Commission Implementing Regulation (EU) 2024/607 of 15 February 2024 on the practical and operational arrangements for the functioning of the information sharing system pursuant to Regulation (EU) 2022/2065 of the European Parliament and of the Council (Digital Services Act)
Commission Implementing Regulation (EU) 2024/607of 15 February 2024on the practical and operational arrangements for the functioning of the information sharing system pursuant to Regulation (EU) 2022/2065 of the European Parliament and of the Council (Digital Services Act)THE EUROPEAN COMMISSION,Having regard to the Treaty on the Functioning of the European Union,Having regard to Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act)OJ L 277, 27.10.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2065/oj., and in particular Article 85 thereof,After consulting the Digital Services Committee in accordance with Article 88 of Regulation (EU) 2022/2065,Whereas:(1)Regulation (EU) 2022/2065 seeks to ensure a safe digital space for users, while ensuring that fundamental rights are respected. It does this by imposing obligations on providers of intermediary services to prevent the spread of illegal content online and by regulating those providers’ content moderation policies in relation to their services. The effective supervision, investigation, enforcement and monitoring of those providers’ compliance with those obligations requires cooperation between the Member States and with the Commission, as well as a seamless exchange of information between the Member States and with the Commission.(2)To this end, Article 85 of Regulation (EU) 2022/2065 requires the Commission to establish and maintain a reliable, secure and interoperable information sharing system, hereinafter "AGORA", that supports communications between Digital Services Coordinators, the Commission and the European Board for Digital Services ("the Board"). Other competent authorities may be granted access to AGORA, where necessary, to carry out the tasks conferred on them in accordance with Regulation (EU) 2022/2065. The Digital Services Coordinators, the Commission, and the Board are required to use AGORA for all communications made pursuant to Regulation (EU) 2022/2065.(3)AGORA is a software application accessible via the Internet to be developed by the Commission. AGORA provides a communication mechanism to facilitate the cross-border exchange of information and mutual assistance between Digital Services Coordinators, the Commission and the Board pursuant to Regulation (EU) 2022/2065. In particular, AGORA should support the Digital Services Coordinators, the Commission and the Board in managing the exchange of information in connection with the supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065 based on simple and unified procedures.(4)This Regulation sets out the practical and operational arrangements for the set-up, maintenance and operation of AGORA for the purposes of supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065, which may cover, inter alia, one-to-one exchange of information, notification procedures, alert mechanisms, mutual assistance arrangements and problem-solving between Digital Services Coordinators, the Commission, the Board, and other competent authorities that have been granted access to AGORA pursuant to Regulation (EU) 2022/2065 ("AGORA actors").(5)Given the cross-border and cross-sectoral relevance of intermediary services, a high level of coordination and cooperation among the different relevant actors is necessary to ensure the consistent supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065, and the availability of relevant information through AGORA for that purpose.(6)In order to overcome language barriers, AGORA should be available in all official languages of the Union. To that end, AGORA should offer fully automated machine-translation tools currently available to the Commission for the translation of documents and messages exchanged through it. The Commission should provide natural persons working under the authority of Digital Services Coordinators, the Commission, the Board or other competent authorities that have been granted access to AGORA ("AGORA user"), and AGORA users appointed as administrators by the Digital Services Coordinators, the Commission, and the Board ("AGORA administrator") with such tools. The automated machine-translation tools should be compatible with the security and confidentiality requirements for the exchange of information in AGORA.(7)In order to fulfil their tasks under Regulation (EU) 2022/2065, Digital Services Coordinators, the Commission and the Board may need to exchange information which may include personal data. Any such exchange of information should comply with the rules on the protection of personal data laid down in Regulations of the European Parliament and of the Council (EU) 2016/679Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj). and (EU) 2018/1725Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).. Accordingly, the exchange of personal data necessary to comply with the obligations and to fulfil the tasks laid down in Regulation (EU) 2022/2065 falls within the scope of the lawful processing of data pursuant to Article 5, point (a) of Regulation (EU) 2018/1725, and Article 6(1), point (e) of Regulation (EU) 2016/679.(8)AGORA should be the tool used for the exchange of information, including, where necessary, personal data, which would otherwise take place via other means, including regular mail or electronic mail on the basis of a legal obligation imposed on Digital Services Coordinators, the Commission, the Board, and other competent authorities that have been granted access to AGORA pursuant to Regulation (EU) 2022/2065. Personal data exchanged via AGORA should only be processed for the purpose of the supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065. Where personal data is processed in the operation of AGORA for the purposes of sharing, requesting and accessing information answering requests for information, referrals, requesting action and requesting support, the Digital Services Coordinators should be separate controllers within the meaning of Regulation (EU) 2016/679 for the processing activities they carry out.(9)Each Digital Services Coordinator may also decide to use AGORA for its own case-handling activities carried out for the supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065. Where personal data is not to be exchanged in AGORA for the purposes of sharing, requesting and accessing information, answering requests for information, referrals, requesting action and requesting support, each Digital Services Coordinator and, where applicable, other competent authorities that have been granted access to AGORA, should be a sole controller within the meaning of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 with respect to the data processing activities carried out by means of AGORA.(10)The transmission, storage, and other processing of personal data of natural persons should take place in AGORA for the purposes of supporting communications between AGORA actors to carry out case-handling activities by them in connection with the supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065.(11)AGORA should process personal data insofar as strictly necessary for the supervision, investigation, enforcement, and monitoring under Regulation (EU) 2022/2065. AGORA should process personal data, such as identification data (e.g., name, nickname, alias, date of birth, place of birth, nationality, identification documents, and where necessary other characteristics likely to assist in identification), contact details (e.g., professional and private address, e-mail address, and telephone), case involvement data (e.g., the position and function of the natural person in an undertaking, other roles such as suspect, victim, whistleblower, informant, and witness), case related data (e.g., document, image, video, voice recording, statement, opinion, and record) and any other information deemed necessary to fulfil the requirements under Regulation (EU) 2022/2065.(12)Following the data protection-by-design and by-default principles, AGORA should be developed and designed with due respect to the requirements of data protection legislation, in particular due to restrictions imposed on access to personal data exchanged in AGORA. Therefore, AGORA should offer a considerably higher level of protection and security than other methods of information exchange, such as telephone, regular mail, or electronic mail.(13)The Commission should supply and manage the software and IT infrastructure for AGORA, ensure its reliability, security, availability, maintenance and operation, and be involved in the training of and technical assistance to AGORA administrators and AGORA users.(14)The competence of the Member States to decide which national authorities carry out the obligations resulting from this Regulation should be exercised in accordance with Article 49 and Article 62 of Regulation (EU) 2022/2065. Member States should be able to adapt functions and responsibilities in relation to AGORA to reflect their internal administrative structures, and to implement in AGORA a specific type of work or order of stages in a given work process.(15)Each Digital Services Coordinatorshould appoint and notify the Commission at least one AGORA administrator in its Member State for issues relating to AGORA. Each Digital Services Coordinator should also be responsible for the appointment of AGORA administrators of its respective competent authorities that have been granted access to AGORA pursuant to Regulation (EU) 2022/2065. Each AGORA administrator should register, grant and revoke access to AGORA to its own AGORA users. In order to achieve efficient supervision, investigation, enforcement and monitoring cooperation of services in scope of Regulation (EU) 2022/2065 through AGORA, Member States should ensure that their respective AGORA administrators and AGORA users have the necessary resources to carry out their obligations in accordance with Article 50(1) of Regulation (EU) 2022/2065.(16)Information received by a Digital Services Coordinator, the Commission, the Board, or another competent authority that has been granted access to AGORA through AGORA from another Digital Services Coordinator, the Commission, the Board, or another such competent authority should not be deprived of its value as evidence in criminal, civil or administrative proceedings in accordance with relevant EU and national laws solely on the ground that it originated in another Member State, or was received by electronic means, and it should be treated by the relevant AGORA actor in the same way as similar documents originating in its Member State.(17)It should be possible to process the name and contact details of AGORA administrators and AGORA users necessary to fulfil the objectives of Regulation (EU) 2022/2065 and of this Regulation, including monitoring of the use of AGORA by AGORA administrators and AGORA users, communication, training and awareness-raising initiatives, and gathering information in connection with the supervision, investigation, enforcement and monitoring of services within the scope of Regulation (EU) 2022/2065, or mutual assistance thereof.(18)In order to ensure the effective monitoring of, and reporting on, the functioning of AGORA, the Digital Services Coordinators, the Board and other competent authorities that have been granted access to AGORA should make relevant information available to the Commission.(19)Data subjects should be informed about the processing of their personal data in AGORA and the rights they benefit from, in particular the right of access to data relating to them, and the right to have inaccurate data corrected and illegally processed data erased in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725.(20)Each AGORA actor, as controller with respect to the data processing activities that it performs in connection with the supervision, investigation, enforcement and monitoring of services in scope of Regulation (EU) 2022/2065 should ensure that data subjects can exercise their rights in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. This should include establishing a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.(21)The implementation of this Regulation and the performance of AGORA should be monitored in the report on the functioning of AGORA based on statistical data from AGORA and any other relevant data. The Commission should submit the report to the European Parliament, the Council and the European Data Protection Supervisor. The performance of the Digital Services Coordinators, the Board and other competent authorities that have been granted access to AGORA should be evaluated, inter alia, based on average reply times with the aim of ensuring efficient and adequate replies. This report should also address aspects relating to the protection of personal data in AGORA, including data security.(22)The European Data Protection Supervisor has been consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725, and delivered an opinion on 4 January 2024,HAS ADOPTED THIS REGULATION: