Has the CJEU quietly changed the conditions for safe harbour availability?

Kat on the beach

Right before the summer break, on 7 August last, when most people had already turned their out-of-office auto-reply on or were getting ready to move to the beach, the Court of Justice of the European Union (CJEU) issued quite an interesting ruling - SNB-REACT, C-521/17 - concerning enforcement of IP rights under Article 4(c) of the Enforcement Directive and the availability and scope of the safe harbours under the E-Commerce Directive.

Background

This referral from Estonia was made in the context of proceedings that a collecting society, SNB-REACT, had initiated against an individual, Deepak Mehta, concerning the latter's alleged liability for infringement of the IP rights of 10 trade mark owners. 

According to SNB-REACT, Mehta had allegedly registered a number of IP addresses and internet domain names, which unlawfully used signs identical to the trade marks owned by SNB-REACT members, together with websites unlawfully offering for sale goods bearing such signs. 

Mehta, however: (1) denied that he had registered the IP addresses and domain names challenged by the claimant; (2) even if he owned 38,000 IP addresses, he had rented them to third-party companies; and (3) this activity should be regarded as akin to that of a service providing access to an electronic communications network, together with an information transmission service, being - as a result - eligible for the safe harbour protection under the Estonian provisions corresponding to Article 12 to 14 of the E-Commerce Directive.

At first instance, SNB-REACT's action was dismissed on grounds that, first, it would lack standing to bring legal proceedings in its own name to enforce its members' rights and, second, Mehta was eligible, as an information society service provider, for the safe harbour protection.

SNB-REACT appealed to the Tallinn Court of Appeal, which made a reference to the CJEU and asked:

(1) Is Article 4(c) of [the Enforcement Directive] to be interpreted as meaning that Member States are required to recognise bodies collectively representing trade mark proprietors as persons with standing to pursue legal remedies in their own name to defend the rights of trade mark proprietors and to bring actions before the courts in their own name to enforce the rights of trade mark proprietors?
(2) Are Articles 12, 13 and 14 of [the E-commerce Directive] to be interpreted as meaning that even a service provider whose service consists in registering IP addresses, thus enabling them to be anonymously linked to domains, and in renting out those IP addresses, is to be regarded as a service provider within the meaning of those provisions to whom the exemptions from liability provided for in those articles apply?’

The CJEU answered both questions in the affirmative, without seeking the prior Opinion of the appointed Advocate General (Wathelet). 

Here's how it reasoned.

Standing of a collecting society

Article 4(c) of the Enforcement Directive provides that:

Member States shall recognise as persons entitled to seek application of the measures, procedures and remedies referred to in this chapter [...] intellectual property collective rights-management bodies which are regularly recognised as having a right to represent holders of intellectual property rights, in so far as permitted by and in accordance with the provisions of the applicable law

The Court deemed it necessary to clarify the meaning of ‘applicable law’ and ‘as permitted’ in that provision:

• First, the expression 'applicable law' refers to both EU and national laws, as appropriate. 
• Second, Member States do not enjoy unlimited discretion as to whether or not recognize collecting societies as having standing.
• Third, as is apparent from Recital 18 in the preamble to the Enforcement Directive, EU law intended to grant standing also to those having a direct interest in the defence of third-party IP rights.

It follows that, where a collecting society is regarded by national law as having a direct interest in the defence of its members' rights and that law allows that body to bring legal proceedings, the Member States are required to recognize such collecting society as a person entitled to seek application of the measures, procedures and remedies provided for by the Enforcement Directive, and to bring legal proceedings for the purpose of enforcing such rights.

Liability of providers of IP address rental and registration service

Turning to the second question, the CJEU provided a recap of the conditions at which the safe harbours within Article 12 to 14 of the E-commerce Directive apply.

Notion of 'information society service'

First, the Court tackled the question whether the provider of an IP address rental and registration service could be deemed an information society service provider for the sake of the E-commerce Directive. The Court noted how this notion is fairly loose, in that the concept of ‘information society service’ refers to services which are provided:

• at a distance, 
• by means of electronic equipment for the processing and storage of data, 
• at the individual request of a recipient of services, 
• normally in return for remuneration. 

It is a notion that includes services contributing to facilitating relations between persons engaged in online sales activities and their customers. 

The CJEU found that it did not have sufficient evidence to determine whether a service like that one at issue in the background proceedings would fall within the notion of information society service, but it appeared not to exclude it. 

Availability of safe harbours

Then the CJEU turned to consideration of the conditions at which the 'limitations of liability' [note that the Court used the term 'limitations'], aka safe harbours under the E-commerce Directive, apply. And here the Court provided a 'checklist'.

What one needs to do is in fact the following:

1. Identify whether the information society service at issue consists of mere conduit (Article 12), caching (Article 13) or hosting (Article 14);
2. Review whether the conditions for the safe harbour for the specific service at issue are satisfied.

For all three scenarios, the safe harbour only applies where the activity of the information society service provider is of a mere technical, automatic, and passive nature. This implies that that service provider has neither knowledge of nor control over the information which is transmitted or stored by the persons to whom he provides his services. 

By contrast, those limitations of liability do not apply in the case where a provider of information society services plays an active role, by allowing its customers to optimise their online sales activity. [para 48]

It's impossible to speak of safe harbours
without at least a (cheerful) sailor Kat pic!

When is the safe harbour trumped?

At this point of the judgment, things become a bit more interesting (or troubling, depending on one's own perspective), in that the CJEU stated [para 50]:

it is for the referring court to satisfy itself, in the light of all relevant facts and evidence, as to whether such a service provider has neither the knowledge of nor control over the information transmitted or cached by his clients and whether he does not play an active role by allowing them to optimise their online sales activity.

This paragraph is quite ambiguous. The reasoning appears construed in light of landmark safe harbours decisions like Google France and L'Oréal, yet the wording is not the same. In those cases the CJEU linked the active role of the provider which excludes the availability of the safe harbour to knowledge of or control over of third-party information. In Google France the Court held [para 120, emphasis added]:

Article 14 of Directive 2000/31 must be interpreted as meaning that the rule laid down therein applies to an internet referencing service provider in the case where that service provider has not played an active role of such a kind as to give it knowledge of, or control over, the data stored. If it has not played such a role, that service provider cannot be held liable for the data which it has stored at the request of an advertiser, unless, having obtained knowledge of the unlawful nature of those data or of that advertiser’s activities, it failed to act expeditiously to remove or to disable access to the data concerned.

Similarly in L'Oréal the Court stated that [para 113, emphasis added]:

Where, by contrast, the operator has provided assistance which entails, in particular, optimising the presentation of the offers for sale in question or promoting those offers, it must be considered not to have taken a neutral position between the customer-seller concerned and potential buyers but to have played an active role of such a kind as to give it knowledge of, or control over, the data relating to those offers for sale. It cannot then rely, in the case of those data, on the exemption from liability referred to in Article 14(1) of Directive 2000/31. 

In those cases the logic was the following:

active role → knowledge of or control over information → unavailability of safe harbours

While in SNB-REACT the process is different [see also para 52 of the judgment]:

knowledge of or control over information + active role (eg optimization of online sales activities) = unavailability of safe harbours

Comment

As it appears to be the case when the Court decides without the prior Opinion of the appointed AG, the resulting reasoning is not as straightforward as one would wish. 

The approach to the definition of the conditions for excluding the availability of the safe harbours is telling: are paragraphs 50 and 52 in the judgment just the result of rather imprecise writing or has the Court, instead, inaugurated a new approach to the definition of the conditions for the E-commerce safe harbours? 

The answer is ... till the next preliminary ruling!