CJEU sheds light on liability for operators of open Wi-Fi networks (Case C-484/14 Mc Fadden v Sony Music)

By Bernd Justin Jütte

One week after the Court of Justice (CJEU) handed down its Judgment in GS Media (see for a comment here), it has ruled on another important copyright case. In Mc Fadden v Sony Music the Court followed the Opinion of AG Szpunar (see for comment on this blog here) to a large extent while disagreeing on two crucial points. It decided that the operator of an open wireless network provides an ‘information society service’ (ISS) within the meaning of Article 14 E-Commerce Directive if he provides access to the network as part of his economic activities. This means he can avail himself of the liability exemption laid down in that provision. However, the operator of a wireless network can be required to protect the network with a password in order to deter users from infringing the rights of copyright holders. The Court further decided that the right holder can claim from network operators the costs related to an injunction (e.g. to prevent future infringements), but not the costs related to claims for primary infringements of copyrights by the users of the Wi-Fi network.


The facts of the case are as follows. Mr Mc Fadden is the owner of a store that sells and leases sound and lighting equipment. As part of his business, in order to attract customers, he operated an open wireless network with the name macfadden.de, which he changed to ‘freiheitstattangst.de’ (meaning ‘freedom, not fear’) in early September 2010 to draw attention to a demonstration for the protection of personal data. Around that time a digital song file was offered for downloading via his network without the consent of the right holders (namely Sony Music, the right holder of the phonogram of that particular musical work). Mc Fadden claimed that he did not commit this infringement, but did not deny that a user of his wireless network could have infringed the rights of Sony Music. Having received notice of the infringement, Mc Fadden sought a negative declaration (‘Feststellungsklage’), which Sony answered with a counterclaim for direct liability, a request for an injunction and a claim for the reimbursement of the costs of the formal notice as well as the court costs. Mc Fadden lost the litigation in first instance, but appealed arguing that, as an ISS provider, he was exempted from civil liability under Article 12 E-Commerce Directive. By contrast, Sony requested to uphold the first instance judgment or, alternatively, to hold Mc Fadden indirectly liable for the failure to prevent copyright infringements through his network.


The Landgericht München I (Regional Court, Munich I) addressed no fewer than ten questions to the CJEU, which mainly related to the interpretation of Article 12 E-Commerce Directive, which exempts ISS providers from civil liability for infringements made via their networks under certain conditions. The German court sought advice on the precise conditions under which an ISS provider could benefit from this liability exemption and also whether an operator of an open wireless network (such as Mc Fadden) would qualify as an ISS provider in the first place. It further asked who would have to bear the costs for ordering an injunction against an ISS provider to bring an end to an infringement of copyright and what form such an injunction could take.


Liability exemptions in the E-Commerce Directive

The general framework for ISS provider liability is contained in Articles 12 to 14 of the E-Commerce Directive, which provide for three instances in which ISS providers cannot be held liable for infringements conducted by third parties using their services. Under Article 12 (relating to ‘mere conduit’) an ISS provider which only transmits information or provides access to a network and which (a) does not initiate the transmission, (b) does not select the recipient of the transmission, and (c) does not select or modify the information contained in the transmission, cannot be held liable for that information. Such information can take the form of digital works protected by copyright. The other two instances to which the liability exemption applies are ‘caching’ (i.e., the automated, intermediate and temporary storage of information to increase the efficiency of the transmission of that data) and ‘hosting’ (i.e., the long-term or permanent storage of data on a server). In short, if ISS providers comply with the criteria of the respective liability exemptions, they cannot be held liable for the information transmitted, cached or hosted on their services.

What is an ‘information society service’?

In order to benefit from the liability exemption of Article 12(1) E-Commerce Directive, Mc Fadden, as the operator of the Wi-Fi network via which the song was illegally offered for downloading, must qualify as an ISS provider. The E-Commerce Directive as such does not define what an ISS is, but refers to Directive 98/34/EC (as amended) which defines an ISS in Article 1(2) as ‘any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.’ Recital 2 of Directive 98/48/EC (which amended Directive 98/34/EC) further makes reference to the definition of services under Article 58 TFEU.

In the case at hand it was disputed whether Mc Fadden fulfilled one criterion of the definition of an ISS, namely that he offered his service for remuneration. It is, however, established case-law of the CJEU that in order to fulfil this criterion a service need not be paid for directly by the recipient (Papasavvas). Instead, the provider can receive remuneration from other sources, or factor the cost for the service into the price for other services or goods in relation to which the ISS is rendered. According to the Court, this also includes services which are offered without direct remuneration or free of charge, as long as such services are offered as part of an economic activity (paras 41 and 42). Accordingly, this also covers services which do not constitute the main economic activity but are only ancillary to the operator’s business. As Mc Fadden operates his network to advertise his business, the CJEU ruled that this constitutes a service offered as part of his economic activity.

When is a service ‘provided’?

Furthermore, the German court inquired whether there are any other conditions that must be fulfilled in order to consider a service to be ‘provided’ within the meaning of Article 12(1) E-Commerce Directive, other than that access to a network has been made available. The referring court raised the question based on the text of the German version of the E-Commerce Directive, which suggests that a service that is ‘provided’ (see Article 2(b) which uses the term ‘providing’, the German version uses ‘anbietet’) would require some form of advertising (para. 51). As the Directive itself does not list any further criteria, and other language versions of the Directive do not suggest another interpretation, the CJEU concluded, in order to safeguard a uniform interpretation and application of the Directive, that no further requirements beyond that of providing access to a communication network are necessary to qualify for an exemption under Article 12(1) (paras 52-53).

The difference between ‘hosting’ and ‘mere conduit’

According to the answers given by the Court in relation to the nature of an ISS and the conditions contained in Article 12(1), a compliant ISS provider could thus be relieved from liability. But the German court further asked whether one of the conditions of Article 14(1)(b) E-Commerce Directive (relating to the hosting exemption) could not also be applied mutatis mutandis to Article 12(1). Article 14(1)(b) requires an ISS provider ‘upon obtaining (…) knowledge or awareness [of infringing content hosted on its service to act] expeditiously to remove or to disable access to the information.’

The CJEU, however, clearly distinguished between the conditions of Articles 12 and 14, which are ‘all governed by different conditions’ (para. 60). These differences are due to the fact that the activities – and therefore the services – for which liability is excluded are fundamentally different. Recital 42 E-Commerce Directive states that an ISS for the purpose of Article 12 is characterized by its ‘technical, automatic and passive nature’, whereas a hosting service, to which the abovementioned additional requirement, commonly referred to as the ‘notice and take down rule’, applies, is of a ‘more permanent nature’ (paras 61-62). By its nature, an Article 12(1) provider cannot possibly intervene in the same way as a hosting provider can. Therefore, the notice and take down rule of Article 14(1)(b) cannot be applied to Article 12(1) by analogy because the two activities covered by Articles 12 and 14 respectively are not comparable (para. 63).

Judicial self-restraint

Having rejected a wide interpretation of the term ‘provided’ and also having refused the application of additional criteria to Article 12(1) by analogy, the CJEU, with systematic coherence and judicial restraint, also replied negatively to the question of the German court whether any further criteria had to be taken into consideration in addition to those contained in Article 12(1) and 2(b). Whereas in relation to other fields of copyright law the CJEU ‘identifies’ ever more criteria (judgment in GS Media, also cases Rafael Hoteles, SCF, Svensson and BestWater), in Mc Fadden the Court underlined that the provisions of the Directive, by providing limited liability to ISS providers under certain conditions, create a balance between the interests involved. Adding further criteria would ‘call that balance into question’ (para. 70). Given the balance reflected in the provisions, which provide for (exhaustive) conditions for liability exemption, it ‘is not for the Court to take the place of the EU legislature by subjecting the application of that provision to conditions which the legislature has not laid down’ (para. 69).

Who bears the costs for injunctions?

With regard to the question of who has to bear the costs for an injunction, in particular the cost for the formal notice and the court costs, the CJEU partially disagreed with AG Szpunar. It agreed in so far as an ISS cannot be burdened with the cost for a formal notice and court costs in relation to the primary infringement. As a passive ISS provider is exempted from liability under the conditions listed in Article 12(1) and 2(b) E-Commerce Directive, it cannot be expected to bear the costs for the formal notice and court proceedings in relation to such a claim (paras 63-64). In other words, in the absence of any liability no related costs can be pushed on the ISS provider.

Nonetheless, the situation is different, so the Court argued, in relation to an injunction, and here it disagreed with AG Szpunar. The AG had indeed argued that an injunction does not create liability, and that an ISS can thus not be expected ‘to take the initiative to prevent a possible infringement or for failing to act as a bonus pater familias’ (para. 79 of the AG’s Opinion). Unfortunately, the Court’s ruling is quite brief on this issue; it merely states that the possibility to order an injunction under Article 12(3) E-Commerce Directive would ‘[c]onsequently’ not prevent the person requesting an injunction from also asking for the reimbursement of the costs mentioned above (para. 78).

Must Wi-Fi networks be password-protected?

Finally, in a last set of questions, the German court asked what kind of injunction a national court could order to bring an infringement of an intellectual property right to an end (cf. Article 12(3) E-Commerce Directive). Although the court asked whether it would be possible to order an injunction that leaves the choice of the precise technical means to the addressee of the injunction (see UPC Telekabel), in its request for a preliminary ruling it had actually already narrowed down the choice of potential injunctions to three: (1) a mechanism to be installed by the operator of the network to filter and monitor all communications passing through its network, (2) the termination of the connection, or (3) the protection of the connection by password. The Court, therefore, only addressed the three measures suggested by the German court, which the latter considered to be the only effective measures to prevent further infringements.

AG Szpunar had rejected all three options by arguing that all of them would unduly restrict the exercise of either the right to conduct a business of the operator of the network or the right to receive information of the users. Yet again, the Court partially disagreed with the AG.

First, with respect to the first type of injunction, the Court concurred that an obligation to monitor all communications through a network is precluded by Article 15(1) E-Commerce Directive, which prohibits precisely such obligations to be imposed on an ISS provider (para. 87).

The other two injunctions are subjected to a more thorough balancing exercise. In this context the CJEU balanced the intellectual property right of the copyright owner, protected under Article 17(2) EU Charter, and the rights under Article 16 (freedom to conduct a business) and Article 11 EU Charter (freedom of information). A complete termination of the wireless connection would, according to the Court, not ensure a fair balance between the rights under Articles 17(2) and 16. Although the service in question is only of a secondary nature to Mc Fadden’s primary business activity, a prohibition to operate a network would not be proportionate in relation to the interest of the owner of the copyright, which is to protect its intellectual property (paras 88-89). The CJEU did, however, find that the protection of a wireless network by password does strike a reasonably fair balance between the interests involved. More precisely, it argued that such an injunction would ‘not damage the essence of the right to freedom to conduct a business’ as it only requires the operator of the network to ‘marginally [adjust] one of the technical options’ available to the operator (para. 92). Protecting the network by a password, which would require users to reveal their identity when accessing the network (by which technical means the Court did however not say – and as will be explained below, this might prove to be a weak point in the Court’s ruling), could deter and dissuade users from committing infringing acts through this network. Furthermore, users would still have access to all information on the Internet and, as a result, their right to receive information would not be unduly limited (paras 94-96). It is noteworthy that the Court only considered the three injunctive measures suggested by the German court; a more openly-phrased question from the German court might have changed the CJEU’s assessment.
But rejecting the third and least intrusive measure of those suggested in the preliminary reference would not serve to create a fair balance as it would leave the fundamental right to intellectual property largely unprotected (paras 96-98).


Interestingly, the Court’s judgment in McFadden v Sony Music was handed down one day after the European Commission had announced its plans to support open wireless networks in public places in the EU. This initiative might prove to be necessary as businesses might be tempted to shut down their open Wi-Fi networks as a consequence of this judgment, and this for two reasons.

The first and probably most compelling reason is that operators of open wireless networks, although they benefit from the liability exemption under Article 12(1) E-Commerce Directive, can still incur the costs for an injunction ordered against them. Whereas the costs of implementing the injunction might not be a deterrent in themselves, the costs for the formal notice as well as costs for court proceedings might, especially in the case of multiple injunctions, amount to a substantial sum of money. In any case, it would appear from the arguments of the Court, which links the costs related to an injunction (notice and court costs) directly to the legality of the injunction itself, that the addressee of such an injunction would have to bear, if not all, at least a substantial amount of the costs. This is surprising, given that Article 12(1) should relieve ISS providers from liability in the first place. The Court’s interpretation of Article 12(3) would then oblige operators of open wireless networks to pay most of the costs for an injunction in lieu of direct liability. It could also be argued that this is partially at odds with the ruling in Scarlet Extended v SABAM, in which the CJEU ruled that injunctions that, inter alia, require an intermediary to install a filtering system ‘exclusively at its expense’ would not be in conformity with the above directives. Admittedly, a filtering system is certainly much more difficult to realize, and therefore more expensive than installing password-protection for a wireless network; however, the procedural costs in both cases will probably be similar.

The second reason is the practical difficulties and uncertainties that result from the Mc Fadden judgment. The Court found that the obligation to protect an open network by password is a proportionate restriction of the freedom to operate a business, which would leave ample space for the exercise of the freedom of information and the protection of intellectual property. It reached this result by comparing the three options suggested by the German court, without considering any further options. This could mean that if other options (e.g. IP-blocking) exist to effectively bring infringements of intellectual property rights to an end while safeguarding the essence of all conflicting fundamental rights, such measures could be considered as well. Nevertheless, password protection will most certainly be the most cost-efficient solution for wireless network operators to escape further liability as it is fairly cheap to implement while making access to a network relatively easy for users.

Another problem related to password-protection is the technical details of such protection. The Court argued that password-protected wireless networks might dissuade potential infringers as they would be ‘required to reveal their identity’. But this seems to imply that a simple password-protection does not suffice. In addition to such protection, the surrender of the password to the customer would indeed necessitate some form of basic identification, which could later be used to track down customers who, disregarding the dissuasiveness of such a measure, infringed copyright over such a network. This would, in two simple scenarios, either require a more advanced password-protection that requires users to register with an email address, or a manual recording of personal data for every user of such a network. Both scenarios are certainly more intrusive than a mere protection of a network by password. Therefore, it is up to national courts to repeat this balancing exercise in every particular case. Yet, it seems highly probable that a simple protection by password without recording user data will most likely not be sufficient to safeguard ample protection of the rights of copyright holders. Collecting personal data manually from users of wireless networks (e.g. by the owner of a café or a restaurant) might also prove to be rather burdensome.

Despite the foregoing concerns, the case also has a beneficial outcome as it draws the circle of businesses that can benefit from the Article 12 regime of the E-Commerce Directive rather wide. By including operators of networks whose main commercial activity is not the operation of the network, but for whom the operation of the network is only an ancillary activity, more businesses are exempted from liability for infringement made by use of their services. This means that shops, cafés, restaurants, but also complimentary wireless networks on public transport fall within the scope of application of Article 12. This wide scope might thus encourage businesses to open their networks once the conditions for a duty of care standard (e.g. what kind of measures are sufficient to prevent the ordering of injunctions) have been further elaborated. The advantage of the rather simple and straightforward interpretation of the term ‘information society service’ is that it creates legal certainty for operators of wireless networks. It makes it easy to assess which businesses fall within that definition, and which can benefit from the liability exemptions under Article 12(1).

The preliminary reference already had some immediate effects: The German legislator changed the national regime for the liability of access providers (‘Störerhaftung’), excluding operators of public wireless networks from civil liability. It did so quite swiftly, already after the AG had given his opinion. Hence, it may be expected that the Court’s ruling might also have significant effects on the liability of network operators in other Member States where uncertainty persists as to the liability for injunctions and their related costs.

Nevertheless, the precise practical implications of the Court’s decision are yet to be clarified. Whereas the clarification of the scope of Article 12 is a relief for network operators, the ‘distribution’ of costs for an injunction, which potentially places the entire economic burden on the network operator, might prove detrimental for openly-accessible wireless networks. This imbalance might motivate operators of open networks to shut them down because of potential costs stemming from injunctions ordered against them. That being said, they might perhaps be able to avoid those costs: it is indeed not so clear whether right holders will be able to request further injunctions if a password-protected network is used to infringe their rights (i.e. if this meets the duty of care standard) and if no other application of technological measures can reasonably be expected from the network operator. Nor is it clear from the Court’s judgment whether any further measures will be considered to be disproportionate to the interests of the network operators, or whether the application of other technical means (that might just not yet exist) could help ISS providers escape liability and injunctions against them. After all, more complicated technical mechanisms, such as the installation of filtering software or the blocking of certain websites, might go beyond the technical abilities and economic resources of a restaurateur or bar owner.