The answer in Germany is “yes.” To understand why, you have to understand the principle of “co-liability” or Störerhaftung. Under the principle of co-liability, operators of an open WiFi network can be held liable for the legal infringements of the users of their networks. This means that if someone uses your company’s free WiFi network to illegally download music, your company could be sent a warning (or could be subject to liability) for permitting the use.

The European Court of Justice recently addressed this issue in a case that dealt with the applicability of the E-Privacy Directive on private operators of internet connections. The case was presented to the European Court of Justice by the Regional Court of Munich, and involved a warning letter that had been sent by Sony Music Group to the operator of a business that offered free WiFi in its sales areas. According to Sony, a guest had allegedly used the free WiFi connection to illegally download music.

Although the European Court of Justice ruled on September 15, 2016 that private providers of open WiFi networks in Germany are in principle not liable for intellectual property infringements that are committed by guest users of the WiFi connection, the European Court of Justice expressly limited the scope of its decision by stating that an operator of an open WiFi connection may be ordered to secure its network by requiring that users provide identifying information and utilize a password in order to end or prevent legal infringements. The intent of the Court’s decision was to strike a balance between three competing interests: the rights of owners of intellectual property; the rights of companies to freely provide Internet access; and the rights of Internet users to freedom of information. The hope is that by forcing users to identify themselves through the authentication process they will be less likely to infringe upon intellectual property rights. Put differently, illegal conduct is more likely if a user believes that their actions are anonymous; it is less likely if they believe that their actions can, or will, be attributed to them.

In order to minimize liability risks, companies across Germany should consider securing all public WiFi networks with a password and an authentication process that requires users to identify themselves. Until the legal situation is clarified, operators should consider noting and reviewing the names and contact information of users of their hot spots. Users should in addition be informed that no legal infringements may be committed via the public network that is being offered.

It remains to be seen how the legal situation will develop, and whether the European Court of Justice’s decision will have practical impacts beyond Germany, throughout the European Union, and throughout countries, like the United Kingdom, that may have a vested interest in tracking European law even after Brexit in order to maintain certain commonalities of legal protection.