Protections for public Wi-Fi providers affirmed by ECJ
A recent case in the European Court of Justice (ECJ) considered whether a business owner in Germany, who provided a public, open, Wi-Fi network, should be liable for the copyright infringements carried out by members of the public using the network[1].
In 2010 an individual used the Wi-Fi network to download music unlawfully. The German court, which first considered the case, accepted that the business owner, Tobias McFadden, did not directly infringe the copyright in the music but considered whether he was liable for indirect infringement by facilitating the infringement. The case was referred to the ECJ on the basis that a finding of liability for indirect infringement could be incompatible with the protections afforded to service providers in the E-commerce Directive 2000/31 (the Directive).
The ECJ found that the Wi-Fi network offered by McFadden qualified as an ‘information society service’ under the Directive. Providers of an information society service benefit from the ‘mere conduit’ defence, which exempts intermediary network providers from liability for the infringing acts of third-party users, provided that the provider is a passive facilitator of services and has no knowledge of the infringing acts.
The ECJ found that these conditions were satisfied in McFadden. However, the court also found in such circumstances that copyright holders could be entitled to secure the co-operation of the provider to prevent or limit the infringing acts. In this case, the court found nothing in the Directive which would prevent the claimant from seeking other remedies, including granting an injunction to compel McFadden to password protect the Wi-Fi service and require users to declare their identity, to act as a deterrent to those users who would otherwise be able to carry out unlawful acts anonymously.
It is worth noting that the findings of the ECJ deviate (in part) from the opinion provided by the Advocate General (AG), which found that service providers should not be compelled to password protect Wi-Fi services (although both the AG and the ECJ agreed that the provider should not be liable for copyright holders’ losses, or be compelled to withdraw the Wi-Fi service). The court found that its approach was an appropriate balance between upholding an intermediary Wi-Fi provider’s rights under the Directive and those of the intellectual property rights holders.
The ECJ’s finding mirrors the court’s approach in L’Oréal SA v eBay International AG, in approving the use of injunctions to curtail demonstrably infringing activity of users of the intermediary platform (in this case, users selling counterfeit goods bearing L’Oréal trade marks). However, the court also found that a proportionate approach should be taken so that intermediaries, such as eBay, would not have to withdraw their services completely, or check every item users offered for sale on the platform.
What does this mean for public Wi-Fi network providers?
The prospect of rights holders bringing claims is only likely to increase given the proliferation of Wi-Fi services, and because providers present a more attractive target for litigation, being easier to identify and likely to have deeper pockets.
Providers can take comfort in the general finding that they will not be liable for the losses incurred by rights holders but, given that the judgment required McFadden to apply security measures, providers may wish to minimise the risk of liability by password protecting such services and collecting certain personal data sufficient to deter users from carrying out infringing acts. The judgment also confirms that rights holders have other remedies available to them, including injunctions, which could require providers to take such steps as may be deemed appropriate on a case-by-case basis.
Issues for lawyers to consider
- Terms of use/AUP: McFadden is a reminder that Wi-Fi access, whether public or otherwise, should be subject to the acceptance of terms of use. Such terms should include the standard warranties given by users that they shall not use the service to carry out any unlawful acts, with users required to positively confirm that such restrictions have been understood. Given the rise in malware and ransomware attacks on users of public Wi-Fi networks, providers should also include relevant disclaimers in the terms of use.
- Data protection: In McFadden, the ECJ also required the provider to collect personal information from users. Providers should consider their obligations under relevant data protection legislation, including lawful processing, the implementation of adequate technical safeguards for such data, the duration of data retention, and its use in connection with marketing activities. Providers may also wish to reserve the right to disclose an infringing user’s details to a rights holder in the event of a claim.
- Commercial public Wi-Fi providers: Where a provider is making Wi-Fi services freely available on a commercial basis (for example to shoppers on behalf of a shopping centre, or to employees in an office block on behalf of the employer) the provider will also have to consider the terms between it and the organisation or business on behalf of which it makes the service available. Providers should consider whether to bear the risk of claims for infringement (in the relatively unlikely event the provider is found to be liable) or whether to back off their liability against the organisation or business. This issue is more likely to be relevant if such organisation or business has a degree of control over the users – for example, if the users are employees. In such circumstances, the provider may seek indemnity protection for losses it incurs due to the infringing acts of users.
[1] McFadden v. Sony Music Entertainment Germany GmbH, Case C-484/14.