In McFadden v Sony, the CJEU has ruled that the mere conduit defence applies to the operator of a free WiFi network, but that it could be ordered under European law to password-protect the network.


  • Tobias McFadden runs a hifi/lighting store. He provides a free WiFi network to customers (which can also be accessed by customers of nearby stores and passers-by).
  • In 2010, someone illegally downloaded a music file over McFadden's WiFi network. Sony issued legal proceedings against McFadden.
  • The German court referred a number of questions to the CJEU. The questions deal with the scope of the mere conduit defence, and the potential injunction that could be ordered against a service provider in order to terminate/prevent infringement over that service.


  • The CJEU said that the operator of a free WiFi network could be ordered under European law to password-protect the network.
  • The decision does not change the current position under EU law, it just discusses in detail the measures required to comply with a potential injunction that could be obtained on this fact pattern (a provider of a free WiFi network).
  • We already know as a result of the E-Commerce Directive (ECD), as well as the L'Oréal v eBay and Telekabel CJEU decisions, that a mere conduit could potentially be injuncted to terminate/prevent infringement on its services. This is just a fact specific application of that settled law. We've split up the discussion below into (a) where the decision confirms what we already know and (b) new "stuff".

a. Confirming what we already knew

i. The scope of "Information Society Service" in the ECD (and therefore what the mere conduit defence applies to) is broad

  • The judgment initially deals with a number of questions about the types of service which the mere conduit defence applies to. It's not worth going into that in detail here, but it was relevant to the facts of the case - where the WiFi service was free, and not the 'main' service that the store provided.ii. "Actual knowledge" is irrelevant for the mere conduit defence
  • One of the questions referred asked whether the "actual knowledge" limb of the hosting defence (under article 14 ECD) was also relevant to the mere conduit defence. Whilst article 12 ECD does not make any reference to the knowledge requirement, the recitals confusingly suggest that it is relevant. There has long been suspicion that the drafting of the recitals was incorrect and that knowledge is not relevant to the mere conduit defence.
    • In this decision, the CJEU has confirmed that knowledge is irrelevant to the mere conduit defence (paras 55-65). The mere conduit defence applies if the service is automated, technical, passive
      • automated, technical and passive;
      • does not initiate the transmission;
      • does not select the receiver of the transmission; and
      • does not select or modify the information contained in the transmission.

iii. There are no additional conditions for the mere conduit defence to apply

  • The CJEU also confirmed that there are no other conditions that have to be satisfied in order to have the mere conduit defence available. There does not even have to be a specific contractual relationship between the provider of the service and the user (paras 66-71).

iv. Where the mere conduit defence applies, rights holders cannot bring a damages claim against the service. However, they are not precluded from obtaining an injunction under national law.

  • The CJEU then considered the series of questions relevant to the options available to rights holders where infringement occurs on the service.
  • Where the mere conduit defence applies, the CJEU has confirmed that rights holders cannot bring claims for damages against a service provider for infringement that occurs on that service (paras 72-74). However, that does not preclude rights holders from obtaining an injunction against the service to prevent that infringement, and the service may be liable for the costs of implementing that injunction (paras 75-79).
    • That is not new, we've always known that the mere conduit defence does not preclude a national court from issuing an injunction, it just confirms what the ECD says.
    • Further, any injunction will be subject to national law on injunctions – this judgment does not change that position.

b. New position on injunctions – free WiFi providers

  • The final (and most interesting) part of the judgment assesses the scope of the potential injunction to prevent infringement that could be available in this case. It is a very fact-specific discussion in the judgment – what can a provider of a free WiFi service be compelled to do in order to terminate/prevent infringement?
  • The CJEU did not issue an injunction, it just commented on the scope of a potential injunction of preventing copyright infringement against a free WiFi network provider. It looked at the potential measures available to the service provider, and took into account the balance of fundamental rights (protection of IP rights vs (1) freedom to conduct a business and (2) freedom of information.
  • The German court had highlighted that there are only really 3 measures that an injunction could prescribe, and the CJEU assessed the compatibility of each as against EU law:
  1. Monitor all of the information transmitted. The CJEU rejected this. It is contrary to Article 15 ECD (para 87).
  2. Terminate the internet connection. The CJEU rejected this. It is not a fair balance of fundamental rights to prevent a shop owner providing a WiFi connection (para 88).
  3. Password-protect the connection. The CJEU accepted this as a possibility. It could be necessary in order to ensure the effective protection of IP rights, and would be a fair balance of fundamental rights:
  • The business owner can still offer WiFi, it just has to marginally adjust the technical options for that connection (para 91);
  • Requiring a password does not undermine the freedom of information – the WiFi connection is only one way of accessing the internet (para 92);
  • It does not affect users' ability to access information lawful, as it does not block any internet site (paras 93-94);
  • An injunction must have the effect of preventing infringement, or at least making it difficult/dissuading users from doing so. Users would have to reveal their identity to obtain the password and could not use the service anonymously – that would dissuade infringement (paras 95-96);
  • Password protecting the connection – as long as it forced users to identify themselves and could not remain anonymous – therefore would be an appropriate balance of the fundamental rights, and effective to prevent infringement (paras 100-101).


  • The headlines that you might see about this case will likely be a little over the top. This decision does not set out that all WiFi networks must be password protected. It says that in relation to an injunction against the provider of a free WiFi network to terminate/prevent infringement over that network by users, password-protecting the network might be an appropriate measure to comply with that injunction, but that it was for the national court to decide the scope of the injunction.
  • The headlines might leave out some very important practical considerations, for example:
    • The rights holder would first have to obtain a court injunction for the provider of the network to prevent infringement (injunctions have high thresholds in most Member States);
    • The rights holder would have to obtain evidence of infringement over that network initially; and
    • The rights holder would have to convince the court that, while balancing the interests of legitimate users, the WiFi provider and the rights holder, an injunction of this sort was appropriate and proportionate.
  • The decision (like more and more of the CJEU decisions these days) is very fact specific. Although there will likely be a lot of discussion around the potential impact of this decision, we believe it currently has limited effect outside of this fact pattern. However, could this be a signal that the CJEU will start to articulate and shape the jurisprudence around injunctions against service providers to prevent infringement? That is certainly possible.