Open-Xchange AG

OX

Open-Xchange (OX) is a developer of secure and open communication and office productivity software, IMAP server software and DNS solutions, offered as downloadable software, as on-premise deployments and as cloud services.

Lobbying Activity

Response to Report on the review of the Digital Decade Policy Programme

9 Jan 2026

Open-Xchange would like to thank the Commission for the opportunity to participate in its call for evidence on the review of the Digital Decade programme. We think that the current targets and objectives remain relevant, but they lack coverage of the newly emerging need for European digital sovereignty. We would thus propose the amendment of target #2 into "Secure, sustainable, sovereign, standard digital infrastructures". Our vital digital resources need to be sovereign and free from foreign control and interference; they also need to be based on open standards, as this would enable better cooperation among European SMEs and favour the development of local skills. We also propose two new objectives: "Ensuring solutions made in Europe exist for all fundamental digital technologies" and "Ensuring businesses can access raw materials, energy and other digital production factors under fair and competitive conditions". These practical action lines would support the revised target #2. Regarding funding, we suggest that the revised target could be facilitated in two ways. It would benefit from a strong industrial policy encouraging Europeans to buy European products, especially through public procurement rules. It could also be supported by a European Sovereign Tech Fund. Finally, to increase dialogue with other stakeholders, we encourage the Commission to strengthen its participation in Internet governance forums such as EuroDIG and the national IGFs. We defer a more detailed discussion to the attached document. We thank you for your kind consideration and stand ready to provide additional technical expertise and comments on these proposals.

Response to Digital package – digital omnibus

14 Oct 2025

Open-Xchange would like to thank the Commission for the opportunity to participate in its call for evidence on the digital package on simplification. We would like to deal more specifically with the "cookie popups" issue, as we find it not just important in itself, but an example of what can go wrong in digital regulation. The sorry state of implementation we see today is due to the inability of the European institutions to make prescriptions at the technical protocol and user interface levels, allowing the industry to choose the most annoying and ineffective way of implementing the legal requirements, to undermine their purpose. We think that the Commission needs to introduce a regulatory model that can produce such prescriptions in a matter of weeks, not years, at a much deeper level of detail, possibly through the use of implementing acts or other documents, perhaps through a specialized public agency. In the case of cookies, these prescriptions could be used to forbid "dark patterns", mandate browser support for centralized consent preferences, and force commercial websites to acquire and apply these preferences automatically. We defer a more detailed discussion to the attached document. We thank you for your kind consideration and stand ready to provide additional technical expertise and comments on this issue.

Response to Evaluation of the Public Procurement Directives

7 Mar 2025

Open-Xchange would like to thank the Commission for the opportunity to participate in its call for evidence on the functioning of public procurement directives. We think that the current framework has not ensured that public money is spent strategically to contribute to Europe's digital autonomy. The European Union could reach many more of its policy objectives if well-planned and strategic use of public procurement became the norm. We support the Commission's intention to prioritize European products in strategic sectors; due to Europe's current state of almost complete dependency on foreign suppliers, digital technologies and specifically online platforms, services, and software are one of the strategic sectors where such priorities should be introduced. An assessment of the total cost of import of non-European digital products, including the loss of jobs and fiscal returns, should be carried out. However, spending European money on European products is only an initial step, as not all European products are the same, nor do they all contribute equally to European societies. Ubiquitous and fair digital platforms can only emerge through the horizontal cooperation and interoperation of multiple smaller partners, which can be achieved through the use of open standards, open protocols, and open-source code. We thus recommend that new public procurement rules are revised to ensure preferential treatment for digital products that are based on the open-source model, implement open standards, support easy data portability across services, do not include lock-in features, and are supplied by the same entity that develops them, or at least contribute back to the actual developers. Whenever a public administration acquires software development services, the resulting code should be released under an open license. We defer a more detailed discussion to the attached document.
We thank you for your kind consideration and stand ready to provide additional technical expertise and comments on this issue.

Response to Report on the first review of the EU-US Data Privacy Framework

6 Sept 2024

Open-Xchange would like to thank the Commission for the opportunity to participate in its consultation on the EU-US Data Privacy Framework. We regret to say that, in our experience, the impact of this new framework on the European Internet industry has been negative in multiple ways. The privacy guarantees delivered by American companies are not on par with European offerings. Substantially, the shortcomings in privacy protection identified by past EUCJ rulings still stand; just by reading the news and observing common practices, anyone can find continuous examples of American companies tracking people through questionable practices to support data-based business models that violate the Europeans' privacy. The claim of adequacy allowed by the existence of an adequacy decision misleads consumers into thinking that American services can provide the same level of privacy as European ones, undermining one of the key selling points available to European companies and damaging the European economy. Additionally, the frequent changes in the legal framework for EU-US data transfers create uncertainty and additional costs. Should the EUCJ also void this one, we urge the Commission not to propose yet another adequacy decision. We defer a more detailed discussion to the attached document. We thank you for your kind consideration and stand ready to provide additional technical expertise and comments on this issue.

Response to Fighting against online piracy of live content

10 Feb 2023

Open-Xchange would like to thank the Commission for the opportunity to participate in its call for evidence on combating illegal live streams. Specifically, as a major provider of DNS (Domain Name System) software and services, we would like to raise a fundamental issue on the usage of DNS filtering, i.e. blocking the end-user's request for an illegal destination at the DNS resolver stage. We do not want to argue whether this mechanism should or should not be used; it embodies a compromise between the user's right to access the Internet and the rightsholders' right to prevent access to unlicensed content, which should be set by the appropriate democratic institutions. If this mechanism is to be used, however, it is paramount that the legal and operational instruments make it so that all DNS resolvers serving a country, be them national, European or from outside the Union, apply the blocks uniformly. Not doing so creates an unpredictable user experience and thwarts competition in favour of non-European services, which continue to offer free access to illegal content that the European DNS resolvers are required to block. We defer to the attached file for a more detailed version of this comment. We thank you for the kind consideration of the aforementioned point and stand ready to provide additional technical expertise and comments on this issue.

Response to Cyber Resilience Act

23 Jan 2023

Open-Xchange would like to thank the Commission for the opportunity to provide comments on its proposal for a Cyber Resilience Act, specifically from the viewpoint of the European open-source software industry. While we support the objective of increased security in digital products, we think that the proposal suffers from a misunderstanding of the nature of software. In the proposal, applications are treated as any physical consumer product with digital elements, such as cars or toys; in reality, they are more akin to literature than to industrial output, and are even protected by freedom of expression. Any requirement that limits the distribution of software infringes on this right and discriminates against the many applications whose development is not primarily driven by economic objectives. The limited "non-commercial exemption" mentioned in a recital is too narrow and does not anyway solve the problem, as some financial return is necessary to afford code maintenance, without making it possible to also afford heavy certifications. It would also create ambiguity and legal risks for the entire industry. We note that there is no such thing as the "import" of open-source software; it is developed globally and code flows across borders multiple times per second. Imposing requirements upon this flow will clash with the open-source development model, which makes the Internet possible, and will cut Europe out from the rest of the world. We thus advise that the approach of imposing requirements to all software published in Europe should be reconsidered. The Act should learn from the industry's experience and best practices; some of its imperative requirements can actually be counterproductive. In general, past security issues in some open-source software were due to the lack of resources, not to the lack of regulation.
Funding programs that make skilled professionals available to projects that cannot currently afford to pay for them would be way more effective than certifications. We suggest some possible alternatives to the approach of imposing requirements on all published software, which include turning the requirements into criteria for an optional certification mark, limiting the scope only to specific types of use, and require the audit of development processes rather than of code. Also, further exemptions could be considered, but if so, we would recommend to exclude all pure software products (open and proprietary) from the scope of this Act, and work with the industry on a different Act more in line with the nature of software and with the Internet's needs and practices. Please refer to the attached document for the full text of our comments on these topics. We stand ready to explain and discuss our suggestions further, and thank you for your kind consideration.

Response to DMA Implementing Regulation

5 Jan 2023

Open-Xchange would like to thank the Commission for the opportunity to provide comments on its proposal for this implementing act. We attach and refer to a short submission, mostly focusing on the importance of early engagement by the Commission with competent third parties and affected stakeholders, which should happen even before proceedings and investigations are opened. We think that the European industry and technical community could be the source of valuable information and ideas which should be considered right from the start, and not just through public comments on draft decisions. This could happen through continuous community engagement in the existing venues, as in the past. We stand ready to explain and discuss our suggestions further, and thank you for your kind consideration.

Response to Child sexual abuse online: detection, removal and reporting

12 Sept 2022

Open-Xchange would like to thank the Commission for the opportunity to provide comments on its proposal for a regulation on fighting child sexual abuse. We generally support the Commission’s objectives, as long as encryption is not weakened, but we are also fully committed to the privacy of our users; we will accept regulatory requirements imposed upon us through a democratic process, but they should be restricted to the minimum possible extent and clearly justified. The Commission's objectives will require a compromise between communications privacy and lawful interception; we are concerned by the lack of clarity in the proposed text on where such compromise should lie. The current text seems to impose contradictory requirements; more specifically, Article 10(3) would require the Internet industry to accomplish the impossible, by implementing technologies that scrutinize content in detail without accessing it, which is practically unfeasible. We are worried by the unmanageable liabilities that this would generate and by the resulting loss of competitiveness for the European messaging industry. We think that the requirement to also search for new material would create an excessive number of false positive cases and risk endangering innocent people's reputation. We recommend to limit the detection requirements to the most offensive grades of the evaluation scale, to known material only and to real-world imagery (not drawings or fantasy products). Finally, as the blocking requirements in Section II.5 are likely to be implemented via DNS filters, we recommend that domain name resolvers that are not Internet service providers are also included in their scope, ensuring that all DNS resolution services are subject to the same regulation. Please refer to the attached document for the full text of our comments on these topics. We stand ready to explain and discuss our suggestions further, and thank you for your kind consideration.

Response to Data Act (including the review of the Directive 96/9/EC on the legal protection of databases)

11 May 2022

Open-Xchange would like to thank the Commission for the opportunity to provide comments on its proposed text for the new Data Act. We generally support the Commission’s objectives and the current proposal, but we would like to address the issue of data sharing obligations for software and hardware products operating in the homes of European consumers, such as browsers, smartphone apps, smart TVs, IoT products etc., when connected to a home network with Internet access. To summarize our thoughts, we think that the proposal goes in the right direction but that it should be clarified and extended so as to cover all relevant products including software applications; enforce interoperability and the use of open standards; and address the need for data sharing in the opposite direction, allowing third party data processing services to instruct these products on behalf of the end-user so that undesired data sharing activities are immediately stopped. Please refer to the attached document for the full text of our comments on these topics. We stand ready to explain and discuss our suggestions further, and thank you for your kind consideration.

Meeting with Marcel Kolaja (Member of the European Parliament, Shadow rapporteur) and New Vector (trading as Element)

10 Feb 2022 · discussion about interoperability

Response to Standardisation Strategy

6 Aug 2021

Open-Xchange would like to thank the Commission for the opportunity to provide comments on its roadmap for a European standardisation strategy. We would like to focus our comments on the specific matter of standardisation of Internet technologies, which is generally carried out at the global level by private sector organizations like the IETF and W3C. These organizations rely on a less formal and faster model based on free participation by any interested party, free availability of specifications (without fees or intellectual property constraints), and open source as the preferred licensing model for implementations. These features were key to the success and growth of the Internet and should be copied by any European-level standardisation process in these technical fields; however, due to the global nature of the Internet, standardisation should generally continue to happen at the global level. There are however cases in which global Internet SDOs fail to encompass the views and needs of European stakeholders. In our attached submission we discuss two - Enterprise Transport Security, which was standardised by ETSI after being rejected by the IETF, and DNS-over-HTTPS. These examples highlight how sometimes the decisions by these SDOs can disadvantage industry sectors with a strong European presence (ISPs, telcos, security providers) and advantage others dominated by non-European companies (over-the-top and platform providers). This makes these SDOs very relevant to Europe's objective of digital sovereignty and of an increased market share in online products and services. We thus suggest that the European standardisation strategy should include two action lines addressing global Internet SDOs: 1. Increase European participation in these fora, both by technical and industry experts and by public officers; 2. Evaluate whether the output of these SDOs is in line with European needs and values before recognizing or recommending for use in Europe the standards they produce. The first action line, acknowledging how European players in these industries are often smaller and forced to follow American innovation because of dominant positions, should continue and reinforce funding efforts for SMEs and individuals to participate in these SDOs, and apply moral suasion towards the bigger national players to encourage them. It should also promote specific attention - including direct participation when necessary - by European and member State institutions whose policy purviews could be impacted by new technical developments. To this purpose, specific multi-stakeholder activities should be implemented to promote timely information and exchange of views between European institutions, the industry and other stakeholders. This could also prompt the development of multi-stakeholder European positions. The second action line should foster a mechanism to address cases in which an upcoming standard could negatively impact European interests and public policy objectives. In this case, an advisory or regulatory response by the appropriate European and member State institutions could be devised, and the industry could be asked to develop the necessary technical alternatives or extensions. This should happen in a timely manner, before the new technical standards are finalized or deployed. We think that these actions are necessary to put Europe at the forefront of technical changes more than it has recently been. We would be happy to discuss how they could be further developed within the European standardisation strategy. Please refer to the attached document for the full text of our comments on these topics. We stand ready to explain and discuss our suggestions further, and thank you for your kind consideration.

Response to Digital Services Act package: ex ante regulatory instrument of very large online platforms acting as gatekeepers

4 May 2021

Open-Xchange would like to thank the Commission for the opportunity to provide comments on its proposal for the new Digital Markets Act. We generally support the Commission’s objectives and stand in favour of enacting a new regulation building on the draft. We nonetheless raise some issues building on our first-hand experience in one of our core fields of activity, Internet email and messaging in general. We focus our comments on the following topics: A. Unworkable definition of gatekeepers in consumer platform services. We have concerns on how the gatekeeper requirement on a minimum number of "business users" could play out for many core platform services. While the concept is clear for online intermediation services, it is ambiguous for social media platforms (how do you tell whether a profile belongs to a business or an individual? also, are "business users" the advertisers, or the businesses posting content in their pages, or both?) and even more for instant messaging services (there is no such thing as a "business WhatsApp account"). For platform services where there is no real distinction between "business" and "consumer" accounts - mostly those in points (b) to (g) of Article 2(2) - only the general threshold on the overall number of users should apply. B. Interoperability requirements for consumer platform services. Interoperability is a basic principle of the Internet and an enabler for its success; its limitation is at the roots of many market failure situations. Platform services such as instant messaging and social media should just work like older, interoperable Internet services such as email and the Web; all competing service providers should interoperate through open standards, so that users only need an account with one provider, and a single app, to communicate with all users of all apps and providers.
This should be obtained by extending Article 6(1)(f) to all core platform services and to all end-users, not just business users; alternatively, a new specific point could be added especially for this type of platform services. We attach a technical paper addressing some possible concerns, including those on innovation, encryption and privacy, and a letter by 40 European tech companies supporting this request. C. Effective data portability measures. We support the new portability requirement in Article 6(1)(h) but we note that portability is already a requirement per Article 20 of the GDPR; what is missing the most is not a new law, but the enforcement of the existing one. We stress the need for the European institutions to push the industry to work out the missing technical and organizational arrangements to make automated, seamless portability possible. We however stress that data portability, even in real time, is not an adequate replacement for proper interoperability requirements. D. Multi-stakeholder specification and implementation of gatekeeper obligations. We stress that the success of the act does not depend only on the institutions, but on the cooperation of all stakeholders. We recommend that multi-stakeholder approaches are taken in the implementation and specification phase, when deciding which measures and which technical standards should be adopted. Any remedies should not be discussed only with the gatekeepers, but also with their competitors, the rest of the European Internet industry, their business and consumer users, and civil society in general. Such work should rely on existing global and European SDOs, but the Commission should first make sure that Europe is adequately represented in their processes. Please refer to the attached document for the full text of our comments on these topics. We stand ready to explain and discuss our suggestions further, and thank you for your kind consideration.

Response to Digital Services Act: deepening the Internal Market and clarifying responsibilities for digital services

31 Mar 2021

Open-Xchange would like to thank the Commission for the opportunity to provide comments on its proposal for the new Digital Services Act. We generally support the Commission’s objectives and stand in favour of enacting a new regulation building on the draft. We nonetheless raise some issues related to one of our core fields of expertise, the Internet’s Domain Name System (DNS) and its use for controlling access to illegal, harmful and unsuitable content. We focus our comments on the following topics: A. Obligations for the various players in the DNS industry. We think that the current text is ambiguous as it does not define clearly the category of intermediary that each service in the DNS industry (DNS recursive resolver, DNS authoritative server, registry, registrar) belongs to; this should be explicitly clarified. "Mere conduit" obligations would need to be adjusted to be applicable to DNS resolvers; the "hosting" definition does not fit well the other DNS operators, which would deserve the creation of a specific category. B. Voluntary filtering of harmful and unsuitable content. We understand the Commission's intention that harmful content should be addressed through self-regulation, but the concurrence of other norms, such as the Open Internet Regulation, could prevent operators from doing so. We think that the exemption of liability in Article 6 should be extended to activities aimed at blocking harmful content, when such content has been defined through industry codes of conduct or recognized technical standards. Importantly, that exemption should also be extended to activities aimed at blocking content per the user's request, like parental controls, that also risk to be negatively affected.
This could be a balanced approach to address the risks posed by excessive blocking of ill-defined "harmful content", but also by the intermediaries' legal inability to counter content which is truly harmful, such as disinformation, or adult content on Internet access services used by children. C. Obligations of global DNS service providers on nationally illegal content. We support the formulation of Article 8 but note that there is an unresolved contradiction between defining illegal content at the national level and the country of origin principle. This disadvantages European operators, subject to national content blocks, and advantages global platforms, that can ignore those blocks by establishing themselves in member States where that content is legal, and then attract consumers by offering access to content which is illegal in their country. This creates a "country shopping" effect, similarly to the GDPR, that pushes global operators to base themselves in countries where enforcement against illegal content is less effective. We thus suggest to require intermediaries that have a significant market position in a member State, different than the one where they are established, to abide by that member State’s laws and court orders against illegal content when serving users from that member State. We also recommend that European enforcement procedures kick in when national enforcement procedures are not prompt or effective. Finally, we comment on the draft's mention of interoperability as a principle for certain services (e.g. advertising repositories). We absolutely share the principle, which is a cornerstone of the Internet, but we disagree with the idea that - as per Article 34 - support for interoperability by dominant players should be optional and voluntary. Dominant players often have an economic interest not to interoperate; they will not do so unless required. 
The Commission and the Parliament must stand for the open Internet and impose full interoperability with third parties as a requirement for dominant platforms. Please refer to the attached document for the full text of our comments on these topics. We stand ready to explain and discuss our suggestions further, and thank you for your kind consideration.

Response to Revision of the NIS Directive

17 Mar 2021

Open-Xchange would like to thank the Commission for the opportunity to provide comments on its proposal for a new directive enhancing cybersecurity measures, replacing the previous NIS directive. Given our field of expertise and market experience, we will be focusing our comments on the following topics: A. Cybersecurity requirements for email, including end-to-end encryption; B. Cybersecurity requirements for cloud-based services; C. Cybersecurity requirements for DNS operators; D. Requirements for the operators of domain name registration databases. Please refer to the attached document for the full text of our comments on these topics. We stand ready to explain and discuss our suggestions further, and thank you for your kind consideration.

Response to Child sexual abuse online: detection, removal and reporting

30 Dec 2020

Open-Xchange welcomes the Commission's initiative to strengthen the fight against CSAM-related content online. We attach to this submission our full contribution to this consultation, but for ease of reading, we would like to summarize here our main points. We advise against requirements to weaken and break encryption and recommend instead that appropriate measures are taken so that content can be detected at the endpoints of encrypted communications, whenever appropriate. We recommend that action at the infrastructural and DNS level is limited to cases where direct content takedown is not possible. In that case, we recommend that blocking is considered as an alternative when takedown (e.g. of domain names, or of entire servers) is impossible even at the infrastructural level. We note that law-mandated blocking of CSAM-related domain names at the DNS resolver level is already employed in some European countries, but can be easily circumvented by adopting non-European DNS resolvers such as Google's. We recommend that the scope of future regulation includes blocking of CSAM-related domain names and ask that any related requirement is applied evenly to European and non-European DNS resolver providers. In terms of legislative options, we demand the choice between the three options to the general discussion, but we note that, should option 2 and especially option 3 be picked, there is the need to formulate requirements in terms of best reasonable efforts at the current state of technology, rather than in terms of absolute obligations to detect and remove each and every piece of content even if yet unknown and unflagged. We also suggest that obligations could be differentiated between "very large online platforms" and other operators, to avoid putting excessive burdens on SMEs. Finally, we note that the impact assessment does not seem to cover another fundamental instrument to remove CSAM-related content from access: parental controls. 
Especially for grooming and text-based activities that are often performed on general purpose platforms like social media, preventing children from accessing such platforms, for families that so decide, can be a strong and effective protection. We thus invite the Commission to include this topic in this analysis and in the regulatory work on CSAM-related content. Specifically, we note that some new encryption technologies recently deployed by Internet browsers and platforms, namely DNS-over-HTTPS, can circumvent both DNS-based parental controls and law-mandated blocking of CSAM-related domain names. We think that these technologies should be deployed in ways that do not disrupt these mechanisms, and we suggest that deploying technologies in ways aimed at circumventing these mechanisms should be illegal. We defer to our full contribution for a detailed statement of our comments to the inception impact assessment and to the matter in general. We stand ready to explain and discuss our suggestions further, and thank you for your kind consideration.

Response to New competition tool

29 Jun 2020

Open-Xchange, as the leading European open source software company in the email and DNS space, commends and supports the Commission's efforts to restore competition in the realm of online services and Internet platforms. We think that these efforts are vital for Europe's future in terms of economic growth and of sovereignty, democracy and individual rights. We defer to our submission on the Digital Services Act roadmaps for further comments on the general topic of platform regulation, but we would still like to make a few points specific to this inception impact assessment. We generally agree with the assessment as published. We encourage the Commission to focus on tools as broadly applicable as possible (i.e. Option 3) as we think that this would be the most future-proof way to ensure that Europe has competition tools that can deal promptly with any unforeseen and rapid development on any socially and economically relevant market, including the possibility of ex-ante measures before competition is actually hampered. To address the risk of excessive market interference, the breadth of the instrument could be mitigated by a guideline of diversifying some of the remedies by the size and market position of the various players, as in some cases, while the entire market (and not just an already dominant player) might display competition failures or risks thereof, the appropriate remedies may be different between larger market leaders and smaller new entrants and startups (which might be exempted). On a specific point, while the possibility of multi-homing (as mentioned on page 2) can alleviate competition risks, it is often insufficient and generally ineffective as a solution. 
Even when consumers can use multiple competing services (for example, in instant messaging), installing and managing multiple applications provides a sub-optimal experience and creates a burden in terms of cost, energy and time wasted, up to the point that most consumers will refuse to do so more than a few times, thus giving the larger established players a significant advantage. The same happens in multi-sided markets; for example, in online logins, even if users were willing to adopt a different system than Google/Facebook/Apple's, website owners would generally not bother adding support for it, as it would require extra effort and complicate their user interfaces. The only true solution to restore competition in these situations is to mandate interoperability, possibly through the adoption of open and federated protocols that can support any number of providers, requiring all parties to support at least one open interoperable mechanism. Even in terms of environmental impacts (page 3), having to install and run multiple competing applications creates an unnecessary waste of energy and technical resources, hastening device obsolescence. In terms of likely impacts on fundamental rights (page 4), the right to economic initiative and fair legal treatment of the affected companies (while needing protection) is not the only right that comes into play. Especially in sensitive digital markets like messaging, social media and identity management, and whenever personal information is at stake, the lack of competition could reduce the market power of end-users in a way that damages their individual right to privacy, free expression, equality and democracy through digital services and communications. This factor should also be assessed. Finally, we would encourage the Commission to explicitly take into account the objective of ensuring uniform rules for all players supplying digital services to European customers, be they European or foreign.
In some cases (for example BEREC's renewed net neutrality guidelines) current European rules only apply to European ISPs, but not to the Internet platforms, thus actually disadvantaging the European industry against foreign competition. It is important to ensure that the European rules treat all players equally. Thank you.

Response to Digital Services Act: deepening the Internal Market and clarifying responsibilities for digital services

29 Jun 2020

Open-Xchange, as the leading European open source software company in the email and DNS space, commends and supports the Commission's effort to address the issues related to illegal and harmful online content. We generally agree with the inception impact assessment as published, and we stress the importance of bringing services without legal establishment in the EU into the scope of the upcoming rules, to ensure fair competition and proper protection of the rights of European citizens. Specifically, we note that platforms have become de-facto content regulators with a high impact on fundamental rights like freedom of expression and association. These rights are hampered both when they fail to take down harmful content and when they take down legitimate content. Thus, takedown policies and appropriate redress guarantees must be developed by open, multi-stakeholder processes under appropriate public legislation, and only executed by the platforms. Most of the focus of the impact assessment seems to be on countering illegal content via takedown mechanisms - but while taking down the content is preferable, sometimes it is impossible to accomplish. For example, hosting providers, social media and website owners that operate outside of European jurisdictions are not directly subject to the enforcement of any European rules, and may easily refuse to comply with them, as they can continue to deliver illegal content to European citizens from abroad. Even within Europe, due to significant differences in national values and regulations among member States, there is content which is illegal in a member State but perfectly legal in another; given the home country principle, such content cannot and should not be taken down. This makes it necessary to establish an additional mechanism to allow individual member States, or Europe as a whole, to block access to content without having to take it down.
Most member States already have binding blocking rules in place, be it through court rulings or national laws, on multiple types of illegal content such as copyright violations, counterfeit shops, child sexual abuse material, unlicensed gambling and so on. These rules are enforced by mandating the country's ISPs to apply blocks at the Internet access level, usually through filters on the Domain Name System (DNS) resolver service. However, the present framework has several issues, deriving from the lack of uniform European rules on the matter:
1. It is extremely fragmented across Europe.
2. It imposes burdensome costs and legal uncertainties on ISPs, especially smaller and international ones.
3. It lacks transparency and uniform redress measures to avoid blocking legitimate content.
4. Internet platforms and foreign application makers are not subject to it, so they can make the illegal content accessible and even use this to draw users away from European ISPs.
5. As a consequence, also given a U.S.-led technological trend towards encryption, the filters are increasingly circumvented.
6. This even circumvents voluntary filtering on behalf of the user, e.g. parental control.
We thus recommend that Internet content filters are also brought in scope of the DSA, to ensure a uniform European framework, applying to ISPs, platforms and SW/HW makers, that mandates the respect of law-sanctioned Internet blocks, preserving their effectiveness, while providing transparency and checks and balances. Such a framework would also be vital to the enforcement of the DSA itself, as blocking is the only effective measure against platforms not established in the EU, and against any party that might prefer paying the monetary fines while continuing with anti-competitive practices. Given our experience in the topic, we stand ready to provide suggestions on how this framework could work in practice, and we will do so in our future submissions.
Consequently, we support option 2, possibly in conjunction with option 3. Thank you for your consideration.

Response to Digital Services Act package: ex ante regulatory instrument of very large online platforms acting as gatekeepers

29 Jun 2020

Open-Xchange, as the leading European open source software company in the email and DNS space, commends and supports the Commission's effort to address the gatekeeping power of big Internet platforms and the threat it poses to competition, digital sovereignty and individual rights. We support the scenario analysis included in the inception impact assessment and encourage the Commission to address it promptly, making use of the most ambitious policy options (3a and 3b together). Market regulation is necessary to allow European companies to compete fairly with global platforms, also because of the different structure of the European industry. As the result of 27 different economies not yet fully integrated, Europe generates constellations of smaller allied/merged companies rather than big monolithic platforms. Company alliances work through interoperability, synergy and technology sharing, while big platforms work through market dominance and control. Regulatory and technical standards must protect the distributed nature of the European industry for it to succeed. We support the idea of blacklisting certain practices - for example, self-preferencing and exporting dominance into adjacent markets. However, this alone would not be enough. There are cases in which generally positive practices still need to be constrained through mandatory conditions. For example, big email platforms algorithmically blacklisting ISPs that they consider "spammers" often seriously damage their business, even when such accusation is unfounded; in this case, appropriate protection and redress measures should be required ex-ante to counter this risk, even if the overall practice is legitimate. There are also cases in which practices need to be mandated ex-ante, as soon as a dominant position is achieved or even before, to foster fairness in a fledgling market. 
Specifically, interoperability should be recognized as a generally useful principle and mandated whenever a market requires it to warrant competition - for example in instant messaging, social media, videoconferencing and online identity and login. Dominant platforms in those markets should be required to support technical standards that allow any number of competing service providers to exist, by letting their users interact with those of the platforms. In some cases, interoperability can be achieved through open technical interfaces, while in others it requires the mandatory use of open protocols or support for open and federated frameworks, preventing the platforms from using their market power to impose themselves as the sole providers. Another useful principle is device neutrality: users should have the right to fully control the software and configuration of their devices, preventing manufacturers from limiting user choice. A regulatory body should be tasked with determining which markets need intervention and which practices should be mandated, picking up bottom-up proposals and relying on multistakeholder policy and technical processes for implementation. The same body could ensure that platforms and standardization organizations align their technical plans to democratically decided public policy principles, rather than forcing their choices onto everyone else (as apparent in the Covid-19 tracing app case). Europe gained ample positive experience from regulation bringing choice and competition to the telco market. All Internet communication services, from instant messaging to videoconferencing, could and should work in a more federated and interoperable manner like email and mobile telephony. There is no technical or consumer protection problem that prevents this from happening - just unregulated market dynamics. Many fundamental rights of European citizens are at play; not just privacy and data protection, but also freedom of expression and association. 
We thus encourage the Commission to proceed and thank you for your consideration.

Response to Report on the application of the General Data Protection Regulation

29 Apr 2020

Open-Xchange, as the leading European open source software company in the email and DNS space, would like to submit the attached feedback on the application of the General Data Protection Regulation. Our feedback builds on the following points:
- we commend the GDPR and support its model of strong sanctions and global applicability for any future Internet regulation, starting with the Digital Services Act;
- we regret that the GDPR's application and enforcement in the online sphere, for example in website cookie and sign-up consent forms, or in the use of dominant Internet platforms, seems to be significantly lacking;
- we suggest that the enforcement mechanisms, including the "one-stop-shop" principle, should be revised to ensure that the big global players have to conform to the highest GDPR implementation and enforcement standards in Europe, not to the lowest ones;
- we stress that a new special law for privacy in online services is still necessary, supporting the EDPB's call for the prompt establishment of an ePrivacy Regulation;
- we think that a simple mechanism for users to communicate automatically their privacy preferences to websites should be mandated;
- we believe that the right to data portability (Article 20) is a very important provision, but that in the email space it has not been fully implemented yet, encouraging the European institutions to lead a "moral suasion" effort to make this happen;
- we note that data portability is only a first step towards appropriate regulation of the matter, as in many services other than email (e.g. instant messaging) it is voided by the subsequent lack of interoperability between the old and the new service chosen by the user, making it impossible for the user to interact with contacts that are still on the old service;
- we encourage the Commission to revise and develop the data portability matter by establishing interoperability requirements for dominant players as part of the Digital Services Act.
We defer to our full comment in the attached PDF for a detailed discussion and explanation of these points, and we stand ready for questions and for further discussions of these matters.