
Thursday, 15 September 2016

BREAKING: CJEU says that free Wi-Fi provider is not liable for third-party copyright infringements but may be required to password-protect its network to terminate infringements

Wow, what a rollercoaster of emotions the past few days have been for EU-based copyright enthusiasts!

After last week's GS Media decision [here, here, here] in Luxembourg and yesterday's copyright package in Brussels, today it is back to Luxembourg again for the judgment of the Court of Justice of the European Union in Mc Fadden, C-484/14 [the decision is not yet available on the Curia website, but here's the press release] [UPDATE at 11:12: the judgment is now available on the Curia website].

This blog has followed this case for a while, after reporting for the first time on this reference for a preliminary ruling from the Landgericht München I (Regional Court, Munich I, Germany) in late 2014 (and also hosting the open 'Save our open WiFi' letter penned by the Electronic Frontier Foundation in 2015).

What is this case about?

In a nutshell, this case required the CJEU to clarify who can be considered an intermediary for the sake of the ECommerce Directive and what remedies can be sought against intermediaries - notably mere conduit (access) providers - that enjoy the so-called safe harbour protection ex Article 12 of the ECommerce Directive.

More specifically, as Advocate General (AG) Szpunar explained in his Opinion [here], the issues for the CJEU to address were the following:

Is a professional who, in the course of business, operates a Wi-Fi network that is accessible to the public free of charge providing an information society service within the meaning of Directive 2000/31/EC? [so, more generally: who's an intermediary within the Ecommerce Directive? A recent - non-IP - instance in which this very question was addressed is Papasavvas, an online defamation case]
To what extent may his liability be limited in respect of copyright infringements committed by third parties? [to whom the Ecommerce Directive safe harbours apply and to what extent?]
May the operator of such a public Wi-Fi network be constrained by injunction [in this case, copyright being the relevant IP right at hand, an injunction pursuant to Article 8(3) of the InfoSoc Directive] to make access to the network secure by means of a password?
The last question raises an additional one, ie: who has to bear the costs of implementing such injunction?  As readers know, this point is not of secondary importance: for instance, in the UK, it has prompted the dissent of Briggs LJ in the recent Court of Appeal judgment in Cartier [here].

Tobias Mc Fadden

This reference for a preliminary ruling was made in the context of proceedings between Sony and a person (Tobias Mc Fadden) who operates a business selling and renting lighting and sound systems for various events.

Mc Fadden owns a Wi-Fi connection that is open to anyone to use, as it is not protected by any password. The main reason why Mc Fadden provides password-free free internet access is to drive traffic to his website and encourage customers to visit his shop.

In 2010 that connection was used by someone other than Mc Fadden to download unlawfully a musical work to which Sony owns the copyright. Following Sony’s formal notice, Mc Fadden sought a negative declaration from the referring court. 

That court dismissed the action and upheld Sony’s counterclaim, granting an injunction against Mc Fadden on the ground of his direct liability for the infringement at issue and ordering him to pay damages, the costs of the formal notice, and costs.

Mc Fadden appealed that decision, arguing that the provisions of German law transposing Article 12(1) of the ECommerce Directive would shield him from liability for third-party infringements. 

The Regional Court held the view that Mc Fadden would not be directly liable, but rather indirectly liable according to the German doctrine of Störerhaftung [which the German Government apparently wishes to abandon soon], on the ground that his Wi-Fi network had not been made secure. This court decided nonetheless to stay the proceedings and seek guidance from the CJEU on the issues outlined above.

The AG Opinion

In his Opinion of 16 March 2016, AG Szpunar held the view that to determine whether one could be regarded as an information society service/ISP/intermediary [the AG suggested that these terms are synonyms] one should consider the nature - economic or not - of the service offered.

He concluded that the provision of internet access is normally to be regarded as an economic activity, even if such provision is for free and an ancillary service to someone's principal activity.

Having held that someone like Mc Fadden should be regarded as an intermediary, the AG found that it follows that the safe harbour in Article 12 of the Ecommerce Directive applies. 

In any case, the presence of a safe harbour does not prevent a rightholder from seeking an injunction against an ISP: “it is clear from a combined reading of paragraphs 1 and 3 of Article 12 of Directive 2000/31 that the provisions in question limit the liability of an intermediary service provider with respect to the information transmitted, but do not shield him from injunctions.” [para 69]

While injunctions against intermediaries can be sought independently from a finding of civil liability [para 86], their content cannot go as far as requiring its addressee to terminate or protect the internet connection by means of a password or examine all communications transmitted through it.

As regards the hot potato issue of costs, the AG held that, since an intermediary cannot be held liable for an IP infringement committed by a user of its services, it cannot as a result be asked to bear pre-litigation and court costs. Holding otherwise "could potentially have the same punitive effect as an order to pay damages and could in the same way hinder the development of the intermediary services in question." [para 77]

The AG also held that the safe harbour regime "precludes the making of orders against intermediary service providers not only for the payment of damages, but also for the payment of the costs of giving formal notice or other costs relating to copyright infringements committed by third parties as a result of the information transmitted." [para 80 - as I noted here, in my own opinion, the phrase “other costs” might include the costs of implementing an injunction, including a blocking injunction].

Today's decision

It appears that in today's decision the CJEU followed the AG Opinion on some points, but took a different approach on others. One of the most significant points of departure is that, unlike the AG, the Court held that a provider of password-free, free Wi-Fi may be asked to password-protect its network to bring infringements to an end.

According to the relevant press release:

"In today’s judgment, the Court holds, first of all, that making a Wi-Fi network available to the general public free of charge in order to draw the attention of potential customers to the goods and services of a shop constitutes an ‘information society service’ under the directive. 

Next, the Court confirms that, where the above three conditions are satisfied [ie: (i) the provider of the mere conduit service must not have initiated the transmission; (ii) it must not have selected the recipient of the transmission; and (iii) it must neither have selected nor modified the information contained in the transmission], a service provider such as Mr Mc Fadden, who provides access to a communication network, may not be held liable. Consequently, the copyright holder is not entitled to claim compensation on the ground that the network was used by third parties to infringe its rights. Since such a claim cannot be successful, the copyright holder is also precluded from claiming the reimbursement of the costs of giving formal notice or court costs incurred in relation to that claim.

However, the directive does not preclude the copyright holder from seeking before a national authority or court to have such a service provider ordered to end, or prevent, any infringement of copyright committed by its customers. [but, in light of the above, who bears the costs of implementing an injunction?]

Lastly, the Court holds that an injunction ordering the internet connection to be secured by means of a password is capable of ensuring a balance between, on the one hand, the intellectual property rights of rightholders and, on the other hand, the freedom to conduct a business of access providers and the freedom of information of the network users. The Court notes, in particular, that such a measure is capable of deterring network users from infringing intellectual property rights. In that regard, the Court nevertheless underlines that, in order to ensure that deterrent effect, it is necessary to require users to reveal their identity to be prevented from acting anonymously before obtaining the required password.

However, the directive expressly rules out the adoption of a measure to monitor information transmitted via a given network. Similarly, a measure consisting in terminating the internet connection completely without considering the adoption of measures less restrictive of the connection provider’s freedom to conduct a business would not be capable of reconciling the abovementioned conflicting rights."

This looks like a truly landmark decision. A more detailed analysis will be provided as soon as the judgment is made available: stay tuned! 


Anonymous said...

"... for instance, in the UK, it has prompted the dissent of Jackson LJ in the recent Court of Appeal judgment in Cartier [here]."

I think you mean the dissenting judgment from Briggs LJ, not Jackson LJ.

Eleonora Rosati said...

Yes, sorry!

Anonymous said...

On the face of it this looks like a good decision. Clearly there was no political influence over this one….

Mirko Brüß said...

Once again (as seen last week for the GS Media case), the CJEU has decided quite differently than the AG's opinion.

Wi-Fi operators will need to password-protect their networks and obtain the true identity of users who want to use the network. If they fail to do this, they can be liable to reimburse the costs of giving formal notice and/or court costs incurred in relation to a claim by the copyright holder.

Anonymous said...

And how will a Wi-Fi operator be able to obtain the true identity? A simple form on a login-page shouldn't suffice as it can be filled in with wrong information.

An ID-check & fill-in by an employee will make public Wi-Fi spaces obsolete as it would take too long and be too costly for an average coffee bar. Not to mention privacy-objections to giving out ID-information to multiple businesses, sure is an easy way for the multinationals to obtain a lot of data for free. This ruling effectively kills public Wi-Fi.

The Cat that Walks by Himself said...

Re: An ID-check & fill-in by an employee will make public Wi-Fi spaces obsolete as it would take too long and be too costly for an average coffee bar. Not to mention privacy-objections to giving out ID-information to multiple businesses, sure is an easy way for the multinationals to obtain a lot of data for free. This ruling effectively kills public Wi-Fi.

Things do not have to be so desperate.

Some time ago, I wrote about some sort of Internet ID for people. It can be implemented in many different ways.
One of them, you receive an ID with purchasing a mobile phone or a mobile phone contract.

Anonymous said...

What a coincidence:

The Pigs said...


You do not escape the identity issue by stretching the chain of that identifying mechanism.

Either you have "identity protection" (which equates to the ability to provide false identity) or you have to surrender your true identity (which means loss of identity protection).

There is NOT a third option to this purely binary point.

The Cat that Walks by Himself said...

Re: You do not escape the identity issue by stretching the chain of that identifying mechanism.

But one can significantly limit the category of those who will be able to work with an unencrypted identity info ...
Thereby, the identity will get protected to a certain technical level.

The Pigs said...


You really want to believe that in the post-Snowden era...?

You are either of two rather unsavory things and either of which removes any credibility in your position.

query said...

Applying this to a UK context, how could McFadden have been liable - assuming he wasn't the one who downloaded/uploaded/whatevered the copyrighted material?

In other words, how does an internet provider infringe copyright if a user of their wifi does so? There's no copying on their part, no broadcast, no transmission, etc. Am I missing something? Is this whole question of the mere conduit defence completely irrelevant in the UK?
