The Court of Justice of the European Union has confirmed that business owners who offer free Wi-Fi are not responsible for copyright infringement carried out by customers using their service. However, this does not affect a national court’s ability to impose injunctions against providers and to impose mandatory password protection requiring users to reveal their identity before gaining access.

A recent case before the Court of Justice for the European Union ("CJEU") involved a retailer, Tobias McFadden, who operates a business selling and renting lighting and sound systems for various events in Germany. At his business premises, he provided use of a Wi-Fi connection free of charge to the public. In September 2010, a musical work was unlawfully offered for downloading via that Internet connection. Sony Music, as holder of the rights in that musical work, issued proceedings against Mr McFadden for copyright infringement.

Background to proceedings

The referring court, the Munich Regional Court, initially held that Mr McFadden was directly liable for the infringement and granted an injunction in favour of Sony Music. Mr McFadden appealed that decision on the basis of the ‘mere conduit’ defence under Article 12 of the Directive 2000/31/EC (“E-Commerce Directive”). Article 12 contains a limitation on the liability of Internet service providers for information transmitted in circumstances where the provider does not initiate the transmission, does not select the receiver of the transmission and does not select or modify the information contained in the transmission. The preliminary reference, which comprised of nine questions, focused on the scope and application of the ‘mere conduit’ defence under Article 12 of the E-Commerce Directive.

Opinion of Advocate General Szpunar and the CJEU decision

The Advocate General’s opinion was delivered on 16 March 2016, as outlined in a previous article published by our Technology team. The CJEU handed down its judgment on 15 September 2016, which largely echoes the Advocate General’s findings.

In order to come within the scope of the E-Commerce Directive, the service in question must be “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. The national court requested a determination on whether the provision of free Wi-Fi could be considered economic in nature. The Advocate General had held that although internet access is often provided free of charge in, for example, a hotel or bar, that service is matched with a monetary consideration that is incorporated into the price of other services such as the room rate. The CJEU ultimately confirmed that a service provided free of charge constitutes an ‘information society service’ “where the activity is performed by the service provider in question for the purposes of advertising the goods sold or services supplied by that service provider.”

The fact that Mr McFadden could be considered a ‘mere conduit provider’ for the purposes of the E-Commerce Directive was not disputed. However, clarification was sought on the range of relief permissible against a mere conduit. With regard to damages and other claims, the CJEU, in agreement with the Advocate General, held that as a provider of mere conduit services cannot be held liable for the copyright infringement committed by users, Mr McFadden should not be ordered to pay compensation in respect of the infringement. However, the CJEU also noted that this interpretation does not prevent a person from claiming injunctive relief against an Internet service provider in respect of the continuation of that infringement.

Imposing security measures including password protection

The referring court also sought clarification on whether a service provider could be required to put in place additional measures such as disconnection, password-protection or monitoring. The CJEU held that a measure requiring the owner of an Internet connection to examine all communications transmitted through that connection would clearly go against the prohibition on imposing a general monitoring obligation, laid down in Article 15(1) of the E-Commerce Directive. A measure which requires an Internet connection to be terminated was considered by the CJEU to be incompatible with the need for a fair balance to be struck between the fundamental rights involved, since it compromises the essence of the freedom to conduct business on the part of the service provider.

The Advocate General also concluded that the imposition of an obligation to make access to a Wi-Fi network secure, such as through password protection, would be incompatible with the need for a fair balance to be struck between the various fundamental rights. However, the CJEU did not follow this interpretation. The CJEU was of the view that “a measure consisting in password-protecting an internet connection may dissuade the users of that connection from infringing copyright or related rights, provided that those users are required to reveal their identity in order to obtain the required password.” The rationale behind this requirement would be to prevent users from acting anonymously. The court was of the view that omitting to place any need on service providers to secure their internet connections would be to deprive the fundamental rights to intellectual property of any protection. However, the CJEU emphasised that the imposition of this requirement would be a matter for the national court to ascertain.


This decision provides welcome confirmation that service providers can rely on the safe harbour provisions set out in the E-Commerce Directive, irrespective of whether they charge customers for use of their internet connection. However, business owners will no doubt be less receptive to the possibility of mandatory password protection.