On 16 June, the Court of Justice of the European Union delivered its Grand Chamber judgment in WebGroup/Coyote (Joined Cases C‑188/24 and C‑190/24). The ruling significantly narrows the circumstances in which online platforms can rely on the hosting safe harbour and, correlatively, on the prohibition of general monitoring obligations under the former E‑Commerce Directive and the Digital Services Act (DSA). It does so by placing algorithmic control over user‑uploaded content at the centre of the analysis.

Although the underlying disputes did not concern intellectual property, the Court interprets key concepts of intermediary liability – “active role”, “knowledge” and, above all, “control” – in a way that is highly relevant for the broader EU digital‑regulation framework. The message is clear: where a platform uses algorithms to determine under what conditions, how and in which order third‑party information is disseminated, it will find it increasingly difficult to present itself as a merely neutral host.

Algorithmic control and the erosion of the hosting safe harbour

The starting point is familiar. Under Article 14 of the E‑Commerce Directive (now reflected in Article 6 DSA), a provider that stores information supplied by users may be exempt from liability, provided it plays no “active role” that gives it knowledge of, or control over, the content. This line, grounded in recital 42 ECD and earlier case law such as L’Oréal, Google France and YouTube/Cyando, has been the backbone of the EU hosting safe harbour for over two decades.

In WebGroup/Coyote, the Grand Chamber cautions against the assumption that any service hosting third‑party content automatically falls within the safe harbour. It expressly reiterates that a provider which “controls the stored information” is excluded from Article 14(1) protection, even if it does not subjectively “become aware” of that information because the processing is fully automated. Control, in other words, is not neutralised by automation.

Agreeing with Advocate General Szpunar, the Court then specifies that this control may be exercised “inter alia, by means of the algorithm used”. Once the operator has predetermined, via that algorithm, the conditions under which information “may or may not be broadcast”, it becomes irrelevant that it does not carry out additional manual interventions to promote, modify or delete specific items. The design and configuration of the ranking or recommendation system themselves can amount to control.

The Court draws an important distinction here. Mere categorisation and indexation aimed at improving accessibility – classic search and navigation functions – do not, as such, remove the safe harbour. However, where an operator uses an algorithm that determines, in its own interest or in the interest of its service, “under what conditions, how and in which order of priority” user information is or is not disseminated, that operator does exercise control over that information. In that scenario, the service can no longer be classified as one which “consists of the storage of information provided by a recipient of the service” within the meaning of Article 14(1).

From a practical standpoint, this interpretation potentially affects a wide range of user‑uploaded content (UUC) platforms: social networks, video‑sharing services, recommender‑driven news feeds, apps that re‑broadcast user reports (for instance, on traffic or police checks), and, more generally, any environment where visibility is determined by engagement‑optimised algorithms rather than by user choice or simple chronology. The more a service orchestrates the circulation of content in its own commercial interest, the narrower the room for invoking hosting immunity.

The impact on the prohibition of general monitoring

Building on this, the Grand Chamber tackles a longstanding controversy: who exactly can invoke the prohibition of general monitoring obligations in Article 15 ECD (now Article 8 DSA)? The Court’s answer is strikingly clear. Only providers that actually fall within the scope of the safe harbours – such as the hosting exemption – may rely on that prohibition. If a service cannot be classified as an “information society service that consists of the storage of information provided by a recipient”, then Article 15(1) simply does not apply to it.

This clarification has two important consequences. First, it reinforces the functional link between the scope of the safe harbour and the scope of the “no general monitoring” guarantee: the latter is not a free‑standing right available to anyone operating online, but the corollary of a specific status as a neutral intermediary. Second, it limits the ability of certain platforms to invoke Article 15 as an all‑purpose shield against any form of regulatory intervention, even where their own design choices reveal a far‑reaching control over dissemination.

At the same time, the Court reiterates a well‑established distinction: the prohibition concerns general, undifferentiated monitoring, but does not prevent the imposition of specific monitoring or due‑diligence obligations in clearly defined contexts. For platforms that use ranking and recommendation systems to maximise “virality”, this leaves room for targeted obligations: for instance, to address predictable patterns of illegal content being systematically boosted, or to mitigate particular risks to minors or public security.

Dark patterns, engagement optimisation and “active role”

Placed in today’s technological and regulatory context – marked by the DSA, the rise of high‑risk recommender systems and growing scrutiny of dark patterns – WebGroup/Coyote can be read as a step change in how EU law assesses “active role” and “control”. The Court’s reasoning is particularly uncomfortable for social platforms whose business models depend on attention capture.

Many such services do not simply store and display content; they:

• deploy algorithms that select and prioritise material with high engagement potential;
• design interfaces that nudge users towards endless scrolling, autoplay and constant re‑engagement;
• rely on notification patterns and default settings that channel users into specific content flows.

In this light, dark patterns and manipulative UX are not just a consumer‑protection issue. They become evidence that the provider is structurally shaping the way information is surfaced, sequenced and amplified. Combined with the Court’s emphasis on algorithmic control, these design choices make it more plausible to qualify the provider as playing an “active role” in the distribution of content, with all the consequences that follow in terms of liability and of access to safe harbours.

A shifting equilibrium in EU intermediary liability

Commentators have already noted that WebGroup/Coyote significantly reduces the “breathing space” for platforms compared with earlier decisions such as YouTube/Cyando, and that, depending on how national courts apply it, the judgment could be read as stripping many modern UUC platforms – arguably including most large social media – of the traditional hosting protection. Whether this more radical reading will prevail is ultimately a question for future litigation.

What is clear, however, is that the Grand Chamber has updated the vocabulary of intermediary liability for the age of algorithmic optimisation. Terms like “knowledge”, “control” and “active role” can no longer be understood solely through the lens of manual content selection or explicit editorial choices. They now extend to encompass the architecture of recommendation systems, ranking mechanisms and engagement‑driven interfaces.

For users, this may translate into stronger expectations that platforms will take effective measures against the most harmful amplification dynamics, particularly where minors, public security or fundamental rights are at stake. For regulators and courts, it offers a more precise doctrinal toolkit to address those dynamics without collapsing the distinction between intermediaries and publishers.

For some of the largest social platforms, the signal is unmistakable: continuing to design algorithms and interfaces primarily to maximise attention, while denying responsibility for the foreseeable effects of those design choices – especially where they systematically amplify harmful content – will become increasingly difficult to defend, both under the evolving EU legal framework and in the broader public debate.