Saturday, July 12, 2014

Austrian Court Sentenced a Tor Exit Node Operator

Last week, Austrian Regional Criminal Court in Graz (Landesgericht für Strafsachen in Graz) sentenced 22-year old William Weber to 3 months jail time with 3 years probation period for aiding distribution of child pornography by operating a Tor Exit Node, according to

For those who don't know Tor Project, it is a Free Software enabling online anonymity. Tor is increasingly used by activists, human rights defenders, journalists and others who need to or just want to use Internet more anonymously. Among them, of course, also criminals such as distributors of child pornography use it. Tor Exit Nodes are Tor's gateways where encrypted Tor traffic hits the Internet. Nodes are run by volunteers all over the world in order to increase the capacity and speed of the Tor Network.

William Weber was running one of such Tor Exit Nodes upon which the system relies. The Austrian Court found that this activity may lead to criminal liability for aiding and abetting of a crime of distribution of child pornography when coupled with other circumstances. Of course, mere provision of Tor Nodes would not be enough to establish at least indirect intent (bedingte Vorsatz), which such aiding and abetting under criminal laws usually requires (§ 5 StGB).

In order to find such circumstances, according to PCWorld, the court cited transcripts of chat sessions uncovered during the investigation in which the Weber told an unidentified correspondent “You can host 20TB child porn with us on some encrypted hdds”, “You can host child porn on our servers” and “If you want to host child porn ... I would use Tor.” Weber defended himself against this on his blog saying: "Yes, this logs existed – Yes, i recommended Tor to host *anything* anonymously, including child pornography – Yes, this is of course taken out of context."

From the reporting I have found, it is not clear to me if the Austrian discussed mere conduit safe harbor under Art. 12 of the eCommerce Directive [Section 13 of the Austrian eCommerce Act]. Commenting Austrian lawyers, Franz Schmidbauer and Huťko's friend Maximilian Schubert, however, referred to this provision in the media coverage [here, here, here].

Article 12 of the eCommerce Directive states in this respect that:

1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.
An operator of a Tor Exit Node in my opinion clearly falls into the definition of the mere conduit services, as it only helps to route the Internet traffic. Because eCommerce Directive cuts through all the fields of liability, including criminal liability, it might appear questionable that Weber, who most likely satisfied (a)-(c) requirements, could have been held liable for the routed traffic at all. But things are never that simple, and so is not the eCommerce Directive itself. In Recital 44 of the Directive, you find following:

(44) A service provider who deliberately collaborates with one of the recipients of his service in order to undertake illegal acts goes beyond the activities of "mere conduit" or "caching" and as a result cannot benefit from the liability exemptions established for these activities.
This provision is an extra requirement; one which relates to (in)famous CJEU requirement of passivity of intermediary activities in general, including hosting; In other words, Austrian court was free to impose criminal liability if a Tor Exit Node operator intentionally collaborated with the perpetrator of the crime of distribution of child pornography. The open question, however, is, how extensively can one understand such "deliberate collaboration". First of all, given that it is defined nowhere in the eCommerce Directive, it is clearly an autonomous term of the Union law, which is in hands of the CJEU. The Austrian courts thus might have been interested in seeing whether their local interpretation of indirect intent is still in line with this requirement. I know close to nothing about the exact facts of the case, but from the media coverage it appears that Weber did identifiably encourage exact perpetrators over chat.

This decision shows that one should be not only technically, but also legally cautious with operating a Tor Exit Nodes [perhaps Tor should add a note here]. Don't get me wrong, operation of such Nodes is very important in serving all the legitimate Tor traffic. But one should not forget that legitimacy of Tor is based on these case, and aiding identifiable misuses can be penalized. The main problem I see with this decision is not the application of the criminal liability in the current case. And I don't even worry that people would start generalizing this too much. Although we should be really careful in keeping the standard of "deliberate collaboration" very high, otherwise it might be easy to criminalize Tor Exit Nodes operators.

At least in Europe, the CJEU should be able to prevent such excess. More troubling could be that if the same logic is applied in countries with less legitimate criminal offences such as anti-state propaganda crimes, it can be very easy to criminalize Tor Exit Nodes operators. The case also shows that limited liability of intermediaries also serves protection of privacy, and that without clear rules, even technical solutions might have problems in their deployment.

Weber told media that he will not appeal the case due to legal fees. Moritz Bartl from TorServers, however, expressed himself:
This particular case went bad because of multiple reasons. We  strongly believe that it can be easily challenged. While certainly shocking, lower court ruling should not be taken too seriously, and this won't necessarily mean that all Tor relays in Austria are now automatically illegal. The ruling only happened two days ago, there is no written statement from the court yet, so we should all be patient and wait for that before we make any assumptions. We will definitely try and find some legal expert in Austria and see what we can do to fight this.
I believe that the last thing we should try, is to see things black and white here.

Wednesday, July 9, 2014

ECtHR: Delfi AS v Estonia Hearing

Today, the Grand Chamber of the European Court of Human Rights is holding a hearing in an important intermediary liability case - Delfi AS v. Estonia (web-stream here). The Court is hoped to correct many issues which the Chamber judgement so flagrantly overlooked, and as a consequence alarmed 69 organizations to support the re-hearing of the case.

In the meantime, some of the NGOs were given a possibility to intervene in the case by submitting their amicus briefs. European Information Society Institute (EISi), an NGO I volunteer for, also submitted one such brief, which is authored by me. In this submission, we make couple of suggestions to the Court, which I would like to share with the readers. EISi suggests that the Court should:
  • spells out, as an abstract principle, that any general monitoring obligation imposed upon disseminators of non-editorial third party defamatory content is incompatible with Article 10 of the Convention and
  • promote the guarantee of a content author’s right to reply to any allegations before speech is taken down from on-line circulation, by requiring that no liability can be imposed before this moment.
I invite you to read the brief.

Some other organizations made their briefs also already available.
ECtHR should also soon hear an another case that was filed earlier which focuses on liability of bloggers for users’ online comments, Jezior v. Poland.

Friday, May 30, 2014

Should We Centralize the Right to be Forgotten Clearing House?

Being in Silicon Valley during the time when the honourable Court of Justice of the European Union "cracks" its epic right to be forgotten ruling, is a very interesting social experience. Suddenly, the European part of you receives a strange lot of attention among tech folks in all the small talks. No wonder.

[cross-posted with Stanford CIS Blog]

This blog so far did not report on the decision not because I don't have any strong opinion on the issue [you can bet I do!], but because, frankly, I needed to digest its parts and think of them from several angles. I wanted to provide my sophisticated reader with more than just my emotional rants, which I rather ventilate in op-eds like this one.

Google Spain C-131/12 for me is both great and terrible. It is great because the European data protection laws definitely should apply to companies that make a lot of money in Europe, and should regulate search engines. If small European companies manage, so can their American counterparts. The decision is, however, terrible for the (im)balance it strikes. And I know this is where most of the people get passionate. I think that the optimism of many people who commented on ruling is driven by the belief that the law will be changed (e.g. my friend Julia Powles in the Guardian and Wired). If this is your framework, then I do agree. Yes, the decision will definitely move things ahead. 

This might be all true and great, but still, from the short term perspective, the decision with its (im)balance is just terrible. Steve Peers, Peter Lehofer and others already commented on the constitutionally striking language of the decision. Peter Lehofer eloquently characterized this reading of privacy as a "super-human-right". This blanket preference for one human right disturbs me, especially when it comes from a court that is increasingly taking the role of a constitutional court and even claiming to have the ultimate words on the content of those rights. As all European law students learn, perhaps as the first thing in their human rights classes, that there is no hierarchical relationship between the conflicting human rights. That's why we need a test of proportionality. The CJEU now seems to disagree.

So why do I think that the current decision can not serve as a right balance for the future law? 

First of all, the Directive itself has very narrow exceptions for the use of personal data without the permission of the individual concerned ["solely for journalistic purposes or the purpose of artistic or literary expression"]. The fact that CJEU explicitly had no problem with giving a blessing to reading that precludes search engines and other websites from referring to a legitimate article (e.g. up-to-date news article), just because no explicit exception exists. This is deeply worrying. I think that a search engine should be able to invoke the same exception, which a source website is able to invoke (e.g. journalistic, scientific, etc.). This could potentially affect not only search engines, but anybody linking to an article with an anchor which uses personal data (or think of Tweets that encompass personal data when referring to a legitimate article). I think if we expand the notion of "data controllers" and thus data protection laws, we should also expand exceptions [yes, think here of the the old problem of the copyright laws]. Otherwise we might outlaw socially legitimate processing of personal data and artificially break the chain of speech online.

Second, and this is where most of my European friends disagree, the right to object to "no longer relevant" processing of personal data, should be made an exception and not a general rule as CJEU tell us [the word "relevant" in Art. 6(1)(3) IMHO refers not to time-relevant, but proportionate]. I can personally see many instances when we want to give a second chance to people and relieve them from their personal history. Spent convictions for rehabilitated offenders, juvenile indiscretions or personal bankruptcies all share the same justification - a need to give a second chance to people. But this not universal. Not all outdated data have such properties and can be supported by such justification. In fact, I would argue it is only a small subset of all outdated information. Many people also seem to assume that a time dimension decreases the societal value of the information that has such merit. Yes in some cases, but in others it can even increase its societal value (e.g. former radical now applying for job as a high school teacher or running for the public office, etc.). I just don't think that narrative of second chance really supports a universal right of this kind.

But let's look into the application. Google just published its European removal tool. The company seems to be preparing for serious examination of all the requests. From a business perspective, this is no surprise, given that if Google wants to continue to provide its service with any meaningful value, it has to comply. Other it might potentially face criminal charges. And Google is of course capable of doing it. The problem is, however, by shifting the burden completely on a search engine, we just literally "cemented" search engine market by erecting incredibly high barriers to entry. Are mini-competitors of Google like Czech also capable of doing this? I doubt so. They will most likely just automate the process to save the costs.

Of course you can argue that our preference for privacy is stronger than any concern of competition in the search engine market. But the search engine market is crucial to the online flow of information and any business online. I am not saying we should not regulate search engines, but trying to outsource some of the burden, so a more competitive environment can be preserved, would be desirable. For instance, having to apply to data protection authorities prior to removal on grounds of "no longer relevant", would be a good step [mind you, this is not about right to erasure]. 

This way, we have a state authority to determine such conflicts of freedom of expression and privacy. The authority, which is, unlike a private company, directly bound by human rights [because its a state power]. This would also centralize such decision making into one place, so the consistency can be achieved. And we can better discuss edge cases, because its all public [though anonymized]. The handling of "no-longer-relevant" complaints and defending of potential freedom of expression issues would not be in this way left to business incentives of companies, but to publicly accountable body. Again, the search engines represent a way more critical infrastructure [at least today] than any other service, and no-longer-relevant requests are way more difficult to assess than say copyright issues. So a different treatment, I think, it justified. 

This would also create more legal certainty for service providers and originators of objected speech. Because what is time-relevant for a society is determined by the state, not industry players. At the same time, it would outsource some of the decision making costs, so the barriers of entry would be lowered. Also the mental barrier for applications would be slightly increased, as filling a request to the administrative authority perhaps makes us think twice [even if its free of charge]. The examination effort of search engines would thus not be replicated many times, but be centralized to one decision-making process, with positive spill-over on less wealthy competitors.

To conclude. I think that the Google Spain ruling is really better understood as a political act of the CJEU than as some interpretation of the laws. CJEU members probably disgusted by the difficult policy debates about a new European data protection regulation and "US overreach" revealed by Snowden, decided on this strong ruling to make a political statement. US tech companies have been blocking a new Regulation in Brussels, so the judges decided to mix up the pack of cards on the policy table from Luxemburg, to see what will happen now [thus proving that Coase’s theorem does not work in the political process as well].

Only the way this ruling will be practically carried will determine whether the history will list Google Spain as a good or bad move for the European society.

PS: There are plenty of alternative options. In a conversation, Julia Powles, for instance, suggested that if Google was really concerned about smaller players, it would look seriously at creating an independent, industry-sponsored platform to do this job, because it could be a faster option than any DPA. I personally favour state-implemented solution, given the direct obligations to respect human rights. But I agree that fragmentation and tardiness of DPAs is something that would need to be solved.

Wednesday, April 30, 2014

BGH: Screen Scraping Does Not Constitute Unfair Competition

German Federal Supreme Court (BGH) is in a new case on meta search engines and screen scraping -- Flugvermittlung im Internet, I ZR 224/12 -- again proving its superior expertise and better sense of the real world compared to the Court of Justice of the EU.

In a case involving notorious litigant Ryaniar who sued a meta search engine Vtours, it comes to the conclusion that a meta search engine which carries out a booking on behalf of the consumer, or even in its own name (integrated booking), does not per se engage in an act of unfair competition.

The case started some time ago as both sui generis database right and unfair competition law case. The second instance, Regional Court in Hamburg (OLG Hamburg, 5 U 38/10), accepted protection of Ryanair's database, but rejected that it would be infringed by the practice of screen-scraping relying partially on the argumentation of BGH's Automobil-Onlinebörse case. The Hamburg court however, upheld the unfair competition claims arguing that if a reseller conceals his intent to resell to supplier (so called Schleichbezug), he acts unfairly as the supplier has right to a freely choose for direct or selective distribution system. As mentioned above, the decision concerned an integrated booking system. This is important because the Hamburg Court explicitly opined that a non-integrated booking system (e.g. Skyscanner) could be indeed legitimate. This all happened prior to infamous Innoweb ruling of the CJEU. The decision, where CJEU labelled as "nearly parasitic" even a comparison meta search engine that was referring consumers always back to the source website.

Because Ryanair appealed further, the BGH was asked to review the case. But it did not review all the claims that were put forward initially, but only a claim related to unfair competition. BGH thus could not deal with a open conflict of its own case law (Automobil-Onlinebörse case) and one of the CJEU (Innoweb case). Today, BGH issued its press release that reads:

Der Bundesgerichtshof hat eine wettbewerbswidrige Behinderung der Klägerin gemäß § 4 Nr. 10 UWG verneint. Im Streitfall führt eine Gesamtabwägung der Interessen der Mitbewerber, der Verbraucher sowie der Allgemeinheit nicht zu der Annahme, dass die Klägerin durch die beanstandete Vermittlung von Flügen durch die Beklagte ihre Leistungen am Markt durch eigene Anstrengungen nicht mehr in angemessener Weise zur Geltung bringen kann. Erforderlich ist insoweit eine Beeinträchtigung der wettbewerblichen Entfaltungsmöglichkeit, die über die mit jedem Wettbewerb verbundene Beeinträchtigung hinausgeht und bestimmte Unlauterkeitsmomente aufweist. Allein der Umstand, dass sich die Beklagte über den von der Klägerin in ihren Geschäftsbedingungen geäußerten Willen hinwegsetzt, keine Vermittlung von Flügen im Wege des sogenannten "Screen-Scraping" zuzulassen, führt nicht zu einer wettbewerbswidrigen Behinderung der Klägerin.

Ein Unlauterkeitsmoment kann allerdings darin liegen, dass eine technische Schutzvorrichtung überwunden wird, mit der ein Unternehmen verhindert, dass sein Internetangebot durch übliche Suchdienste genutzt werden kann. Einer solchen technischen Schutzmaßnahme steht es aber - anders als es das Berufungsgericht angenommen hat - nicht gleich, dass die Klägerin die Buchung von Reisen über ihre Internetseite von der Akzeptanz ihrer Geschäfts- und Nutzungsbedingungen durch Ankreuzen eines Kästchens abhängig macht und die Beklagte sich über diese Bedingungen hinwegsetzt. Der Bundesgerichtshof hat auch nicht angenommen, dass die Interessen der Klägerin die der Beklagten überwiegen. Das Geschäftsmodell der Beklagten fördert die Preistransparenz auf dem Markt der Flugreisen und erleichtert dem Kunden das Auffinden der günstigsten Flugverbindung. Dagegen wiegen die Interessen der Klägerin daran, dass die Verbraucher ihre Internetseite direkt aufsuchen und die dort eingestellte Werbung und die Möglichkeiten zur Buchung von Zusatzleistungen zur Kenntnis nehmen, nicht schwerer. Das Oberlandesgericht wird nunmehr zu prüfen haben, ob der Klägerin Ansprüche wegen Irreführung und nach den Grundsätzen des wettbewerbsrechtlichen Leistungsschutzes zustehen.
For my non-German speaking readers. The Court rejected that operation of a meta search engine with an integrated booking system would constitute an act of unfair competition only because the source website did not allow this practice in its general terms and conditions. According to the PR, the Court came to this conclusion after balancing the interests of all concerned parties, including consumership at large. The Court explicitly mentions positive effects that price transparency has on competition. Interestingly enough, it also goes so far as to say that the interests of Ryaniar to preserve its income from the advertising and to preserve a chance to sell complementary products does not by itself justify contrary judgement [sic!]. Considering the fact that sui generis database protection is in fact unfair competition law derivative, this language is strikingly opposing what the CJEU assumed in its Innoweb ruling.

In this respect I can only refer the reader to my working paper The End of Meta Search Engines in Europe? (SSRN link), which addresses the exact reasons why I believe that BGH is right and CJEU wrong. This is essential. If German courts follow its jurisprudence of granting sui generis protection to Ryanair's database, which is rather unusual among the Member States, then they would be bound by Innoweb to find for an infringement. Fortunately they can prevent such outlawing of meta search engines by increasing its requirements for protection in a similar way as most of the other national European courts do.

Coming back to BGH decision, the Court also notes that if Ryanair would apply technical protection measures, it could have an actionable breach of unfair competition law rules. So if Ryanair would for instance implement CAPTCHA to prevent robots from accessing its sub-pages, then it could possibly claim a violation. The Court also notes that the lower court must now asses whether the meta search engine did not mislead consumers by its practice, and if the plaintiff does not qualify for some extra protection against appropriation based on unfair competition law (wettbewerbsrechtliche Leistungsschutz). This last mentioned layer of protection is in Germany granted as an extra supplementary protection on the top of some formalized IP-rights in some cases. Given the position of the Court in respect to lost benefits of the plaintiff, I think it is unlikely that the plaintiff could prevail here. However, the outcome of the case as such is very questionable because of the already mentioned change in the jurisprudence by the Innoweb ruling (I am not sure if the lower court can still change his mind on that point). Any comments on procedural situation from my German colleagues are most welcome.

I will update the post once the text of the decision is out. In the meantime, here is the abstract of The End of Meta Search Engines in Europe?:

Technology behind the meta search engines supports countless number of services ranging from the price and quality comparison websites to more sophisticated traffic connection finders and aggregators. The meta search engines generally increase market transparency, intensify competition and decrease transaction costs of consumers. Because they are also capable of disturbing established business models of the indexed websites, number of lawsuits were filed against the various operators of meta search engines in the last years in Europe. The scrutiny of the operation of some of them was recently even escalated to the Court of Justice of the European Union. In December 2013, the Court handed down its Innoweb C-202/12 ruling, where it held that operation of meta search engines is likely to infringe the database right of the indexed websites, assuming that they constitute a protectable subject matter. This paper therefore analyses legal and practical consequences of this landmark decision for the innovation, consumers and e-commerce in the comparative context.

The investigation then comes to the following conclusions. Meta search engines sourcing product and price information from websites that directly sell services/goods, are not likely to be affected by the decision due to lack of database protection of its parts. Meta search engines that on the other hand source user generated content, are likely to be affected and will need to acquire the licenses from the database owners. It is submitted that the Innoweb decision may lead to the meta search engines shifting more to two sided market configuration, where suppliers who value the users more than users commonly subsidize the service for users. As a consequence, this pricing structure of a two sided market can render this newly acquired blocking right based on the database right valueless. On the other hand, the existence of an exclusion right might increase the barriers-to-entry by imposing a need of concluding of licensing deals for new entrants who have to solve the “chicken-egg” problem, what may negatively impact the competition between different meta search engines and thus ironically foster position of meta search incumbents.

Wednesday, April 9, 2014

Data Retention Challenge Earns Historical Victory for Privacy

I am sure all of you already know by this time about the epic privacy ruling - Digital Rights Ireland C-293/12 - that the Court of Justice of the EU yesterday handed down. This post won't be a usual legal analysis on which you are used to. I think that more learned colleagues and experts on human rights law, such as Steve Peers, Cybermatron, Daithí Mac Síthigh, Fiona de Londras, Paul Bernal can express and comment better on this ruling than I ever could.

I rather want to share with you my personal note of gratitude for this achievement that is owed to many amazing individuals not only in Europe. 

The success of Irish and Austrian reference is a very personal thing for me. Yet as a student at Law School, it was our first strategic litigation. Inspired by many members of EDRi taking actions in Germany, Czech republic, Romania and other countries, I and bunch of my wonderful colleagues decided to help out, formed EISi, and started sending out letters to Slovak authorities. And it did not work. Authorities completely ignored our requests, despite the fact that the German Constitutional Court (BVerfG) at the time already cancelled the German implementation. Its quite funny to think of it now, but for some unknown reason, probably more as citizens than scholars or lawyers, we felt that even BVerfG got it wrong. And so we started getting in touch with EDRi members such as Patric Breyer from German AK Vorrat, Jan Voboril from Czech IuRe, Katitza Rodrigez from EFF and many others. From the very beginning, I was very pleasantly surprised by very supportive and constructive atmosphere on EDRi mailing lists and also by how many great small organizations and individuals around the Europe decided to spend their time on fighting data retention. I was more than happy when three years later, I could finally report that we made it to the Slovak Constitutional Court.

And even thought preliminary reference eventually came from Austria and Ireland, I think it is important to view this as a win of many more individuals. As paradoxical as it sounds, I don't think that we could get here without many decisions of the national Constitutional Courts that got it wrong - from today's perspective (German one, Czech one, etc.). In a sense, I think that they framed the debate and thus gave us good grounds to demand more and more privacy from the state. All of us coming after, were inevitably building on these decisions, and also on all the scholarly commentaries, scientific responses or public interested steered by them.

I believe that nothing tells better the story behind this success as the fact that Digital Rights Ireland itself has no staff or office and that Austrian challenge was brought up almost 12.000 individuals. It tells us that it was not big corporations or angry industry, but small individuals who made this whole thing happen. Thank you to all of you!

CJEU Confirms Pinckney Ruling

For all the private international law & IP law enthusiast, it might of interest that in the meantime of waiting for Coty Prestige C-360/12 ruling, the CJEU issued its Hi Hotel C-387/12 ruling last week (without an advice from Advocate General). Hi Hotel partially pre-determines the outcome of Coty Prestige with the main message - the attribution of effects under Art. 5(3) Brussels I. will, despite the criticism from the Advocate General, govern our case-law on jurisdiction for the future. In a similar way, Melzer ruling is confirmed. Several points are still not clear, but it is fair to say that Hi Hotel resoundingly confirms Pinckney on attribution. Readers of this blog might know that I on several occasions, similarly as Advocate General, criticized Pinckney

I believe that by enabling to hear a "territory-limited claims" under Art. 5(3) Brussels I. against a defendant, who is not domiciled, and did not act or directly cause an effect by his acts in a state of the court, purely on the basis that that the effect was furthered by somebody else, is a dangerous approach. Despite the fact that the end result might be an empty jurisdiction, i.e. jurisdiction, where no claim can be awarded. I have recently summed up some of my arguments in a comment for IIC (see Husovec, Case Comment on Pinckney, IIC, Volume 46 - 3 Issue, not yet out, so if you are interested, just drop me an email).

From the ruling:

32      Consequently, Article 5(3) of that regulation does not allow jurisdiction to be established on the basis of the place of the causal event with respect to one of the supposed perpetrators of the damage who has not acted within the jurisdiction of the court seised (see Melzer EU:C:2013:305, paragraph 41).

33      However, in contrast to the Melzer case (EU:C:2013:305), in the present case the referring court has not limited its question to the interpretation of Article 5(3) of the regulation for the sole purpose of establishing the jurisdiction of the German courts on the basis of the causal event of the alleged damage.

34      Accordingly, it must also be examined whether, in circumstances such as those at issue in the main proceedings, where several supposed perpetrators of the alleged damage have acted in different Member States, Article 5(3) of Regulation No 44/2001 allows jurisdiction to be attributed, on the basis of the occurrence of the damage, to the courts of a Member State with respect to one of the supposed perpetrators of the damage, even though he did not act within the jurisdiction of the court seised.
This brings me only a little comfort, as the Court does not seem to anticipate prima-facie absurd assertions of such connections (attributions). To the contrary, it indicates that most likely it will not create any qualitative criteria for such an attribution, and that it will leave it completely open for the national courts. I don't think that proving the "empty jurisdiction" on the substantive law level then anyhow helps the defendant, who had to spend some money on his defense. But maybe I am missing something.

35      It should be noted that jurisdiction to hear an action in tort, delict or quasi-delict may be established in favour of the court seised of a claim for a finding of a breach of copyright, where the Member State in which that court is situated protects the rights of copyright relied on by the applicant and the alleged damage may occur within the jurisdiction of the court seised (see Pinckney EU:C:2013:635, paragraph 43).

36      In the main proceedings Mr Spoering is claiming a breach of various rights of copyright, namely the rights to reproduce, distribute and exhibit the photographs in question. It is common ground that those rights are protected in Germany in accordance with Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (OJ 2001 L 167, p. 10).

37      In circumstances such as those at issue in the main proceedings, it must be considered that the fact that damage may occur follows from the possibility of acquiring a reproduction of the work to which the copyright relied on by the applicant attaches in a bookshop located within the jurisdiction of the court seised. As appears from the facts referred to in paragraph 14 above, the handing over of the photographs in question to Phaidon-Verlag of Paris gave rise to the reproduction and distribution of the photographs, and thereby to the possibility that the damage alleged might occur.

38      On the other hand, in so far as the protection afforded by the Member State of the court seised applies only in that Member State, the court seised on the basis of the place where the damage occurs has jurisdiction only to determine the damage caused in the territory of that State (Pinckney EU:C:2013:635, paragraph 45).

39      The courts of other Member States in principle retain jurisdiction, in the light of Article 5(3) of Regulation No 44/2001 and the principle of territoriality, to rule on the damage to copyright caused in their respective Member States, given that they are best placed, first, to ascertain whether the rights of copyright guaranteed by the Member State concerned have in fact been infringed and, secondly, to determine the nature of the damage caused (see Pinckney EU:C:2013:635, paragraph 46).
Let's see what the Coty Prestige will bring.

Thursday, March 27, 2014

CJEU Allowed Website Blocking Injunctions With Some Reservations

So the CJEU finally issued its UPC Telekabel Wien C-314/12 decision. It contains several good points, but also some missed opportunities (the rejections of a need of specific measures is quite a disappointment), and black-box type of issues, where only the time will tell.

But before I get to the ruling, it is very interesting to see that CJEU yet again (Scarlet, Sabam same story) did not follow a very interesting argumentation of the Advocate General Cruz Villalón, who suggested to take a look at the injunctions also from the perspective of "quality of the law". This might be a good/bad news for the pending data retention reference in Digital Rights Ireland C-293/12, where he suggested to the CJEU to invalidate the data retention directive mostly not due to proportionality considerations, but for "quality of the law" reasons. I think that his argument there is politically not acceptable for the CJEU, but let's see. So back to the website blocking.

The Court first accepts (§ 23-40) that an access provider who has no affiliation or business relationship with the infringers (streaming websites) can still be a target of the injunctions against intermediaries. This basically means that anybody who enables infringement is capable of being sued from Art. 8(3) injunctions. No surprise here.

In the second part, the Court allows some of the website blocking injunctions as such, but makes it subject to couple of conditions. The Court recalls that the case is about a maximal admissible celling of these injunctions (§ 45), and not about minimal standard required from the Member States (§ 43). This means, as I suggested earlier, that this case in fact does not answer whether the Member States have to provide for such injunctions, but only whether they are permissible when provided for under the national law.

The Court stylized the entire judgment in the perspective of conflicting human rights: 
  • (i) copyrights and related rights, which are intellectual property and are therefore protected under Article 17(2) of the Charter, 
  • (ii) the freedom to conduct a business, which economic agents such as internet service providers enjoy under Article 16 of the Charter, and 
  • (iii) the freedom of information of internet users, whose protection is ensured by Article 11 of the Charter. 
As anticipated earlier, the right to fair trial argument did not appear in the case, but there are some consequences for it as well (see below). The relevant part of the decision are then § 49 -63.

49      The freedom to conduct a business includes, inter alia, the right for any business to be able to freely use, within the limits of its liability for its own acts, the economic, technical and financial resources available to it.

50      An injunction such as that at issue in the main proceedings constrains its addressee in a manner which restricts the free use of the resources at his disposal because it obliges him to take measures which may represent a significant cost for him, have a considerable impact on the organisation of his activities or require difficult and complex technical solutions.

51      However, such an injunction does not seem to infringe the very substance of the freedom of an internet service provider such as that at issue in the main proceedings to conduct a business.

52      First, an injunction such as that at issue in the main proceedings leaves its addressee to determine the specific measures to be taken in order to achieve the result sought, with the result that he can choose to put in place measures which are best adapted to the resources and abilities available to him and which are compatible with the other obligations and challenges which he will encounter in the exercise of his activity.
I think this is implicit acceptance of openly formulated website blocking injunctions, and also rejection of AG's suggestion of a need for specific measures. This should make German BGH feel more comfortable with its own case-law. Not sure about ISPs.

53      Secondly, such an injunction allows its addressee to avoid liability by proving that he has taken all reasonable measures. That possibility of exoneration clearly has the effect that the addressee of the injunction will not be required to make unbearable sacrifices, which seems justified in particular in the light of the fact that he is not the author of the infringement of the fundamental right of intellectual property which has led to the adoption of the injunction.
This paragraph is slightly confusing, but I think it essentially refers to execution proceedings when an openly formulated website blocking injunction was being granted. Again, this kind of rule might make a perfect sense for a German or other lawyer who is used to negligence based liability for disobeying the rulings also in the execution proceedings. In some countries, however, execution proceedings attaches strict liability standards to disobeying of the decisions. For these countries, it might be more challenging to implement this principle. This seems to shift the entire debate of exact measures from the court proceedings to the execution proceedings. Also I keep wondering how compatible with the eCommerce Directive it would be to fine an access provider in such proceedings, as Art. 12 safe harbor might be still a limitation here (just a thought).

54      In that regard, in accordance with the principle of legal certainty, it must be possible for the addressee of an injunction such as that at issue in the main proceedings to maintain before the court, once the implementing measures which he has taken are known and before any decision imposing a penalty on him is adopted, that the measures taken were indeed those which could be expected of him in order to prevent the proscribed result.

55      None the less, when the addressee of an injunction such as that at issue in the main proceedings chooses the measures to be adopted in order to comply with that injunction, he must ensure compliance with the fundamental right of internet users to freedom of information.

56      In this respect, the measures adopted by the internet service provider must be strictly targeted, in the sense that they must serve to bring an end to a third party’s infringement of copyright or of a related right but without thereby affecting internet users who are using the provider’s services in order to lawfully access information. Failing that, the provider’s interference in the freedom of information of those users would be unjustified in the light of the objective pursued.
This is an important point. The CJEU here implicitly adheres to the prohibition of the collateral censorship as stipulated in the case-law of the ECHR. This part of the ruling should prevent some forms over-blocking e.g. by means of IP blocking when the IP address is shared.

57      It must be possible for national courts to check that that is the case. In the case of an injunction such as that at issue in the main proceedings, the Court notes that, if the internet service provider adopts measures which enable it to achieve the required prohibition, the national courts will not be able to carry out such a review at the stage of the enforcement proceedings if there is no challenge in that regard. Accordingly, in order to prevent the fundamental rights recognised by EU law from precluding the adoption of an injunction such as that at issue in the main proceedings, the national procedural rules must provide a possibility for internet users to assert their rights before the court once the implementing measures taken by the internet service provider are known.
I consider this to be the most important part of the ruling. My reading is that unless the procedural law of the Member State can guarantee that, the website blocking can not be granted at the first place. Although this remark is made in the framework of a right to the freedom of information, I believe that it can have a big impact also on the right to fair trial issue. Especially the countries that grant website blocking injunctions without any possibility to challenge them by the targeted website ex post (UK courts now incorporate such possibility), it might prevent the injunctions to be granted entirely. CJEU makes an important step by safeguarding the same for the Internet users as well. It would be interesting to see if the national law of your Member State enable that kind of challenge of a non-party. Any thoughts?

58      As regards intellectual property, it should be pointed out at the outset that it is possible that the enforcement of an injunction such as that in the main proceedings will not lead to a complete cessation of the infringements of the intellectual property right of the persons concerned.

59      First, as has been stated, the addressee of such an injunction has the possibility of avoiding liability, and thus of not adopting some measures that may be achievable, if those measures are not capable of being considered reasonable.
Again strict liability might be precluded in these cases.

60      Secondly, it is possible that a means of putting a complete end to the infringements of the intellectual property right does not exist or is not in practice achievable, as a result of which some measures taken might be capable of being circumvented in one way or another.

61      The Court notes that there is nothing whatsoever in the wording of Article 17(2) of the Charter to suggest that the right to intellectual property is inviolable and must for that reason be absolutely protected (see, to that effect, Scarlet Extended, paragraph 43).

62      None the less, the measures which are taken by the addressee of an injunction, such as that at issue in the main proceedings, when implementing that injunction must be sufficiently effective to ensure genuine protection of the fundamental right at issue, that is to say that they must have the effect of preventing unauthorised access to the protected subject-matter or, at least, of making it difficult to achieve and of seriously discouraging internet users who are using the services of the addressee of that injunction from accessing the subject-matter made available to them in breach of that fundamental right.
A difficult sentence, but probably says following: website blocking must (i) make it more difficult to access the source, and [sic!] (ii) seriously discourage Internet users from accessing the blocked source. It is my understanding that unless such a measure exists, not even an open ended injunctions should be granted. I think that the analyses of Justice Arnold in his blocking cases can hold the water in this respect. This part, however, needs to be scrutinized for its impact beyond this brief comment.
63      Consequently, even though the measures taken when implementing an injunction such as that at issue in the main proceedings are not capable of leading, in some circumstances, to a complete cessation of the infringements of the intellectual property right, they cannot however be considered to be incompatible with the requirement that a fair balance be found, in accordance with Article 52(1), in fine, of the Charter, between all applicable fundamental rights, provided that (i) they do not unnecessarily deprive internet users of the possibility of lawfully accessing the information available and (ii) that they have the effect of preventing unauthorised access to protected subject-matter or, at least, of making it difficult to achieve and of seriously discouraging internet users who are using the services of the addressee of that injunction from accessing the subject-matter that has been made available to them in breach of the intellectual property right.
My main issue with the judgment is that it rejected a need for a measure-specific injunctions as suggested by the Advocate General. The CJEU to the contrary, seems to be fine with shifting the debate to the executoin proceedings. I am not sure how flexible are these procedural rules in different countries. On the other hand, CJEU appers to set its standard for what is effective a bit higher than AG, who was also willing to accept also "easily circumventable measures". This negative parts are however somehow overweighted by a good feeling from paragraph 57 of the judgment. Let's see if the second look gives the same impression as well.

And also, an another consequence of this ruling is that the debate of what constitutes a general monitoring obligations can be perhaps again re-opend.