be achieved through less restrictive measures. Instead, it focused on examining whether the EU legislature had laid down minimum safeguards for protecting freedom of expression. 109 The CJEU therefore suggested that when legislating, the EU not only bears an obligation to avoid the unnecessary limitation on the exercise of fundamental rights (negative dimension) but is also required to take active steps to ensure that those rights are adequately safeguarded, which may not be left entirely to the legislatures of the Member States tasked with transposing the directive (positive dimension). 110 By emphasizing the responsibility of the EU legislature, the CJEU has arguably amended its position expressed in Promusicae, where the Member States were portrayed as the primary actors responsible for protecting fundamental rights affected by the provision of information society services. Having established that the CDSM Directive protects legitimate uses of copyrighted content, reaffirms the prohibition of general monitoring obligations and envisions the creation of effective and expeditious complaint and redress mechanisms available to all users of services provided by OCSSPs seeking to challenge the removal of their content, the CJEU found that the limitation on the exercise of freedom of expression was compatible with the Charter. 111 Yet it largely avoided considering whether the safeguards in question would effectively mitigate the risks to freedom of expression prompted by the large-scale use of automated tools for detecting and removing copyright-infringing content, which is explicitly encouraged by the challenged provisions. 112 For example, the CJEU stressed the key importance of Article 17(7) of the CDSM Directive, which requires Member States to ensure that individuals are able to freely upload content falling under exceptions or limitations to copyright, namely quotation, criticism, review, caricature, parody or pastiche. Unlike Article 17(4)(b) and (c), which merely impose an obligation of conduct, Article 17(7) prescribes an obligation of result. 113 Nonetheless, only a few Member States have incorporated specific safeguards aimed at securing the availability of non-infringing content. 114 It also remains questionable whether the negative impact on freedom of expression resulting from the strict liability regime under the CDSM Directive can be adequately mitigated by legislative measures adopted at the Member State level. Therefore, by relying on the notion of minimum safeguards, the CJEU avoided strict scrutiny of the EU's legislature's compliance with the Charter.
Novel challenges to the protection of fundamental rights under the DSA
Throughout its case law, the CJEU has not only interpreted the provisions of EU secondary legislation on information society services in line with the Charter but has also shown sensitivity to the multistakeholder realities of online content governance. In doing so, it illuminated how the EU, its Member States and online platforms should each contribute to safeguarding fundamental rights enjoyed by recipients of intermediary services. At the same time, the CJEU's case law reveals some inconsistencies and gaps, which point to the difficulty of establishing a coherent and robust framework for the division of responsibility for protecting fundamental rights in this complex setting.
The adoption of the DSA has marked an important turning point in fostering responsible and diligent behaviour of online platforms. This revolutionary regulation lays out horizontal rules governing the provision of intermediary services with the aim of securing a safe, predictable and trustworthy online environment. While adopted under Article 114 of the Treaty on the Functioning of the EU (TFEU), it strives to strike a balance between ensuring the smooth functioning of the EU internal market for intermediary services and protecting fundamental rights of the recipients of these services. 115 As the DSA has reaffirmed and concretized the core provisions originally stipulated in the e-Commerce Directive, including the liability exemptions, its text clearly reflects the clarifications offered by the CJEU in its case law. For instance, Articles 9 and 10 DSA, which provide the rules on orders to act against illegal content and to provide information, explicitly codify the CJEU's findings in Glawischnig-Piesczek, 116 while Article 16 DSA on notice and action mechanisms makes a reference to the ‘diligent economic operator’ standard developed and invoked by the CJEU in several cases, including YouTube and Cyando. 117 However, the DSA has also introduced a novel ‘tiered’ system of due diligence obligations tailored to providers of intermediary services depending on their size and the nature of the service provided, the supervision and enforcement of which is split between national Digital Services Coordinators (DSCs) and the Commission. 118 These new rules and mechanisms create complex scenarios extending well beyond those considered by the CJEU when interpreting the e-Commerce Directive.
The EU legislature's move to establish a comprehensive, fundamental rights-based framework governing platform conduct also sparks an important question concerning the role of the CJEU as an original ‘architect’ of the multi-actor system of fundamental rights protection in this domain. The shifting dynamic between the EU legislature and the CJEU, including in the field of fundamental rights, has received much attention in the academic literature. 119 Given that more detailed legislation could potentially restrict space for judicial constitutionalization, one may wonder whether the adoption of the DSA has effectively constrained the CJEU's authority to develop the principles concerning the distribution of fundamental rights duties among the actors involved.
This section demonstrates how the elaborate legal framework of the DSA challenges the key principles for allocating the responsibility for safeguarding fundamental rights elaborated by the CJEU. To that end, it highlights the complexities arising from three distinct scenarios introduced by the DSA: fundamental rights obligations borne by providers of intermediary services (A); the challenges of enforcing the risk management framework in compliance with fundamental rights (B); and fundamental rights queries arising from the instrument of trusted flaggers (C). Additionally, it argues that securing an appropriate level of fundamental rights protection in each of these scenarios requires a thoughtful reconsideration of the division of responsibility for protecting fundamental rights based on a more substantial awareness of the intermingling of public and private influence on online communications. Since the rules of the DSA pose new and pressing challenges in ascertaining how fundamental rights duties should be distributed between public and private actors in the EU multilevel governance context, it is suggested that the CJEU will continue to play a crucial role in shaping the multi-actor system for the protection of fundamental rights.
Fundamental rights duties of providers of intermediary services
One of the DSA's most notable innovations is the direct co-optation of private actors in the system of fundamental rights protection. It embodies the idea that fundamental rights not only bind public authorities but also serve as an essential tool for reining in the ever-expanding corporate power. 120
Above all, the DSA requires all providers of intermediary services to respect fundamental rights when applying and enforcing their terms and conditions. Under Article 14(4) DSA, they must act in a diligent, objective and proportionate manner when imposing contractual restrictions in relation to the use of their service, ‘with due regard to the rights and legitimate interests of all parties involved, including the fundamental rights of the recipients of the service’. Such rights include freedom of expression, freedom and pluralism of the media, and other fundamental rights and freedoms as enshrined in the Charter. Recital 47 clarifies that the duty to take fundamental rights into account also extends to the design of the providers’ terms and conditions. However, since content moderation always calls for an intricate consideration of multiple rights and interests at stake, it is not clear how this provision is supposed to be applied in practice. Platforms like Meta and X, which have recently engaged in the systematic and intentional weakening of their moderation policies, leaving vulnerable groups exposed to various forms of online harm, could probably be seen to be in violation of Article 14(4) DSA. In other scenarios, the content of the obligation to have due regard to fundamental rights when applying and enforcing restrictions on third-party content is less apparent. 121 For instance, Ó Fathaigh, Buijs and van Hoboken highlight the difficulty of ascertaining how Article 14(4) DSA should inform the conduct of providers of intermediary services when moderating mis- and disinformation, since under international and European human rights law, even false information and ideas fall within the scope of freedom of expression, and the states are generally prohibited from penalizing their dissemination. 122
The Charter-inspired obligations of private actors are also embedded into the risk management framework applicable to very large online platforms (VLOPs) and very large search engines (VLOSEs). Article 34 DSA obliges them to diligently identify, analyse and assess any systemic risks stemming from the design or functioning of their service and its related systems or from the use of their services by third parties on a yearly basis. One of the categories of systemic risks concerns any actual or foreseeable negative effects for the exercise of fundamental rights. 123 Although the list of Charter rights that must be reflected in the risk assessments is non-exhaustive, they must concern, in particular, the rights to human dignity, to respect for private and family life, to the protection of personal data, to freedom of expression, to non-discrimination, to respect for the rights of the child, and to a high level of consumer protection. Furthermore, under Article 35 DSA, VLOPs and VLOSEs must put in place reasonable, proportionate and effective mitigation measures tailored to the identified risks, with particular consideration to the impacts of such measures on fundamental rights. 124 Yet the practical operationalization of the risk management framework presents several compelling challenges. Unlike courts, which must make a binary determination of whether there has or has not been an infringement of a fundamental right in a concrete case, private companies are called upon to perform an intricate assessment of the scale and intensity of effects on all fundamental rights which might be potentially influenced by their services, as well as determine suitable means for alleviating them. 125 Apart from the lack of consensus regarding how these processes should be carried out, it is uncertain whether VLOPs and VLOSEs can be trusted to properly navigate tensions between competing fundamental rights and devise appropriate approaches to balancing them. For instance, efforts to combat discriminatory content through algorithmic systems could undermine the commitment to protecting freedom of expression, while enhanced protection of children's rights in the form of parental controls could ultimately compromise the enjoyment of the rights to privacy and data protection.
By explicitly requiring providers of intermediary services to take fundamental rights into account when moderating content under their terms and conditions and when assessing and mitigating systemic risks, the EU legislator significantly expanded the material scope of their fundamental rights obligations attributed to them by the CJEU in cases such as UPC Telekabel Wien, Mc Fadden and YouTube and Cyando. In those cases, the CJEU clarified that providers must comply with fundamental rights only when removing or disabling access to illegal content pursuant to an injunction or a notice. In doing so, it arguably implied that private entities played a merely subsidiary role in upholding fundamental rights of their users, with core obligations under the Charter resting firmly with the EU and the Member States. The DSA, however, has extended the applicability of fundamental rights in entirely private relationships between platforms and their users. Nonetheless, this bold approach has sparked concerns that the DSA simply ‘offloads’ the responsibility to protect fundamental rights to private actors while absolving the EU legislature from the need to define their content in more concrete terms. 126 Indeed, the DSA contains few substantive rules on how online platforms must engage in content moderation; rather, it lays out procedures aimed at stimulating platforms to provide their services in the spirit of the Charter. 127 A three-layered system of user redress, consisting of notice and action mechanisms, internal complaint-handling mechanisms and out-of-court dispute settlement bodies, is particularly prominent with the DSA's framework, as it allows individuals to seek the removal of illegal content or the reinstatement of the wrongfully restricted content. 128 As a result, even when an online platform fails to appropriately consider fundamental rights when making a specific content moderation decision, they have the opportunity to revise it upon request from its users. However, the outcomes of these procedural obligations are not easily foreseeable. As noted by Mast and Ollig, fundamental rights duties imposed on providers of intermediary services under the DSA can hardly be equated with the obligations of the EU and the Member States under the Charter. 129 Since online platforms continue to enjoy broad discretion in applying fundamental rights when moderating content, the protection of those rights may prove illusory. 130
A greater role played by online platforms in safeguarding fundamental rights also raises a thorny question of whether, by adopting the DSA, the EU legislature has complied with its own obligations under the Charter. The logic expressed by the CJEU in Poland v. Parliament and Council is ill-suited for answering this question since the DSA does not entail any direct interference with fundamental rights, such as the strict liability regime. Rather, the question that arises whether the safeguards enshrined by the DSA are adequate for achieving its proclaimed objectives in light of the positive dimension of the EU legislature's responsibility to protect fundamental rights. It remains uncertain, however, whether compliance with the Charter can be secured through the delegation of fundamental rights duties to private actors – an issue the CJEU has yet to clarify.
Risk management framework
The DSA's risk management framework not only introduces new questions regarding the obligations of online platforms to uphold fundamental rights but also raises important issues as to the scope and content of the Charter obligations borne by the European Commission, which has the exclusive competence to enforce this framework. 131 This centralized approach aims to overcome the flawed enforcement processes at the domestic level, as illustrated by the GDPR's infamous one-stop-shop mechanism, which essentially paralysed the enforcement of data protection rules against Big Tech firms. 132
The DSA does not empower the Commission to exert top-down influence over how VLOPs and VLOSEs assess and mitigate systemic risks. Rather, it provides for a more elaborate system involving independent third-party audits, which must verify compliance with the risk management framework and other obligations under the DSA. 133 If an audit report is not positive, VLOPs and VLOSEs must adopt an audit implementation report setting out the measures aimed at implementing the operational recommendations addressed to them. However, the DSA does foresee several pathways for the involvement of the Commission in steering risk management processes. 134 For example, it may issue guidelines on the mitigation of specific risks 135 or engage in monitoring actions to assess compliance with risk management obligations. 136 To a significant extent, risk management is also shaped by codes of conduct setting out voluntary commitments to tackle various systemic risks, which are drawn up by the Commission and the European Board for Digital Services together with VLOPs and VLOSEs. 137 In 2025, the Code of Conduct + on Countering Illegal Hate Speech Online and the Code of Conduct on Disinformation, both of which are based on previously agreed codes, have been officially integrated into the DSA framework. 138 In addition, the Commission enjoys far-reaching investigatory and enforcement powers, including the power to impose fines of up to 6% of the worldwide annual turnover of the VLOP or the VLOSE in question in the event of non-compliance. 139
Recently, the Commission has clearly demonstrated its resolve to ensure the effective enforcement of the DSA's risk management framework. In February 2026, the Commission preliminarily found TikTok in breach of its obligation to implement reasonable, proportionate and effective measures to mitigate risks stemming from its addictive design. 140 The finding came less than two months after the Commission issued a €120 million fine to X following a nearly two-year-long investigation. 141 Although this decision did not concern the risk management provisions, it is significant as it signals the Commission's willingness to use its enforcement powers despite the mounting geopolitical tensions. At the same time, there is a critical dilemma related to the fundamental rights-compliant enforcement of the DSA. In contrast to DSCs, which are independent supervisory bodies designated by the Member States, 142 the Commission is the EU's main executive organ. 143 It does not shy away from articulating its political priorities as regards the regulation of online communications, be it the protection of children online 144 or more rigorous measures against foreign information manipulation and interference (FIMI). 145 This sparks the risk of both over- and underenforcement of the risk management framework, both of which could ultimately compromise the DSA's objective to ensure the effective protection of fundamental rights. 146
First, if the Commission considers that VLOPs and VLOSEs do not adequately mitigate certain systemic risks, it could, in theory, use (or threaten to use) its powers to urge them to restrict the availability or limit the visibility of content protected by freedom of expression. According to Husovec, the Commission may not demand the imposition of restrictions on lawful forms of expression, as the definition of illegal content is an exclusive prerogative of the EU and national legislatures. 147 Rather, it can merely request VLOPs and VLOSEs to tackle content that is not illegal yet harmful by adopting content-neutral measures, such as raising awareness or optimizing their online interface. 148 Nonetheless, the Commission could still resort to more implicit means of influencing the management of systemic risks by VLOPs and VLOSEs. Hence, the DSA's risk management framework essentially legitimizes ‘jawboning’; 149 although, as rightly remarked by Leerssen, the Commission's interference in risk management processes remains grounded in the DSA, leading him to conceptualize it as ‘lawboning’. 150 For instance, in 2023, the European Commission's Directorate-General for Communications Networks, Content and Technology (DG CONNECT) presented an independent study that introduces an approach to assess the effectiveness of the mitigation measures against Russian disinformation under the DSA. 151 The report determined that the six platforms studied (Facebook, Instagram, Twitter, YouTube, TikTok and Telegram) had fallen short of effectively combatting foreign malicious activity. 152 At the same time, the report glossed over the importance of safeguards that need to be put in place by platforms to avoid unduly restricting freedom of expression. 153 Since this report is likely to inform the enforcement of the risk management framework, the Commission could be inclined to pressure VLOPs and VLOSEs to resort to more rigorous forms of content moderation when addressing the dissemination of disinformation. A notable threat to freedom of expression was also sparked amid the escalation of the Israeli-Palestinian conflict. In October 2023, the Commission sent X a request for information regarding its compliance with several rules of the DSA, including the measures taken to assess and mitigate the relevant systemic risks. 154 This request was submitted just two days after the publication of an open letter by then-Commissioner Breton, who expressed his concern about the spreading of illegal content and disinformation ‘following the terrorist attacks carried out by Hamas against Israel’. 155 Two months later, when the Commission proceeded to open formal proceedings against X, it specified that its initial request only concerned the dissemination of illegal content in the context of Hamas’ attacks. 156 Nevertheless, since it expressed a particular stance on the conflict, VLOPs and VLOSEs may feel compelled to remove as much potentially problematic content as possible to avoid penalties, thereby risking further silencing of Palestinian voices.
Second, it appears that the Commission's enforcement actions are predominantly focused on the alleged failures of VLOPs and VLOPSEs to address illegal or harmful content, with comparatively little focus on the potential over-removal or restriction of lawful content. The ongoing investigation against Meta constitutes a notable exception, as it focuses, inter alia, on the demotion of political content in the recommender systems of Instagram and Facebook, which is suspected to violate the requirement to assess and mitigate risks to civic discourse and electoral processes. 157 Otherwise, the shortcomings in the protection of freedom of expression by VLOPs and VLOSEs seem to fall outside of the Commission's current focus, despite the long-standing concerns about private censorship. Indeed, proving the systematic, unjustified erasure of content protected by freedom of expression is empirically more challenging than establishing the presence of inappropriate content. However, this approach also reflects the Commission's conscious political choice, which can ultimately result in blind spots in its enforcement practice.
The DSA's unique enforcement architecture raises intricate questions concerning the division of responsibility for protecting fundamental rights. In its case law, the CJEU only elaborated on the Member States’ obligations to ensure the appropriate balancing of fundamental rights when issuing injunctions against information society service providers. Nonetheless, the extensive powers of the Commission as a sole enforcer of the risk management framework arguably mean that the balancing exercise which it is expected to carry out is more extensive than the one envisaged by the CJEU in relation to domestic administrative and judicial authorities. Specifically, fundamental rights considerations should underpin the initial decision to open formal enforcement proceedings, the scope and content thereof and the nature and extent of the penalty issued upon their conclusion. However, achieving the balance between different fundamental rights at play will likely remain an outstanding challenge. Furthermore, should the CJEU ever be asked to interpret the DSA's rules on risk management in light of the Charter, it would inevitably have to grapple with the precise allocation of responsibility for protecting fundamental rights between the Commission, on the one hand, and VLOPs and VLOSEs, on the other. Although the cooperation between public authorities and private entities appears crucial to ensuring the effective mitigation of systemic risks while respecting the Charter, judicial interpretation would help clarify how exactly it should be realized.
Trusted flaggers
Another feature of the DSA that poses puzzling conundrums regarding the allocation of fundamental rights duties among different actors is the mechanism of trusted flaggers. While this mechanism itself is not novel, 158 the DSA is the first legal instrument to have formally legitimized it. Under Article 22 DSA, providers of online platforms must take the necessary technical and organizational measures to prioritize the processing of notices submitted by trusted flaggers – entities specialized in identifying and reporting illegal content to online platforms – within their designated area of expertise. Accordingly, their primary function is to help enhance the speed and accuracy of the moderation process. The status of ‘trusted flagger’ is granted by the national DSC of the Member State where the entity in question is established. 159
Long before the adoption of the DSA, the cooperation between trusted flaggers and online platforms has attracted criticism in view of the underrepresentation of marginalized interests, as well as transparency and accountability gaps. 160 While Article 22 DSA has introduced safeguards to remedy some of these issues, it has been argued that certain compelling concerns have not been properly addressed. 161 One of such concerns relates to the risk of unjustified removal of content protected by freedom of expression. Admittedly, online platforms are not required to take action on the content reported by the trusted flagger if they conclude that it does not violate EU law or the domestic law of a Member State. However, since failure to act upon the notice could potentially expose the platform to liability, 162 online platforms may excessively rely on the trusted flaggers’ knowledge and experience and simply ‘rubberstamp’ notices submitted by them, without engaging in a diligent assessment thereof. 163 Importantly, while Article 22 DSA requires that trusted flaggers must be independent from online platforms, public and semi-public bodies are not barred from acting in this capacity. Recital 61 DSA even offers an example of internet referral units of national law enforcement authorities or of Europol, even though their involvement in content moderation on online platforms has received significant backlash. 164 It has also been reported that in certain Member States like Germany, the most prominent trusted flaggers are state-funded or state-run and may strive to make platforms remove not only illegal content but also controversial yet lawful viewpoints. 165 On the other hand, notices submitted by non-governmental organizations with the trusted flagger status, including those representing the interests of vulnerable online communities, can be treated less diligently, as platforms may assume that those bear a relatively low risk of legal repercussions.
The trusted flaggers instrument raises the question of how fundamental rights must guide the conduct of the EU and Member States’ authorities when they act as trusted flaggers. On the one hand, the primary task of any trusted flagger is to get online platforms to remove certain problematic content, with fundamental rights considerations being secondary. 166 On the other hand, since public entities are bound by the Charter, one may wonder whether they must comply with the requirements of Article 52(1) when submitting notices. A notice does not necessarily amount to a limitation on the exercise of freedom of expression, since an online platform can still refuse to remove the flagged content. 167 The obligation of online platforms to act on notices with due regard to freedom of expression, elaborated by the CJEU in its judgment in YouTube and Cyando, could even be interpreted as meaning that they must refrain from laying down restrictions on the information in case there are legitimate and serious doubts that it actually constitutes illegal content. Where a particular entity frequently submits manifestly unfounded notices, platforms are even required to temporarily suspend the processing of notices by this entity. 168 However, van de Kerkhof suggests that, in light of the indirect coercion that could be employed by state entities vis-à-vis online platforms and the risk of fundamental rights infringements arising as a result, the submission of notices must comply with the requirements for a lawful limitation on the exercise of fundamental rights. 169 Yet the obligation to take into account the principle of proportionality when identifying and reporting illegal content may be at odds with the practical realities of trusted flaggers’ operations, which are often carried out at scale with the assistance of algorithmic tools. 170 Therefore, when acting as trusted flaggers, public authorities face an inherent tension between their ambition to prompt online platforms to take swift action on unlawful material and their commitment to ensure the effective protection of fundamental rights pursuant to the Charter.
The mechanism of trusted flaggers also sparks a dilemma regarding fundamental rights obligations of national DSCs, which are tasked with awarding this status. Although the DSA mentions that the status of ‘trusted flagger’ is granted ‘upon application by any entity’, it does not harmonize other aspects of the certification process. 171 The criteria that must be met by entities seeking this status are also formulated rather vaguely. DSCs appear to enjoy particularly broad discretion in determining whether a specific organization ‘carries out its activities for the purposes of submitting notices diligently, accurately and objectively’. 172 In light of the CJEU's case law, it is reasonable to suggest that DSCs must also strike a fair balance between the competing fundamental rights at stake when certifying trusted flaggers. In contrast to an injunction directly requiring an online platform to remove or disable access to specific illegal content, the decision to enable a particular entity to operate as a trusted flagger has more remote fundamental rights implications. Nevertheless, DSCs still exercise an indirect influence over the protection of fundamental rights in the context of the moderation process. 173 For instance, as suggested in the guide by civil society organizations EDRi and HateAid, DSCs should refrain from awarding the trusted flagger status to rightholders and law enforcement agencies, in view of a plausible risk that their notices may disproportionately impact lawful creative and political content respectively. 174 Apart from verifying that the notices submitted by a particular entity would not unreasonably enhance the risk of wrongful removal of content protected by freedom of expression, 175 DSCs would arguably need to consider whether the content flagged contributes to the protection of other fundamental rights. It could also be assumed that DSCs must also take fundamental rights into account when suspending or revoking the trusted flagger status. 176 However, the exact content of the balancing duty imposed on DSCs in these scenarios remains uncertain and therefore requires further judicial elaboration.
Conclusion
Online content governance is co-created by private and public actors. When shaping the rules for the exchange of information in the digital sphere, both online platforms and public authorities exert significant influence on the exercise of fundamental rights. Accordingly, the responsibility for protecting fundamental rights should be appropriately distributed among all actors involved. This article has explored the allocation of fundamental rights obligations against the backdrop of EU platform regulation. Its contribution to the existing literature is threefold. First, it has illuminated how the interplay between public and private power in the context of online content governance challenges the protection of fundamental rights. Second, the article has highlighted the CJEU's central role in the creation of a multi-actor system for the protection of fundamental rights at a time when EU legislation governing the provision of information society services lacked explicit fundamental rights language. Therefore, despite its controversial reasoning in certain cases, the CJEU has made a crucial contribution to clarifying how the responsibility for safeguarding fundamental rights should be allocated among the EU, Member States and online platforms. Third, this article has exposed how the adoption of the DSA complicates the application of the multi-actor framework for fundamental rights protection crafted by the CJEU. Although the text of the DSA incorporates the clarifications provided by the CJEU, its newly introduced mechanisms aimed at ensuring a safe and trustworthy online environment involve more difficult forms of interaction between public authorities at the EU and Member States levels, on the one hand, and online platforms, on the other. As a result, despite offering important starting points, the pre-DSA case law of the CJEU is hardly sufficient for resolving the dilemmas related to the distribution of fundamental rights obligations among different actors under the DSA. Even though the EU legislature has now laid down the extensive legal framework with the explicit goal of safeguarding fundamental rights, the CJEU is expected to continue to play an essential part in clarifying how public entities at different levels of governance, as well as private companies, must contribute to its attainment. Undoubtedly, principles for dividing responsibility for protecting fundamental rights among the EU, Member States and online platforms under the DSA will also be elaborated through implementation and enforcement practice. Nevertheless, by exercising its norm-making authority, the CJEU is uniquely positioned to ensure a uniform interpretation and application of the new provisions in accordance with the requirements of the Charter.
It remains to be seen when the CJEU will have the first opportunity to interpret the DSA in light of the Charter. In December 2025, however, it caused shockwaves by delivering its judgment in Russmedia, which concerned the intersection between the liability exemption enjoyed by hosting providers and the rules on the protection of personal data. The CJEU reached an unexpected conclusion that under the General Data Protection Regulation (GDPR), operators of online marketplaces enabling the publication of advertisements by third parties are required to identify advertisements containing sensitive data, verify the identify of the person preparing to place such an advertisement, and refuse publication if the advertisement contains sensitive data of another individual and neither of the lawful bases for prosessing of this data is satisfied. 177 It also clarified that online marketplaces cannot rely on the liability exemption for hosting providers in respect of infringements of the said provisions of the GDPR. 178 Although the CJEU interpreted the provisions of the e-Commerce Directive, as the dispute in the main proceedings arose in 2018, its peculiar stance on the relationship between the two regimes is expected to have significant implications for the application of the DSA. 179 Throughout its reasoning, the CJEU attributed particular importance to Articles 7 and 8 of the Charter given the significant damage that the advertisement caused to the applicant's honour and reputation, 180 but did not engage in the balancing of fundamental rights at stake, even though the imposition of an obligation on online marketplaces to proactively review the content of advertisements could incentivize different types of platforms to over-remove lawful content, thus negatively impacting the exercise of freedom of expression. 181 Moreover, the CJEU's reasoning appears to run contrary to the EU legislator's logic that the protection of fundamental rights affected by the provision of digital services must be achieved primarily through compliance with due diligence obligations rather than the imposition of liability. Regardless of the CJEU's findings, its judgment in Russmedia underscores once more that both legislative and judicial activity are essential to crafting a multi-actor system of fundamental rights protection.
The DSA has set out a highly promising architecture for ensuring Charter-compliant platform conduct. It is, however, imperative to ensure the further development of the principles governing the division of responsibility for protecting fundamental rights of platform users, grounded in a profound understanding of the interplay between private and public power. As the geopolitical crisis continues to escalate, this interplay is likely to have even more far-reaching implications for online communications. However, even in times when the EU battles the ‘free speech absolutism’ crusade of the US administration and open defiance of several powerful platforms against the measures for enhancing their transparency and accountability, fundamental rights should remain a cornerstone of its regulatory strategy. In practical terms, this will require facing and navigating highly nuanced challenges, such as encouraging online platforms to moderate content in accordance with fundamental rights without shifting the responsibility away from public authorities, and empowering competent authorities to effectively exercise their powers while striving to preclude their misuse.
Footnotes
Acknowledgements
The author would like to sincerely thank the anonymous reviewers and the Editorial Board of the Maastricht Journal of European and Comparative Law for their sharp remarks and valuable suggestions.
Declaration of conflicting interests
The author declared no potential conflicts of interest with respect to the research, authorship and/or publication of this article.
Funding
The author received no financial support for the research, authorship and/or publication of this article.
