Sunday, March 20, 2016

AG Speaks Out On Accountability For Third Party Infringements Commited Via One's Open WiFi

As many readers surely know by now, the much awaited Opinion of the Advocate General, Maciej Szpunar, in McFadden C-414/14 case has been released this week. To my great surprise, it is one of the best opinions on the E-Commerce Directive any member of the Court has ever produced (yes, even better than Maduro's Google France or Villalón's excellent Scarlet Extended). AG Szpunar goes systematically through numerous open questions and answers them with a great attention to detail and systematic importance. The fact that he even goes as far as to explicitly stress importance of open WiFi for innovation - something that I and EFF argued in the open letter to the Court - makes me naturally even very happy.

This blog has reported on the issue and background of McFadden rather extensively in this blog post. The case arose between an entrepreneur selling light and audio systems who is also a member of the German Pirate Party and a record label. The entrepreneur operates an open and free of charge WiFi in his store. He uses the WiFi sometimes as a tool for advertising of his store (preloaded home page points to his shop and name of the network bears its name) and sometimes to agitate for his political views (pointing to particular websites such as data protection campaigns, etc.). After receiving a letter informing him about a copyright infringement allegedly committed via his hot-spot, the entrepreneur unusually sued the right holder pursuing the negative declaratory action. The right holder as a defendant later counter-claimed asking for damages, injunctive relief and pre-trail costs as well as court fees under the above mentioned doctrine of BGH.

The heart of the case is about the following four questions:
  1. Is an open WiFi that is provided for free still an information society service covered under the E-Commerce Directive?
  2. Can an operator of an open WiFi benefit from a mere conduit safe harbour enshrined in Art. 12 of the E-Commerce Directive?
  3. Does the safe harbour limit pre-trial costs, injunctions and penalties for non-compliance with injunctions?
  4. Provided that injunctions are allowed in principle, is an injunction prescribing a) the termination of the Internet connection, b) the password-protection of the Internet connection and c) the examination of all communications passing through that connection compatible with the EU law?
AG Szpunar provides guidance with respect to all of them and does not shy away from discussing some more subtle and critical issues of the E-Commerce Directive. The overall message of the opinion is clearly against imposition of the proposed measures to open wireless. But let's have a look on what AG has to say question-by-question.

1. Is provision of open WiFi covered by ECD? Answer: Yes!

41.      In my view, where, in the course of his business, an economic operator offers Internet access to the public, even if not against payment, he is providing a service of an economic nature, even if it is merely ancillary to his principal activity.
42.      The very operation of a Wi-Fi network that is accessible to the public, in connection with another economic activity, necessarily takes place in an economic context.
43.      Access to the Internet may constitute a form of marketing designed to attract customers and gain their loyalty. In so far as it contributes to the carrying on of the principal activity, the fact that the service provider may not be directly remunerated by recipients of the service is not decisive. In accordance with consistent case-law, the requirement for pecuniary consideration laid down in Article 57 TFEU does not mean that the service must be paid for directly by those who benefit from it. (13)
48.      In my opinion, the provision of Internet access in such circumstances takes place in an economic context, even if it is offered free of charge.
 2. Is provision of open WiFi covered by Art. 12? Answer: Yes!
65.      In accordance with Article 12(1)(a) to (c), this limitation of liability takes effect provided that three cumulative conditions are fulfilled: the provider of the mere conduit service must not have initiated the transmission, must not have selected the recipient of the transmission and must not have selected or modified the information contained in the transmission.
66.      According to recital 42 of Directive 2000/31, the exemptions from liability solely cover activities of a merely technical, automatic and passive nature, which implies that the service provider has neither knowledge of nor control over the information that is transmitted or stored.
67.      The questions referred by the national court are based on the assumption that those conditions are fulfilled in the present case.
97.      Article 12(1)(a) to (c) of Directive 2000/31 makes the limitation of the liability of a provider of mere conduit services subject to certain conditions that are cumulative and also exhaustive. (24) The addition of further conditions for the application of that provision seems to me to be ruled out by its express terms.

 3. What kind of liability does Art. 12 not shield from? Answer: liability for injunctions and for penalties arising from non-compliance with them
64.      As is apparent from the preparatory work for that legislative act, the limitation of liability in question extends, horizontally, to all forms of liability for unlawful acts of any kind, and thus to liability under criminal law, administrative law and civil law, and also to direct liability and secondary liability for acts committed by third parties. (19)
68.      I would observe that it is clear from a combined reading of paragraphs 1 and 3 of Article 12 of Directive 2000/31 that the provisions in question limit the liability of an intermediary service provider with respect to the information transmitted, but do not shield him from injunctions.
69.      Equally, according to recital 45 of Directive 2000/31, the limitations of the liability of intermediary service providers do not affect the possibility of injunctive relief, which may, in particular, consist of orders by courts or administrative authorities requiring the termination or prevention of any infringement.
73.      I would recall that Article 12(1) of Directive 2000/31 limits the civil liability of intermediary service providers and precludes actions for damages based on any form of civil liability. (20)
74.      In my opinion, that limitation of liability extends not only to claims for compensation, but also to any other pecuniary claim that entails a finding of liability for copyright infringement with respect to the information transmitted, such as a claim for the reimbursement of pre-litigation costs or court costs.
76.      Pursuant to Article 12 of Directive 2000/31, a provider of mere conduit services cannot be held liable for a copyright infringement committed as a result of the information transmitted. Therefore, he may not be ordered to pay pre-litigation costs or court costs incurred in connection with that infringement, which cannot be imputed to him.
This is a very important holding for the German practice. It basically precludes pre-trial reimbursement of cease and desist letters (Abmahnungskosten) against safe harbours-covered intermediaries. This leads to the most significant change for mere conduits who don't lose the safe harbours even after obtaining knowledge. Not only can this holding disrupt the industry of cease and desist letters against the operators of open WiFis in Germany, but after the BGH admitted the possibility of website blocking injunctions, this holding can significantly limit pre-trial risk of the Internet access providers in Germany. If accepted by the Court, ISPs could basically wait until they are sued, as is currently the case in the UK, since Stoererhaftung is blocked from leading to any important (pecuniary) consequences. I have argued for this solution in my PhD thesis [which is in the process of being turn into a book], so I am naturally very happy to see it formulated by the AG explicitly like this. It remains to be seen if the CJEU follows this suggestion.  
77.      I would also observe that the making of an order to pay the pre-litigation costs or court costs relating to such an infringement could compromise the objective pursued by Article 12 of Directive 2000/31 of ensuring that no undue restrictions are imposed on the activities to which it relates. An order to pay pre-litigation costs or court costs could potentially have the same punitive effect as an order to pay damages and could in the same way hinder the development of the intermediary services in question.
78.      Admittedly, Article 12(3) of Directive 2000/31 provides for the possibility of a court or administrative authority imposing certain obligations upon an intermediary service provider following the commission of an infringement, in particular by means of an injunction.
79.      However, given the provisions of Article 12(1) of that directive, a judicial or administrative decision imposing certain obligations on a service provider may not be based on a finding of the latter’s liability. An intermediary service provider cannot be held liable for failing to take the initiative to prevent a possible infringement or for failing to act as a bonus pater familias. He may incur liability only after a specific obligation contemplated by Article 12(3) of Directive 2000/31 has been imposed on him.
This is a very important line of the judgement. However, one should note that it is limited by the fact that injunctions can be imposed by the administrative authority or the court. Still, however, it confirms that "punishing" a safe-harbour-compliant intermediary is limited by the E-Commerce Directive in general. And given that injunctions based on Art. 8(3) InfoSoc have their own limitations that distinguish them from injunctions against infringers, the consequences are substantial especially for some countries. I particularly like the fact that AG has considered the issues in the context and explicitly foresees that possible penalties for injunction-non-compliance (e.g. for not respecting a website blocking injunction) should not be covered (§ 90). This is the only sensible policy since otherwise intermediaries could easily disrespect injunctions issued against them. Again, something I also argued in my PhD thesis. 
80.      In the present case, in my view, Article 12(1) of Directive 2000/31 therefore precludes the making of orders against intermediary service providers not only for the payment of damages, but also for the payment of the costs of giving formal notice or other costs relating to copyright infringements committed by third parties as a result of the information transmitted.
4. Can the measures of access termination / password-locking / surveillance be imposed on an operator of open WiFi? Answer: No

115. In the light of those considerations, national courts must, when issuing an injunction against an intermediary service provider, ensure:
–        that the measures in question comply with Article 3 of Directive 2004/48 and, in particular, are effective, proportionate and dissuasive,
–        that, in accordance with Articles 12(3) and 15(1) of Directive 2000/31, they are aimed at bringing a specific infringement to an end or preventing a specific infringement and do not entail a general obligation to monitor,
–        that the application of the provisions mentioned, and of other detailed procedures laid down in national law, achieves a fair balance between the relevant fundamental rights, in particular, those protected by Articles 11 and 16 and by Article 17(2) of the Charter.
116. The national court asks whether Article 12 of Directive 2000/31 precludes injunctions which contain prohibitions formulated in general terms and leave it to the addressee of the injunction to determine what specific measures should be adopted.
Here the AG starts making an attempt to limit CJEU's UPC Telekabel decision.
117. The measure envisaged in the main proceedings consists in an order requiring the intermediary service provider to refrain in the future from enabling third parties to make a particular protected work available for electronic retrieval from an online exchange platform via a specific Internet connection. The question of what technical measures are to be taken remains open.
118. I would observe that a prohibitory injunction that is formulated in general terms and does not prescribe specific measures is potentially a source of significant legal uncertainty for the addressee thereof. The fact that the addressee will be entitled, in any proceedings concerning alleged failure to comply with such an injunction, to show that he has taken all reasonable measures does not entirely remove that uncertainty.
119. Moreover, given that determining what measures it is appropriate to adopt entails striking a fair balance between the various fundamental rights involved, that task ought to be undertaken by a court, rather than left entirely to the addressee of an injunction. (33)
120. Admittedly, the Court has already held that an injunction addressed to a provider of Internet access which leaves it to the addressee to determine what specific measures should be taken is, in principle, consistent with EU law. (34)
121. That solution was based, in particular, on the consideration that an injunction formulated in general terms had the advantage of enabling the addressee to decide which measures were best adapted to his resources and abilities and compatible with his other legal obligations. (35)
122. However, it does not seem to me that that reasoning can be applied in a case, such as the case in the main proceedings, in which the very existence of appropriate measures is the subject of debate.
123. The possibility of choosing which measures are most appropriate can, in certain situations, be compatible with the interests of the addressee of an injunction, but it is not so where that choice is the source of legal uncertainty. In such circumstances, leaving it entirely to the addressee to choose the most appropriate measures would upset the balance between the rights and interests involved.
124. I therefore consider that, whilst Article 12(3) of Directive 2000/31 and Article 8(3) of Directive 2001/29 do not, in principle, preclude the issuing of an injunction which leaves it to the addressee thereof to decide what specific measures should be taken, it nevertheless falls to the national court hearing an application for an injunction to ensure that appropriate measures do indeed exist that are consistent with the restrictions imposed by EU law.
This is a very clever suggestion to limit the UPC Telekabel ruling and substantially addresses the criticism that surrounded CJEU's approach. If there is no certainty that fundamental-rights-compliant measures to achieve the goal of an injunction do exist, then the court should not simply grant any injunction. It would be irresponsible to do so, as otherwise the courts would risk obliging to outcomes that have no implementations that are human-rights-complaint. I strongly agree that this outcome is impossible to reconcile with the EU Charter, since the courts cannot simply leave such scrutiny out of their hands just with a simple pointer to flexibility gains for injunction-addressees (the fact that they can choose the measures). Any other approach would basically allow also very easy circumvention of the holdings of the CJEU in Scarlet Extended or Sabam.
130. I consider that, in the present case, the inconsistency with EU law of the first and third hypothetical measures mentioned by the national court is immediately evident.
131. Indeed, a measure which requires an Internet connection to be terminated is manifestly incompatible with the need for a fair balance to be struck between the fundamental rights involved, since it compromises the essence of the freedom to conduct business of persons who, if only in ancillary fashion, pursue the economic activity of providing Internet access. (39) Moreover, such a measure would be contrary to Article 3 of Directive 2004/48, pursuant to which a court issuing an injunction must ensure that the measures imposed do not create a barrier to legitimate trade. (40)
The reference to the essence of a right is very crucial here. As Miquel and I have argued in our paper on disconnecting injunctions, since even the administrative three-strikes regimes are implementations of the EU law - usually of Art. 8(3) of the InfoSoc, they also underlie the same limits. If the CJEU accepts this reasoning, the court's holding will substantially limit availability of the three-strike schemes under the national laws.
132. In so far as concerns a measure requiring the owner of an Internet connection to examine all communications transmitted through that connection, that would clearly conflict with the prohibition on imposing a general monitoring obligation laid down in Article 15(1) of Directive 2000/31. Indeed, in order to constitute a monitoring obligation ‘in a specific case’, (41) such as is permitted under Article 15(1), the measure in question must be limited in terms of the subject and duration of the monitoring, and that would not be the case with a measure that entailed the examination of all communications passing through a network. (42)
d)      The compatibility of an obligation to make Wi-Fi networks secure
137. I would observe that an obligation to make access to such a network secure would potentially meet with a number of objections of a legal nature.
138. First of all, the introduction of a security obligation could potentially undermine the business model of undertakings that offer Internet access as an adjunct to their other services.
139. Indeed, some such undertakings would no longer be inclined to offer that additional service if it necessitated investment and attracted regulatory constraints relating to the securing of the network and the management of users. Furthermore, some users of the service, such as customers of fast-food restaurants or other businesses, would give up using the service if it involved a systematic obligation to identify themselves and enter a password.
140. Secondly, I would observe that imposing an obligation to make a Wi-Fi network secure entails, for persons who operate that network in order to provide Internet access to their customers and to the public, a need to identify users and to retain their data.
141. In this connection, Sony Music states in its written observations, that, in order to be able to impute an infringement to a ‘registered user’, the operator of a Wi-Fi network would need to store the IP addresses and the external ports through which registered users have established an Internet connection. Identifying users of a Wi-Fi network essentially corresponds to the allocation of IP addresses by an access provider. The operator of the Wi-Fi network could therefore use a computer system, which would not be very costly, according to Sony Music, to enable it to register and identify users.
142. I would observe that obligations to register users and to retain their private data fall within the scope of the regulations governing the activities of telecoms operators and other Internet service providers. The imposition of such administrative constraints seems to me to be clearly disproportionate, however, in the case of persons who offer their customers and potential customers access to the Internet via a Wi-Fi network as an adjunct to their principal activity.
143. Thirdly, although an obligation to make a Wi-Fi network secure that is imposed in a particular injunction is not the same as a general obligation to monitor information or actively to seek facts or circumstances indicating illegal activities, such as is prohibited by Article 15 of Directive 2000/31, any general obligation to identify and register users could nevertheless lead to a system of liability applicable to intermediary service providers that would no longer be consistent with that provision.
144. Indeed, in the context of prosecuting copyright infringements, network security is not an end in itself, but merely a preliminary measure that enables an operator to have a certain degree of control over network activity. However, conferring an active, preventative role on intermediary service providers would be inconsistent with their particular status, which is protected under Directive 2000/31. (47)
145. Fourthly, and lastly, I would observe that the measure at issue would not in itself be effective, and thus its appropriateness and proportionality remain open to question.
146. It must also be observed that, given the ease with which they may be circumvented, security measures are not effective in preventing specific infringements of protected works. As the Commission states, the use of passwords can potentially limit the circle of users, but does not necessarily prevent infringements of protected works. Moreover, as the Polish Government observes, providers of mere conduit services have limited means with which to follow exchanges of peer-to-peer traffic, the monitoring of which calls for the implementation of technically advanced and costly solutions about which there could be serious reservations concerning the protection of the right to privacy and the confidentiality of communications.
147. Having regard to all of the foregoing considerations, I am of the opinion that the imposition of an obligation to make access to a Wi-Fi network secure, as a means of protecting copyright on the Internet, would not be consistent with the requirement for a fair balance to be struck between, on the one hand, the protection of the intellectual property rights enjoyed by copyright holders and, on the other, that of the freedom to conduct business enjoyed by providers of the services in question. (48) By restricting access to lawful communications, the measure would also entail a restriction on freedom of expression and information. (49)
148. More generally, I would observe that any general obligation to make access to a Wi-Fi network secure, as a means of protecting copyright on the Internet, could be a disadvantage for society as a whole and one that could outweigh the potential benefits for rightholders.
149. First, public Wi-Fi networks used by a large number of people have relatively limited bandwidth and are therefore not particularly susceptible to the risk of infringement of copyright protected works and objects. (50) Secondly, Wi-Fi access points indisputably offer great potential for innovation. Any measures that could hinder the development of that activity should therefore be very carefully examined with reference to their potential benefits.
Although I could imagine that AG could put forward even stronger arguments against WiFi password-locking, the opinion is definitely convincing as it stands. For my personal reasons, I would refer the reader to our letter to the Court

Let's hope that the Court will follow the suggestions of AG Szpunar, at least in its most important aspects!

No comments: