The Court of Justice of the EU (CJEU) has ruled on the scope of the "mere conduit" exemption of the e-Commerce Directive, as applied to the liability of free WiFi providers for copyright infringements committed by the users of the free WiFi service. This decision refrained from exposing public WiFi providers to damages if their systems are used in a copyright violation, but would allow copyright holders to require WiFi providers to demand user identities and apply password protections, as a way of discouraging the use of their systems for copyright infringement.

The issue arose from a copyright infringement claim by Sony Music Entertainment Germany ("SME") against Tobias McFadden, a business selling and leasing sound and lighting systems in the German town of Gauting. McFadden operates a wireless local area network (WLAN) that is accessible free of charge and anonymously in his office's building and the immediate vicinity.

At one point this network was used to download a musical work to which SME owns the rights. SME sent a formal notice to McFadden demanding he respect SME's rights over the musical work. McFadden applied to the regional court in Munich ("Landgericht München I") for a "negative declaration," that is, a declaration that he had committed no infringement. SME counterclaimed for damages on the ground that McFadden was directly liable for the infringement, seeking an injunction to prevent any continued infringement.

On the basis of the facts of the case, the regional court was inclined to accept that the infringement of SME's rights had not been committed by McFadden personally, but by an unknown user of his WLAN, and therefore that McFadden could not be held directly liable ("Täterhaftung") for the infringement. However, the court considered holding McFadden indirectly liable ("Störerhaftung") for failing to have secured the network and thus allowing the rights to be infringed anonymously. Before ruling, the court asked the CJEU whether the "mere conduit" exemption laid down in Article 12(1) of the e-Commerce Directive (directive 2000/31), as transposed into German law, might preclude it from finding McFadden liable in any way.

According to the "mere conduit" provision, the provider of an information society service, providing access to a communication network, is not liable for information transmitted, if the provider (i) does not initiate the transmission, (ii) does not select the receiver of the transmission, and (iii) does not select or modify the information contained in the transmission.

The CJEU concluded that the exemption did indeed apply in this case. Therefore, McFadden could not be held indirectly liable for the infringement of SME's rights resulting from the downloading of a musical work by an unknown user of McFadden's free WLAN. The Court thus held that the "mere conduit" exemption precludes an owner of intellectual property rights from claiming compensation from a provider of access to a communication network on the grounds that that network was used by a third party to infringe these rights.

However, the CJEU also held that the exemption does not preclude a rights owner from claiming injunctive relief from the communication network access provider whose services were used in an infringement, in order to prevent continuing infringement.

As to the nature of the injunctive relief that might be granted in such a case, the Court only took into consideration the three options presented to it by the referring court, namely (i) examining all communications over the connection, (ii) password-protecting the connection, or (iii) terminating the connection. The Court considered that a fair balance had to be struck between the competing interests at stake: protection of the right to the protection of intellectual property, freedom to operate a business as a network access provider, and freedom of information of the service users. The Court concluded that, of the three alternatives, only a measure consisting in password-protecting the WLAN connection and requiring users to reveal their identities to obtain the required password would strike an appropriate balance. According to the Court, such a measure would be an effective deterrent for copyright infringements, while not overly restricting the freedom to conduct a business of the provider, or the ability of internet users to lawfully access information.

On this point, the Court went against the advice of Advocate-General Szpunar, who considered that it would not be appropriate to require password protection, at least for undertakings that offer Internet connections only as an adjunct to their other services, because such a measure by itself would not be effective, but would undermine those undertakings' business model and impose disproportionate administrative burdens.

The Court also seems to contradict the German Federal Court of Justice ("Bundesgerichtshof"), which in 2010 held that a private person operating a WLAN with internet access may be regarded as a "Störer" (indirectly liable) where he has failed to make his network secure by means of a password, thus enabling a third party to infringe a copyright or related right (Sommer unseres Lebens, I ZR 121/08). By contrast, the CJEU considers that a person may only incur liability for failing to heed an injunction to password protect a wireless network. The CJEU's judgment is unlikely to end the debate in German law about Störerhaftung in relation to internet services. A recently adopted amendment of the German Telemedia Act ("Telemediengesetz"), which entered into force on 27 July 2016, was widely expected to exempt WiFi providers from Störerhaftung by extending immunity enjoyed by internet service providers and hosting companies to operators of wireless networks, but critics say the amendment fails to provide legal certainty because it does not rule out certain civil actions, at least not explicitly.

The CJEU has tried to reach a compromise. As is often the case with compromises, it is likely to leave both sides unsatisfied. Intellectual property rights holders will be unhappy they cannot hold connectivity providers liable for infringements, but can only seek injunctions to prevent continuing infringement. This will undermine enforcement of intellectual property rights for content transmitted over the internet, since in most cases it will not be possible to identify the directly liable party (the illegal downloader) if the network is not protected, and having to request an injunction against each and every free WiFi provider is cumbersome and only provides a remedy against future infringements. On the other hand, open access advocates such as McFadden (a local councilor for the German "Pirate Party") and also free WiFi providers will be disappointed that the Court would require password protection, which places additional burdens on the providers and reduces the accessibility and convenience of free WiFi services. The possibility for intellectual property rights holders to seek injunctions against WLAN providers (which include businesses in hospitality, transport hubs, local governments, etc.) may even prompt the latter to preemptively apply password protection to avoid such injunctions, even if only to avoid the costs of formal notice and court costs related to those injunctions. This could also slow down the rollout of public WiFi access in Europe, which is part of the European Commission's objectives in its Digital Agenda.

Read the CJEU's 15 September 2016 judgment.