When Mr McFadden provided a free, open Wi-Fi network in order to attract customers to his business, he would never have imagined that, in doing so, he would have responsibility for a third party uploading a musical work on the internet, without the rightholders consent. This is the finding of the Court of Justice of the European Union (the “CJEU”), in the case of McFadden v Sony Music Entertainment Germany GmbH (“McFadden v Sony”). The CJEU has recently, in the case of GS Media v Sanoma BV, taken a hard line against those who infringe copyrights, even those who only facilitate the infringement of those rights. McFadden v Sony is another case where the CJEU has found in favour of the rightholders and has laid out specific requirements for those who operate open Wi-Fi networks as part of their business.

The Facts
Mr McFadden operated an open wireless network from his business. This was done specifically to attract customers to his premises from neighbouring shops. A third party uploaded to the internet a music work to which Sony held the rights. Sony served Mr McFadden with a letter asking him to respect the rights of the phonogram of that work. Following the giving of formal notice by Sony, Mr McFadden brought an action for declaration that he was doing nothing wrong and Sony in turn, brought a number of counterclaims seeking:

  1. Payment of damages;
  2. The grant of an injunction against infringements on pain of a penalty; and,
  3. Reimbursement of the costs of giving formal notice and court costs.

There were numerous questions asked of the CJEU, but ultimately it was asked to determine whether Mr McFadden bore any responsibility for the actions of the third party, and if so what he was required to do in order to prevent this happening again.

The Decision
Sony’s counterclaims were assessed in light of Article 12(1) of Directive 2000/31/EC (the “Directive on electronic commerce”).The CJEU found in favour of Sony, insofar as it granted injunctive relief on pain of penalty and reimbursement of the costs of giving formal notice and court costs. In its decision the court did not consider that it was appropriate to award damages against Mr McFadden for the third party's actions in infringing Sony’s rights. However, it was appropriate to require Mr McFadden to take steps to stop the infringement from continuing.

The court considered different ways that this might be achieved, such as monitoring all the information transmitted or terminating the internet connection completely. The CJEU was of the opinion that such measures were excessive and contrary to the aims of the Directive on electronic commerce. However, it settled on the requirement for the network to be password protected. If a third party wanted to gain access to the network it would need to identify itself and this would act as a sufficient deterrent to dissuade people from uploading works that infringed the copyrights of the owners. The CJEU felt that this would:

“…be sufficiently effective to ensure genuine protection of the fundamental right at issue, that is to say that [the measure] must have the effect of preventing unauthorised access to the protected subject matter or, at least, of making it difficult to achieve and of seriously discouraging internet users who are using the services of the addressee of that injunction from accessing the subject matter made available to them in breach of that fundamental right…”

The Effect
This decision of the CJEU answers the question of whether a provider of a free and open not-for-profit service is free from liability as a mere conduit of a communication. The answer is no.

Perhaps of greater concern is the open-ended nature of such a decision. At a national level the result is far from certain. Whilst the court does not go so far as to say that all open Wi-Fi networks must be password protected, there is certainly scope for national courts to grant injunctions to this effect. In an attempt to strike a fair balance between the copyright holder and the rights of a service provider, the court seems to have opened the service provider up to liability in the future, if access is not protected by a password.