Brussels, 24 October 2016 – CENTR, the Association of European country code top-level domains (such as .eu, .uk or .sk) welcomes the opportunity to comment on the draft proposal on the cooperation between national authorities responsible for the enforcement of consumer protection laws (COM(2016) 283). In total, CENTR members manage over 60 million second-level domain registrations.
Strengthening consumer protection is essential to build online consumer trust and a prerequisite for a successful Digital Single Market. We feel, however, that the current draft lacks the clarity to achieve these goals. As managers of the registries that are at the core of the domain name infrastructure, we would like to share our concerns and offer suggestions for clarification.
1. Better define minimum powers of competent authorities and, in particular, what they can request or require from third parties, including from registries.
Art. 8.2 (g) adopt interim measures to prevent the risk of serious and irreparable harm to consumers, in particular the suspension of a website, domain or a similar digital site, service or account;
Art. 8.2 (l) close down a website, domain or similar digital site, service or account or a part of it, including by requesting a third party or other public authority to implement such measures;
The terms ‘serious’ and ‘irreparable’ need to be defined.
The term ‘domain’ is too vague. Registries can only act when the demand from competent authorities deals with second-level domains, such as ‘example.eu’. For third-level domains such as ‘shop.example.eu’, only the entity or person who registered ‘example.eu’ can take action. Any action taken by the registry related to a second-level domain will affect all third-level domains and, as such, will have unintended consequences for all users of third-level domains that are unrelated to the issue the competent authorities want to tackle. For instance, the deletion of ‘europa.eu’ would affect all third-level domains such as ‘curia.europa.eu’, ‘europarl.europa.eu’, ‘ec.europa.eu’ and so forth.
The term ‘suspension’ of a domain name is unclear. We understand this refers to the temporary measure to stop the name from resolving, while keeping it registered under the current holder. We suggest for this to be explained in the text. In addition, the draft refers to ‘interim measures’, yet doesn’t specify for how long such measures should be in place. A maximum period should at least be defined.
The term ‘close down’ of a domain is unclear. We understand this refers to the deletion or deregistration of the domain. However, once a name is deleted, it would normally be available for registration again. In order to avoid this, the domain name would need to remain registered, but not resolving.
2. Ensure that proposed measures are effective and avoid disproportionate negative impact on fundamental rights.
The ‘suspension’ or ‘close down’ of a domain name does not remove the content. It does not make the content inaccessible. While it might make access more difficult for the average Internet user who (only) relies on domain names to find a website, it is important to underline that in many cases of consumer fraud (such as spam with embedded IP addresses rather than domain-based links), the ‘suspension’ or ‘closing down’ of a domain name will not protect consumers to the extent envisaged by the regulation.
We believe that the proposed [interim] measures could have a disproportionate and negative significant impact on fundamental rights. Although until now, courts have typically balanced the impact of the measure with the impact on the rights of the defendant, the current proposal seems to bypass the safeguards of the judicial oversight.
3. Better protect consumers through a cascading sequence of actions.
In order to achieve the effective protection of the consumer and to ensure that interim measures safeguard fundamental rights of the millions of Europeans who have registered a domain name, we ask for the following steps to be introduced in the regulation prior to any attempt to order the ‘suspension’ or ‘closing down’ of a domain:
a. The trader is ordered to modify or remove the content. If this fails:
b. The host is ordered to remove the content. If this fails:
c. The registrant is ordered to suspend or close down all domains referring to the content.
4. Avoid third party assessment of lawfulness of content. We suggest that art. 8.2 (l) be clarified.
‘Requesting’ the closing down of a website seems to suggest that there is a voluntary element or room for judgement of the lawfulness of content on that website or the ‘request’ on the side of the third party, including registries. However, the addressee of any such ‘request’ will only be relieved of making value judgements and incurring liability as the result of infringement of contractual and/or fundamental rights if the addressee acts on well-defined instructions from a clearly identifiable public authority, within a clearly defined legal framework. It would also be necessary to make clear that the actions taken by ‘request’ of a competent authority could never lead the party following such a ‘request’ to be held liable by a third party. We therefore strongly suggest to add this exoneration in the draft regulation.
5. Retain but clarify concept of ‘information requests’.
We support the idea of ‘information request’ as indicated in art. 8.2 (b). Nevertheless, a clear definition of who can request that information is needed. In cases and/or Member States where no court order is needed, these requests should be based on the rule of law. Failure to do so might lead to conflicts with existing data protection laws. At a minimum, information requests should be proportionate to the purpose they serve and therefore be as detailed as possible.
PDF version of this CENTR Comment
