Tuesday, October 28, 2014

CJEU is Asked: Are Dynamic IP Addresses Personal Data?

BGH just issued a press release informing that it filed a preliminary reference to the CJEU. The question is whether dynamic IP addresses constitute a personal data according to Art. 2 (a) Data Protection Directive. The case arose between an individual who is suing the Federal Republic of Germany for an injunction against the storage of its information.

  • The first question is basically if an IP address, which is stored by a service provider in context of accessing a website, constitutes a personal data despite the fact that only a third party with its additional knowledge can identify said person.
  • By the second question, BGH is trying to see if Art. 15(1) of the Telemedia Act is compliant with the Data Protection Directive, especially its Art. 7. This provision reads as follows:
Art. 15(1) TMG: The service provider may collect and use the personal data of a recipient of a service only to the extent necessary to enable and invoice the use of telemedia (data on usage).
Article 2 (a) defines 'personal data' as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;"

Monday, October 13, 2014

Munich Court Asks CJEU About Injunctions Against Operators of Open WiFis

Regional Court in Munich (LG München) last month filed a preliminary reference to the CJEU (Case 7 O 14719/12 - reported by OffeneNetze) asking several questions related to applicability of mere conduit safe harbour to free and open WiFis and also to possibilities of national courts to impose certain obligations on (non-liable) providers of such hot spots. In Germany, German Federal Supreme Court (BGH) in 2010 judgement (Sommer unseres Lebens, I ZR 121/08) obliged most of the operators to password-protect their WiFis. Now this could either change or be extended to some other European countries.

The case arose between an entrepreneur selling light and audio systems who is also a member of the German Pirate Party and a record label. The entrepreneur operates an open and free of charge WiFi in his store. He uses the WiFi sometimes as a tool for advertising of his store (preloaded home page points to his shop and name of the network bears its name) and sometimes to agitate for his political views (pointing to particular websites such as data protection campaigns, etc.). After receiving a letter informing him about a copyright infringement allegedly committed via his hot-spot, the entrepreneur unusually sued the right holder pursuing the negative declaratory action. The right holder as a defendant later counter-claimed asking for damages, injunctive relief and pre-trail costs as well as court fees under the above mentioned doctrine of BGH.

The referring court is hesitant whether mere conduit safe harbour of Article 12 allows especially for injunctive relief on which the German concept of Stoererhaftung is based. It points to similar cases before the Hamburg court (Case No. 25b C 431/13 and Case No. 25b C 924/13) that recently denied such claims arguing that mere conduit safe harbour prevents them. The court comes to conclusion that the plaintiff did not infringe the rights himself, and thus is considering what kind of measures can be imposed on a WiFi operator such as plaintiff. It is very symptomatic to German case-law on injunctive relief that the Munich court does not even mention applicability of Article 8(3) InfoSoc in this case. Despite the fact that its case is clearly about its local transposition and European limits.

Here is my very freely translated and heavily rephrased summary of questions with some commentary.

1. Question 

Q: Can a provider of a free open WiFi qualify for a mere conduit safe harbour? In particular, should the phrase of ‘normally provided for remuneration’ that defines the terms ‘information society services’ be interpreted as meaning that:
  • the particular service must be provided for remuneration,
  • the services on the market of this kind need to be provided for remuneration or
  • it is enough that majority of such or comparable services are provided for such remuneration.

This question was a ticking bomb. And it was not even a few weeks ago, when I criticized that if CJEU follows its approach from Papasavvas C-291/03, its case-law will soon bump into a trouble. So here it is. I understand that ‘normally provided for remuneration’ is limitation coming from the primary law and the very competence of the EU, but stretching the factor of required economic activity is a step that is necessary if we don't want to end up with a framework which punishes service providers for not making any money out of their services.

2. & 3. Question

Q: Does provision of an open WiFi hot spot constitute "the transmission in a communication network of information" as required by Article 12 of the E-Commerce Directive? And if so, is such a service also "provided" in the sense of the same Article when it is offered to the public by mere opening of connectivity without any advertising or offer to contract.

Personally, I don't see why this should not be resounding "YES". Munich court apparently thinks the same, but probably only wanted to make sure it is right.

4. & 5. Question

Q: Does the wording of Article 12(1), which requires Member States to "ensure that the service provider is not liable for the information transmitted" and Article 12(3), which permits some injunctions, when read together, mean that (a) injunctive relief, (b) damages, (c) pre-trail costs and (d) court fees are precluded before the first copyright infringement is established.

Q: Should Article 12 bar the national court from obliging an operator of WiFi to prevent third parties from using the Internet access for peer to peer file-sharing?

Article 12 covers only monetary claims. I think this is a general consensus [not necessarily in Germany, I know]. In my opinion, there is clear string of case-law that shows that injunctive relief is not covered by Article 12 (see here). UPC Telekabel Wien being the most obvious one. I believe that the CJEU will just confirm this. What is, however, very interesting and potentially far-reaching are the questions related to shielding from pre-trail costs and court fees. Especially in countries like Germany where you can recover pre-trail expenses related to injunctive claims, this could be of a great significance. Also, if such expenses would be included in the safe harbours, in the future, even courts in the enforcement proceedings could have difficulty to impose fines on mere conduits when they do not comply with website blocking for instance. I am really thrilled to see how the court approaches this question. Though admittedly for different reasons that the referring court.

6. Question

Munich court, disturbed by the fact that if no obligations were to be imposed on open WiFi operators there could be no recourse for right holders, suggests that such a situation would be incompatible with the recital 41 that safeguards the balance "between the different interests at stake and establishes principles upon which industry agreements and standards can be based". To prevent such imbalance, the court suggests his solution in questions 6,7,8.

Q: Should the knowledge requirement of hosting safe harbour apply per analogy also to injunctive relief against mere conduits?

This question is "understandable" from the German perspective, where the problem is whether pre-trail costs attach to the first cease and desist letter exercising claim to injunctive relief (yes, in most of the continental countries injunctive relief is a material claim, similarly as damages, not a procedural tool of a court, so it existis also outside of the court). The Munich court is basically trying to curb these costs before the first notification by this question [at least that is my understanding]. Not sure if CJEU will get this message, and even if it does, whether it can/should at all do something about it, given that the court wrongly seems to assume that Article 14 knowledge requirement also applies to injunctions against hosts. It does not. I probably do not need to stress too much that this would be constitute rewriting of the existing safe harbour schemes.


7. & 8. Questions

But the court also has second suggestion.

Q: Are there any unwritten requirements for mere conduits?

Invoking wording of Article 2(a) [who qualifies as a service provider] and Article 12 it seeks to know if there is any backdoor for mere conduits. The Munich court explicitly suggests that a possible unwritten requirement could be whether operators can prove to have a link/need of such open WiFis to their business model. I personally think that the CJEU might take the L'Oreal v. eBay neutrality requirement out of pocket and apply it here. This would, however, create similar uncertainty as it created with hosting safe harbour today.
9. Question

Puzzled by what UPC Telekable Wien, especially with considerations of Article 15 of E-Commerce Directive, might mean for the case at hand, the Munich court also asks an additional question provided that injunctions are permitted.

Q: Does Article 12, considering the provisions of the EU Charter, the Enforcement Directive and the InfoSoc Directive, bar a national court from issuing an injunction against a WiFi operator obliging him to prevent third parties from using that access for peer to peer file-sharing, if such a provider is given option to chose what kind of technical means he will use to comply with this obligation? Does the fact that such a provider can comply with this obligation change if it is known already before the enforcement proceedings that the only way of complying with the order is refraining from using the WiFi, password-protecting it, or filtering all the content passing through it.

Summary

In a way, this is an indirect direct attack on BGH case-law obliging operators of open WIFIs to password-protect them in order to prevent infringing use. At the same time, some questions are scary. It is expected that the CJEU confirms that injunctive relief is not restricted by mere conduit safe harbour. And it is hoped that it will refuse the invitation to create new conditions for mere conduits out of the blue. The court could, however, seize the opportunity to examine whether such measures are compatible with fundamental rights and not only another socially wasteful enforcement practice. In order this to happen, somebody should explain the court the innovative potential and social use of open WiFis beyond mere household use, which most of the judges are [only] familiar with.

Tuesday, September 23, 2014

New Paper On Novel Type of Injunctions Against Intermediaries

The readers interested in questions of intermediary liability, injunctions and online enforcement might be interested in a new paper authored by me and my friend Miquel Peguera. It is a substantially revised version of a working paper that was previously made available on SSRN in July this year. Since the copyright policy of the journal (IIC) requires us to remove the paper after its publication from SSRN for two upcoming years, I encourage all the interested readers to download it as soon as possible.

In this article we examine the legal framework of the European Union for injunctions against intermediaries whose services are used by a third party to infringe an intellectual property right, as set forth in the InfoSoc Directive and the Enforcement Directive. In particular, we consider the conditions to apply for the injunctions, taking into account how those conditions have been construed by the CJEU. We explore which is the minimum floor of injunctive relief Member States are obliged to provide under the Directives, as well as the maximum ceiling allowed, beyond which the protection granted would infringe upon the limits imposed by the EU Law. Next, we move to consider a particular type of injunctions that rights holders may apply for against intermediaries on the basis of Art. 8(3) of the InfoSoc Directive, namely those that would consist of enjoining an ISP from providing internet access to one of its users allegedly engaging in copyright infringement. A case already decided in Spain, Promusicae et al v. R Cable y Telecomunicaciones Galicia, granting such an injunction serves us as a study case to assess the problems these remedies face.

On the one hand, these privately litigated internet disconnection injunctions may be seen by rights holders as a promising tool to fight online copyright infringement – maybe an alternative to unsuccessful graduate response schemes. However, as we show in the article, these injunctions raise serious issues regarding their compatibility with the EU Charter of Fundamental Rights. Indeed, the possibility of effective and human-right-conform injunctions of this kind turns up to be very narrow. In other words, the Directive's provisions promise much, but if applied correctly, they deliver little.

Friday, September 12, 2014

CJEU on Applicability of the Safe Harbors to Free-of-Charge Websites

CJEU seems to be on copyright spree these days. Technische Universität Darmstadt C-117/13 [decision], Deckmyn C-201/13 [decision], Commission v Council C-114/12 [decision], Pez Hejduk C-441/13 [decision] and Art & Allposters C-419/13 [opinion] are all the cases I hope to be able to come back to on this blog. While these cases can wait, CJEU's new ruling - Papasavvas C-291/03 - on safe harbours can not.

Papasavvas involves pretty "disoriented" CJEU reference from the Cypriot court [reported before here]. The court wanted to know all sorts of things, but mostly whether: a) E-Commerce Directive safe harbours also apply to services that are provided free of charge, b) if so, whether newspapers could invoke any of the safe harbours for its editorial content [sic!]. Cypriot court also tried to use the country of origin principle and to rewrite European history of direct effect of the directives, but CJEU very quickly made clear what is the rule ["the Court wishes to inform the referring court that .."].

Background. On 11 November 2010, Mr Papasavvas brought an action for damages before the Cypriot court against a newspaper company, and against its Editor-in-Chief and an another journalist at that newspaper, for acts which, in his opinion, constitute defamation. Mr Papasavvas seeks damages for harm allegedly caused to him by articles published in the daily national newspaper and, which were published online on two websites (http://www.philenews.com and http://www.phileftheros.com). He requests also the national court to order a prohibitory injunction to prohibit the publication of the contested articles.

Questions: 

  • Free of charge, still covered?
Cypriot court asks about the concept of ‘information society services’, which is a precondition of all the safe harbours. It wants to know whether this term covers also provision of such online information services for which the service provider is remunerated not by the recipient, but by income generated by advertisements posted on a website. This questions has following source: Article 2(a) of Directive 2000/31 defines the terms ‘information society services’ by making a reference to Article 1 of Directive 98/34, which refers to any service ‘normally provided for remuneration’, at a distance, by electronic means and at the individual request of a recipient of services. 

The answer of the CJEU is very predictable - of course, as long as its an economic activity such as service running on advertising. Although predictable [due to Art. 57 TFEU], the answer by the CJEU, however, is not particularly clever one. What about websites that are run non-profit such as Wikipedia? Should they disqualify just because they have decided not to carry any advertising? Or are they also an economic activity? This is why I argued in my book that even potential economic activity should suffice. In any case, I would not immediately infer from this that Wikipedia is not anymore covered. But CJEU should have had taken this more into account when replying.

  • Does editorial content of newspapers qualify for safe harbours?
Another question related to whether editorial content of newspapers can qualify for one of the safe harbours. Instead of rejecting this invitation by pointing to the need of information to be provided by the recipient of the service, CJEU rather started invoking its case-law on what it means to be "an intermediary", i.e. to be passive, not providing assistance etc. It is no surprise then that CJEU instead of using more suitable argument of source of the information at hand [employed or contracted journalists], comes up rather with following argument:

45      Consequently, since a newspaper publishing company which posts an online version of a newspaper on its website has, in principle, knowledge about the information which it posts and exercises control over that information, it cannot be considered to be an ‘intermediary service provider’ within the meaning of Articles 12 to 14 of Directive 2000/31, whether or not access to that website is free of charge.
The problem of this is what it does not say. Namely, that this can be objected with pretty much any service out there. Carving editorial content out of safe harbours by referring to knowledge is probably the worst strategy the Court could have taken. Not being enough, CJEU then accepts invitation to add this argument to the context of the referred question - which I bet with you - will be misrepresented many times in the future:
46      In the light of the foregoing, the answer to the fifth question is that the limitations of civil liability specified in Articles 12 to 14 of Directive 2000/31 do not apply to the case of a newspaper publishing company which operates a website on which the online version of a newspaper is posted, that company being, moreover, remunerated by income generated by commercial advertisements posted on that website, since it has knowledge of the information posted and exercises control over that information, whether or not access to that website is free of charge.
No, it does not say what it states. But you need to read the context first to get that. 

  • Are safe harbours directly invokable in horizontal relationships?
Some context for US readers first. In the European Union, the Directives oblige only Member states. This means that if the state fails to implement them, you generally can not use them as a supplementary source of law, i.e. apply/invoke it directly [there are some exceptions for vertical relationships]. In the horizontal relationships [individual vs. individual] it is more than settled that only indirect effect [interpretation in the light of the Directive] is possible. CJEU here confirms again obvious. Safe harbours have no direct horizontal effects. So if the state fails to implement them, individuals can not invoke provisions of the Directive in their disputes.

All in all, I don't think this decision brings anything new. Perhaps only new sources of certain confusions.

Friday, August 15, 2014

#CETA: Should Canadian Internet Intermediaries Worry?

The Comprehensive Economic and Trade Agreement (CETA) is a proposed free trade agreement between Canada and the European Union. It is yet another alphabet soup that was cooked by our dear policy makers without first asking the public if it is hungry for any change of intellectual property protection/enforcement. As most of the other alphabet soups these days, also this was kept secret in order not to be [b]eaten by people before its ready for serving. Until, well, until German Tagesschau leaked its entire 521 pages long recipe this week.

The intellectual property chapter of CETA (Chapter 22) also contains several provisions regulating Internet intermediaries. And exactly these provisions should not be overlooked.

For the Europeans, intermediary liability provisions of CETA might first even appear boringly predictable as they do not seem to add anything new to the Union law. But this would be misleading. First of all, these provisions are definitely TRIPS-plus provisions, and if coupled with strong investment protection before the arbitration courts, flexibility of any reform of these provisions in the existing Union law will be near to zero. So as long as CETA goes beyond TRIPS, it automatically also adds to the Union law a new international obligations, which did not exist before.

For the Canadians, these obligations can be more groundbreaking. CETA seems to mandate that (i) safe harbours should not limit injunctions and  that (ii) injunctions should extend also to innocent (non-infringing) intermediaries. I have zero knowledge of the Canadian law, but I would humbly predict that at least (ii) is not currently provided for.

Article 5.5 of CETA seems to guarantee the safe harbours in the domestic law. Sounds like a great step, doesn't it? After taking a closer look, however, it becomes clear that domestic law is almost completely free in legislating the exact conditions for the two most important safe harbours, namely hosting and mere conduit ["Each Party may prescribe in its domestic law, conditions for service providers to qualify for the limitations or exceptions in this Article." (Art. 5(5)(4))]. In fact, the only thing the provision seems to guarantee is that some safe harbours for the two activities will exist in the domestic law, and that those domestic conditions can not be conditioned "on the service provider monitoring its service, or affirmatively seeking facts indicating infringing activity" (Art. 5(5)(3)). The more precise notice and take-down system, or counter-notification system is optional (Art. 5(5)(4)). Moreover, this applies only "when [they are] acting as intermediaries" [which sounds like a good Trojan horse for concepts like "passive intermediaries"]. Oh, and did I mention that this all concerns only "copyright or related rights" (Art. 5(5)(1))?

The most important mandatory rule of the safe harbours then seems to be what comes next:
This Article shall not affect the possibility of a court or administrative authority, in accordance with Parties' legal systems, of requiring the service provider to terminate or prevent an infringement.
For non-Europeans. Similarly worded rules in the E-Commerce Directive make safe harbours "injunctions-leaky" in the EU. And they are, together with some other provisions (Art. 8(3) InfoSoc, etc.), increasingly responsible for the most of the private actions against Internet services providers on the old continent [see overview here and here]. Without appropriate cause of action, of course, this would be only a half-way attempt to import the current European trend of increasing accountability of intermediaries by blocking and filtering injunctions or as US scholars would frame it - a system of more preventive notice-and-stay-down requirements.

But CETA does not stop half-way. Article 20 provides for a [differently worded] private cause of action for injunctions against innocent third parties:
1. Each Party shall provide that, in civil judicial proceedings concerning the enforcement of intellectual property rights [by accident not only copyright and related rights?], its judicial authorities shall have the authority to issue an order against a party to desist from an infringement, and inter alia, an order to that party, or, where appropriate, to a third party over whom the relevant judicial authority exercises jurisdiction, to prevent infringing goods from entering into the channels of commerce.
Please note that this a shall-provision. And that its wording could potentially achieve everything that European system of Art. 8(3) style of injunctions does today. And yes, it is exactly the provision which was among other things strongly criticized in ACTA. In fact, ACTA started (Article 2.X.2 of ACTA April Draft 2010) with a provision which was just copy and paste of Art. 8(3) InfoSoc ["The Parties [may] shall ensure that right holders are in a position to apply for an injunction against [infringing] intermediaries whose services are used by a third party to infringe an intellectual property right."]. The provision has proved, however, too controversial. Surprisingly, not because of the concerns of the Internet service providers, but of health activists who were worried about the access to medicines. This language was eventually dropped in the September 2010, but substituted by the following provision:
“Each Party shall provide that, in civil judicial proceedings concerning the enforcement of intellectual property rights, its judicial authorities shall have the authority to issue an order against a party to desist from an infringement, and inter alia, an order to that party or, where appropriate, to a third party over whom the relevant judicial authority exercises jurisdiction, to prevent infringing goods from entering into the channels of commerce.”
As you can see, this provision from the September version of ACTA is the same rule, which now re-appeares in Art. 20(1) CETA. If it becomes the law in Canada one day, its citizens can be also looking forward to a flood of privately litigated website blocking, disconnecting, filtering and other kind of creative injunctions.

One of the senior official at the Commission in Brussels told media that: "The free trade treaty with Canada is a test for the agreement with the United States". Well, if this is the case, than US readers of this blog might "forget" about their fears from their national reform of the DMCA, given that a "reform" might soon unexpectedly come from TRIPS-plus "waters".

Update 22/10/2014

The European Commission just released the final text of the CETA. Provisions relevant from the perspective of the post now look as follows:

Article 5.5 - Liability of Intermediary Service Providers

Subject to the other paragraphs of this Article, each Party shall provide limitations or exceptions in its domestic legislation regarding the liability of service providers, when acting as intermediaries, for infringements of copyright or related rights that take place on or through communication networks, in relation to the provision or use of their services.

The limitations or exceptions referred to in the previous paragraph: shall cover at least the following functions: hosting of the information at the request of a user of the hosting services; caching carried out through an automated process, when the service provider: does not modify the information other than for technical reasons; ensures that any directions related to the caching of the information that are specified in a manner widely recognized and used by industry are complied with; and does not interfere with the use of technology that is lawful and widely recognized and used by the industry in order to obtain data on the use of the information; mere conduit, which consists of the provision of the means to transmit information provided by a user, or the means of access to a communication network; may also cover other functions including: providing an information location tool, by making reproductions of copyright material in an automated manner, and communicating the reproductions.

Eligibility for the limitations or exceptions in this Article may not be conditioned on the service provider monitoring its service, or affirmatively seeking facts indicating infringing activity. Each Party may prescribe in its domestic law, conditions for service providers to qualify for the limitations or exceptions in this Article. Without prejudice to the above each Party may establish appropriate procedures for effective notifications of claimed infringement, and effective counter-notifications by those whose material is removed or disabled through mistake or misidentification. This Article is without prejudice to the availability in a Party' law of other defences, limitations and exceptions to the infringement of copyright or related rights. This Article shall not affect the possibility of a court or administrative authority, in accordance with Parties' legal systems, of requiring the service provider to terminate or prevent an infringement.


Article 17
Right of Information


Without prejudice to its law governing privilege, the protection of confidentiality of information sources or the processing of personal data, each Party shall provide that, in civil judicial proceedings concerning the enforcement of intellectual property rights, its judicial authorities shall have the authority, upon a justified request of the right holder, to order the infringer or the alleged infringer, to provide to the right holder or to the judicial authorities, at least for the purpose of collecting evidence, relevant information as provided for in its applicable laws and regulations that the infringer or alleged infringer possesses or controls. Such information may include information regarding any person involved in any aspect of the infringement or alleged infringement and regarding the means of production or the channels of distribution of the infringing or allegedly infringing goods or services, including the identification of third persons alleged to be involved in the production and distribution of such goods or services and of their channels of distribution.


Article 18
Provisional and Precautionary Measures


1. Each Party shall provide that its judicial authorities shall have the authority to order prompt and effective provisional and precautionary measures, including an interlocutory injunction, against a party, or where appropriate, against a third party over whom the relevant judicial authority exercises jurisdiction, to prevent an infringement of an intellectual property right from occurring, and in particular, to prevent infringing goods from entering the channels of commerce.

Article 20
Injunctions


1. Each Party shall provide that, in civil judicial proceedings concerning the enforcement of intellectual property rights, its judicial authorities shall have the authority to issue an order against a party to desist from an infringement, and inter alia, an order to that party, or, where appropriate, to a third party over whom the relevant judicial authority exercises jurisdiction, to prevent infringing goods from entering into the channels of commerce.
2. Notwithstanding the other provisions of this Section, a Party may limit the remedies available against use by government, or by third parties authorized by government, without the use of authorization of the right holders to the payment of remuneration provided that the Party complies with the provisions of Part II of the TRIPS Agreement specifically addressing such use. In other cases, the remedies under this Section shall apply or, where these remedies are inconsistent with a Party’s law, declaratory judgments and adequate compensation shall be available.

Friday, August 1, 2014

Austrian Supreme Court Confirms Open-Ended Website Blocking Injunctions [UPC Telekabel Wien]

Last Thursday, the Austrian Supreme Court (OGH) issued the decision (OGH, 4 Ob 71/14s) in the proceedings that gave rise to the UPC Telekabel C-314/12 reference before the Court of Justice of the European Union. OGH confirmed the lower court decision, which granted an open-ended website blocking injunction against the biggest Austrian ISP. Although the outcome was quite predictable, the reasoning of the court is very interesting.

First of all, OGH comes to the conclusion that open-ended website blocking injunctions are the only (sic!) available form of such a measure under Art. 8(3) implementation [§ 81(1a) UrhG] in Austria [Ein Anspruch auf bestimmte Maßnahmen lässt sich weder aus diesem Wortlaut noch aus dem ihm zugrunde liegenden Ausschließungsrecht ableiten ... Zwar wäre rechtspolitisch auch eine andere Lösung denkbar; nach geltendem österreichischen Recht hat es aber auf dieser Grundlage bei der Beschränkung der in Art 8 Abs 3 Info-RL genannten „Anordnungen“ auf Erfolgsverbote zu bleiben. § 81 Abs 1a UrhG bietet daher keine Grundlage, dem Access-Provider konkrete Maßnahmen zur Verhinderung des Zugangs zu einer Website mit rechtsverletzenden Inhalten vorzuschreiben]. And that specific injunctions are not provided for in the Austrian law.

The Court supports this reasoning by both citing the case-law from the field of law of nuisance, and by arguing that measure-specific injunctions are more serious interference than open-ended ones, because they remove the flexibility from the obliged party (Dieser Unterlassungsanspruch ist auf Unterlassung der Mitwirkung an einem Eingriff in ein absolut geschütztes Recht gerichtet. Ein weitergehender Anspruch auf konkrete Maßnahmen ergibt sich daraus nach geltendem Recht nicht). OGH borrows numerous legal principles from law of nuisance when it concludes that traditionally plaintiffs had only a claim of defence against the interference itself and never had a claim for exact positive measures, which could prove to be ineffective in the course of time. In other words, you could never compel your neighbour to erect a certain type of fence if the interference in question could have been prevented by other sufficient means, which the defendant gave preference to.

It should be reminded that it was the CJEU itself, who suggested that this kind of flexibility is something that reduces the conflict with the right to conduct a business. I have criticized this for number of reasons here. But even if you disagree with me on all of those grounds, consider following. Is in it weird that this flexibility is somehow not appreciated by the ISPs themselves who should be its primary beneficiaries?

Second, OGH examines in detail whether the Austrian legislation complies with the requirements of i) review of reasonableness before any fine for noncompliance is imposed, and ii) possibility of users of an ISP to challenge the website block ex post. After lengthy discussion of the national provisions on execution proceedings, OGH suggests that it found a way how to implement this requirement into the law. It is very interesting that the Court assumes that in absence of such Union-conform interpretation, the Austrian law would be incompliant with the Article 8(3) [Diese unionsrechtlich begründete Auffassung wäre jedoch - ebenfalls aus unionsrechtlicher Sicht - höchst problematisch. Denn sie führte faktisch zur Unanwendbarkeit von § 81 Abs 1a UrhG, wodurch Österreich seine auf Art 8 Abs 3 InfoRL beruhende Pflicht verletzte, im nationalen Recht Regelungen vorzusehen, wonach Rechteinhaber gerichtliche Anordnungen gegen Vermittler erwirken können]. In other words, the Court apparently thinks that website blocking injunctions are part of the minimal standard required by the Union law.

As to second requirement, the reasoning of the Court is even more interesting. It follows my anticipation presented in JIPLP that such claims of users could have their legal basis in the Internet contract with an ISP [Kunden des Providers könnten ihre Rechte auf vertraglicher Grundlage gegen diesen durchsetzen]. The Court explains:

Dieses Erfordernis ist im österreichischen Recht schon deswegen erfüllt, weil Kunden ihren Provider auf vertraglicher Grundlage in Anspruch nehmen können, wenn sie Sperrmaßnahmen für unzulässig oder überschießend halten. Denn der Vertrag zwischen dem Access-Provider und seinen Kunden wird im Regelfall dahin auszulegen sein, dass alle - aber auch nur solche - Website-Sperren zulässig sind, die den Vorgaben des EuGH entsprechen. Schon diese Möglichkeit genügt, um das vom EuGH betonte Recht der Nutzer auf rechtmäßigen Zugang zu Informationen zu wahren. Um der Gefahr einander widersprechender Entscheidungen entgegenzuwirken, wird der Provider in diesem Fall dem Rechteinhaber, der eine Sperre veranlasst hat, den Streit verkünden können.

For non-German speakers [very quick and rusty translation]:

This requirement is already fulfilled in the Austrian law because the customers can sue their provider on the contractual basis in case they consider the blocking measures not lawful or excessive. Because the contract between the access provider and his consumers is to be, as a rule, interpreted meaning that all - but only those - website blocking injunctions are permitted, which correspond to requirements of the CJEU. Already this possibility suffices to guarantee the right of the customers to legal access to information, which was stressed by the CJEU. In order to reduce the risk of conflicting decisions, the provider will be in such a case able to announce the dispute to the right holder, who gave rise to such blocking.
The part that is most surprising for me comes only after this. OGH goes on to say that this does not exhaust the possibility of a user and that any user can also sue directly the rightholder [Darüber hinaus kann erwogen werden, dass Nutzer ihr Recht auf rechtmäßigen Informationszugang auch unmittelbar gegen einen Rechteinhaber geltend machen können, der es - mittelbar - durch die Veranlassung unzulässiger oder überschießender Sperrmaßnahmen verletzt]. I see you asking -- on what basis for God's sake?

Well, OGH has a pretty interesting answer. It opens by saying that CJEU "evidently assumes" that such a right of a user has an erga omnes effect, ie must be respected by all third parties, including right holders. This would mean that a user can object in the execution proceedings compliance with its right to legal access to information. But this is peanuts compared to what comes next. From the reasoning of OGH who is calling this right - an absolute right - it appears plausible that a user could sue directly also a right holder or a provider (sic!) for interference with a right to lawful access to information in a same way as you sue for an infringement of a right to intellectual property. No question, this would be revolutionary as so far all discussion about limitation of lawful access were only of human rights nature [which are of course, not directly invokable against the private individuals]. Unfortunately, OGH then questions this novelty itself by saying that this would apply only if the CJEU really meant to say this [see, similarly surprised Lehofer]. I probably do not need to stress too much what would such a right to lawful access to information as an absolute right enforceable by tort law mean for net neutrality or other debates.

What I miss in the decision is the issue of transparency. Possibility of users to challenge website blocking is dependent on transparency of what is being blocked. Giving users right to challenge, but at the same time keeping factual conditions for such right unfavourable seems to be schizophrenic.

All in all, this decision means that Austrian courts will be issuing open-ended website blocking injunctions in the future. Moreover, Austrian ISPs will need to figure out themselves what exactly to do in order to prevent any fines being imposed on them. If the provider does nothing to prevent access to websites, it will be most likely fined. The tragedy of this is not only legal uncertainty and waste of resources this creates, but also that CJEU's threshold of effective measures that are preventing or seriously discouraging the access to a targeted website and which do not lead to unbearable sacrifices for an access provider, will be most likely forgotten after the first meeting of risk averse shareholders.

PS: Fans of historical doctrinal debates might be interested that OGH at some point seems to endorse my view of (Roman) origin of this type of injunctions, when it says:
Der hier strittige Anspruch, das Vermitteln des Zugangs zu einer bestimmten Website zu unterlassen, ist gleich zu beurteilen. Denn auch dabei geht es um die Abwehr eines Eingriffs in ein dinglich wirkendes Ausschließungsrecht.
Who read my paper on in rem character of such injunctions, might know what I mean here. For others, I recommend to have a look.

Saturday, July 12, 2014

Austrian Court Sentenced a Tor Exit Node Operator

Last week, Austrian Regional Criminal Court in Graz (Landesgericht für Strafsachen in Graz) sentenced 22-year old William Weber to 3 months jail time with 3 years probation period for aiding distribution of child pornography by operating a Tor Exit Node, according to FutureZone.at.

For those who don't know Tor Project, it is a Free Software enabling online anonymity. Tor is increasingly used by activists, human rights defenders, journalists and others who need to or just want to use Internet more anonymously. Among them, of course, also criminals such as distributors of child pornography use it. Tor Exit Nodes are Tor's gateways where encrypted Tor traffic hits the Internet. Nodes are run by volunteers all over the world in order to increase the capacity and speed of the Tor Network.

William Weber was running one of such Tor Exit Nodes upon which the system relies. The Austrian Court found that this activity may lead to criminal liability for aiding and abetting of a crime of distribution of child pornography when coupled with other circumstances. Of course, mere provision of Tor Nodes would not be enough to establish at least indirect intent (bedingte Vorsatz), which such aiding and abetting under criminal laws usually requires (§ 5 StGB).

In order to find such circumstances, according to PCWorld, the court cited transcripts of chat sessions uncovered during the investigation in which the Weber told an unidentified correspondent “You can host 20TB child porn with us on some encrypted hdds”, “You can host child porn on our servers” and “If you want to host child porn ... I would use Tor.” Weber defended himself against this on his blog saying: "Yes, this logs existed – Yes, i recommended Tor to host *anything* anonymously, including child pornography – Yes, this is of course taken out of context."

From the reporting I have found, it is not clear to me if the Austrian discussed mere conduit safe harbor under Art. 12 of the eCommerce Directive [Section 13 of the Austrian eCommerce Act]. Commenting Austrian lawyers, Franz Schmidbauer and Huťko's friend Maximilian Schubert, however, referred to this provision in the media coverage [here, here, here].

Article 12 of the eCommerce Directive states in this respect that:

1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.
An operator of a Tor Exit Node in my opinion clearly falls into the definition of the mere conduit services, as it only helps to route the Internet traffic. Because eCommerce Directive cuts through all the fields of liability, including criminal liability, it might appear questionable that Weber, who most likely satisfied (a)-(c) requirements, could have been held liable for the routed traffic at all. But things are never that simple, and so is not the eCommerce Directive itself. In Recital 44 of the Directive, you find following:

(44) A service provider who deliberately collaborates with one of the recipients of his service in order to undertake illegal acts goes beyond the activities of "mere conduit" or "caching" and as a result cannot benefit from the liability exemptions established for these activities.
This provision is an extra requirement; one which relates to (in)famous CJEU requirement of passivity of intermediary activities in general, including hosting; In other words, Austrian court was free to impose criminal liability if a Tor Exit Node operator intentionally collaborated with the perpetrator of the crime of distribution of child pornography. The open question, however, is, how extensively can one understand such "deliberate collaboration". First of all, given that it is defined nowhere in the eCommerce Directive, it is clearly an autonomous term of the Union law, which is in hands of the CJEU. The Austrian courts thus might have been interested in seeing whether their local interpretation of indirect intent is still in line with this requirement. I know close to nothing about the exact facts of the case, but from the media coverage it appears that Weber did identifiably encourage exact perpetrators over chat.

This decision shows that one should be not only technically, but also legally cautious with operating a Tor Exit Nodes [perhaps Tor should add a note here]. Don't get me wrong, operation of such Nodes is very important in serving all the legitimate Tor traffic. But one should not forget that legitimacy of Tor is based on these case, and aiding identifiable misuses can be penalized. The main problem I see with this decision is not the application of the criminal liability in the current case. And I don't even worry that people would start generalizing this too much. Although we should be really careful in keeping the standard of "deliberate collaboration" very high, otherwise it might be easy to criminalize Tor Exit Nodes operators.

At least in Europe, the CJEU should be able to prevent such excess. More troubling could be that if the same logic is applied in countries with less legitimate criminal offences such as anti-state propaganda crimes, it can be very easy to criminalize Tor Exit Nodes operators. The case also shows that limited liability of intermediaries also serves protection of privacy, and that without clear rules, even technical solutions might have problems in their deployment.

Weber told media that he will not appeal the case due to legal fees. Moritz Bartl from TorServers, however, expressed himself:
This particular case went bad because of multiple reasons. We  strongly believe that it can be easily challenged. While certainly shocking, lower court ruling should not be taken too seriously, and this won't necessarily mean that all Tor relays in Austria are now automatically illegal. The ruling only happened two days ago, there is no written statement from the court yet, so we should all be patient and wait for that before we make any assumptions. We will definitely try and find some legal expert in Austria and see what we can do to fight this.
I believe that the last thing we should try, is to see things black and white here.