What we can and cannot expect from the exercise of public functions by private platforms

Abstract

Platforms have been increasingly assuming functions that do not differ much in nature from those performed by states: rule-making, adjudication, and enforcement authority over users' expressions and conduct. What began as voluntary self-regulation, enabled by legal architectures such as Section 230 of the Communications Decency Act and the EU's e-Commerce Directive, has evolved into a model of outsourced governance in which states mandate private, profit-seeking actors to perform quasi-public functions, stripped of the human rights and constitutional safeguards that bind state action. This paper examines that trajectory and its consequences for freedom of expression. We proceed in two steps. First, we trace the evolution from self-regulation to formal legal mandates, showing how trust and safety practices developed by platforms were progressively formalized into binding legal obligations. Second, we identify two sets of problems arising from this trajectory. The first concerns state-mandated censorship by proxy: by imposing duties of care, risk mitigation obligations, and takedown duties on platforms, states can achieve indirectly what they cannot do directly, restricting speech without satisfying the conditions that make said restrictions legitimate. The second concerns the structural limits of carelessly transposing human rights standards onto private actors. We argue that the linear translation of core human rights concepts and tools---such as the the *three prong* proportionality analysis usual in global freedom of expression law---cannot happen without accounting for the fundamental differences between private and state actors. The paper concludes that regulating the platform ecosystem is a legitimate and necessary endeavor, but that such regulation must adhere to two principles: any state mandate affecting users' freedom of expression must itself satisfy the requirements of legality, necessity, and proportionality; and the obligation to ensure human rights falls primarily upon states and cannot be outsourced to private intermediaries through the back door of content moderation regulation

Introduction

Much of the contemporary narratives around platform governance has revolved around the harms created or magnified by them. Demands for platforms to “do more”—to keep children safe online, to protect the integrity of elections, to curb the rise of disinformation or hate speech— have been recurrent.

Platforms have been increasingly assuming functions that, as some scholars posit, do not differ much in nature from those performed by states [@klonick2018; @dvoskin2023, p. 105]. They now exercise rule-making, adjudication, and enforcement authority over users’ expressions and conduct within their services. Originally, platforms assumed some of these functions voluntarily, as if they were logical derivations of their new affordances. These functions were facilitated by the legal architecture of Section 230 of the Communications Decency Act [@section230] in the US, and the e-Commerce Directive in the European Union [@ecommerce], which provided them with the necessary immunity to engage in content moderation on a large scale without it leading to liability [@kosseff2019; @klonick2018].

Concomitantly, the erosion of trust in traditional democratic institutions across multiple regions—including courts, electoral authorities, and other public oversight bodies—, paved the way for both civil society and governments to increasingly rely on online platforms to carry out functions that formally pertain to the state’s domain, but that private actors can perform more effectively at scale, and free from the legal, procedural, and constitutional constraints that bind the exercise of public power.

This paper examines the growing phenomenon of platforms developing state-like institutions, exercising quasi-public functions and increasingly being mandated by states to exercise them as instruments of governance. This effective outsourcing of state-like functions to platforms, we argue, is not neutral and has serious consequences for human rights. We will focus specifically on the quasi-legislative and quasi-judicial activities involved in content moderation that impact freedom of expression. According to Gillespie, “moderation far from being occasional or ancillary, is in fact an essential, constant, and definitional part of what platforms do”, without it any service “would, in all likelihood, quickly become a cesspool of hate and porn and subsequently be abandoned” [@gillespie2018]. But if rule development and content moderation enforcement developed from self-regulatory exercises, through time, these activities have been formalized, and not only expected but demanded by different stakeholders. Platforms developed, as a consequence, into almost state-like structures.

We can now see emerging regulatory approaches that impose legal obligations upon platforms to exercise them, either in conjunction or collaboration with state actors or in their individual and private capacities, which blur essential boundaries between state action and private action that are fundamental for the protection of human rights. The distinction between constitutionally prohibited censorship and permissible content governance becomes increasingly opaque, as do the differentiated human rights obligations applicable to states and private companies. By mandating platforms to perform functions that states themselves could not perform directly without violating constitutional and human rights law, legislators have created a model of “outsourced governance” that is insulated from the accountability mechanisms that bind public power.

This paper proceeds as follows. Section II traces the trajectory through which digital platforms have assumed state-like functions in content moderation, from self-regulation to legal mandates. Section III two sets of problems arising from this trajectory: the risks that state-mandated content governance poses to freedom of expression, and the structural challenges that emerge when human rights obligations designed to constrain state action are transposed to state actors. Section IV concludes and offers some orientations for a more rights-consistent approach to platform regulation.

From immunity and self-regulation to state-like functions and regulations

This section describes three distinct processes that shaped how the current set of applicable rules on content moderation looks today. Although they occurred simultaneously and not without a great deal of overlap and cross-pollination, we treat them separately, as they ought not to be conflated: self-regulation, voluntary commitments created under International Human Rights Law, and formal regulation. We acknowledge that the distinction between what is here termed voluntary self-regulation and voluntary commitments is conceptual rather than empirical [@price2000]. While analytically differentiable, these modalities overlapped, co-evolved, and mutually affected each other.

At the beginning, there was the self-regulation that Section 230 of the Communications Decency Act (1996) enabled and encouraged, closely followed by the European Union’s E-commerce Directive (2000). These pieces of legislation granted platforms immunity for content moderation decisions over content produced by third parties. This encouraged the birth of an industry [@kosseff2019, 2] that later expanded across the globe, often through free trade agreements. Moreover, other local regulations and case-law contributed to expanding the practice associating the limitation of liability with international freedom of expression, correctly assuming that immunity created the appropriate incentives for platforms to promote the circulation of speech and ideas of all kinds. [@rau2023; @gonzalezmama2023; @delcampo2025dc].

Companies developed their own sets of rules regarding content, such as terms of service, community guidelines, and internal enforcement structures. These rules were driven at first by business incentives [@article2018, p. 16]. The business model of big social media companies runs on the advertisements they sell. As a result, a platform can only be profitable if it becomes attractive enough so that the largest number of users decide to spend as much time as possible using it, making it appealing for advertisers to place their ads in. Hence, the rules were meant to exclude everything that might turn off advertisers’ desire to put their money on these platforms. When it became clear that these rules had profound effects on freedom of expression, calls for making these rules compliant with human rights standards emerged [@effet.al.2018]. And eventually, companies and practitioners developed the field of Trust and Safety as a space of knowledge, intended to make sense of this complex space of corporate practice [@delcampo2026]. Furthermore, the weight of the United Nations Guiding Principles (UNGPs) on Business and Human Rights further incentivized human rights demands on platforms and also encouraged the creation of new corporate structures, such as those in charge of conducting Human Rights Impact Assessments (HRIAs), due diligence, and human rights policy [@rau2020a; @castañeda2020; @alvarez-ugarte2025], which they adopted as part of their voluntary commitments.

After years of consolidated practices by the Trust & Safety and Human Rights departments within social media companies, and amid the broader process of techlash [@atkinson2019], legislators across the world have become increasingly dissatisfied with what they perceive as the real-world effects of companies’ operations. In particular, the general sentiment of acceptance vis-à-vis the kind of “blanket” immunities provided by Section 230 turned into skepticism first and open criticism afterwards.

Bills and proposals mounted upon competing legal theories, designed to provide a philosophical basis for the plain demand that platforms had to “do more”. These conceptual frameworks ranged from treating platforms as akin to a public forum (in the First Amendment sense of the term) [@gonzalezmama2026] to imposing must-carry obligations [@kuczerawy2025], duties of care [@woods; @britocruz], and risk mitigation obligations [@husovec2023]. Each of these regulatory proposals assumes a certain nature for the platform and its functions, which, in turn, dictates specific functions for the state to carry out under such a framework (Figure 1). At one end of the spectrum, the “public forum” approach, based on the homonymous theory under First Amendment Law —under which the state can establish only “time, place and manner” restrictions, subject to strict scrutiny, on expression that takes place in public spaces, such as parks and sidewalks— considers platforms as digital surrogates of such public spaces. Under this scheme, platforms serve a public function as the main forum for the public conversation and, as such, are, for the most part, shielded against government content-based interventions. More minimalist versions of this theory limit its scope considerably and only understand some elements of platforms as public fora. For instance, in Knight First Amendment Institute v. Trump [@knightvtrump], the Federal Court of Appeals for the Second Circuit found that the comment section of then-President Donald Trump’s Twitter account was a public forum, given that Mr. Trump used his account to make public policy announcements and participate in the public conversation [@gonzalezmama2026].

“Duty-of-care” theories [@woods; @britocruz], such as the one underlying the UK Online Safety Act, are on the opposite end of the spectrum. These consider platforms as potentially dangerous products, and therefore, tech companies must be accountable for the harms produced within the systems they release to the market and administer. This places companies under a private law framework. Under this theory, immunity from liability does not release the companies from their obligations to prevent any foreseeable harm that their products may trigger. In this scheme, the state appears in a more classic command-and-control role, equipped with the capacity to issue the necessary regulations to flesh out the generic duty of care and to oversee its implementation. Closer to public forum doctrine we find proposals that include “must-carry” obligations, such as the one struck down by the SCOTUS in Moody v. Netchoice [@moody], which assume that platforms are private entities performing some kind of public function or essential service and, as such, states can impose more stringent regulations, as is the case with the mail, the telephone, and even cable companies, with the legitimate goal of keeping expression accessible for all voices.

The Digital Services Act of the European Union sits in the middle of the spectrum and, even though it treats platforms as private entities, it also takes stock of their real-life effects by incrementally introducing public law elements to their governance, in accordance with their size and functions. For instance, it requires all intermediaries to apply and enforce its terms of service in ways that take into account the rights (including fundamental rights) and interests of users[@dsa, art. 14]. The European Commission stated that “[v]ery large platforms represent a higher level of societal and economic risk because they have become de facto public spaces, playing a systemic role for millions of citizens and businesses.”[@eucom2020, part 2/2, p. 63; @palumbo2026]. In terms of content management, the DSA adopts a risk-based approach for the largest platforms and search engines, which obliges providers to assess and mitigate the risks arising from both their design and the use made of their services. These risks include, but are not limited to, risks to human rights (which underscores the influence of the UNGPs in the drafting process of the DSA). Under this risk-based approach, the state abandons the command-and-control model of regulation for a “new governance” approach that “​​rel[ies] heavily on informal processes of rule-making and an ongoing dialogue between regulators and regulatees” [@delcampo2025a, p. 239].

\begin{tikzpicture}[
  every node/.style={font=\sffamily},
  axis/.style={->, line width=0.6pt},
  tick/.style={line width=0.6pt}
]

\draw[axis] (0,0) -- (12,0);
\draw[<-, line width=0.6pt] (0,0) -- (-0.5,0);

\draw[tick] (0,0.16) -- (0,-0.16);
\draw[tick] (3.6,0.16) -- (3.6,-0.16);
\draw[tick] (7.2,0.16) -- (7.2,-0.16);
\draw[tick] (10.8,0.16) -- (10.8,-0.16);

\node[above=0.35cm] at (0,0) {Public forum};
\node[below=0.35cm] at (3.6,0) {Must-carry};
\node[above=0.35cm] at (7.2,0) {DSA};
\node[below=0.35cm] at (10.8,0) {Duty of care};

\node[below=1.0cm, text=gray] at (-0.15,0) {$\leftarrow$ public nature};
\node[below=1.0cm, text=gray] at (11.7,0) {private nature $\rightarrow$};

\end{tikzpicture}

Regardless of their differences, all these proposals seek to rein in platforms to resolve a multiplicity of problems of the broader digital environment, regardless of whether such problems preexist or are independent of platforms. Additionally, they all share the common baseline that platforms possess a unique technical capacity to intervene in the digital sphere at scale and in almost real time. So, for instance, it is platforms that can prevent the sharing of hashed child sexual abuse materials (CSAM) or—more mundanely—can calculate and collect VAT on an online purchase. As will be analyzed in the next section, through these regulations, states try to seize these capacities for themselves, sometimes legitimately and sometimes not.

What state-like functions look like in practice

The previous section described a trajectory that one could read as some sort of linear “learning by doing” progression in which each stage corrects some deficiencies of the previous one. This paper resists this interpretation. Instead, we argue that the current regulatory turn—exemplified by the DSA—represents the institutionalization and entrenchment of pre-existing practices. This is problematic, to us, for different reasons. Some of us believe the DSA is especially problematic insofar as it expands the scope of governable speech, reaching into new categories such as harmful but legal speech that fall outside the scope of the law. Others believe that it is the DSA’s enforcement structure that leads to informal governance mechanisms through which states can do, by proxy, what they cannot do directly. And while we generally believe that the DSA can be steered to work in a manner that is consistent with human rights standards, it won’t be accomplished without signaling the risks that the framework poses to freedom of expression online. The unchecked expansion of state power is what concerns us. In that sense, the state-like functions assumed by corporations within the context described in the previous section —a standpoint that organized the call for this conference— is one way of approaching this phenomenon. From our point of view, rather than curbing private power, these legal frameworks formalize a model of ‘outsourced governance’ where private entities are mandated to do the state’s bidding, while remaining decoupled from the democratic accountability mechanisms that bind public power. This section identifies some of the pitfalls of this trend.

The perils of state-mandated censorship by proxy

The codification of pre-existing self-regulation practices into legally mandated obligations creates the mechanisms that states can use to achieve by proxy what they cannot do directly. Statutes like the DSA and the UK Online Safety Act take content governance practices that were allegedly developed voluntarily by large platforms — and transform them into binding legal duties. We will focus on content moderation-related practices. Sometimes this transformation is positive or innocuous from a Human Rights stand point. In other cases, it is problematic. We will specifically focus on the latter. The departure from self-regulation to a more rigid regulatory framework can be better understood as the formalization of what Helmke and Levitsky define as informal institutions: “socially shared rules, usually unwritten, that are created, communicated, and enforced outside officially sanctioned channels” [@helmke2006, p. 5]. Perhaps the clearest manifestation of the existence of this set of expectations were the reactions triggered by Meta’s early 2025 changes in content moderation and their fact-checking program in the United States [@hendrix2025]. These rules, enforced not by courts but through political pressure and public outcry, created a path-dependency where platforms were expected to perform public functions in a specific, albeit non-legally mandatory, manner [@khan2025]. Europe’s voluntary Codes of Conduct and Hate Speech represent a further step towards formalization, and the DSA its culmination. At the time of the drafting and the adoption of the DSA, a set of informal practices and social expectations had emerged regarding how platforms should exercise these quasi-sovereign powers in content moderation [@alvarez-ugarte2025, p. 624]. The current regulatory wave represents the final stage of this process: the formalization of these informal institutions into the law.

The idea that informal rules were later formalized has some descriptive power, but should not lead us to assume that the process was linear. On the contrary, we believe that the self-regulatory paradigm of section 230 sought to encourage the birth of an industry but carried—with it—the expectation that platforms would moderate “moderate pornography, filthy jokes, violent stories, and other words and images that could harm children” [@kosseff2019, 2]. As platforms became more powerful and social harms linked to them became more urgent, companies became increasingly receptive to informal external demands (whether from civil society or governments) and to the establishment of problematic informal channels of communication [@rau2026]. Through these channels, state actors managed to exercise some degree of influence on corporate decision-makers, as former Meta officials acknowledged [@harbath2023]. The DSA came to reign in a de facto power that was not autonomously developed by platforms but, rather, had been developed in close relationship with state officials. In this sense, the DSA could be seen as less of a departure than a continuum with previous practices.

The delegation of certain activities from states to private companies is not necessarily problematic, nor is it suspicious in every case. The problem is that when states mandate content removal, they are exercising speech restrictions that are subject under international law to certain conditions: restrictions cannot constitute prior censorship (except in Europe under absolutely exceptional circumstances) and must satisfy the rigorous three-part test of legality, necessity, and proportionality mandated by International Human Rights Instruments (ICCPR, ECHR, IACHR, etc.)[@cidh2024]. When states delegate the power to restrict under ambiguous and unclear duties of care and duties to adopt “mitigation” measures, those constitutional and human rights constraints are brushed aside.

Usually, statutes like the DSA or the UKOSA do not mandate the specific removal or demotion of discrete pieces of content. The duties are for platforms to act in such ways that risks are identified and mitigation measures adopted or care taken to avoid the harms. Failure to do so will enable liability. In this structure, the mitigation measure adopted or the means to diligently deal with risk may very well be the eraser of content, its demonetization, or simply its exclusion from a recommender system. The decision on the measure rests with the company. This shift poses a fundamental human rights problem.

Imposing on companies the burden of moderating content in more or less precise directions is a way for states to perform speech control. Such control will be illegitimate under human rights standards except when restrictions are clear and respect the three-part test. The state cannot control speech through censorship -or content removals, or blockings. On the other hand, companies can block content as they see fit, either as part of their own exercise of free speech or as part of its business decisions -i.e., YouTube Kids. Moreover, if those content moderation norms that are built into law expand beyond illegal and into harmful-but-legal content, the problem aggravates. In these cases, states would be imposing companies’ speech control obligations over content they cannot legally restrict themselves. This is true even when, in essence, the task mandated by law is for companies to do what they used to do voluntarily and for their own reasons —either commercial or to maintain good relations and collaborate with governments —, regarding content they consider obscene, harassing, or otherwise objectionable. This dynamic affects the way state-like functions are exercised by companies.

Take, for instance, the DSA’s risk-based approach, which mandates some intermediaries to identify, assess, and mitigate “systemic risks” that are defined through broad and vague enough categories that sometimes encompass legally protected speech [@delcampo2025a]. As part of the mitigation measures to curb undesirable —albeit not always illegal [@delcampo2025a]— expression, the DSA imposes the duty of “adapting their terms and conditions and their enforcement”[@dsa, art. 35.1.b]. As a result, new obligations arise for very large online platforms and search engines to establish and apply rules on expression, including the exclusion of certain expressions that are not necessarily illegal but could have adverse consequences for society in general. This is the mechanism through which speech restriction categories grow. Harmful but legal speech becomes de facto illegal, at least within the context of platforms’ quasi-legislative functions. It also creates an incentive for platforms to over-remove content rather than providing a more ample space for debate and risking the imposition of legal penalties, while escaping the legal scrutiny any direct state action would merit [@delcampo2025a].

The codification of previously self-regulatory practices also affects the quasi-judicial functions of platforms. Article 10(3)(b) of the UK Online Safety Act establishes a duty for user-to-user services to “operate a service using proportionate systems and processes designed to (…) where the provider is alerted by a person to the presence of any illegal content, or becomes aware of it in any other way, swiftly take down such content.” [@ukosa, art. 10.3.b] In a similar vein, Article 9 of the DSA requires providers of intermediary services to “act against one or more specific items of illegal content”, upon receipt of an order issued by “the relevant national judicial or administrative authorities, on the basis of the applicable Union law or national law in compliance with Union law” [@dsa, art. 9]. Before the enactment of these laws, platforms would already include rules within their terms and conditions that prohibited posting illegal content. Therefore, when encountering a piece that could potentially be found to infringe the law, they would usually remove it, mostly on terms of service grounds. Article 10(3)(b) of the UKOSA and Article 9 of the DSA formalize what platforms had already been doing: acting upon potentially illegal content upon receiving a report.

Service providers are now obliged by law to exercise quasi-judicial authority to assess the illegality of content themselves, a task they are ill-qualified to perform, especially without hearing the parties involved and under the additional time constraints these statutes impose. What used to be a discretionary exercise of content moderation, allowed by their legal immunities for third-party posted content, became a legal obligation to adjudicate legality upon receipt of a notice by an administrative authority [@dsa, art. 9] or any person [@ukosa, art. 10.3.b]. Companies can develop their own adjudicative structures—like Meta tried with its Oversight Board—but there are inherent limits to these private-law mechanisms that attempt to mirror public-law institutions [@alvarezugarte2025]. And these structures are foreign to the need to automate decision-making in order to deal with the problems of speed and scale that the internet uniquely poses.

Problems associated with the outsourcing of the state’s human rights duties

Perhaps one of the most overlooked aspects of the current regulatory trend on intermediary liability is the way human rights obligations stemming from international human rights treaties inform new legal frameworks. To recall, international human rights obligations primarily obligate the states that signed and ratified the treaties that bind them. The responsibility to respect and guarantee human rights rests with them, within their jurisdiction [@ICCPR; @ruggie2008; @larue2011, para. 45]. Transnational corporations have largely managed to escape these framework obligations. First, because the international treaty on business and human rights has been stuck in the United Nations system for decades, because of a lack of agreement between central countries (which export TNCs) and peripheral countries (which receive them). Second, because the United Nations Guiding Principles on Business and Human Rights that emerged as an answer to said gridlock is, beside its best intentions, a voluntary, non-legal framework [@ruggie2008]. States could legislate so that companies are bound by human rights law and in fact they are mandated to do so through their duties to respect and guarantee human rights. The DSA or the UKOSA are defended by many on these precise grounds: the states passing these statutes are fulfilling their duty to guarantee human rights by making corporations liable for the human rights violations they facilitate. So far, so good. The problem lies in the translation of standards designed for the state to private parties or the outsourcing of public duties and obligations to private enforcers.

There is an increasing expectation that platforms apply the freedom of expression three-part test of legality, legitimacy, necessity, and proportionality — originally designed to constrain state restrictions on freedom of expression [@hrc2011] — in their content moderation practices in accordance with their due diligence obligations [@kaye2018; @cidh2024; @trumposb2021; @breastosb2021; @esperanzagomez]. While this development can be understood as an effort to align platform governance with the obligation to respect human rights under the UNGPs [@article2018], it raises significant challenges that need to be addressed. As with any “transposition” of a state-like function to private actors, their adoption and implementation must be carefully calibrated in order not to produce incoherent results or to become inoperable. As some authors have pointed out, platforms do not in practice apply the test in its full structure [@lwin2020].

Our analysis will focus on the application of the three-part test to content moderation practices in the exercise of legislative-like and judicial-like functions by platforms. A key caveat is that—unlike states where such powers are institutionally separated by checks and balances—platforms exercise rule-making and adjudicatory functions without any institutional separation. The legislative-like function of platforms has been commonly identified in the literature as Terms of Service and Community Guidelines (ToS), while the judicial function has been identified with the implementation of content moderation restrictions and the evaluation of these decisions by appeals processes [@lwin2020].

As to the legality of the ToS, it should first be noted that some of the most successful internet-based services work with content-moderation and decision-making systems that explicitly reject the idea of being tied to clear and strict rules, and rather adhere to broad but shared principles [@wikipedia_principles]. It is unclear why strict attachment to rules and principles of legality should be transposed to the governance of online spaces. But, if platforms had to comply with the requirement of legality, then they must make sure that ToS restrictions are clear, accessible, and foreseeable by “law”. This is the first and most salient challenge. The term “law” for the purposes of interpreting these human rights obligations refers to participative, transparent and constitutionally established means to adopt laws in democratic societies. None of the above applies to platforms’ ToS drafting. Furthermore, they can, and are even expected in many cases, to be vague and open-ended [@rozindosandoli2021], modified unilaterally, and lack foreseeability [@quintais2023]. Although today it may seem outdated in a report in 2018 Kaye noted that in order for companies to respect the principle of legality they should “explain their rules in more detail with aggregate data illustrating trends in rule enforcement, and examples of actual cases or extensive, detailed hypotheticals that illustrate the nuances of interpretation and application of specific rules” [@kaye2018]. More recently in 2025, the Colombian Constitutional Court also recognized that “the legality requirement, as part of the three-part test for restrictions on freedom of expression, faces a significant conceptual challenge when applied to content moderation by Internet platforms” [@esperanzagomez].

In the case of platforms, when speech restrictions are not related to prohibited discourses under international human rights law [@cidh2025; @cidh2024], they fall on the commercial interest of platforms (or First Amendment rights in some jurisdictions) [@douek2020] and, therefore, can be more restrictive than any state-mandated restriction. For instance, we can find different standards on the prohibition of nudity across platforms. If we turn to the adjudicatory function of platforms in content moderation, some demand that the decisions adopted therein comply with this principle and be justified on their own ToS. [@lwin2020; @cidh2024].

The legitimacy requirement also encounters some issues when transposed to private actors, both in the legislative and adjudicatory functions. States need to justify what legitimate aim among those expressly contemplated in Article 19 ICCPR, or 10 of the ECHR, or 13 of the ACHR they pursue, when they restrict freedom of expression. Unlike states, companies are driven by commercial purposes and engagement rather than legitimate public aims. While companies are increasingly expected to articulate reasons for restricting content, the notion of “legitimacy” as developed in IHRL presupposes a closed set of publicly defined aims. This feature does not translate well to private actors, whose objectives are plural, internally defined, and not grounded in democratic authorization. This is no surprise, provided the test was designed to discipline state action and not to legitimize private governance of speech.

Regarding the necessity and proportionality requirements, companies are expected to apply the least restrictive measures to freedom of expression as a general principle [@cidh2024; @kaye2018]. However, as Lwin points out, companies tend to conflate the two into the vague category of “risk of harm,” which allows them to avoid any justification of a demonstrable need to protect a legitimate interest and to claim that the adopted measure is the least restrictive to freedom of expression[@lwin2020]. Moreover, platforms may invoke the use of the test in order to legitimize their content decisions without being subject to the same institutional constraints as states [@quintais2023]. Hence, the test can be co-opted by companies in a performative way, allowing them to “‘bluewash’ their content moderation policies”[@vandekerkhof2024].

In their legislative-like functions, platforms should comply with the three-part test requirements when defining the conditions under which speech may be restricted, users suspended, content demonetized, or visibility and reach reduced—ideally through a graduated framework of measures[@cidh2024]. Under this approach platforms would also need to comply with these requirements when they make an adjudication decision in content moderation that restricts speech. If we accept Douek’s point that content moderation decisions are not only a matter of proportionality but also a matter of probability[@douek2020], given the speed and scale these decisions are made, one may ask whether platforms need to comply with these requirements every time they moderate content. Furthermore, we would need to reassess what we actually mean by “comply”, particularly if they have to take into account the potentially disproportionate impact of their decisions, not only on individual users but on the broader digital ecosystem they govern[@cidh2024]. This concern is particularly salient in the context of automated content moderation, where decisions may be taken without adequate contextual assessment.

In this section, we sought to highlight that the transposition of traditional human rights standards for speech restrictions to private actors raises some issues and inconsistencies that require further assessment. Therefore, we believe that a more nuanced approach would be desirable when requiring intermediaries to apply the three-part test[@bsr2021] and further argue that transparency is a fundamental requisite for platform governance [@lwin2020; @douek2020].

Conclusion

The assumption of state-like functions by platforms described in the previous section is not natural or casual, but rather a result of deliberate political choices made over time. What began as a legal architecture that enabled platforms to engage in private “housekeeping” tasks—i.e., managing user-generated content for commercial reasons, under the immunity conditions granted by Section 230 of the CDA and the e-Commerce Directive—has evolved into the delegation to private, profit-seeking actors of functions that states themselves are called to perform, generally devoid from the human rights and constitutional safeguards associated with state action. States have codified corporate self-regulatory practices into law, thus mandating platforms to perform quasi-public functions previously carried out voluntarily. This, as we showed, is problematic in three ways. First, trust and safety practices are imbued with a corporate logic oriented towards private objectives rather than solving public policy goals. Companies’ practices need to remain flexible and able to adapt. The institutionalization of these practices into legal mandates can work against this. Second, state mandates on companies to carry out content moderation duties create serious risks for the right to freedom of expression, particularly when states use the UNGPs and IHRL framework as a vehicle to outsource state-like functions onto private actors. Such mandates need to be scrutinized under the three-part test of legality, necessity, and proportionality required under International Human Rights Law, which means that, as a matter of law, risk assessment and mitigation obligations cannot be used as instruments to circumvent legal obligations that bind state action [@delcampo2025a, @councilofeurope2026].

As we argued in Section III.a, by imposing duties of care, risk mitigation obligations, and takedown duties on platforms, states can achieve by proxy what they cannot do directly: restricting speech without being subject to the three-part test of legality, necessity, and proportionality required under International Human Rights Law. This problem is compounded when mandated content moderation extends beyond illegal content into harmful but legal speech, effectively allowing states to conscript platforms into restricting expression they could not lawfully restrict themselves. The formalization of informal governance practices—through instruments like the DSA and the UK Online Safety Act—does not resolve this problem; it entrenches it.

When states outsource their human rights obligations and institutional functions to private intermediaries, even when they establish some kind of oversight over their activity, they create an appearance of governance but elude their accountability. Platforms are private actors that lack separation of powers, democratic legitimacy, or judicial review. They don’t have the institutional architecture and standing to bear those constraints. The result is that human rights end up being enforced —or not— by private actors, which are not only not equipped to ensure them but also not obligated to ensure them the same way states do, and who are not subjected to the scrutiny and the procedural constraints of public law that guide state action.

Third, as we argued in Section III.b, the transposition of human rights standards originally designed to constrain state action onto private actors raises structural problems that cannot be resolved through mere analogy. The three-part test—legality, legitimacy, necessity, and proportionality—presupposes institutional features that platforms simply do not have: democratic authorization, separation of powers, transparent and participatory rule-making, and judicial review. Platforms exercise legislative-like and adjudicatory functions simultaneously, without checks and balances, and driven by commercial rather than public objectives. Requiring platforms to apply the three-part test without accounting for these structural differences risks producing incoherent results—or worse, allowing companies to invoke the test performatively, bluewashing their content moderation policies without being subject to the same institutional constraints as states.

We do not propose to abandon regulation, but to reorient it. Legislators and enforcers must also take stock of the difference between private initiative and state mandates, and reassume for the state the obligation to ensure the enjoyment of human rights for all. This reorientation requires great care in whether and how the three-part test is invoked and used in platform governance. As we mentioned before, the test was designed to discipline state action. The transposition to private actors without any adjustments raises structural problems that should not be ignored. On the contrary, the issues regarding legality, legitimacy, necessity, proportionality, and constitutional and IHLR constraints should be addressed head-on. A more nuanced approach that preserves the test’s protective function of users’ speech while addressing the structural differences between the state and corporations.

Finally, regulations must reserve a space for platforms to make their own content governance decisions without being conscripted into performing state-like functions. Companies should be able to moderate legal content as they deem appropriate, as part of their right to freedom of expression (where applicable)[@douek2020], following their business model, their editorial discretion, and/or their ethical commitments. Raising these corporate practices to legal mandates will not bring about the much-needed solution for pressing public needs. The problem this paper has identified is that states are increasingly using platforms’ content moderation mechanisms as a means to achieve public ends they cannot pursue directly, or even if they could, would be burdensome to accomplish. Regulating the platform ecosystem is a compelling issue for states. However, such regulation must strictly adhere to at least two principles derived from International Human Rights Law: (i) that any state mandate that affects the user’s right to freedom of expression is established by law, necessary and proportionate, even when it is addressed to or implemented by platforms, and (ii) that the obligation to ensure Human Rights falls upon the states and cannot be outsourced to third parties through the back door of content moderation regulation.