- in United States
- with readers working within the Banking & Credit industries
- within Consumer Protection, Environment and Corporate/Commercial Law topic(s)
If your company provides online services from one EU Member State and another Member State is trying to enforce its media or platform laws against you, a recent judgment of the Court of Justice of the European Union deserves your attention. In many cases, the answer to the question “does this foreign national law apply to us?” is probably no, unless the law is structured in a very specific way.
The dispute in a nutshell
France pursues operators of adult websites through two distinct legal instruments. One is a criminal provision: making pornographic content accessible in a manner that minors can reach is an offence, and a simple “I am over 18” click-through does not count as adequate protection. The other is an administrative mechanism: the French media regulator ARCOM can, after finding that a particular website exposes minors to pornographic content, order that specific operator to implement age verification and, ultimately, have the website blocked if it refuses.
The two operators in question, both established in the Czech Republic, challenged the application of these rules. They argued that, under the country-of-origin principle in the e-Commerce Directive, websites are governed by the law of the Member State where the provider is established.
What the Court decided
1. Criminal law offers no escape hatch from the country-of-origin principle
A long-disputed question was whether the country-of-origin principle also blocks the application of another Member State’s criminal law. The Court has now answered yes, at least where the criminal provision regulates how an online service must behave.
The Court’s logic is that the e-Commerce Directive contains an exhaustive list of exclusions, including areas such as taxation, gambling and copyright. If the legislature specifically chose to exclude those areas, anything not included in the list remains covered by the country-of-origin principle. Considering that criminal law is not included, a Member State cannot avoid this principle simply by placing rules governing online services in its penal code.
2. Laws of general application can never use the exception
The e-Commerce Directive does allow a destination Member State to take action against a foreign-established service, including to protect minors. However, the measure must be directed at a specific service. The Court confirmed that a general law does not meet this requirement because it applies automatically to an entire category of providers. Therefore, even a legitimate objective cannot justify applying a general rule to foreign-established services.
This meant that the French criminal provision could not be enforced against the Czech operators. Since the prohibition applied directly by operation of law and affected all providers in the same way, it fell outside the permitted exception.
3. The regulator-order model survives and becomes the template
The most important practical part of the judgment concerns the second French measure. The ARCOM mechanism does not impose a restriction automatically. Instead, it only arises when the regulator issues a specific order against a particular service. This is the type of individual measure that the exception allows.
The distinction is simple: a rule stating that “no provider may make certain content accessible, otherwise it will face a fine” directly restricts all providers by law and cannot generally be enforced against EU-based providers established elsewhere. By contrast, a rule allowing a regulator to issue an order to a specific provider where it has failed to meet certain requirements creates a restriction only through that individual decision and may be justified if the other conditions are met. Member States can therefore still enforce youth-protection rules across borders, but they must use a targeted enforcement approach rather than broad general legislation.
4. No unwritten fundamental-rights exception
The French authorities argued that, if general laws cannot be applied to foreign providers, effective protection of children would become impossible. They also argued that human dignity and children’s rights should create an additional exception allowing general laws to apply where minors are at risk. The Court rejected this argument. Article 3(4) of the e-Commerce Directive remains the only route for taking action against foreign-established services in such cases. Fundamental rights are still relevant, but they are considered as part of the existing assessment, particularly when evaluating whether a measure is proportionate, rather than creating a new exception to the country-of-origin principle.
5. Proportionality and the role of the AVMSD
In addition to requiring an individual measure, Article 3(4) requires that the measure pursue a recognised objective, address a service that genuinely and seriously harms that objective, and be proportionate. There are also procedural requirements: the Member State taking action must first ask the provider’s home Member State to intervene and must notify the European Commission and the home Member State, subject to limited exceptions for urgent situations and criminal proceedings.
When assessing proportionality, the Court used the Audiovisual Media Services Directive (AVMSD) as a reference point. For the most harmful types of content, including pornography, the AVMSD recognises age verification as an appropriate protection measure. A provider relying only on a simple self-declared age check has therefore not implemented sufficient safeguards. In such cases, an order from another Member State requiring effective age verification may be considered proportionate. The national measure therefore acts as a backstop where a provider has not met its existing EU-law obligations.
Why this matters in practice
A large body of national rules may be presumptively inapplicable to EU-foreign providers. In particular, any conduct requirement that applies directly through a general law may not always be automatically enforced against a foreign-established provider.
The protection is limited to EU/EEA establishment. Providers established in third countries, such as the United States, cannot invoke the country-of-origin principle. For online platforms within the meaning of the Digital Services Act, a separate line of defence may exist where national youth-protection rules overlap with the DSA’s harmonised regime – see below.
The DSA question remains open. The judgment concerned only the e-Commerce Directive. Whether the DSA, which itself regulates the protection of minors, displaces national youth-protection laws applicable to online platforms altogether was not before the Court. The European Commission and, recently, German courts have taken the view that it does. Providers should keep both lines of argument in view.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]